samba - Jan 2023 - Files suddenly go readonly

On Wed, Jan 18, 2023 at 12:20 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
>
>
> On 18/01/2023 17:05, Greg Dickie wrote:
>
> > Agree but this was a standalone server that we are now transitioning
> > into the domain and as long as the UIDs and GIDs match everything
should
> > be ok no?
> >
> >
> >     Is it possible to see your smb.conf used on the Unix machines ?
> >
> >
> > O=Sure
> >
> > [global]
> >          workgroup = TOTO
> >          server string = Samba on SRVLXFS2
> >          realm = TOTO.CA <http://TOTO.CA>
> >          security = ads
> >          kerberos method = secrets only
> >          winbind use default domain = true
> >          winbind offline logon = false
> >          winbind nss info = rfc2307
> >          winbind enum users = yes
> >          winbind enum groups = yes
> >          idmap config * : range = 16777216-33554431
> >          idmap config ULTRATCS : schema mode = rfc2307
> >          idmap config ULTRATCS : backend = ad
> >          idmap config ULTRATCS : range = 500-10000
> >          idmap config ULTRATCS : unix_primary_group = yes
> >          idmap config ULTRATCS : unix_nss_info = yes
>
> Oh dear, unless it's bad sanitisation, you have a big problem.
> Your workgroup is 'TOTO' but you are using 'ULTRATCS' for
the idmap
> config lines, it should be the workgroup name 'TOTO'
>
Damit, that's just bad sanitization. sorry, pretend you did not see that.

>
> >          idmap_ldb:use rfc2307 = yes
> >          template homedir = /home/%U
> >          min domain uid = 0
> >         unix extensions = no
> >         wide links = yes
> >
> >         printing = cups
> >         printcap name = cups
> >         load printers = no
> >         cups options = raw
> >          log file = /var/log/samba/log.%m.%U
> >          log level = 0
> >          max log size = 50M
> >          #syslog = 0
> >
> > [homes]
> >          comment = Home Directories
> >          browseable = no
> >          writable = yes
> > #        create mask = 0664
> > #        directory mask = 0775
> >          force create mode = 0775
> >          force directory mode = 0775
> > #        force security mode = 664
> > #        force directory security mode = 775
> >          map archive = no
>
> I think you will find that everyone can get into everyone else's
homedir
>
Yes, it was like that before I got to it, so I just left it.
>
> >
> >
> >     This has been working fine but now I have some
> >      > users who suddenly lose write access to their files,
sometimes.
> >     One user
> >      > has 2 workstations (1 works always, the other exhibits this
issue
> >     so maybe
> >      > a patch on the workstation?). When this happens IF I give
their
> >     files group
> >      > write permission they are good again. Does this ring a bell?
I
> >     have a level
> >      > 10 debug of an ACCESS_DENIED test but nothing in there looks
> >     obviously
> >      > wrong until the ACCESS_DENIED so I can't see why.
> >
> >     Are they supposed to have 'user' permissions or just
'group'
> >     permissions, also are you using extended ACL's ?
> >
> >
> > user permissions, all the users on this system have the same primary
> > group of 1000, No ACLs, or at least not supposed to be.
>
> Would '1000' be the gidNumber for Domain Users ?
>
It's not, It's another group, see below which shows AD mapping vs NIS
mapping:

[root at srvlxfs2 ~]# wbinfo -i gdickie
gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
[root at srvlxfs2 ~]# wbinfo --gid-info=1000
engineering access:x:1000:
[root at srvlxfs2 ~]# id gdickie
uid=1014(gdickie) gid=1000(fpga) groups=1000(fpga)
[root at srvlxfs2 ~]#

Again, this has all been working 99% except for a few select users at some
times. And at those times the uid as shown in smbstatus is correct.

I don't suppose you want to see the level 10 debug log?

