[Samba] Permission Issue
Benedikt Kaleß
benedikt.kaless at forumZFD.de
Thu Aug 29 07:58:21 UTC 2019
Hi,
Some other abnormalities I recognize:
groups and users < 100000 are the same on both systems (the cluster and
the standalone-fileserver)
all groups and users > 100000 differ on both systems. Some IDs are
smaller on the ctdb, some IDs are bigger.
The idmap config on both systems is the same:
idmap config * : range = 1000000 - 1999999
idmap config ZFD : backend = rid
idmap config ZFD : range = 0 - 200000
We set up this range because we did a classic-upgrade from Samba 3
Can a "net cache flush" help? What can the consequences be, if I run it
on a ctdb node?
To summarize: The behavior is, that a user sometimes has permissions to
a file/folder, sometimes he has not.
Best
Bene
On 29.08.19 at 09:16, Benedikt Kaleß via samba wrote:
> Hi,
>
> this configuration doesn't make any difference in daily life. So perhaps
> an ID-Mapping problem?
>
> an ldbsearch --url=/var/lib/samba/private/sam.ldb
>
> shows
>
> dn: CN=Team IT and facilities,OU=HO,OU=example,DC=com,DC=de
> objectClass: top
> objectClass: group
> cn: Team
> instanceType: 4
> whenCreated: 20180731103742.0Z
> uSNCreated: 3631
> name: Team
> objectGUID: 7a27f859-97dc-4cf8-b4b1-c7b7cfe0f585
> objectSid: S-1-5-21-1996849273-3222042488-349429296-101163
> sAMAccountName: Team
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
> whenChanged: 20190723103748.0Z
> uSNChanged: 39294
> member::
> Q049QmVuZWRpa3QgS2FsZcOfLE9VPVRlYW0gSVQgJiBGYWNpbGl0eSBNYW5hZ2VtZW50L
> E9VPUV4ZWN1dGl2ZSBCb2FyZCBGaW5hbmNlXCwgSFJcLCBBZG1pbmlzdHJhdGlvbixPVT1ITyxPVT
> 1aRkQsREM9emZkLERDPWZvcnVtemZkLERDPWRl
> member: CN=Testuser,OU=IRK,OU=ZFD,DC=zfd,DC=forumzfd,DC=de
> distinguishedName: CN=Team,OU=HO,OU=,Example,DC=com,D
> C=de
>
> So, I assume that the uid on the ctdb and a standalone fileserver has to
> be 101163, right?
>
> The ctdb shows the uid 103150, the fileserver 102150
>
> That can't be okay and I think I have to search further regarding this
> issue.
>
> Is there any offset configured?
>
> Best
>
> Bene
>
>
> On 29.08.19 at 08:46, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > Great to hear I could help one with a gluster problem :-)
> >
> > And of course you're allowed to keep us up2date.
> > So yes, please, by doing that and sharing the configs it might help other people.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > Benedikt Kaleß via samba
> > > Sent: Wednesday 28 August 2019 17:37
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Permission Issue
> > >
> > > Hi,
> > >
> > > of course you can not know everything :) I'm glad to have
> > > your support!
> > > Thank you.
> > >
> > > Actually I did a gluster_client fuse mount and set up the
> > > share in the
> > > registry "old fashioned".
> > >
> > > I changed that now to the following:
> > >
> > > [share]
> > > comment = Archivdateien der Abteilung Projekte
> > > read only = no
> > > vfs objects = acl_xattr glusterfs
> > > glusterfs:volume = gv-ho
> > > glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
> > > glusterfs:loglevel = 3
> > > glusterfs:volfile_server = gluster1 gluster3
> > > kernel share modes = no
> > > path = /data/share
> > >
> > > Of course I added your recommendations as well like "store dos
> > > attributes"...
> > >
> > > It looks good at the moment. But I will keep you updated here, if I'm
> > > allowed to.
> > >
> > > Best regards
> > >
> > > Bene
> > >
> > >
> > > On 28.08.19 at 15:56, L.P.H. van Belle via samba wrote:
> > > > Hai,
> > > >
> > > > First I must say, I don't use/know gluster.
> > > >
> > > > But I noticed your config (smb.conf) is a bit off.
> > > >
> > > > store dos attributes = Yes << is missing.
> > > >
> > > > And I would say set up netbios name and REALM in CAPS.
> > > > And
> > > > > smbd:search ask sharemode = no
> > > > Should be : smbd search ask sharemode
> > > > >> https://www.samba.org/samba/history/samba-4.10.0.html
> > > > See smb.conf changes,
> > > >
> > > > What I don't know, but don't you need one or both of these
> > > > (vfs_modules)?
> > > > Because I also noticed the New glusterfs_fuse VFS module as
> > > > "new" in the changelog.
> > > >
> > > > See:
> > > > man vfs_glusterfs
> > > > man vfs_glusterfs_fuse
> > > >
> > > > Someone, who knows gluster, should give more info about this.
> > > > I can't.. (sorry), I can't know everything.. :-/
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > > > Benedikt Kaleß via samba
> > > > > Sent: Wednesday 28 August 2019 11:22
> > > > > To: samba at lists.samba.org >> samba
> > > > > Subject: [Samba] Permission Issue
> > > > >
> > > > > Hi again,
> > > > >
> > > > > regarding my post "plenty of vacuuuming process" a "gluster
> > > > > volume heal"
> > > > > seems to improve the situation.
> > > > >
> > > > > But I still have a strange problem:
> > > > >
> > > > > > Sometimes a user doesn't have permissions to a restricted
> > > > > > folder when he connects to a share or logs in at a Windows
> > > > > > client. Sometimes all permissions are granted. If the user
> > > > > > creates a file, the user and group are correctly set.
> > > > >
> > > > > > I'm running Samba version 4.9.12-SerNet-Debian-15.stretch on
> > > > > all 3 nodes.
> > > > >
> > > > > I tried to enlarge the id range with no effects.
> > > > >
> > > > > > This is the output of net conf list:
> > > > >
> > > > > [global]
> > > > > winbind refresh tickets = Yes
> > > > > winbind use default domain = yes
> > > > > template shell = /bin/bash
> > > > > idmap config * : range = 1000000 - 1999999
> > > > > idmap config DOMAINNAME : backend = rid
> > > > > idmap config DOMAINNAME : range = 1000 - 999999
> > > > > hide dot files = yes
> > > > > server string = Daten server %h (Samba %v)
> > > > > vfs objects = acl_xattr
> > > > > map acl inherit = yes
> > > > > workgroup = DOMAINNAME
> > > > > netbios name = cluster-ho
> > > > > clustering = yes
> > > > > security = ads
> > > > > realm = zfd.forumzfd.de
> > > > > smbd:search ask sharemode = no
> > > > >
> > > > > [home]
> > > > > path = /data/ho/
> > > > > comment = Home Directories
> > > > > read only = no
> > > > > browseable = yes
> > > > >
> > > > > [Ablage]
> > > > > comment = DATA_Share
> > > > > path = /data/ho/data
> > > > > read only = no
> > > > >
> > > > >
> > > > > > This is the message in /var/log/samba/log.smbd:
> > > > >
> > > > > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > > > > status[NT_STATUS_ACCESS_DENIED] || at
> > > > > ../source3/smbd/smb2_getinfo.c:159
> > > > >
> > > > > Thank you again for ideas or comments.
> > > > >
> > > > >
> > > > > Best regards
> > > > >
> > > > > Bene
> > > > >
> > > > > --
> > > > > > forumZFD
> > > > > Entschieden für Frieden|Committed to Peace
> > > > >
> > > > > Benedikt Kaleß
> > > > > Leiter Team IT|Head team IT
> > > > >
> > > > > Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
> > > > > Am Kölner Brett 8 | 50825 Köln | Germany
> > > > >
> > > > > Tel 0221 91273233 | Fax 0221 91273299 |
> > > > > http://www.forumZFD.de
> > > > >
> > > > > > Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
> > > > > > Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle,
> > > > > > Alexander Mauz
> > > > > > VR 17651 Amtsgericht Köln
> > > > > >
> > > > > > Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
> > > > >
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions: https://lists.samba.org/mailman/options/samba
> > > > >
> > > > >
> > > >
> > > >
> > > --
> > > ???forumZFD
> > > Entschieden für Frieden|Committed to Peace
> > >
> > > Benedikt Kaleß
> > > Leiter Team IT|Head team IT
> > >
> > > Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
> > > Am Kölner Brett 8 | 50825 Köln | Germany
> > >
> > > Tel 0221 91273233 | Fax 0221 91273299 |
> > > http://www.forumZFD.de
> > >
> > > Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
> > > Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle,
> > > Alexander Mauz
> > > VR 17651 Amtsgericht Köln
> > >
> > > Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > >
> > >
> >
> >
--
forumZFD
Entschieden für Frieden|Committed to Peace
Benedikt Kaleß
Leiter Team IT|Head team IT
Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany
Tel 0221 91273233 | Fax 0221 91273299 |
http://www.forumZFD.de
Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz
VR 17651 Amtsgericht Köln
Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX
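
The ID arithmetic discussed in this thread, as an added example that is not part of the original messages: the rid backend derives a Unix ID as RID - BASE_RID + LOW_RANGE_ID (idmap_rid(8)), so the expected value can be computed from the objectSid and the configured range and compared with what each node reports. The function names and the node labels "ctdb" and "fileserver" are assumptions; the SID, the two ranges and the observed IDs are the ones quoted in the thread.

```python
import re

# Matches e.g. "idmap config ZFD : range = 0 - 200000"
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_ranges(conf_text):
    """Return {domain: (low, high)} from smb.conf or 'net conf list' text."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def rid_of(sid):
    """The RID is the last sub-authority of the SID string."""
    return int(sid.rsplit("-", 1)[1])

def expected_id(sid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if it falls outside the range."""
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None

def mismatches(sid, conf_text, domain, observed):
    """Return {node: (observed_id, expected_id)} for nodes that disagree."""
    low, high = parse_ranges(conf_text)[domain]
    want = expected_id(sid, low, high)
    return {node: (got, want) for node, got in observed.items() if got != want}

# Values taken from the thread; only the dictionary keys are made up.
CONF_NOW = """idmap config * : range = 1000000 - 1999999
idmap config ZFD : backend = rid
idmap config ZFD : range = 0 - 200000"""
CONF_FIRST = """idmap config * : range = 1000000 - 1999999
idmap config DOMAINNAME : backend = rid
idmap config DOMAINNAME : range = 1000 - 999999"""
SID = "S-1-5-21-1996849273-3222042488-349429296-101163"
OBSERVED = {"ctdb": 103150, "fileserver": 102150}

if __name__ == "__main__":
    print("range 0 - 200000    ->", expected_id(SID, 0, 200000))
    print("range 1000 - 999999 ->", expected_id(SID, 1000, 999999))
    for node, (got, want) in mismatches(SID, CONF_NOW, "ZFD", OBSERVED).items():
        print(f"{node}: reports {got}, rid formula gives {want}")
```

On a live system the observed values would come from `wbinfo --sid-to-gid` (or `--sid-to-uid`) run on each node.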