Samba user quota implementation question

Rowland penny rpenny at samba.org
Thu May 28 07:11:58 UTC 2020


On 28/05/2020 02:27, Krishna Harathi wrote:
>
> Andrew – Tried with "winbind enum users = yes" and "winbind enum 
> groups = yes" configuration, no change or improvement.
>
> Rowland – smb.conf attached.
>
> Regards.
>
> Krishna Harathi
>
> *From: *Andrew Walker <awalker at ixsystems.com>
> *Date: *Wednesday, May 27, 2020 at 4:45 PM
> *To: *Krishna Harathi <krishna.harathi at storagecraft.com>
> *Cc: *Rowland penny <rpenny at samba.org>, Isaac Boukris via 
> samba-technical <samba-technical at lists.samba.org>
> *Subject: *Re: Samba user quota implementation question
>
> Depending on the situation, you may need "winbind enum users = yes" 
> and "winbind enum groups = yes" in your smb.conf for AD user quotas to 
> be enumerated. It might be nice to have some mechanism to override the 
> default user quota enumeration method in Samba. For example "zfs 
> userspace <dataset>" and "zfs groupspace <dataset>" will enumerate 
> user / group quotas on a given dataset (and the equivalent can be 
> obtained (though not trivially easily) through libzfs).
>
> Andrew
>
> On Wed, May 27, 2020 at 6:17 PM Krishna Harathi via samba-technical 
> <samba-technical at lists.samba.org> wrote:
>
>     On the contrary; normally, there is no passwd entry made for an AD
>     user in the local password file.
>
>     The set user-quota (for a user user-quota was not set before) is
>     working fine as intended without any manual addition to local
>     password file.
>
>     I have to manually add the uid/gid entry of the SID/GID of the
>     user authenticated/authorized by AD,  in order for the windows
>     client to list/show the user that has user-quota already set.
>
>     My question is - is it expected to find the subset of AD users
>     with user-quota set in the local password file ?
>     I am trying to figure out if there is any other way to accomplish
>     windows client listing existing quota without this manual
>     intervention.
>     But if this is expected, I will find a way to make those entries
>     in the local password file when a quota for a new user is set.
>
>     Hope this explanation helps to describe the problem more. I will
>     post the actual smb.conf file asap (not available at this moment).
>     We have the "get quota command" and "set quota command" values and
>     AD server with idmap "backend = autorid" and range configured.
>
>     Regards.
>     Krishna Harathi
>
>
>     On 5/27/20, 12:53 PM, "samba-technical on behalf of Rowland penny
>     via samba-technical" <samba-technical-bounces at lists.samba.org
>     on behalf of samba-technical at lists.samba.org> wrote:
>
>         On 27/05/2020 20:42, Krishna Harathi via samba-technical wrote:
>         > Our OneXafe FS  supports share/fs level quota using smb.conf
>         > “set quota command” and “get quota command”.
>         >
>         > We are currently extending support to user-level quotas
>         > using the same interface, when Samba smbd is an AD DC member.
>         >
>         > Setting user quota from a windows client is working as
>         > expected. But once quota is set, none of the users are listed in
>         > the quota’s pop-up window, so cannot delete or modify quota
>         > properties. Moreover, creating a new quota entry for the same user
>         > is generating a “quota entry already exists for this user” error.
>         >
>         > By tracing get/set requests to our file server, I see that
>         > our FS server is receiving a get request for Samba for every user
>         > entry in the local password file, but none for the UID of the DC
>         > member user. But I do see a default quota get request for the
>         > group GID.
>         >
>         > The problem seems to be that the get/set command interface
>         > does not obviously support a “list” user quota api to the hosting FS.
>         >
>         > Questions on this –  We can post and manage user entry
>         > (host-local uid/gid) corresponding to the DC user sid/gid whenever
>         > a “set user quota” is received. I did verify that when an entry is
>         > made manually, windows user quota workflow behaves as expected. Is
>         > the problem assumption correct and is this a way to implement? Is
>         > there a better way, given the constraints?
>         >
>         > We are using Samba 4.7.11 patched with
>         > https://bugzilla.samba.org/show_bug.cgi?id=13553#c17
>         > fix for 4.7.
>         >
>         > Any help on this issue is much appreciated in advance.
>         >
>         > Regards.
>         > Krishna Harathi
>
>         From reading the above, it looks like you are saying that you
>         have the same users in /etc/passwd and AD, is this correct ?
>
>         Can you also please post the entire smb.conf you are using on
>         the OneXafe.
>
>         Rowland
>
>
>
Is this computer a member of a CTDB cluster? If not, remove 'clustering 
= yes'.

You have:

idmap config * : backend = tdb
idmap config * : range = 2000000-2999999

And:

idmap config *: backend = autorid
idmap config *: range = 10000000-2020000000
idmap config *: rangesize = 100000000

You cannot have both ;-)

I would suggest you remove the first two lines.

You have a share called 'Public' with 'guest ok = yes' and presumably it 
is supposed to be a public share, it isn't, because you do not have 'map 
to guest = bad user' set in '[global]'. I also cannot see how quota is 
going to work on a share where everything is going to end up belonging 
to nobody:nogroup.

Finally if 'path = /exports/Public' and 'path = /exports/TestQ' means 
that you are sharing NFS shares via Samba, then this is never a good idea.

Rowland
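
The checks raised in the reply above, written as a small smb.conf lint. This is an added example, not part of the original message and not Samba code: the sample file is constructed from the lines quoted in the reply (the poster's attachment is not on the page), and the names norm, parse and lint are hypothetical. It relies on smb.conf(5) treating case and whitespace in parameter names as irrelevant, which is why 'idmap config * :' and 'idmap config *:' collide.

```python
import re
from collections import defaultdict

# Constructed sample built from the lines quoted in the reply.
SAMPLE_SMB_CONF = """\
[global]
    clustering = yes
    idmap config * : backend = tdb
    idmap config * : range = 2000000-2999999
    idmap config *: backend = autorid
    idmap config *: range = 10000000-2020000000
    idmap config *: rangesize = 100000000

[Public]
    path = /exports/Public
    guest ok = yes
"""

def norm(name):
    # smb.conf(5): case and whitespace in section/parameter names are irrelevant
    return re.sub(r"\s+", "", name).lower()

def parse(text):  # -> {section: {normalized_param: [values in file order]}}
    conf, section = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)].append(value.strip())
    return conf

def lint(text):
    conf, findings = parse(text), []
    glob = conf.get("global", {})
    for key, values in glob.items():
        if key.startswith("idmapconfig") and len(set(values)) > 1:
            findings.append(f"conflicting {key}: {values}")
    if glob.get("clustering", [""])[-1].lower() == "yes":
        findings.append("clustering = yes: only valid on a CTDB cluster member")
    if glob.get("maptoguest", [""])[-1].lower() != "bad user":
        for name, params in conf.items():
            if params.get("guestok", [""])[-1].lower() == "yes":
                findings.append(f"[{name}] guest ok = yes without map to guest = bad user")
    return findings

print("\n".join(lint(SAMPLE_SMB_CONF)))
```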




