[Samba] Permission Issue

Benedikt Kaleß benedikt.kaless at forumZFD.de
Thu Aug 29 10:17:14 UTC 2019


Hi,

I don't have the user root.

No changes :( Sometimes a user gets permissions, sometimes not.

This net conf is now running:

[global]
    winbind refresh tickets = Yes
    winbind use default domain = yes
    template shell = /bin/bash
    idmap config * : range = 1000000 - 1999999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 500 - 200000
    hide dot files = yes
    server string = FileServer %h (Samba %v)
    map acl inherit = yes
    inherit permissions = yes
    workgroup = ZFD
    netbios name = CLUSTER-HO
    clustering = yes
    security = ads
    realm = EXAMPLE.com
    store dos attributes = Yes
    log level = 3
    vfs objects = acl_xattr

[home]
    comment = Home Directories
    read only = no
    browseable = yes
    vfs objects = acl_xattr glusterfs
    glusterfs:volume = gv-ho
    glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
    glusterfs:loglevel = 3
    glusterfs:volfile_server = gluster1 gluster3
    kernel share modes = no
    path = /

[Fileshare]
    comment = Fileshare
    read only = no
    vfs objects = acl_xattr glusterfs
    glusterfs:volume = gv-ho
    glusterfs:logfile = /var/log/samba/glusterfs-gv-ho.log
    glusterfs:loglevel = 10
    glusterfs:volfile_server = gluster1 gluster3
    kernel share modes = no
    path = /data/Files

Does this error in log.smbd give a hint?

[2019/08/29 12:14:24.765433,  2] ../source3/smbd/open.c:4045(open_directory)
  open_directory: unable to create testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations. Error was NT_STATUS_OBJECT_NAME_COLLISION
[2019/08/29 12:14:24.765472,  3] ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_COLLISION] || at ../source3/smbd/smb2_create.c:296
[2019/08/29 12:14:24.767517,  2] ../source3/smbd/dosmode.c:136(unix_mode)
  unix_mode(testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f18460fded109990.automaticDestinations-ms) inheriting from testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations
[2019/08/29 12:14:24.767603,  2] ../source3/smbd/dosmode.c:161(unix_mode)
  unix_mode(testuser/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f18460fded109990.automaticDestinations-ms) inherit mode 40770
[2019/08/29 12:14:24.767690,  3] ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at ../source3/smbd/smb2_create.c:296
[2019/08/29 12:14:35.232651,  2] ../source3/smbd/close.c:802(close_normal_file)
  ZFD\testuser closed file testuser/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/f18460fded109990.customDestinations-ms (numopen=26) NT_STATUS_OK

Best regards

Bene



On 29.08.19 at 11:17, Rowland penny via samba wrote:
> On 29/08/2019 09:58, Benedikt Kaleß via samba wrote:
> > Hi,
> >
> > I have an old Fileserver which is working correctly:
> >
> > This is the smb.conf:
> >
> > [global]
> > 	security = ads
> > 	realm = EXAMPLE.COM
> > 	workgroup = example
> > 	winbind refresh tickets = Yes
> > 	winbind use default domain = yes
> > 	template shell = /bin/bash
> > 	idmap config * : range = 1000000 - 1999999
> > 	idmap config ZFD : backend = rid
> > 	idmap config ZFD : range = 0 - 200000
> > 	hide dotfiles = yes
> > 	server string = Standalone server %h (Samba %v)
> > 	store dos attributes = yes
> > 	vfs objects = acl_xattr
> > 	inherit permissions = Yes
> >
> > Afterwards I set up the CTDB cluster and did an "rsync -alpAXvt" to copy
> > the data from the old Fileserver to the cluster
> >
> > net conf list:
> >
> > [global]
> >      winbind refresh tickets = Yes
> >      winbind use default domain = yes
> >      template shell = /bin/bash
> >      idmap config * : range = 1000000 - 1999999
> >      idmap config ZFD : backend = rid
> >      idmap config ZFD : range = 0 - 200000
> >      hide dot files = yes
> >      server string = forumZFD Daten server %h (Samba %v)
> >      map acl inherit = yes
> >      inherit permissions = yes
> >      workgroup = EXAMPLE
> >      netbios name = CLUSTER-HO
> >      clustering = yes
> >      security = ads
> >      realm = EXAMPLE.COM
> >      store dos attributes = Yes
> >      log level = 3
> >
> > The users often have "permission denied" problems even though in the
> > Windows file explorer the group membership is shown and a gpresult /r
> > shows that membership. Sometimes everything works correctly.
> >
> >
> I think I understand this: the first smb.conf is from the original
> fileserver, the second is from the cluster. If this is the case, we can
> ignore the first smb.conf.
>
> Are the DCs involved in the ctdb cluster, apart from providing
> authentication?
>
> Do you have a user called 'root' in AD? If so, remove it.
>
> Change this:
>
> idmap config ZFD : range = 0 - 200000
>
> to this:
>
> idmap config ZFD : range = 500 - 200000
>
> Add:
>
> vfs objects = acl_xattr
>
> Rowland
>
>
>
-- 
forumZFD
Entschieden für Frieden|Committed to Peace

Benedikt Kaleß
Leiter Team IT|Head team IT

Forum Ziviler Friedensdienst e.V.|Forum Civil Peace Service
Am Kölner Brett 8 | 50825 Köln | Germany  

Tel 0221 91273233 | Fax 0221 91273299 | 
http://www.forumZFD.de 

Vorstand nach § 26 BGB, einzelvertretungsberechtigt|Executive Board:
Oliver Knabe (Vorsitz|Chair), Sonja Wiekenberg-Mlalandle, Alexander Mauz  
VR 17651 Amtsgericht Köln

Spenden|Donations: IBAN DE37 3702 0500 0008 2401 01 BIC BFSWDE33XXX 
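
A check for the idmap range advice quoted above, as an added example that is not part of the original mail or of Samba. It parses a "net conf list" style dump and reports domain ranges that start below 500 (where they can collide with root and local system accounts), ranges that overlap, and a workgroup with no idmap section of its own. The sample dumps are constructed from the values in the thread, and treating 500 as a general floor is an assumption.

```python
import re

MIN_DOMAIN_ID = 500  # lower bound advised in the thread; using it as a general floor is an assumption
IDMAP_KEY = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\S+)$")

# Constructed input: idmap-related lines shaped like the "net conf list" dumps in the thread.
BEFORE = """[global]
    idmap config * : range = 1000000 - 1999999
    idmap config ZFD : backend = rid
    idmap config ZFD : range = 0 - 200000
    workgroup = ZFD
"""
AFTER = BEFORE.replace("range = 0 -", "range = 500 -")

def global_params(text):
    """Collect [global] parameters, lower-casing keys and collapsing spaces."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap(text):
    """Return a list of findings about the idmap ranges in a config dump."""
    params, domains, findings = global_params(text), {}, []
    for key, value in params.items():
        m = IDMAP_KEY.match(key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    ranges = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            findings.append(f"{dom}: backend set but no range")
            continue
        low, high = (int(n) for n in opts["range"].split("-"))
        ranges[dom] = (low, high)
        if dom != "*" and low < MIN_DOMAIN_ID:
            findings.append(f"{dom}: range starts at {low}, below {MIN_DOMAIN_ID}")
    # Sort by lower bound so only neighbouring ranges need comparing.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (a, ra), (b, rb) in zip(ordered, ordered[1:]):
        if rb[0] <= ra[1]:
            findings.append(f"{a} and {b}: ranges overlap")
    workgroup = params.get("workgroup", "").lower()
    if workgroup and workgroup not in domains:
        findings.append(f"workgroup {workgroup}: no matching idmap config")
    return findings
```

Feed it the output of "net conf list" (or the smb.conf text); an empty list means none of the three conditions was found.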



