[Samba] Change in behaviour for the "%U" substitution in 4.10.8?
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 18 10:54:44 UTC 2019
Ok so for [homes] is correct now.
> I'm tempted to try and blow the smb.conf away,
Thats not needed in my opinion, at least not yet.
> However the other share that uses the "%U" substitution in its path still does not work because it's looking for the wrong path on the server.
Have you tried to replace %U in the path off the not working share with %u ?
Greetz,
Louis
Van: gac [mailto:gac at tutanota.com]
Verzonden: woensdag 18 september 2019 11:56
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Change in behaviour for the "%U" substitution in 4.10.8?
OK, I did what you suggested, and the [homes] share worked. I played around with the other options, and it's specifically the "path" option that breaks it. So by using all the options except "path" I now at least have working home directories, which automatically use the users correct home directory (I guess this ultimately comes from winbind via `getent passwd` or similar?) rather than an explicit path statement with the substitution.
However the other share that uses the "%U" substitution in its path still does not work because it's looking for the wrong path on the server. I can't remove the "path" from this one because it is a separate folder and nothing to do with a users homedir. Something I hadn't picked up on until today when I opened Explorer in Details view is that this second share also uses "%U" in its comment, and in Windows Explorer the comment is also shown incorrectly as "domain_username" with 4.10.8 (and correctly as just "username" in 4.10.7) which reflects the name of the folder on the server it's looking for
---
C:\Users\gac>net view \\server
Shared resources at \\server
Samba 4.10.7-Ubuntu
Share name Type Used as Comment
-------------------------------------------------------------------------------
gac Disk Home Directories
timemachine Disk Time Machine for gac <<< correct
tmp Disk
The command completed successfully.
C:\Users\gac>net view \\server
Shared resources at \\server
Samba 4.10.8-Ubuntu
Share name Type Used as Comment
-------------------------------------------------------------------------------
gac Disk Home Directories
timemachine Disk Time Machine for domain_gac <<< incorrect
tmp Disk
The command completed successfully.
---
This is using exactly the same Windows 7 client machine, running the packages from apt.van-belle.nl ( I manually downgraded to 4.10.7 for the first run, then did `apt-get upgrade` to get back to 4.10.8 for the second run
At this point I'm tempted to try and blow the smb.conf away, but that would probably leave a bunch of broken permissions that I'd have to fix up with `find -uid`. I think the reason this uses idmap_rid is because a long time ago this box used LikeWise/PBIS, then that stopped working in a later Ubuntu release and it was removed but idmap_rid allowed us to keep the same Unix UID for a given user. If we'd used idmap_ad to start with then it would probably be much easier...
18 Sep 2019, 09:33 by samba at lists.samba.org:
Before i want level 10 logs..
Can you try this for [homes]
[homes]
readonly = no
That it, nothing more, nothing less..
Thanks Rowland for this part.
It might help to understand a few things better, at least it helped me. :-)
In theory %S, %u and %U should all be the same, the users name.
If you check what they mean, you will find this:
%S : the name of the current service, if any.
%u : username of the current service, if any.
%U : session username (the username that the client wanted, not
necessarily the same as the one they got).
Now, we are not sure yet about your problem.
You might have found something, and maybe not.
I do understand where you setting is coming from, or at least im thinking of
You took this part and added it in [homes]
Default: template homedir = /home/%D/%U <<
Which does work for [home] only, [homes] is different cookie..
man smb.conf the "[homes]" section
And keep in mind, less settings in samba is better,
its to easy to mix incompatible settings,
and these are sometimes hard to detect.
Personaly for a share path in user and profiles shares.
I really recommend to use something like this. :
[users]
path = /home/samba/users
read only = no
[profiles]
path = /home/samba/profiles
read only = no
Path's are changeable to you needs ofcourse here.
Why i recommend this.
If you creating windows users and your using RSAT.
You can set the profile path and usershares.
If you use \\server.fqdn\users\ ( per example from the [users] share.
Can you can set in RSAT \\server.fqdn\users\%username%
And now windows creates the homedir and this works the same for profiles.
Just saying..
Greetz,
Louis
________________________________
Van: gac [mailto:gac at tutanota.com]
Verzonden: dinsdag 17 september 2019 17:56
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Change in behaviour for the "%U" substitution in 4.10.8?
