[Samba] User permissions of profile/home directory lost
Paul R. Ganci
ganci at nurdog.com
Fri Mar 2 03:08:29 UTC 2018
On 03/01/2018 01:02 AM, Rowland Penny wrote:
> Is this a PDC (NT4-style domain) or an AD DC ?
> Either way, I have never heard of anything like this happening before,
> perhaps it might help if you post your smb.conf.
Hi Rowland,
Whatever is occurring has happened again today. I had to "chown -R" my
wife's home/Profile directories and files. Very strange and makes me
wonder if she doesn't have some kind of malware on her laptop. I am
checking that now.
In any case let me answer your questions. The DC is an AD DC. I
originally set it up with an early 4.0 version of Samba. Over time I
haven't really done anything to the configuration. However, there were a
few things necessary as the behavior of Samba ADs changed with new
versions. Before I show the smb.conf file several historical things
should be noted.
1.) I originally used a RID back-end. However, I was persuaded on a
10/22/2013 thread to switch to an AD back-end. I did that but kept the
RID generated UID/GID. You had mentioned in another thread that was
confusing but I never changed to saner UIDs/GIDs because everything
worked as it was.
2.) There is a long "server services" line that at one point you had
questioned in an early thread when winbind on the DC behavior changed.
You pointed out what I had was equivalent to something simpler albeit I
couldn't find the thread but it was around the time I updated from
4.1.18 to 4.2.2.
3.) I have the winbind enum groups/users set to yes purposely. I have so
few users there is no penalty really. It is nice to have getent
enumerate all the users and groups for debug reasons. That is usually
one of the first things I do after an upgrade.
4.) The original set up is what I could find on the web back in the fall
of 2013 when I setup the domain. Everything has worked relatively
flawlessly until this week (2/25/2018) so that is nearly 5 years without
doing much maintenance except Samba updates.
Presently the AD DC runs on a Dell 2950iii with CentOS 6.9 and the Sernet
packages, version 4.7.5-10. I am not sure, but I think this problem
occurred with an update from a 4.7.4 version. I was thinking of
downgrading to see if the problem disappears.
Here is a sanitized version of the smb.conf on the AD DC and some other
Linux stuff from the DC:
[global]
server string = Active Directory Server
workgroup = MYDOM
realm = MYDOM.NURDOG.COM
netbios name = NIKITA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
bind interfaces only = yes
interfaces = br0 lo
encrypt passwords = true
kerberos method = secrets and keytab
winbind use default domain = yes
winbind offline logon = false
winbind enum groups = yes
winbind enum users = yes
# winbind separator = +
winbind nss info = rfc2307
map untrusted to domain = no
template homedir = /home/%U
template shell = /bin/bash
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/mydom.nurdog.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[Profiles]
path = /home/Profiles/
read only = No
[home]
path = /home
read only = No
The two users have these IDs as determined by getent:
MYDOM\mywife:*:3001108:3000513::/home/mywife_home:/bin/bash
MYDOM\me:*:3001107:3000513::/home/my_home:/bin/bash
Home directories:
drwx------+ 43 MYDOM\mywife MYDOM\domain users 4096 Feb 28 23:02 mywife_home
drwx------+ 80 MYDOM\me MYDOM\domain users 20480 Feb 28 08:21 my_home
Profile directories:
drwxrwx---+ 17 MYDOM\mywife MYDOM\domain users 4096 Mar 1 17:19 mywife.V2
drwxrwx---+ 20 MYDOM\me MYDOM\domain users 4096 Feb 28 20:15 me.V2
Everything looks just like I show when the problem occurs. There will be
a permission denied error once the problem occurs even though everything
looks good. It only happens to my wife's account. She is on a Windows 7
Professional laptop for most of the day. I am always on Linux and have
not experienced any problems. The issue affects both the Windows and
Linux accounts. It really is like mywife's file ownership is lost even
though Linux says everything is good. And when the problem occurs,
authentication still works. It is possible to log on to the DC with
mywife's account but access to the home directory is denied. Very
strange problem indeed.
Thank you for your help.
--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
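The trailing "+" in the ls -l listings above means the home and profile directories carry an extended POSIX ACL. A chown -R only rewrites the owner and group fields; it does not touch the named ACL entries or the ACL mask, and the mask caps the effective rights of every named user, named group and owning-group entry. That is one way a directory can look correctly owned in ls while access is still denied, and it is the first thing worth checking with getfacl when the symptom recurs. The script below is an added example, not code from the post or from the Samba project: it parses getfacl's text output (including its octal escapes such as \134 for a backslash and \040 for a space), applies the mask the way the kernel does, and cross-checks the ACL owner against a getent passwd line. The sample getfacl and getent lines are constructed to resemble the listings in the post, with a deliberately restrictive mask so the check has something to report.

```python
"""Cross-check a home/profile directory's POSIX ACL against getent output.

Added example; the SAMPLE_* inputs are constructed, not captured from the
poster's DC.  Feed it real output from `getfacl <dir>` and
`getent passwd <user>` to use it for real.
"""
import re

# getfacl escapes special characters as backslash + three octal digits
# ('\040' for space, '\134' for a literal backslash).
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(s):
    """Undo getfacl's octal escaping."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), s)


def perm_bits(p):
    """'r-x' -> 5; rwx text as used in getfacl entries."""
    return (4 if p[0] == "r" else 0) | (2 if p[1] == "w" else 0) | (1 if p[2] == "x" else 0)


def bits_perm(b):
    """5 -> 'r-x'."""
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")


def parse_getfacl(text):
    """Parse one getfacl block into {'file', 'owner', 'group', 'entries'}.

    Entries are (tag, qualifier, perm) tuples; the qualifier is '' for the
    owner (user::), owning group (group::), mask and other entries.
    """
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header lines: '# file: ...', '# owner: ...', '# group: ...'
            key, _, val = line[1:].strip().partition(": ")
            if key in acl:
                acl[key] = unescape(val)
            continue
        # Drop the '#effective:...' annotation getfacl appends when the
        # mask already limits an entry; we recompute it ourselves.
        line = line.split("#", 1)[0].strip()
        parts = line.split(":")
        if len(parts) < 3:
            continue
        tag, perm = parts[0], parts[-1]
        qualifier = unescape(":".join(parts[1:-1]))
        acl["entries"].append((tag, qualifier, perm))
    return acl


def effective_rights(acl):
    """Return (tag, qualifier, nominal, effective) per entry.

    The mask applies to named users, named groups and the owning group;
    the owner (user::), the mask itself and 'other' are never masked.
    """
    mask = next((perm_bits(p) for t, q, p in acl["entries"] if t == "mask"), 7)
    result = []
    for tag, qualifier, perm in acl["entries"]:
        nominal = perm_bits(perm)
        masked = tag in ("user", "group") and (qualifier != "" or tag == "group")
        effective = nominal & mask if masked else nominal
        result.append((tag, qualifier, bits_perm(nominal), bits_perm(effective)))
    return result


def check_home(getent_line, getfacl_text):
    """Return a list of findings; an empty list means the ACL is consistent
    with the account and no entry is being cut down by the mask."""
    findings = []
    acl = parse_getfacl(getfacl_text)
    account = getent_line.split(":")[0]
    if acl["owner"] != account:
        findings.append(f"owner mismatch: ACL owner {acl['owner']!r}, getent user {account!r}")
    for tag, qualifier, nominal, effective in effective_rights(acl):
        if effective != nominal:
            findings.append(f"{tag}:{qualifier}: nominal {nominal} but effective {effective} (mask)")
    return findings


# Constructed sample input, modelled on the post's listings (not real output).
SAMPLE_GETENT = r"MYDOM\mywife:*:3001108:3000513::/home/mywife_home:/bin/bash"
SAMPLE_GETFACL = r"""# file: mywife_home
# owner: MYDOM\134mywife
# group: MYDOM\134domain\040users
user::rwx
user:MYDOM\134me:r-x
group::r-x
group:MYDOM\134domain\040users:rwx
mask::r--
other::---
"""

if __name__ == "__main__":
    for finding in check_home(SAMPLE_GETENT, SAMPLE_GETFACL) or ["no findings"]:
        print(finding)
```

On the DC itself, `getfacl /home/mywife_home` and `getent passwd mywife` supply the two inputs. Because this is an AD DC using s3fs, the Windows-side permissions are the NT ACL Samba stores in an extended attribute, so `samba-tool ntacl get /home/mywife_home` is the complementary check for what the Windows 7 client actually sees; a chown on the Linux side does not rewrite that attribute either.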