On 18/01/2023 18:37, Greg Dickie wrote:
> On Wed, Jan 18, 2023 at 12:20 PM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On 18/01/2023 17:05, Greg Dickie wrote:
> >
> > > Agree but this was a standalone server that we are now transitioning
> > > into the domain and as long as the UIDs and GIDs match everything
> > > should be ok no?
> > >
> > > > Is it possible to see your smb.conf used on the Unix machines?
> > >
> > > Sure
> > >
> > > [global]
> > >         workgroup = TOTO
> > >         server string = Samba on SRVLXFS2
> > >         realm = TOTO.CA
> > >         security = ads
> > >         kerberos method = secrets only
> > >         winbind use default domain = true
> > >         winbind offline logon = false
> > >         winbind nss info = rfc2307
> > >         winbind enum users = yes
> > >         winbind enum groups = yes
> > >         idmap config * : range = 16777216-33554431
> > >         idmap config ULTRATCS : schema mode = rfc2307
> > >         idmap config ULTRATCS : backend = ad
> > >         idmap config ULTRATCS : range = 500-10000
> > >         idmap config ULTRATCS : unix_primary_group = yes
> > >         idmap config ULTRATCS : unix_nss_info = yes
> >
> > Oh dear, unless it's bad sanitisation, you have a big problem.
> > Your workgroup is 'TOTO' but you are using 'ULTRATCS' for the idmap
> > config lines, it should be the workgroup name 'TOTO'
>
> Dammit, that's just bad sanitization. Sorry, pretend you did not see that.

Not possible, but I can forget I saw it :-D

> > >         idmap_ldb:use rfc2307 = yes
> > >         template homedir = /home/%U
> > >         min domain uid = 0
> > >         unix extensions = no
> > >         wide links = yes
> > >
> > >         printing = cups
> > >         printcap name = cups
> > >         load printers = no
> > >         cups options = raw
> > >         log file = /var/log/samba/log.%m.%U
> > >         log level = 0
> > >         max log size = 50M
> > >         #syslog = 0
> > >
> > > [homes]
> > >         comment = Home Directories
> > >         browseable = no
> > >         writable = yes
> > > #       create mask = 0664
> > > #       directory mask = 0775
> > >         force create mode = 0775
> > >         force directory mode = 0775
> > > #       force security mode = 664
> > > #       force directory security mode = 775
> > >         map archive = no
> >
> > I think you will find that everyone can get into everyone else's homedir
>
> Yes, it was like that before I got to it, so I just left it.
>
> > > This has been working fine but now I have some users who suddenly lose
> > > write access to their files, sometimes. One user has 2 workstations
> > > (1 works always, the other exhibits this issue so maybe a patch on the
> > > workstation?). When this happens IF I give their files group write
> > > permission they are good again. Does this ring a bell? I have a level
> > > 10 debug of an ACCESS_DENIED test but nothing in there looks obviously
> > > wrong until the ACCESS_DENIED so I can't see why.
> >
> > Are they supposed to have 'user' permissions or just 'group'
> > permissions, also are you using extended ACLs?
>
> User permissions, all the users on this system have the same primary
> group of 1000. No ACLs, or at least not supposed to be.

You really need to use ACLs

> > Would '1000' be the gidNumber for Domain Users?
>
> It's not, it's another group, see below which shows AD mapping vs NIS
> mapping:

Where does NIS come into this? Is a NIS server running somewhere?
Or are you just using the IDs NIS used to supply?

> [root at srvlxfs2 ~]# wbinfo -i gdickie
> gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
> [root at srvlxfs2 ~]# wbinfo --gid-info=1000
> engineering access:x:1000:
> [root at srvlxfs2 ~]# id gdickie
> uid=1014(gdickie) gid=1000(fpga) groups=1000(fpga)
> [root at srvlxfs2 ~]#

Does the Domain Users group have a gidNumber? Even though you are using
a different user primaryGroupID, Domain Users needs a gidNumber.

> Again, this has all been working 99% except for a few select users at
> some times. And at those times the uid as shown in smbstatus is correct.
>
> I don't suppose you want to see the level 10 debug log?

No, perhaps later.

Rowland
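Editor's note: the two things Rowland flags in the config above (idmap config lines naming 'ULTRATCS' while the workgroup is 'TOTO', and a [homes] share whose forced modes let everyone into everyone else's files) are the kind of thing worth checking mechanically before a server is joined. The following is an added example of such a check, written for this page; it is not code from the thread or from the Samba project. The smb.conf text inside it is a constructed, abbreviated copy of the one quoted above with the unsanitised 'ULTRATCS' left in so the first check fires; the parameter names are real smb.conf parameters, while the `audit` function, its range-overlap check and its message strings are mine.

```python
"""Audit an smb.conf for the idmap and [homes] problems raised in the thread.

Added example, not code from the thread or from the Samba project.  The
config text is a constructed, abbreviated copy of the one quoted above, with
the sanitised 'ULTRATCS' domain name left in so the first check fires.
"""
import re
from collections import defaultdict

SMB_CONF = """\
[global]
        workgroup = TOTO
        realm = TOTO.CA
        security = ads
        winbind nss info = rfc2307
        idmap config * : range = 16777216-33554431
        idmap config ULTRATCS : schema mode = rfc2307
        idmap config ULTRATCS : backend = ad
        idmap config ULTRATCS : range = 500-10000
        idmap config ULTRATCS : unix_primary_group = yes
        idmap config ULTRATCS : unix_nss_info = yes

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        force create mode = 0775
        force directory mode = 0775
"""

_IDMAP_KEY = re.compile(r"^idmap config (\S+)\s*:\s*(.+)$")


def parse_smb_conf(text):
    """Return {section: {key: value}}.

    Samba compares parameter names case-insensitively and ignores internal
    whitespace, so keys are lower-cased and whitespace-collapsed.
    """
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return dict(sections)


def idmap_domains(global_section):
    """Group 'idmap config DOM : option' keys into {DOM: {option: value}}."""
    domains = defaultdict(dict)
    for key, value in global_section.items():
        m = _IDMAP_KEY.match(key)
        if m:
            domains[m.group(1).upper()][m.group(2)] = value
    return dict(domains)


def parse_range(value):
    lo, hi = (int(part) for part in value.split("-"))
    return lo, hi


def audit(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    workgroup = glob.get("workgroup", "").upper()
    domains = idmap_domains(glob)
    findings = []

    # 1. A domain-specific idmap block only applies if it names the domain
    #    exactly as winbind knows it (the workgroup / short domain name).
    #    Otherwise winbind falls back to the '*' default backend for that
    #    domain and allocates IDs instead of reading the AD uidNumber/gidNumber.
    for dom in domains:
        if dom not in ("*", workgroup):
            findings.append(
                f"idmap config names '{dom}' but the workgroup is '{workgroup}': "
                f"the domain will be mapped by the '*' default backend")

    # 2. Ranges of different idmap blocks must not overlap, or one numeric
    #    ID can be handed to two different SIDs.
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")

    # 3. Forced modes on [homes] that include the group or other write bit
    #    make every file Samba creates writable by the whole primary group;
    #    with one shared primary group (gid 1000 here) that is every user.
    homes = conf.get("homes", {})
    for opt in ("force create mode", "force directory mode"):
        if opt in homes and int(homes[opt], 8) & 0o022:
            findings.append(f"[homes] {opt} = {homes[opt]} grants write to group/other")
    return findings


if __name__ == "__main__":
    for finding in audit(SMB_CONF):
        print("WARN:", finding)
```

Run it against `testparm -s` output rather than the raw file so that includes and defaults are already resolved. One caveat the audit does not cover: the posted config also sets `wide links = yes` together with `unix extensions = no`, which is the combination in which smbd follows symlinks to paths outside the share.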
On Wed, Jan 18, 2023 at 2:02 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:

> On 18/01/2023 18:37, Greg Dickie wrote:
> > Dammit, that's just bad sanitization. Sorry, pretend you did not see that.
>
> Not possible, but I can forget I saw it :-D

deal.

> > User permissions, all the users on this system have the same primary
> > group of 1000. No ACLs, or at least not supposed to be.
>
> You really need to use ACLs

Much simpler without no? especially as this is also an NFS server.

> > It's not, it's another group, see below which shows AD mapping vs NIS
> > mapping:
>
> Where does NIS come into this? Is a NIS server running somewhere?
> Or are you just using the IDs NIS used to supply?

This machine is actually still a NIS server for a bunch of others that
will be migrated to AD.

> > [root at srvlxfs2 ~]# wbinfo -i gdickie
> > gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
> > [root at srvlxfs2 ~]# wbinfo --gid-info=1000
> > engineering access:x:1000:
> > [root at srvlxfs2 ~]# id gdickie
> > uid=1014(gdickie) gid=1000(fpga) groups=1000(fpga)
> > [root at srvlxfs2 ~]#
>
> Does the Domain Users group have a gidNumber? Even though you are using
> a different user primaryGroupID, Domain Users needs a gidNumber.

It has:

[root at srvlxfs2 ~]# wbinfo --gid-info=513
domain users:x:513:
[root at srvlxfs2 ~]# wbinfo --group-info="Domain Users"
domain users:x:513:

> > Again, this has all been working 99% except for a few select users at
> > some times. And at those times the uid as shown in smbstatus is correct.
> >
> > I don't suppose you want to see the level 10 debug log?
>
> No, perhaps later.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

-- 
Greg Dickie
just a guy
514-983-5400
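Editor's note: Greg's premise earlier in the thread is that the move from the standalone NIS server into AD is safe as long as the UIDs and GIDs match, and this machine is still the NIS server for other hosts. The following is an added example, written for this page and not code from the thread or the Samba project, that checks that premise: it reconciles passwd-format lines as NIS hands them out (`ypcat passwd`) with the lines winbind now returns (`wbinfo -i NAME`, the format quoted above) and reports mismatched IDs, names known to only one side, and IDs outside the domain's idmap range (500-10000 in the posted config), which cannot have come from the rfc2307 attributes. Both inputs are constructed: the gdickie line copies the output quoted above, while jdoe, legacyapp and newhire are invented to exercise each kind of discrepancy.

```python
"""Reconcile legacy NIS passwd entries with what winbind now returns.

Added example, not code from the thread or the Samba project.  Both inputs
are constructed: the gdickie line copies the wbinfo -i output quoted above,
the other accounts are invented to exercise each kind of discrepancy.
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")

# What the NIS map still hands out (constructed, 'ypcat passwd' format).
NIS_PASSWD = """\
gdickie:x:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
jdoe:x:1015:1000:Doe, Jane:/home/jdoe:/bin/bash
legacyapp:x:1200:1000:Legacy app account:/srv/legacyapp:/sbin/nologin
"""

# What winbind answers for the same names (constructed, 'wbinfo -i' format).
WINBIND_PASSWD = """\
gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
jdoe:*:1015:513:Doe, Jane:/home/jdoe:/bin/bash
newhire:*:16777216:16777216:New Hire:/home/newhire:/bin/bash
"""

# The AD domain's idmap range from the posted smb.conf; IDs outside it
# cannot have come from the rfc2307 attributes via the 'ad' backend.
DOMAIN_RANGE = (500, 10000)


def parse_passwd(text):
    """Parse passwd-style lines into {name: PasswdEntry}; skip malformed lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def in_range(ident, id_range):
    lo, hi = id_range
    return lo <= ident <= hi


def reconcile(nis_text, winbind_text, domain_range=DOMAIN_RANGE):
    """Return {name: [problem, ...]} for every account with a discrepancy.

    Reported problems:
      missing-in-ad        in NIS, but winbind cannot resolve the name
      missing-in-nis       winbind resolves it, but NIS never knew it
      uid-mismatch / gid-mismatch
                           ownership of existing files will not carry over
      uid-outside-range / gid-outside-range
                           the ID is not in the AD idmap range, so it was
                           allocated by the '*' backend rather than read from AD
    Accounts with no problem are absent from the result.
    """
    nis = parse_passwd(nis_text)
    ad = parse_passwd(winbind_text)
    problems = {}

    def note(name, msg):
        problems.setdefault(name, []).append(msg)

    for name in sorted(set(nis) | set(ad)):
        n, a = nis.get(name), ad.get(name)
        if a is None:
            note(name, "missing-in-ad")
            continue
        if n is None:
            note(name, "missing-in-nis")
        else:
            if n.uid != a.uid:
                note(name, f"uid-mismatch nis={n.uid} ad={a.uid}")
            if n.gid != a.gid:
                note(name, f"gid-mismatch nis={n.gid} ad={a.gid}")
        if not in_range(a.uid, domain_range):
            note(name, f"uid-outside-range {a.uid}")
        if not in_range(a.gid, domain_range):
            note(name, f"gid-outside-range {a.gid}")
    return problems


if __name__ == "__main__":
    for name, issues in reconcile(NIS_PASSWD, WINBIND_PASSWD).items():
        print(f"{name}: {', '.join(issues)}")
```

The function takes text, so the same check works against /etc/passwd on the NFS clients once they are moved. A gid mismatch like the constructed jdoe case (NIS group 1000, AD primary group 513) is exactly the situation in which a file that was group-writable under the old IDs stops being so after the join.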
Halp?

Thanks,
Greg

On Wed, Jan 18, 2023 at 2:02 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:

> No, perhaps later.
>
> Rowland