Rowland Penny
2024-Mar-28 18:53 UTC
[Samba] Linux Mint 21.3 client AD joined OK but no usb working
On Thu, 28 Mar 2024 19:04:44 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:

>
> On 28-03-2024 18:53, Rowland Penny via samba wrote:
> > On Thu, 28 Mar 2024 11:33:16 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On Wed, 27 Mar 2024 18:13:16 +0000
> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
> >>> Now thinking about apparmor, could this be stopping writing to the
> >>> drive ?
> >>>
> >> No, I removed apparmor and rebooted, no different.
> >>
> >> Tried to format the drive, but it seems to have gone read only, so
> >> used another drive and formatted that.
> >>
> >> When I insert the USB drive, it gets mounted on
> >> /media/rowland/usbdrive1
> >>
> >> Checking the permissions on the path, shows this:
> >>
> >> rowland@devstation:~$ ls -ld /media/
> >> drwxr-xr-x 4 root root 4096 Mar 27 17:15 /media/
> >>
> >> Anyone can traverse /media
> >>
> >> rowland@devstation:~$ ls -ld /media/rowland/
> >> drwxr-x---+ 3 root root 4096 Mar 28 09:36 /media/rowland/
> >>
> >> There is an EA, so check that:
> >>
> >> rowland@devstation:~$ getfacl /media/rowland/
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: media/rowland/
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> user:rowland:r-x
> >> group::---
> >> mask::r-x
> >> other::---
> >>
> >> Only 'root', members of the 'root' group and 'rowland' can traverse
> >> /media/rowland
> >>
> >> rowland@devstation:~$ ls -ld /media/rowland/usbdrive1/
> >> drwxr-xr-x 3 root root 4096 Mar 28 09:32 /media/rowland/usbdrive1/
> >>
> >> So 'rowland' can traverse to the 'usbdrive1' directory, but only
> >> 'root' can write to it.
> >>
> >> WHY ??????????
> >>
> >> It mounts the drive in a directory named after the user, it allows
> >> the user to get to the drive, but then denies the user the ability
> >> to write to the drive.
> >>
> >> Off to find out just what 'mounts' the drive and how.
> >>
> >> Rowland
> >>
> > It seems that it is udev and udisks2 that automatically mount the
> > USB drive after it is plugged into a USB port.
> > The problem is, as I stated earlier, whilst it is mounted under a
> > directory with the user's name, it is mounted rwx for root and r-x
> > for the user (others), which, if you think about it, is probably
> > correct for a removable drive. Whilst the user may have one ID on a
> > computer, they may have another ID on a different computer.
> > The only cure I can find is to change the owner of the USB drive's
> > directory, e.g. chown rowland /media/rowland/usbdrive1
> >
> > Rowland
>
> I did not read the whole thread back, so perhaps this is long
> obvious...
>
> If the user is a domain-user and the same id-mapping is used
> everywhere, it should get the same UID/GID everywhere...

Well yes, but udev & udisks2 are written from the point of view of a
Linux computer where a user or group may not get the same IDs on
different computers.

I found this:

https://wiki.archlinux.org/title/Udev#Allowing_regular_users_to_use_devices

Which seems to say that you can make it work for user writing, but it
sounds like it works on a device by device basis.

I haven't given up on this yet, there must be a way for domain users to
write to a USB drive without manual intervention.

Rowland
Kees van Vloten
2024-Mar-28 19:10 UTC
[Samba] Linux Mint 21.3 client AD joined OK but no usb working
On 28-03-2024 19:53, Rowland Penny via samba wrote:
> On Thu, 28 Mar 2024 19:04:44 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 28-03-2024 18:53, Rowland Penny via samba wrote:
>>> On Thu, 28 Mar 2024 11:33:16 +0000
>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Wed, 27 Mar 2024 18:13:16 +0000
>>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>>> Now thinking about apparmor, could this be stopping writing to the
>>>>> drive ?
>>>>>
>>>> No, I removed apparmor and rebooted, no different.
>>>>
>>>> Tried to format the drive, but it seems to have gone read only, so
>>>> used another drive and formatted that.
>>>>
>>>> When I insert the USB drive, it gets mounted on
>>>> /media/rowland/usbdrive1
>>>>
>>>> Checking the permissions on the path, shows this:
>>>>
>>>> rowland@devstation:~$ ls -ld /media/
>>>> drwxr-xr-x 4 root root 4096 Mar 27 17:15 /media/
>>>>
>>>> Anyone can traverse /media
>>>>
>>>> rowland@devstation:~$ ls -ld /media/rowland/
>>>> drwxr-x---+ 3 root root 4096 Mar 28 09:36 /media/rowland/
>>>>
>>>> There is an EA, so check that:
>>>>
>>>> rowland@devstation:~$ getfacl /media/rowland/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: media/rowland/
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:rowland:r-x
>>>> group::---
>>>> mask::r-x
>>>> other::---
>>>>
>>>> Only 'root', members of the 'root' group and 'rowland' can traverse
>>>> /media/rowland
>>>>
>>>> rowland@devstation:~$ ls -ld /media/rowland/usbdrive1/
>>>> drwxr-xr-x 3 root root 4096 Mar 28 09:32 /media/rowland/usbdrive1/
>>>>
>>>> So 'rowland' can traverse to the 'usbdrive1' directory, but only
>>>> 'root' can write to it.
>>>>
>>>> WHY ??????????
>>>>
>>>> It mounts the drive in a directory named after the user, it allows
>>>> the user to get to the drive, but then denies the user the ability
>>>> to write to the drive.
>>>>
>>>> Off to find out just what 'mounts' the drive and how.
>>>>
>>>> Rowland
>>>>
>>> It seems that it is udev and udisks2 that automatically mount the
>>> USB drive after it is plugged into a USB port.
>>> The problem is, as I stated earlier, whilst it is mounted under a
>>> directory with the user's name, it is mounted rwx for root and r-x
>>> for the user (others), which, if you think about it, is probably
>>> correct for a removable drive. Whilst the user may have one ID on a
>>> computer, they may have another ID on a different computer.
>>> The only cure I can find is to change the owner of the USB drive's
>>> directory, e.g. chown rowland /media/rowland/usbdrive1
>>>
>>> Rowland
>> I did not read the whole thread back, so perhaps this is long
>> obvious...
>>
>> If the user is a domain-user and the same id-mapping is used
>> everywhere, it should get the same UID/GID everywhere...
> Well yes, but udev & udisks2 are written from the point of view of a
> Linux computer where a user or group may not get the same IDs on
> different computers.
>
> I found this:
>
> https://wiki.archlinux.org/title/Udev#Allowing_regular_users_to_use_devices
>
> Which seems to say that you can make it work for user writing, but it
> sounds like it works on a device by device basis.
>
> I haven't given up on this yet, there must be a way for domain users to
> write to a USB drive without manual intervention.
>
> Rowland

A local daemon will use /etc/nsswitch.conf to look up UIDs and Winbind
can supply them.

In addition I make (domain) users members of these local groups:
audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users

Some users also want to be members of local groups like: libvirt, kvm,
docker, vboxusers

You can do this with: usermod -a -G <group> <domain-user>, this
mechanism works much better than pam_group (which does not work for
this purpose).

I do this when a domain-user logs in and the reverse when (s)he logs
off with a script triggered by pam-session, a copy is already in the
list archive somewhere.

- Kees.
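As an added example (my own code, not the script Kees refers to, which is not on this page), a POSIX sh hook for pam_exec that does what he describes: it adds a domain user to the local groups he lists at open_session and removes those memberships again at close_session. Assumptions: pam_exec.so exports PAM_USER and PAM_TYPE to the script; a name that getent resolves (Winbind via nsswitch) but that is absent from /etc/passwd is a domain user; the DRY_RUN switch and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not the script from the list archive: a pam_exec session
# hook that grants a domain user the local groups below at login and
# revokes them at logout. Assumptions: pam_exec.so exports PAM_USER and
# PAM_TYPE; a name that getent resolves (Winbind via nsswitch) but that is
# absent from /etc/passwd is a domain user; DRY_RUN is this example's own
# switch. docker, kvm and libvirt are left out of the default list: docker
# membership in particular is root-equivalent, so grant such groups per user.

LOCAL_GROUPS="audio video dialout cdrom floppy lpadmin plugdev bluetooth netdev pulse-access users"

# members_of GROUP: comma-separated member list of a local group (/etc/group via NSS).
members_of() { getent group "$1" 2>/dev/null | cut -d: -f4; }

# in_group USER GROUP: succeeds when USER is an explicit member of local GROUP.
in_group() { case ",$(members_of "$2")," in *",$1,"*) return 0 ;; *) return 1 ;; esac; }

# is_domain_user NAME: resolvable through NSS but not a local /etc/passwd account.
is_domain_user() {
    getent passwd "$1" >/dev/null 2>&1 || return 1
    ! cut -d: -f1 /etc/passwd | grep -qxF -- "$1"
}

# run CMD...: print the command instead of executing it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# apply_session open_session|close_session USER
apply_session() {
    user="$2"
    case "$1" in
        open_session)
            missing=""
            for g in $LOCAL_GROUPS; do          # collect the groups the user lacks
                in_group "$user" "$g" || missing="${missing:+$missing,}$g"
            done
            if [ -n "$missing" ]; then run usermod -a -G "$missing" "$user"; fi
            ;;
        close_session)
            for g in $LOCAL_GROUPS; do          # gpasswd -d drops one membership at a time
                if in_group "$user" "$g"; then run gpasswd -d "$user" "$g"; fi
            done
            ;;
    esac
    return 0
}

# Entry point under pam_exec: PAM_USER and PAM_TYPE are set by PAM, not by the user.
if [ -n "${PAM_TYPE:-}" ] && [ -n "${PAM_USER:-}" ] && is_domain_user "$PAM_USER"; then
    apply_session "$PAM_TYPE" "$PAM_USER"
fi
```

It is hooked in with a line such as `session optional pam_exec.so /usr/local/sbin/domain-groups.sh` in the relevant PAM service file (the path is an assumption). Running it by hand with DRY_RUN=1 and PAM_TYPE/PAM_USER set shows the usermod/gpasswd commands it would issue without changing anything.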