[Samba] Change in behaviour for the "%U" substitution in 4.10.8?
gac
gac at tutanota.com
Wed Sep 18 09:56:04 UTC 2019
OK, I did what you suggested, and the [homes] share worked. I played around with the other options, and it's specifically the "path" option that breaks it. So by using all the options except "path" I now at least have working home directories, which automatically use the user's correct home directory (I guess this ultimately comes from winbind via `getent passwd` or similar?) rather than an explicit path statement with the substitution.
However the other share that uses the "%U" substitution in its path still does not work because it's looking for the wrong path on the server. I can't remove the "path" from this one because it is a separate folder and nothing to do with a user's homedir. Something I hadn't picked up on until today when I opened Explorer in Details view is that this second share also uses "%U" in its comment, and in Windows Explorer the comment is also shown incorrectly as "domain_username" with 4.10.8 (and correctly as just "username" in 4.10.7) which reflects the name of the folder on the server it's looking for.
---
C:\Users\gac>net view \\server
Shared resources at \\server

Samba 4.10.7-Ubuntu

Share name   Type  Used as  Comment
-------------------------------------------------------------------------------
gac          Disk           Home Directories
timemachine  Disk           Time Machine for gac <<< correct
tmp          Disk
The command completed successfully.

C:\Users\gac>net view \\server
Shared resources at \\server

Samba 4.10.8-Ubuntu

Share name   Type  Used as  Comment
-------------------------------------------------------------------------------
gac          Disk           Home Directories
timemachine  Disk           Time Machine for domain_gac <<< incorrect
tmp          Disk
The command completed successfully.
---
This is using exactly the same Windows 7 client machine, running the packages from apt.van-belle.nl (I manually downgraded to 4.10.7 for the first run, then did `apt-get upgrade` to get back to 4.10.8 for the second run).
At this point I'm tempted to try and blow the smb.conf away, but that would probably leave a bunch of broken permissions that I'd have to fix up with `find -uid`. I think the reason this uses idmap_rid is because a long time ago this box used LikeWise/PBIS, then that stopped working in a later Ubuntu release and it was removed but idmap_rid allowed us to keep the same Unix UID for a given user. If we'd used idmap_ad to start with then it would probably be much easier...
18 Sep 2019, 09:33 by samba at lists.samba.org:
> Before I want level 10 logs..
>
> Can you try this for [homes]
>
> [homes]
> readonly = no
>
> That's it, nothing more, nothing less..
>
> Thanks Rowland for this part.
> It might help to understand a few things better, at least it helped me. :-)
>
> In theory %S, %u and %U should all be the same, the users name.
> If you check what they mean, you will find this:
>
> %S : the name of the current service, if any.
> %u : username of the current service, if any.
> %U : session username (the username that the client wanted, not
> necessarily the same as the one they got).
>
> Now, we are not sure yet about your problem.
> You might have found something, and maybe not.
>
> I do understand where your setting is coming from, or at least I'm thinking of
> You took this part and added it in [homes]
>
> Default: template homedir = /home/%D/%U <<
> Which does work for [home] only, [homes] is a different cookie..
> man smb.conf the "[homes]" section
>
> And keep in mind, fewer settings in samba is better,
> it's too easy to mix incompatible settings,
> and these are sometimes hard to detect.
>
> Personally, for a share path in user and profiles shares,
> I really recommend using something like this:
> [users]
> path = /home/samba/users
> read only = no
>
> [profiles]
> path = /home/samba/profiles
> read only = no
>
> Paths are changeable to your needs of course here.
> Why I recommend this:
>
> If you are creating Windows users and you're using RSAT,
> you can set the profile path and usershares.
> If you use \\server.fqdn\users\ (for example, from the [users] share),
> you can set in RSAT \\server.fqdn\users\%username%
> And now Windows creates the homedir and this works the same for profiles.
>
> Just saying..
>
> Greetz,
>
> Louis
>
> ________________________________
>
> From: gac [mailto:gac at tutanota.com]
> Sent: Tuesday 17 September 2019 17:56
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Change in behaviour for the "%U" substitution in 4.10.8?
>
> I found the same bug, and discounted it as irrelevant...I can't see the details of the bug related to the CVE which was the only 4.10.8 change, but I can't imagine that would have anything useful either.
>
> Just to be clear, do you want information and logs from the working 4.10.7, the broken 4.10.8, or both?
>
> Thanks
>
> 17 Sep 2019, 14:58 by samba at lists.samba.org:
>
> Hai,
>
> Well, I did go through the bug reports, and I could only find one similar thing but in the printing functions.
>
> https://bugzilla.samba.org/show_bug.cgi?id=13745
>
> Can you run this debug script for me, that gives me all I need to know about your system and setup.
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> Then set debug level 10 and try again.
>
> If you can PM me the logs, compress them and attach them.
>
> I'll have a look at what is happening there.
>
> Greetz,
>
> Louis
>
> From: gac [mailto:gac at tutanota.com]
> Sent: Tuesday 17 September 2019 15:41
> To: gac
> CC: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Change in behaviour for the "%U" substitution in 4.10.8?
>
> I downgraded the packages to 4.10.7
>
> The issue is fixed; the two shares I use which contain %U in their paths are now working correctly using the same Windows 7 client logged in as the same user that breaks on 4.10.8. I realise 4.10.7->4.10.8 was a very small changeset but it really seems like some behaviour has changed there...
>
> I obviously don't have any error logs (since there is no longer an error) but if there are any debug level logs which I can turn on to help troubleshoot this by getting the correct "canonicalize_connect_path" output then please let me know and I can turn them on
>
> Thanks
>
> 17 Sep 2019, 13:11 by samba at lists.samba.org:
>
> Ah, thanks - I'll try with those this afternoon and check the behaviour with this version
>
> 17 Sep 2019, 12:56 by samba at lists.samba.org:
>
> Hai,
>
> Yes, the repo does not allow different version numbers, but I do have all my versions in backup.
>
> I made a few tar.gz for you so you can test again with 4.10.7 on a local repo.
> You can find them here. http://downloads.van-belle.nl/samba4/
> The 4.10.7 for Stretch Buster and Bionic source and deb's are there to get.
>
> Greetz,
>
> Louis
>
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of gac via samba
> Sent: Tuesday 17 September 2019 12:49
> To: Samba
> Subject: Re: [Samba] Change in behaviour for the "%U" substitution in 4.10.8?
>
> This is unfortunately still happening - anyone else have any other ideas?
>
> As a reminder/summary of the information from earlier in the thread;
>
> - My [homes] share is "path = /shares/DOMAIN/%U"
> - I am logging into a Windows 7 client as "DOMAIN\username"
> - My log.smbd shows "canonicalize_connect_path failed for service username, path /shares/DOMAIN/domain_username" (where DOMAIN is the domain name with upper-case letters, domain is the domain name with lower-case letters)
> - this issue is affecting two shares in total which use the %U substitution, both are showing the same error. Any shares which use fixed paths are fine, as expected
> - this only seemed to start happening when I upgraded to 4.10.8 from Louis van Belle's repo; I did not see the problem with the 4.10.7 packages from the same repo. Unfortunately the repo removes old versions of packages so I can't roll back to 4.10.7 as a reproduction or workaround
>
> I'd appreciate any more tips, thank you!
>
> 6 Sep 2019, 11:53 by samba at lists.samba.org:
>
> I hadn't, but I did that just now; still the same behaviour.
>
> 6 Sep 2019, 11:49 by samba at lists.samba.org:
>
> Have you tried running
>
> net cache flush
>
> after you have removed the SERVER lines from your config?
>
> Regards
>
> On 06.09.19 at 12:33, gac via samba wrote:
>
> I've now changed the ownership to root, as you suggest.
>
> I've removed the ACLs from /shares/DOMAIN - they don't need to be there as anyone can enter this directory already so there's no need for them.
>
> The ACLs on my individual home directory:
>
> root at server:/shares# getfacl /shares/DOMAIN/username
> getfacl: Removing leading '/' from absolute path names
> # file: shares/DOMAIN/username
> # owner: username
> # group: domain\040users
> user::rwx
> user:www-data:--x
> group::---
> mask::r-x
> other::---
>
> Still no joy, and the logs are still showing:
>
> canonicalize_connect_path failed for service username, path /shares/DOMAIN/domain_username
>
> Thanks for all your advice so far but I still don't believe this is a permissions problem, Samba is trying to access a directory which simply does not exist, and never has existed...
>
> 6 Sep 2019, 11:19 by samba at lists.samba.org:
>
> On 06/09/2019 11:12, gac wrote:
>
> I imagine the numeric UID is my old boss who left the company a few years ago, and by this point his account has been removed, not just disabled. The only thing contained by the DOMAIN directory is a home directory for each user, which is owned by them. So I don't _think_ this is the problem.
>
> The command you suggested returns:
>
> winbind_lookup_rids failed: WBC_ERR_DOMAIN_NOT_FOUND
>
> The ACLs are to allow --x access for the 'www-data' into users' home directories for use with Apache+mod_userdir, and then r-x access for their www directory
>
> Try changing the ownership of /shares/DOMAIN to root
>
> What about the getfacl commands ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
> --
> Dr. Christian Naumer
> Unit Head Bioprocess Development
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> phone +49-6251-9331-30 / fax +49-6251-9331-11
>
> Registered office: Zwingenberg/Bergstrasse
> Register court: AG Darmstadt, HRB 24758
> Executive board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
> Chairman of the supervisory board: Dr. Georg Kellinghusen
>
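
A log-triage sketch for the symptom described in this thread, added as an example and not part of the original messages or of Samba: it scans smbd log text for the `canonicalize_connect_path failed` message and flags paths whose last component is the domain name, a separator, then the user name. The sample lines are constructed, and the `/backup/tm` path, the account names `bob` and `alice`, and both function names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Message wording is taken from the thread; \s+ tolerates a wrapped line.
FAIL_RE = re.compile(
    r"canonicalize_connect_path failed for service (?P<service>[^,\s]+),"
    r"\s+path (?P<path>\S+)"
)

# Constructed sample input; /backup/tm, bob and alice are made up.
SAMPLE_LOG = """\
canonicalize_connect_path failed for service username, path /shares/DOMAIN/domain_username
canonicalize_connect_path failed for service timemachine, path /backup/tm/domain_bob
canonicalize_connect_path failed for service alice, path /shares/DOMAIN/alice
smbd: unrelated line
"""


def split_domain_prefix(leaf, domain):
    """Return the bare user name if leaf is '<domain><sep><user>', else None."""
    head = leaf[: len(domain)]
    rest = leaf[len(domain):]
    # Require one non-alphanumeric separator and a non-empty user part.
    if head.lower() == domain.lower() and len(rest) > 1 and not rest[0].isalnum():
        return rest[1:]
    return None


def scan(log_text, domain):
    """Return one finding per failure line, flagging domain-prefixed paths."""
    findings = []
    for m in FAIL_RE.finditer(log_text):
        path = PurePosixPath(m["path"])
        user = split_domain_prefix(path.name, domain)
        findings.append({
            "service": m["service"],
            "path": str(path),
            "prefixed": user is not None,
            # Directory the share would map to without the domain prefix.
            "unprefixed": str(path.parent / user) if user else None,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "DOMAIN"):
        tag = "PREFIXED" if f["prefixed"] else "other"
        print(f"{tag:8} {f['service']:12} {f['path']} -> {f['unprefixed']}")
```

A failure that is not flagged as prefixed (the third sample line) points at a missing directory or a permissions problem rather than at the substitution.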