[Samba] Linux Mint 21.3 client AD joined OK but no usb working

Kees van Vloten keesvanvloten at gmail.com
Thu Mar 28 19:10:32 UTC 2024


On 28-03-2024 19:53, Rowland Penny via samba wrote:
> On Thu, 28 Mar 2024 19:04:44 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 28-03-2024 18:53, Rowland Penny via samba wrote:
>>> On Thu, 28 Mar 2024 11:33:16 +0000
>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Wed, 27 Mar 2024 18:13:16 +0000
>>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>>> Now thinking about apparmor, could this be stopping writing to the
>>>>> drive ?
>>>>>
>>>> No, I removed apparmor and rebooted, no different.
>>>>
>>>> Tried to format the drive, but it seems to have gone read only, so
>>>> used another drive and formatted that.
>>>>
>>>> When I insert the USB drive, it gets mounted on
>>>> /media/rowland/usbdrive1
>>>>
>>>> Checking the permissions on the path, shows this:
>>>>
>>>> rowland at devstation:~$ ls -ld /media/
>>>> drwxr-xr-x 4 root root 4096 Mar 27 17:15 /media/
>>>>
>>>> Anyone can traverse /media
>>>>
>>>> rowland at devstation:~$ ls -ld /media/rowland/
>>>> drwxr-x---+ 3 root root 4096 Mar 28 09:36 /media/rowland/
>>>>
>>>> There is an EA, so check that:
>>>>
>>>> rowland at devstation:~$ getfacl /media/rowland/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: media/rowland/
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:rowland:r-x
>>>> group::---
>>>> mask::r-x
>>>> other::---
>>>>
>>>> Only 'root', members of the 'root' group and 'rowland' can traverse
>>>> /media/rowland
>>>>
>>>> rowland at devstation:~$ ls -ld /media/rowland/usbdrive1/
>>>> drwxr-xr-x 3 root root 4096 Mar 28 09:32 /media/rowland/usbdrive1/
>>>>
>>>> So 'rowland' can traverse to the 'usbdrive1' directory, but only
>>>> 'root' can write to it.
>>>>
>>>> WHY ??????????
>>>>
>>>> It mounts the drive in a directory named after the user, it allows
>>>> the user to get to the drive, but then denies the user the ability
>>>> to write to the drive.
>>>>
>>>> Off to find out just what 'mounts' the drive and how.
>>>>
>>>> Rowland
>>>>
>>> It seems that it is udev and udisks2 that automatically mount the
>>> USB drive after it is plugged into a USB port.
>>> The problem is, as I stated earlier, whilst it is mounted under a
>>> directory with the user's name, it is mounted rwx for root and r-x
>>> for the user (others), which, if you think about it, is probably
>>> correct for a removable drive. Whilst the user may have one ID on a
>>> computer, they may have another ID on a different computer.
>>> The only cure I can find is to change the owner of the USB drives
>>> directory, e.g. chown rowland /media/rowland/usbdrive1
>>>
>>> Rowland
>> I did not read the whole thread back, so perhaps this is long
>> obvious...
>>
>> If the user is a domain-user and the same id-mapping is used
>> everywhere, it should get the same UID/GID everywhere...
> Well yes, but udev & udisks2 are written from the point of view of a
> Linux computer where a user or group may not get the same IDs on
> different computers.
>
> I found this:
>
> https://wiki.archlinux.org/title/Udev#Allowing_regular_users_to_use_devices
>
> Which seems to say that you can make it work for user writing, but it
> sounds like it works on a device by device basis.
>
> I haven't given up on this yet, there must be a way for domain users to
> write to a USB drive without manual intervention.
>
> Rowland

A local daemon will use /etc/nsswitch.conf to look up UIDs and Winbind
can supply them.

In addition I make (domain) users member of these local groups:

audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users

Some users also want to be member of local-groups like: libvirt, kvm, 
docker, vboxusers

You can do this with: usermod -a -G <group> <domain-user>; this
mechanism works much better than pam_group (which does not work for this
purpose).

I do this when a domain-user logs in and the reverse when (s)he logs off
with a script triggered by pam-session; a copy is already in the list
archive somewhere.

- Kees.
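As an added example of the login/logoff mechanism described above (this is not Kees's script from the list archive), a pam_exec session hook that appends the listed local groups on open_session and drops them again on close_session. The script path in the PAM line, the DRY_RUN switch and the test "known to NSS but absent from the local passwd file" as the definition of a domain user are assumptions of this example:

```shell
#!/bin/sh
# Added example, not the script from the thread: a pam_exec session hook that
# adds a domain user to local groups on login and removes them again on logout.
# Assumed PAM line (hypothetical path) in /etc/pam.d/common-session:
#   session optional pam_exec.so /usr/local/sbin/domain-user-groups.sh
# pam_exec(8) exports PAM_USER and PAM_TYPE (open_session / close_session).

LOCAL_GROUPS="audio,video,dialout,cdrom,floppy,lpadmin,plugdev,bluetooth,netdev,pulse-access,users"

# Print the command instead of running it when DRY_RUN is set (for testing).
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Assumption: a "domain user" is one NSS resolves (Winbind, per
# /etc/nsswitch.conf) but who has no entry in the local passwd file.
# The passwd path is a parameter so the check can be run on a constructed file.
is_domain_user() {
    user="$1"; passwd_file="${2:-/etc/passwd}"
    # Fixed-string, whole-line match: names such as DOMAIN\user are not regexes.
    cut -d: -f1 "$passwd_file" | grep -qFx -- "$user" && return 1  # local account
    getent passwd "$user" >/dev/null 2>&1                          # resolvable via NSS?
}

# open_session: supplementary groups are appended (-a), never replaced.
# close_session: each group is dropped with gpasswd -d; not being in a
# group is not an error for our purposes, so failures are ignored.
apply_groups() {
    action="$1"; user="$2"
    case "$action" in
        open_session)
            run usermod -a -G "$LOCAL_GROUPS" "$user" ;;
        close_session)
            for g in $(printf '%s' "$LOCAL_GROUPS" | tr ',' ' '); do
                run gpasswd -d "$user" "$g" || true
            done ;;
    esac
}

# Entry point when invoked by PAM; does nothing when the file is only sourced.
if [ -n "$PAM_USER" ] && [ -n "$PAM_TYPE" ]; then
    if is_domain_user "$PAM_USER"; then
        apply_groups "$PAM_TYPE" "$PAM_USER"
    fi
fi
```

Local accounts are deliberately left untouched, so a stale or attacker-controlled group list can only ever widen the groups of users Winbind already vouches for, not of root or other local users.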
