[Samba] Permission Issue

Benedikt Kaleß benedikt.kaless at forumZFD.de
Thu Aug 29 07:58:21 UTC 2019


Hi,

Some other abnormalities I recognize:

groups and users < 100000 are the same on both systems (the cluster and
the standalone-fileserver)

all groups and users > 100000 differ on both systems. Some IDs are
smaller on the ctdb, one IDs are bigger.

The idmap config on both systems is the same:

    idmap config * : range = 1000000 - 1999999
    idmap config ZFD : backend = rid
    idmap config ZFD : range = 0 - 200000

We set up this range because we did a classic-upgrade from Samba 3

Can a "net cache flush" help? What can the consequences be, if I run it
on a ctdb node?

To summarize: The behavior is, that a user sometimes has permissions to
a file/folder, sometimes he has not.

Best
Bene


On 29.08.19 at 09:16, Benedikt Kaleß via samba wrote:
> Hi,
>
> this configuration doesn't make any difference in daily life. So perhaps
> an ID-Mapping problem?
>
> an ldbsearch --url=/var/lib/samba/private/sam.ldb
>
> shows
>
> dn: CN=Team IT and facilities,OU=HO,OU=example,DC=com,DC=de
> objectClass: top
> objectClass: group
> cn: Team
> instanceType: 4
> whenCreated: 20180731103742.0Z
> uSNCreated: 3631
> name: Team
> objectGUID: 7a27f859-97dc-4cf8-b4b1-c7b7cfe0f585
> objectSid: S-1-5-21-1996849273-3222042488-349429296-101163
> sAMAccountName: Team
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
> whenChanged: 20190723103748.0Z
> uSNChanged: 39294
> member::
> Q049QmVuZWRpa3QgS2FsZcOfLE9VPVRlYW0gSVQgJiBGYWNpbGl0eSBNYW5hZ2VtZW50L
>  E9VPUV4ZWN1dGl2ZSBCb2FyZCBGaW5hbmNlXCwgSFJcLCBBZG1pbmlzdHJhdGlvbixPVT1ITyxPVT
>  1aRkQsREM9emZkLERDPWZvcnVtemZkLERDPWRl
> member: CN=Testuser,OU=IRK,OU=ZFD,DC=zfd,DC=forumzfd,DC=de
> distinguishedName: CN=Team,OU=HO,OU=,Example,DC=com,D
>  C=de
>
> So, I assume that the uid on the ctdb and a standalone fileserver has to
> be 101163, right?
>
> The ctdb shows the uid 103150, the fileserver 102150
>
> That can't be okay and I think I have to search further regarding this
> issue.
>
> Is there any offset configured?
>
> Best
>
> Bene
>
>
> On 29.08.19 at 08:46, L.P.H. van Belle via samba wrote:
> > Hi,
> >
> > Great to hear I could help someone with a gluster problem :-)
> >
> > And of course you're allowed to keep us up to date.
> > So yes, please do; by doing that and sharing the configs it might help other people.
> >
> > Greetz, 
> >
> > Louis
> >
> >
> >  
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > Benedikt Kaleß via samba
> > > Sent: Wednesday 28 August 2019 17:37
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Permission Issue
> > > 
> > > Hi,
> > > 
> > > of course  you can not know everything :) I'm glad to have 
> > > your support!
> > > Thank you.
> > > 
> > > Actually I did a gluster_client fuse mount and set up the share in the
> > > registry "old fashioned".
> > > 
> > > I changed that now to the following:
> > > 
> > > [share]
> > >     comment = Archivdateien der Abteilung Projekte
> > >     read only = no
> > >     vfs objects = acl_xattr glusterfs
> > >     glusterfs:volume = gv-ho
> > >     glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
> > >     glusterfs:loglevel = 3
> > >     glusterfs:volfile_server = gluster1 gluster3
> > >     kernel share modes = no
> > >     path = /data/share
> > > 
> > > Of course I added your recommendations as well, like "store dos
> > > attributes"...
> > > 
> > > It looks good at the moment. But I will keep you updated here, if I'm
> > > allowed to.
> > > 
> > > Best regards
> > > 
> > > Bene
> > > 
> > > 
> > > On 28.08.19 at 15:56, L.P.H. van Belle via samba wrote:
> > > > Hi,
> > > >
> > > > First I must say, I don't use/know gluster.
> > > >
> > > > But I noticed your config (smb.conf) is a bit off.
> > > >
> > > >     store dos attributes = Yes 	<< is missing.
> > > >
> > > > And I would say set up netbios name and REALM in CAPS.
> > > > And
> > > > >     smbd:search ask sharemode = no
> > > > Should be : smbd search ask sharemode
> > > > >> https://www.samba.org/samba/history/samba-4.10.0.html
> > > > See smb.conf changes,
> > > >
> > > > What I don't know, but don't you need one or both of these (vfs_modules)?
> > > > Because I also notice the New glusterfs_fuse VFS module as "new" in the changelog.
> > > >
> > > > See:
> > > > man vfs_glusterfs
> > > > man vfs_glusterfs_fuse
> > > >
> > > > Someone who knows gluster should give more info about this.
> > > > I can't (sorry), I can't know everything..  :-/
> > > >
> > > > Greetz, 
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > > > Benedikt Kaleß via samba
> > > > > Sent: Wednesday 28 August 2019 11:22
> > > > > To: samba at lists.samba.org >> samba
> > > > > Subject: [Samba] Permission Issue
> > > > > 
> > > > > Hi again,
> > > > > 
> > > > > regarding my post "plenty of vacuuuming process" a "gluster 
> > > > > volume heal"
> > > > > seems to improve the situation.
> > > > > 
> > > > > But I still have a strange problem:
> > > > > 
> > > > > Sometimes a user doesn't have permissions to a restricted folder when he
> > > > > connects to a share or logs in at a Windows client. At other times all
> > > > > permissions are granted. If the user creates a file, the user and group
> > > > > are correctly set.
> > > > > 
> > > > > I'm running Samba version 4.9.12-SerNet-Debian-15.stretch on 
> > > > > all 3 nodes.
> > > > > 
> > > > > I tried to enlarge the id range with no effects.
> > > > > 
> > > > > This is the output of net conf list:
> > > > > 
> > > > > [global]
> > > > >     winbind refresh tickets = Yes
> > > > >     winbind use default domain = yes
> > > > >     template shell = /bin/bash
> > > > >     idmap config * : range = 1000000 - 1999999
> > > > >     idmap config DOMAINNAME : backend = rid
> > > > >     idmap config DOMAINNAME : range = 1000 - 999999
> > > > >     hide dot files = yes
> > > > >     server string = Daten server %h (Samba %v)
> > > > >     vfs objects = acl_xattr
> > > > >     map acl inherit = yes
> > > > >     workgroup = DOMAINNAME
> > > > >     netbios name = cluster-ho
> > > > >     clustering = yes
> > > > >     security = ads
> > > > >     realm = zfd.forumzfd.de
> > > > >     smbd:search ask sharemode = no
> > > > > 
> > > > > [home]
> > > > >     path = /data/ho/
> > > > >     comment = Home Directories
> > > > >     read only = no
> > > > >     browseable = yes
> > > > > 
> > > > > [Ablage]
> > > > >     comment = DATA_Share
> > > > >     path = /data/ho/data
> > > > >     read only = no
> > > > > 
> > > > > 
> > > > > This is the message in /var/log/samba/log.smbd:
> > > > > 
> > > > >  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > > > > status[NT_STATUS_ACCESS_DENIED] || at 
> > > > > ../source3/smbd/smb2_getinfo.c:159
> > > > > 
> > > > > Thank you again for ideas or comments.
> > > > > 
> > > > > 
> > > > > Best regards
> > > > > 
> > > > > Bene
> > > > > 
> > > > > -- 
> > > > > forumZFD
> > > > > Entschieden für Frieden|Committed to Peace
> > > > > 
> > > > > Benedikt Kaleß
> > > > > Leiter Team IT|Head team IT
> > > > > 
> > > > > Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
> > > > > Am Kölner Brett 8 | 50825 Köln | Germany
> > > > > 
> > > > > Tel 0221 91273233 | Fax 0221 91273299 |
> > > > > http://www.forumZFD.de
> > > > > 
> > > > > Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
> > > > > Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle,
> > > > > Alexander Mauz
> > > > > VR 17651 Amtsgericht Köln
> > > > > 
> > > > > Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
> > > > > 
> > > > > 
> > > > > -- 
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > > 
> > > > > 
> > > >
> > > >
> >
> >

More information about the samba mailing list
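
Added example (not part of the original thread, and not Samba's own code): the idmap_rid backend derives a Unix ID as ID = RID - BASE_RID + LOW_RANGE_VALUE, so the sketch below applies that formula to the two idmap stanzas quoted in this thread and to the group SID from the ldbsearch output. The function names are hypothetical and base_rid is assumed to be its default of 0.

```python
import re

# Values copied from this thread: the group SID from the ldbsearch output and
# the two idmap stanzas that were posted. Everything else here is hypothetical.
SID = "S-1-5-21-1996849273-3222042488-349429296-101163"
CONF_A = """idmap config * : range = 1000000 - 1999999
idmap config ZFD : backend = rid
idmap config ZFD : range = 0 - 200000"""
CONF_B = """idmap config * : range = 1000000 - 1999999
idmap config DOMAINNAME : backend = rid
idmap config DOMAINNAME : range = 1000 - 999999"""

_IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = _IDMAP.match(line)
        if not m:
            continue
        entry = domains.setdefault(m.group(1), {})
        key, value = m.group(2).lower(), m.group(3)
        if key == "range":
            entry["range"] = tuple(int(x) for x in value.split("-"))
        elif key == "backend":
            entry["backend"] = value.lower()
    return domains


def rid_to_unix_id(sid, idmap, base_rid=0):
    """Apply ID = RID - BASE_RID + LOW_RANGE_VALUE; None if outside the range."""
    if idmap.get("backend") != "rid":
        raise ValueError("formula only applies to the rid backend")
    rid = int(sid.rsplit("-", 1)[1])  # the RID is the last SID component
    low, high = idmap["range"]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def compare_nodes(sid, conf_a, dom_a, conf_b, dom_b):
    """Map one SID under two nodes' configs and report whether they agree."""
    id_a = rid_to_unix_id(sid, parse_idmap(conf_a)[dom_a])
    id_b = rid_to_unix_id(sid, parse_idmap(conf_b)[dom_b])
    return {"a": id_a, "b": id_b, "consistent": id_a == id_b}


if __name__ == "__main__":
    print(compare_nodes(SID, CONF_A, "ZFD", CONF_B, "DOMAINNAME"))
```

For the same RID, the IDs that two rid-backend nodes compute differ by exactly the difference between their range lows, so a constant offset between nodes points at differing `range` settings rather than at cached data.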