Thanks,
Greg



>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 


Greg Dickie
just a guy
514-983-5400

On 18/01/2023 18:37, Greg Dickie wrote:
> 
> 
> On Wed, Jan 18, 2023 at 12:20 PM Rowland Penny via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>>
wrote:
> 
> 
> 
>     On 18/01/2023 17:05, Greg Dickie wrote:
> 
>      > Agree but this was a standalone server that we are now
transitioning
>      > into the domain and as long as the UIDs and GIDs match everything
>     should
>      > be ok no?
>      >
>      >
>      >? ? ?Is it possible to see your smb.conf used on the Unix machines
?
>      >
>      >
>      > O=Sure
>      >
>      > [global]
>      >? ? ? ? ? workgroup = TOTO
>      >? ? ? ? ? server string = Samba on SRVLXFS2
>      >? ? ? ? ? realm = TOTO.CA <http://TOTO.CA>
<http://TOTO.CA
>     <http://TOTO.CA>>
>      >? ? ? ? ? security = ads
>      >? ? ? ? ? kerberos method = secrets only
>      >? ? ? ? ? winbind use default domain = true
>      >? ? ? ? ? winbind offline logon = false
>      >? ? ? ? ? winbind nss info = rfc2307
>      >? ? ? ? ? winbind enum users = yes
>      >? ? ? ? ? winbind enum groups = yes
>      >? ? ? ? ? idmap config * : range = 16777216-33554431
>      >? ? ? ? ? idmap config ULTRATCS : schema mode = rfc2307
>      >? ? ? ? ? idmap config ULTRATCS : backend = ad
>      >? ? ? ? ? idmap config ULTRATCS : range = 500-10000
>      >? ? ? ? ? idmap config ULTRATCS : unix_primary_group = yes
>      >? ? ? ? ? idmap config ULTRATCS : unix_nss_info = yes
> 
>     Oh dear, unless it's bad sanitisation, you have a big problem.
>     Your workgroup is 'TOTO' but you are using 'ULTRATCS'
for the idmap
>     config lines, it should be the workgroup name 'TOTO'
> 
> 
> Damit, that's just bad sanitization. sorry, pretend you did not see
that.
Not possible, but I can forget I saw it :-D
> 
> 
>      >? ? ? ? ? idmap_ldb:use rfc2307 = yes
>      >? ? ? ? ? template homedir = /home/%U
>      >? ? ? ? ? min domain uid = 0
>      >? ? ? ? ?unix extensions = no
>      >? ? ? ? ?wide links = yes
>      >
>      >? ? ? ? ?printing = cups
>      >? ? ? ? ?printcap name = cups
>      >? ? ? ? ?load printers = no
>      >? ? ? ? ?cups options = raw
>      >? ? ? ? ? log file = /var/log/samba/log.%m.%U
>      >? ? ? ? ? log level = 0
>      >? ? ? ? ? max log size = 50M
>      >? ? ? ? ? #syslog = 0
>      >
>      > [homes]
>      >? ? ? ? ? comment = Home Directories
>      >? ? ? ? ? browseable = no
>      >? ? ? ? ? writable = yes
>      > # ? ? ? ?create mask = 0664
>      > # ? ? ? ?directory mask = 0775
>      >? ? ? ? ? force create mode = 0775
>      >? ? ? ? ? force directory mode = 0775
>      > # ? ? ? ?force security mode = 664
>      > # ? ? ? ?force directory security mode = 775
>      >? ? ? ? ? map archive = no
> 
>     I think you will find that everyone can get into everyone else's
homedir
> 
> Yes, it was like that before I got to it, so I just left it.
> 
> 
>      >
>      >
>      >? ? ?This has been working fine but now I have some
>      >? ? ? > users who suddenly lose write access to their files,
>     sometimes.
>      >? ? ?One user
>      >? ? ? > has 2 workstations (1 works always, the other exhibits
>     this issue
>      >? ? ?so maybe
>      >? ? ? > a patch on the workstation?). When this happens IF I
give
>     their
>      >? ? ?files group
>      >? ? ? > write permission they are good again. Does this ring a
bell? I
>      >? ? ?have a level
>      >? ? ? > 10 debug of an ACCESS_DENIED test but nothing in there
looks
>      >? ? ?obviously
>      >? ? ? > wrong until the ACCESS_DENIED so I can't see why.
>      >
>      >? ? ?Are they supposed to have 'user' permissions or just
'group'
>      >? ? ?permissions, also are you using extended ACL's ?
>      >
>      >
>      > user permissions, all the users on this system have the same
primary
>      > group of 1000, No ACLs, or at least not supposed to be.
You really need to use ACL's
> 
>     Would '1000' be the gidNumber for Domain Users ?
> 
> 
> It's not, It's another group, see below which shows AD mapping vs
NIS
> mapping:
Where does NIS come into this ? Is a NIS server running somewhere ?
Or are you just using the ID's NIS used to supply.
> 
> [root at srvlxfs2 ~]# wbinfo -i gdickie
> gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
> [root at srvlxfs2 ~]# wbinfo --gid-info=1000
> engineering access:x:1000:
> [root at srvlxfs2 ~]# id gdickie
> uid=1014(gdickie) gid=1000(fpga) groups=1000(fpga)
> [root at srvlxfs2 ~]#
Does the Domain Users group have a gidNumber, even though you are using 
a different user primarygroupid, Domain Users needs a gidNumber.
> 
> Again, this has all been working 99% except for a few select?users at 
> some times. And at those times the uid as shown in smbstatus is correct.
> 
> I don't suppose you want to see the level 10 debug log?
No, perhaps later.

Rowland