[Samba] Permission Issue

Benedikt Kaleß benedikt.kaless at forumZFD.de
Thu Aug 29 07:16:51 UTC 2019


Hi,

this configuration doesn't make any difference in daily life. So perhaps
an ID-Mapping problem?

an ldbsearch --url=/var/lib/samba/private/sam.ldb

shows

dn: CN=Team IT and facilities,OU=HO,OU=example,DC=com,DC=de
objectClass: top
objectClass: group
cn: Team
instanceType: 4
whenCreated: 20180731103742.0Z
uSNCreated: 3631
name: Team
objectGUID: 7a27f859-97dc-4cf8-b4b1-c7b7cfe0f585
objectSid: S-1-5-21-1996849273-3222042488-349429296-101163
sAMAccountName: Team
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
whenChanged: 20190723103748.0Z
uSNChanged: 39294
member::
Q049QmVuZWRpa3QgS2FsZcOfLE9VPVRlYW0gSVQgJiBGYWNpbGl0eSBNYW5hZ2VtZW50L
 E9VPUV4ZWN1dGl2ZSBCb2FyZCBGaW5hbmNlXCwgSFJcLCBBZG1pbmlzdHJhdGlvbixPVT1ITyxPVT
 1aRkQsREM9emZkLERDPWZvcnVtemZkLERDPWRl
member: CN=Testuser,OU=IRK,OU=ZFD,DC=zfd,DC=forumzfd,DC=de
distinguishedName: CN=Team,OU=HO,OU=,Example,DC=com,D
 C=de

So, I assume that the uid on the ctdb and a standalone fileserver has to
be 101163, right?

The ctdb shows the uid 103150, the fileserver 102150

That can't be okay and I think I have to search further regarding this
issue.

Is there any offset configured?

Best

Bene


On 29.08.19 at 08:46, L.P.H. van Belle via samba wrote:
> Hai,
>
> Great to hear I could help one with a gluster problem :-)
>
> And of course you're allowed to keep us up2date.
> So yes, please, by doing that and sharing the configs it might help other people.
>
> Greetz, 
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Benedikt Kaleß via samba
> > Sent: Wednesday 28 August 2019 17:37
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Permission Issue
> > 
> > Hi,
> > 
> > of course you can not know everything :) I'm glad to have your support!
> > Thank you.
> > 
> > Actually I did a gluster_client fuse mount and set up the share in the
> > registry "old fashioned".
> > 
> > I changed that now to the following:
> > 
> > [share]
> >     comment = Archivdateien der Abteilung Projekte
> >     read only = no
> >     vfs objects = acl_xattr glusterfs
> >     glusterfs:volume = gv-ho
> >     glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
> >     glusterfs:loglevel = 3
> >     glusterfs:volfile_server = gluster1 gluster3
> >     kernel share modes = no
> >     path = /data/share
> > 
> > Of course I added your recommendations as well like "store dos attributes"...
> > 
> > It looks good at the moment. But I will keep you updated here, if I'm
> > allowed to.
> > 
> > Best regards
> > 
> > Bene
> > 
> > 
> > On 28.08.19 at 15:56, L.P.H. van Belle via samba wrote:
> > > Hai,
> > >
> > > First I must say, I don't use/know gluster.
> > >
> > > But I noticed your config (smb.conf) is a bit off.
> > >
> > >     store dos attributes = Yes    << is missing.
> > >
> > > And I would say setup netbios name and REALM in CAPS.
> > > And
> > > >     smbd:search ask sharemode = no
> > > Should be: smbd search ask sharemode
> > > >> https://www.samba.org/samba/history/samba-4.10.0.html
> > > See smb.conf changes,
> > >
> > > What I don't know, but don't you need one or both of these. (vfs_modules)
> > > Because I also notice New glusterfs_fuse VFS module as "new" in the changelog.
> > >
> > > See:
> > > man vfs_glusterfs
> > > man vfs_glusterfs_fuse
> > >
> > > Someone, who knows gluster, should give more info about this.
> > > I can't.. (sorry), I can't know everything..  :-/
> > >
> > > Greetz, 
> > >
> > > Louis
> > >
> > >
> > >
> > >
> > >
> > > > -----Original message-----
> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Benedikt Kaleß via samba
> > > > Sent: Wednesday 28 August 2019 11:22
> > > > To: samba at lists.samba.org >> samba
> > > > Subject: [Samba] Permission Issue
> > > > 
> > > > Hi again,
> > > > 
> > > > regarding my post "plenty of vacuuuming process" a "gluster volume heal"
> > > > seems to improve the situation.
> > > > 
> > > > But I still have a strange problem:
> > > > 
> > > > Sometimes a user doesn't have permissions to a restricted folder when he
> > > > connects to a share or logs in at a Windows client. Sometimes all
> > > > permissions are granted. If the user creates a file, the user and group
> > > > are correctly set.
> > > > 
> > > > I'm running Samba version 4.9.12-SerNet-Debian-15.stretch on all 3 nodes.
> > > > 
> > > > I tried to enlarge the id range with no effect.
> > > > 
> > > > This is the output of net conf list:
> > > > 
> > > > [global]
> > > >     winbind refresh tickets = Yes
> > > >     winbind use default domain = yes
> > > >     template shell = /bin/bash
> > > >     idmap config * : range = 1000000 - 1999999
> > > >     idmap config DOMAINNAME : backend = rid
> > > >     idmap config DOMAINNAME : range = 1000 - 999999
> > > >     hide dot files = yes
> > > >     server string = Daten server %h (Samba %v)
> > > >     vfs objects = acl_xattr
> > > >     map acl inherit = yes
> > > >     workgroup = DOMAINNAME
> > > >     netbios name = cluster-ho
> > > >     clustering = yes
> > > >     security = ads
> > > >     realm = zfd.forumzfd.de
> > > >     smbd:search ask sharemode = no
> > > > 
> > > > [home]
> > > >     path = /data/ho/
> > > >     comment = Home Directories
> > > >     read only = no
> > > >     browseable = yes
> > > > 
> > > > [Ablage]
> > > >     comment = DATA_Share
> > > >     path = /data/ho/data
> > > >     read only = no
> > > > 
> > > > 
> > > > This is the message in /var/log/samba/log.smbd:
> > > > 
> > > >  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > > > status[NT_STATUS_ACCESS_DENIED] || at 
> > > > ../source3/smbd/smb2_getinfo.c:159
> > > > 
> > > > Thank you again for ideas or comments.
> > > > 
> > > > 
> > > > Best regards
> > > > 
> > > > Bene
> > > > 
> > > > -- 
> > > > forumZFD
> > > > Entschieden für Frieden|Committed to Peace
> > > > 
> > > > Benedikt Kaleß
> > > > Leiter Team IT|Head team IT
> > > > 
> > > > Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
> > > > Am Kölner Brett 8 | 50825 Köln | Germany  
> > > > 
> > > > Tel 0221 91273233 | Fax 0221 91273299 | 
> > > > http://www.forumZFD.de 
> > > > 
> > > > Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
> > > > Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
> > > > VR 17651 Amtsgericht Köln
> > > > 
> > > > Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
> > > > 
> > > > 
> > > > -- 
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > 
> > > > 
> > >
> > >
>
>
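On the offset question in the message above, as an added example that is not part of the original thread: idmap_rid(8) documents the rid backend's mapping as ID = RID - BASE_RID + LOW_RANGE_ID, so the low end of the configured range acts as the offset, and two hosts with different ranges map the same SID to different IDs. The sketch assumes every host uses the rid backend with the default base_rid of 0; the node names and the second range (2000 - 999999) are constructed for illustration.

```python
import re

# idmap lines as posted in the thread's "net conf list" output.
NODE_A_CONF = """
    idmap config * : range = 1000000 - 1999999
    idmap config DOMAINNAME : backend = rid
    idmap config DOMAINNAME : range = 1000 - 999999
"""
# Constructed for illustration: same domain, different low end of the range.
NODE_B_CONF = """
    idmap config DOMAINNAME : backend = rid
    idmap config DOMAINNAME : range = 2000 - 999999
"""
# objectSid of the group shown in the ldbsearch output above.
GROUP_SID = "S-1-5-21-1996849273-3222042488-349429296-101163"

def parse_idmap_range(conf_text, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low - high'."""
    pat = re.compile(r"^[ \t]*idmap config[ \t]+" + re.escape(domain) +
                     r"[ \t]*:[ \t]*range[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$",
                     re.M | re.I)
    m = pat.search(conf_text)
    if m is None:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def rid_of(sid):
    """The RID is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])

def rid_to_unix_id(sid, low, high, base_rid=0):
    """idmap_rid formula; None when the result falls outside the range."""
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None

def implied_low(sid, observed_id, base_rid=0):
    """Invert the formula: which range low would yield the ID a host reports?"""
    return observed_id - rid_of(sid) + base_rid

def map_on_nodes(sid, confs, domain="DOMAINNAME"):
    """Map one SID on every node; return the IDs and whether all nodes agree."""
    ids = {node: rid_to_unix_id(sid, *parse_idmap_range(conf, domain))
           for node, conf in confs.items()}
    return ids, len(set(ids.values())) == 1

if __name__ == "__main__":
    ids, same = map_on_nodes(GROUP_SID, {"node-a": NODE_A_CONF, "node-b": NODE_B_CONF})
    print(ids, "consistent" if same else "MISMATCH: idmap ranges differ between nodes")
```

Running `implied_low` on the ID a host actually reports for a known SID (for example from `wbinfo --sid-to-gid`) gives the range low that host is really using, which can then be compared with its configuration.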