Tamás Papp
2024-Jun-22 09:34 UTC
[Samba] Random permission denied and path not found errors
I have upgraded one of the servers to 4.20 from MJT's repository, however it's not the main one and has way lower traffic load.

I have also removed the entries that you suggested.

Besides these changes I started wondering about two other workarounds.

1. Is it possible to add and authenticate a local user when the samba server is an AD member?
I would add a local user and render machines would map the share with that user.

2. Is there any option to cache AD users better?
My assumption is that the user id or gid does not resolve properly and that's the root cause.

Could you advise, please?

On June 17, 2024 20:20:49 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 17 Jun 2024 19:47:04 +0200
> Tamas Papp via samba <samba at lists.samba.org> wrote:
>
>>
>> On 6/17/24 16:15, Rowland Penny via samba wrote:
>>> Are your incus containers privileged ?
>>
>> Yes.
>>
>>> I should also point out that, from the Samba point of view, 4.15.13
>>> is EOL.
>>
>>
>> I can upgrade samba (ubuntu), but would only do if there is any
>> relevant change/fix/improvement. The release notes are quite long and
>> in many cases I am unsure about the meaning of the content.
>>
>> Ubuntu 24.04 includes 4.19.5+dfsg-4ubuntu9.
>
> There have been numerous fixes since 4.15.x , using the most recent
> version of Samba possible is always a good idea.
>
>>
>>> No idea because I haven't a clue how you are running Samba, for all
>>> I know, you could be running sssd on a Samba fileserver.
>>>
>>> Might be an idea if you post the output of 'testparm -s'
>>
>>
>> Good point, I missed adding the configuration.
>>
>> The windows server is an AD DC and samba is AD member:
>>
>>
>> # Global parameters
>> [global]
>>     kerberos method = secrets and keytab
>>     log file = /var/log/samba/log.%m
>>     logging = file
>>     map to guest = Bad User
>>     max log size = 1000
>>     obey pam restrictions = Yes
>>     pam password change = Yes
>>     panic action = /usr/share/samba/panic-action %d
>>     passwd chat = *Enter\snew\s*\spassword:* %n\n
>>     *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>     passwd program = /usr/bin/passwd %u
>>     realm = SPECTRALSTUDIOS.LOCAL
>>     security = ADS
>>     server role = standalone server
>>     server string = %h server (Samba, Ubuntu)
>>     template homedir = /home/%U@%D
>>     template shell = /bin/bash
>>     unix password sync = Yes
>>     usershare allow guests = Yes
>>     winbind offline logon = Yes
>>     winbind refresh tickets = Yes
>>     workgroup = SPECTRALSTUDIOS
>>     idmap config * : range = 10000-999999
>>     idmap config spectralstudios : backend = rid
>>     idmap config spectralstudios : range = 2000000-2999999
>>     idmap config * : backend = tdb
>>
>> [HUNY_asset]
>>     comment = HUNY/asset
>>     create mask = 0664
>>     directory mask = 02775
>>     force create mode = 0664
>>     force directory mode = 02775
>>     path = /data/Projects/HUNY/asset
>>     read only = No
>>     valid users = "@spectralstudios\domain users"
>>
>>
>> There are more shares but the configuration is the same.
>
> Hmm, did you take the standard Ubuntu smb.conf and then add to it ?
> I ask this because you have numerous lines that do not really have a
> place in Unix domain member smb.conf
>
> I would definitely remove these lines:
>
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
>     %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     server role = standalone server
>     unix password sync = Yes
>
> Unless you have 'guest ok = yes' or 'public = yes' set in a share (if
> so why ?) then I would remove this line:
>
>     map to guest = Bad User
>
> Also if you are not going to be using usershares, I would remove this
> line:
>
>     usershare allow guests = Yes
>
> Turning to your share, add these lines to 'global':
>
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>
> then make your share look like this:
>
> [HUNY_asset]
>     comment = HUNY/asset
>     read only = No
>
> Then read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland

Rowland Penny
2024-Jun-22 09:56 UTC
[Samba] Random permission denied and path not found errors
On Sat, 22 Jun 2024 11:34:21 +0200
Tamás Papp <t.papp at spectral.hu> wrote:

> I have upgraded one of the servers to 4.20 from MJT's repository,
> however it's not the main one and has way lower traffic load.
>
> I have also removed the entries that you suggested.

I am taking it that your Unix domain members smb.conf now looks similar to this:

[global]
    workgroup = SPECTRALSTUDIOS
    realm = SPECTRALSTUDIOS.LOCAL
    security = ADS

    server string = %h server (Samba, Ubuntu)
    kerberos method = secrets and keytab
    log file = /var/log/samba/log.%m
    logging = file
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d

    winbind offline logon = Yes
    winbind refresh tickets = Yes

    idmap config * : backend = tdb
    idmap config * : range = 10000-999999
    idmap config spectralstudios : backend = rid
    idmap config spectralstudios : range = 2000000-2999999

    template homedir = /home/%U@%D
    template shell = /bin/bash

    vfs objects = acl_xattr
    map acl inherit = Yes

[HUNY_asset]
    comment = HUNY/asset
    path = /data/Projects/HUNY/asset
    read only = No

>
> Besides these changes I started wondering about two other workarounds.
>
> 1. Is it possible to add and authenticate a local user when the samba
> server is an AD member?

No, a local user is just that, a local user and is unknown to Samba.

> I would add a local user and render machines would map the share with
> that user.

Sorry, but that, in my opinion, would not work.

>
> 2. Is there any option to cache AD users better?

They should already be cached, but you could try adding 'winbind offline login = yes' to the smb.conf

> My assumption is that the user id or gid does not resolve properly
> and that's the root cause.

If they are not resolving, then there must be a reason, which is usually dns, I take it that the Unix domain members are using the Samba DCs as their nameservers ?

Rowland
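
Added example, not part of either post and not Samba project code: a small lint that reads an smb.conf and reports the [global] parameters this thread singles out for removal on a Unix domain member. The function names and the constructed sample config are assumptions made for illustration.

```python
import re

# Parameters the thread says to drop from a Unix domain member's [global].
REMOVE = {"obey pam restrictions", "pam password change", "passwd chat",
          "passwd program", "unix password sync"}
TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint_member_conf(text):  # returns [(action, parameter), ...]
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = [("remove", p) for p in sorted(REMOVE & glob.keys())]
    if glob.get("server role", "").lower() == "standalone server":
        findings.append(("remove", "server role"))
    guest_share = any(s.get(k, "no").lower() in TRUE
                      for n, s in conf.items() if n != "global"
                      for k in ("guest ok", "public"))
    if "map to guest" in glob and not guest_share:
        findings.append(("remove", "map to guest"))   # no share allows guests
    if "usershare allow guests" in glob:
        findings.append(("review", "usershare allow guests"))
    return findings

# Constructed sample, abridged from the configuration posted in the thread.
SAMPLE_CONF = """\
[global]
    map to guest = Bad User
    passwd program = /usr/bin/passwd %u
    server role = standalone server
[HUNY_asset]
    read only = No
"""
```

Calling `lint_member_conf(SAMPLE_CONF)` returns the findings as a list; an empty list means none of the flagged parameters are present.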