[Samba] chown: changing ownership of 'test': Invalid argument
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 10 09:12:30 UTC 2019
I forgot, post also:
cat /etc/idmapd.conf
(I'm adding it to the debug-collector atm)
There might be a mistake in detecting the Domain or Local-Realm.
I suggest adding this:
Domain = jeoffice.jacklin.co.za
Local-Realm = JEOFFICE.JACKLIN.CO.ZA
see if that helps.
Greetz,
Louis
From: Ian Coetzee [mailto:samba at iancoetzee.za.net]
Sent: Wednesday 10 April 2019 10:17
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] chown: changing ownership of 'test': Invalid argument
Hi Louis,
Thank you. I will add those lines and test. Will revert shortly.
As requested. The output:
root@ho-vpn-ctx-ac01:~# cat /tmp/samba-debug-info.txt
Collected config --- 2019-04-10-08:12 -----------
Hostname: ho-vpn-ctx-ac01
DNS Domain: jeoffice.jacklin.co.za
FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za
ipaddress: 10.10.18.50 10.10.11.50
-----------
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 9.8 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
44: native0@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:c1:2a:15:5c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.10.18.50/24 brd 10.10.18.255 scope global native0
inet6 fe80::2c1:2aff:fe15:5cfe/64 scope link
46: dmz0@if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:c1:b1:ea:6c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.10.11.50/24 brd 10.10.11.255 scope global dmz0
inet6 fe80::2c1:b1ff:feea:6cfe/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# --- BEGIN PVE ---
10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01
# --- END PVE ---
-----------
Checking file: /etc/resolv.conf
# --- BEGIN PVE ---
search jeoffice.jacklin.co.za
nameserver 10.10.10.4
# --- END PVE ---
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = JEOFFICE.JACKLIN.CO.ZA
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
workgroup = JEOFFICE
realm = JEOFFICE.JACKLIN.CO.ZA
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
# winbind offline logon = true
winbind enum groups = true
netbios name = ho-vpn-ctx-ac01
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config JEOFFICE : backend = rid
idmap config JEOFFICE : range = 3200000-3300000
winbind nss info = template
-----------
Running as Unix domain member and no user.map detected.
-----------
Installed packages:
ii acl 2.2.52-3+b1 amd64 Access control list utilities
ii attr 1:2.4.47-2+b2 amd64 Utilities for manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files for Kerberos Version 5
ii krb5-locales 1.15-1+deb9u1 all internationalization support for MIT Kerberos
ii krb5-user 1.15-1+deb9u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-3+b1 amd64 Access control list shared library
ii libacl1-dev 2.2.52-3+b1 amd64 Access control list static libraries and headers
ii libattr1:amd64 1:2.4.47-2+b2 amd64 Extended attribute shared library
ii libattr1-dev:amd64 1:2.4.47-2+b2 amd64 Extended attribute static libraries and headers
ii libgssapi-krb5-2:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.15-1+deb9u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.9.6+nmu-1.0debian1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba winbind client library
ii python-samba 2:4.9.6+nmu-1.0debian1 amd64 Python bindings for Samba
ii samba 2:4.9.6+nmu-1.0debian1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.9.6+nmu-1.0debian1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.9.6+nmu-1.0debian1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.9.6+nmu-1.0debian1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.9.6+nmu-1.0debian1 amd64 service to resolve user and group information from Windows NT servers
-----------
On Wed, 10 Apr 2019 at 09:37, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
Hai Ian,
Can you run my setup debugger..
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Anonymize where needed and post output.
Because when I run this, it works fine.
chown -v username test-own.txt
changed ownership of 'test-own.txt' from root to username
And yes, this user only exists in AD.
Check if attr and acl are installed also.
And if the smb.conf below is complete then you're missing:
# For ACL support on member servers with shares
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
The difference between you and me, in smb.conf as far as I can tell now.
Me backend AD. You RID.
Me
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
You ( only secrets )
I've just tested these versions because today my vpn needed the upgrades of samba also.
I've tested and upgraded from 4.8.9 up to 4.8.11, 4.9.6 and 4.10.2
It still might be a bug, but I need more info.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ian Coetzee via samba
> Sent: Wednesday 10 April 2019 9:04
> To: Samba List
> Subject: [Samba] chown: changing ownership of 'test': Invalid argument
>
> Hi All,
>
> I have a very weird issue on one of my servers. I think I might just be
> missing something quite obviously... I will post the config files at the
> bottom
>
> I have a brand new Debian server running as an LXC container
>
> > root@ho-vpn-ctx-ac01:~# lsb_release -a
> > No LSB modules are available.
> > Distributor ID: Debian
> > Description: Debian GNU/Linux 9.8 (stretch)
> > Release: 9.8
> > Codename: stretch
> > root@ho-vpn-ctx-ac01:~# uname -a
> > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 (Wed, 13 Mar 2019 08:24:42 +0100) x86_64 GNU/Linux
> > root@ho-vpn-ctx-ac01:~#
> >
>
> I am running said server as a domain member using the latest packages in
> Louis' 4.9 branch
>
> > root@ho-vpn-ctx-ac01:~# net -V
> > Version 4.9.6-Debian
> > root@ho-vpn-ctx-ac01:~# net ads testjoin
> > Join is OK
> >
>
> The join seems to be good, nsswitch is working
>
> > root@ho-vpn-ctx-ac01:~# wbinfo -i ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > root@ho-vpn-ctx-ac01:~# getent passwd ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> >
>
> Yet when I try to change the ownership of a file to a domain user, it
> fails with "Invalid argument"
>
> > root@ho-vpn-ctx-ac01:~# chown -v ianc test
> > chown: changing ownership of 'test': Invalid argument
> > failed to change ownership of 'test' from root to ianc
> > root@ho-vpn-ctx-ac01:~# chown -v jeadmin test
> > changed ownership of 'test' from root to jeadmin
> > root@ho-vpn-ctx-ac01:~# getent passwd jeadmin
> > jeadmin:x:1000:27::/home/jeadmin:/bin/bash
> >
>
> It works however when changing to a local user. So it looks like the issue
> might be in samba. This is the first time I have had this problem after
> quite a few other servers (a mix between CentOS, Debian and Ubuntu) have
> already been joined to the domain using the exact same smb.conf.
>
> On a side note, I am also unable to log into the server using domain
> credentials, which I am currently attributing to the same cause.
>
> Can you guys maybe point me in the right direction where I might start to
> troubleshoot further?
>
> Kind regards
> Ian
>
> Configs:
>
> root@ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
> [global]
> workgroup = JEOFFICE
> realm = JEOFFICE.JACKLIN.CO.ZA
> security = ADS
> template homedir = /home/%D/%U
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> # winbind offline logon = true
> winbind enum groups = true
>
> netbios name = ho-vpn-ctx-ac01
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 70001-80000
> idmap config JEOFFICE : backend = rid
> idmap config JEOFFICE : range = 3200000-3300000
>
> winbind nss info = template
> root@ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis