samba - Jan 2023 - Files suddenly go readonly

Halp?

Thanks,
Greg

On Wed, Jan 18, 2023 at 2:02 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
>
>
> On 18/01/2023 18:37, Greg Dickie wrote:
> >
> >
> > On Wed, Jan 18, 2023 at 12:20 PM Rowland Penny via samba
> > <samba at lists.samba.org <mailto:samba at
lists.samba.org>> wrote:
> >
> >
> >
> >     On 18/01/2023 17:05, Greg Dickie wrote:
> >
> >      > Agree but this was a standalone server that we are now
> transitioning
> >      > into the domain and as long as the UIDs and GIDs match
everything
> >     should
> >      > be ok no?
> >      >
> >      >
> >      >     Is it possible to see your smb.conf used on the Unix
machines
> ?
> >      >
> >      >
> >      > O=Sure
> >      >
> >      > [global]
> >      >          workgroup = TOTO
> >      >          server string = Samba on SRVLXFS2
> >      >          realm = TOTO.CA <http://TOTO.CA>
<http://TOTO.CA
> >     <http://TOTO.CA>>
> >      >          security = ads
> >      >          kerberos method = secrets only
> >      >          winbind use default domain = true
> >      >          winbind offline logon = false
> >      >          winbind nss info = rfc2307
> >      >          winbind enum users = yes
> >      >          winbind enum groups = yes
> >      >          idmap config * : range = 16777216-33554431
> >      >          idmap config ULTRATCS : schema mode = rfc2307
> >      >          idmap config ULTRATCS : backend = ad
> >      >          idmap config ULTRATCS : range = 500-10000
> >      >          idmap config ULTRATCS : unix_primary_group = yes
> >      >          idmap config ULTRATCS : unix_nss_info = yes
> >
> >     Oh dear, unless it's bad sanitisation, you have a big problem.
> >     Your workgroup is 'TOTO' but you are using
'ULTRATCS' for the idmap
> >     config lines, it should be the workgroup name 'TOTO'
> >
> >
> > Damit, that's just bad sanitization. sorry, pretend you did not
see that.
>
> Not possible, but I can forget I saw it :-D
>
> >
> >
> >      >          idmap_ldb:use rfc2307 = yes
> >      >          template homedir = /home/%U
> >      >          min domain uid = 0
> >      >         unix extensions = no
> >      >         wide links = yes
> >      >
> >      >         printing = cups
> >      >         printcap name = cups
> >      >         load printers = no
> >      >         cups options = raw
> >      >          log file = /var/log/samba/log.%m.%U
> >      >          log level = 0
> >      >          max log size = 50M
> >      >          #syslog = 0
> >      >
> >      > [homes]
> >      >          comment = Home Directories
> >      >          browseable = no
> >      >          writable = yes
> >      > #        create mask = 0664
> >      > #        directory mask = 0775
> >      >          force create mode = 0775
> >      >          force directory mode = 0775
> >      > #        force security mode = 664
> >      > #        force directory security mode = 775
> >      >          map archive = no
> >
> >     I think you will find that everyone can get into everyone
else's
> homedir
> >
> > Yes, it was like that before I got to it, so I just left it.
> >
> >
> >      >
> >      >
> >      >     This has been working fine but now I have some
> >      >      > users who suddenly lose write access to their
files,
> >     sometimes.
> >      >     One user
> >      >      > has 2 workstations (1 works always, the other
exhibits
> >     this issue
> >      >     so maybe
> >      >      > a patch on the workstation?). When this happens IF
I give
> >     their
> >      >     files group
> >      >      > write permission they are good again. Does this
ring a
> bell? I
> >      >     have a level
> >      >      > 10 debug of an ACCESS_DENIED test but nothing in
there
> looks
> >      >     obviously
> >      >      > wrong until the ACCESS_DENIED so I can't see
why.
> >      >
> >      >     Are they supposed to have 'user' permissions or
just 'group'
> >      >     permissions, also are you using extended ACL's ?
> >      >
> >      >
> >      > user permissions, all the users on this system have the same
> primary
> >      > group of 1000, No ACLs, or at least not supposed to be.
>
> You really need to use ACL's
>
> >
> >     Would '1000' be the gidNumber for Domain Users ?
> >
> >
> > It's not, It's another group, see below which shows AD mapping
vs NIS
> > mapping:
>
> Where does NIS come into this ? Is a NIS server running somewhere ?
> Or are you just using the ID's NIS used to supply.
>
> >
> > [root at srvlxfs2 ~]# wbinfo -i gdickie
> > gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
> > [root at srvlxfs2 ~]# wbinfo --gid-info=1000
> > engineering access:x:1000:
> > [root at srvlxfs2 ~]# id gdickie
> > uid=1014(gdickie) gid=1000(fpga) groups=1000(fpga)
> > [root at srvlxfs2 ~]#
>
> Does the Domain Users group have a gidNumber, even though you are using
> a different user primarygroupid, Domain Users needs a gidNumber.
>
> >
> > Again, this has all been working 99% except for a few select users at
> > some times. And at those times the uid as shown in smbstatus is
correct.
> >
> > I don't suppose you want to see the level 10 debug log?
>
> No, perhaps later.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 


Greg Dickie
just a guy
514-983-5400

On 19/01/2023 17:33, Greg Dickie wrote:
> Halp?
> 
> Thanks,
> Greg
> 
The problem is that you seem to be running a mish-mash of a system.

Samba is using the uidNumber and gidNumber attributes it finds in AD for 
the users and groups. However there also seems to be NIS involved and 
with the best will in the world, the Samba user 'fred' will never be the
same user as the NIS user 'fred'. It could be that the 'NIS'
user is
getting different permissions to the AD user.

I do not feel that I can help further because I do not have access to 
your system (nor do I want it). The only further input that I can offer 
is, you need to use one authentication system and I think you know which.

Rowland