I found the same bug, and discounted it as irrelevant...I can't see the details of the bug related to the CVE which was the only 4.10.8 change, but I can't imagine that would have anything useful either.
Just to be clear, do you want information and logs from the working 4.10.7, the broken 4.10.8, or both?
Thanks
17 Sep 2019, 14:58 by samba at lists.samba.org:
Hai,
Well, i did go throught the bug reports, and i could only find one simular thing but in the printing functions.
https://bugzilla.samba.org/show_bug.cgi?id=13745
Can you run this debug script for me, that give me all i need to know about you system and setup.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Then set debug level 10 and try again.
if you can pm me the logs, compress them and attach them.
I'll have a look that is happening there.
Greetz,
Louis
Van: gac [mailto:gac at tutanota.com]
Verzonden: dinsdag 17 september 2019 15:41
Aan: gac
CC: L.P.H. van Belle; samba at lists.samba.org
Onderwerp: Re: [Samba] Change in behaviour for the "%U" substitution in 4.10.8?
I downgraded the packages to 4.10.7
The issue is fixed; the two shares I use which contain %U in their paths are now working correctly using the same Windows 7 client logged in as the same user that breaks on 4.10.8. I realise 4.10.7->4.10.8 was a very small changeset but it really seems like some behaviour has changed there...
I obviously don't have any error logs (since there is no longer an error) but if there are any debug level logs which I can turn on to help troubleshoot this by getting the correct "canonicalize_connect_path" output then please let me know and I can turn them on
Thanks
17 Sep 2019, 13:11 by samba at lists.samba.org:
Ah, thanks - I'll try with those this afternoon and check the behaviour with this version
17 Sep 2019, 12:56 by samba at lists.samba.org:
Hai,
Yes, the repo does not allow different versionnumbers, but i do have all my versions in backup.
I made a few tar.gz for you so you can test again with 4.10.7 on a local repo.
You can find them here. http://downloads.van-belle.nl/samba4/
The 4.10.7 for Stretch Buster and Bionic source and deb's are there to get.
Greetz,
Louis
-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces at lists.samba.org] Namens gac via samba
Verzonden: dinsdag 17 september 2019 12:49
Aan: Samba
Onderwerp: Re: [Samba] Change in behaviour for the "%U"
substitution in 4.10.8?
This is unfortunately still happening - anyone else have any
other ideas?
As a reminder/summary of the information from earlier in the thread;
- My [homes] share is "path = /shares/DOMAIN/%U"
- I am logging into a Windows 7 client as "DOMAIN\username"
- My log.smbd shows "canonicalize_connect_path failed for
service username, path /shares/DOMAIN/domain_username" (where
DOMAIN is the domain name with upper-case letters, domain is
the domain name with lower-case latters)
- this issue is affecting two shares in total which use the
%U substitution, both are showing the same error. Any shares
which use fixed paths are fine, as expected
- this only seemed to start happening when I upgraded to
4.10.8 from Louis van Belle's repo; I did not see the problem
with the 4.10.7 packages from the same repo. Unfortunately
the repo removes old versions of packages so I can't roll
back to 4.10.7 as a reproduction or workaround
I'd appreciate any more tips, thank you!
6 Sep 2019, 11:53 by samba at lists.samba.org:
I hadn't, but I did that just now; still the same behaviour.
6 Sep 2019, 11:49 by samba at lists.samba.org:
Have you tried running
net cache flush
after you have removed the SERVER lines from you config?
Regards
Am 06.09.19 um 12:33 schrieb gac via samba:
I've now changed the ownership to root, as you suggest.
I've removed the ACLs from /shares/DOMAIN - they don't
need to be there as anyone can enter this directory already
so there's no need for them.
The ACLs on my individual home directory:
root at server:/shares# getfacl /shares/DOMAIN/username
getfacl: Removing leading '/' from absolute path names
# file: shares/DOMAIN/username
# owner: username
# group: domain\040users
user::rwx
user:www-data:--x
group::---
mask::r-x
other::---
Still no joy, and the logs are still showing:
canonicalize_connect_path failed for service username,
path /shares/DOMAIN/domain_username
Thanks for all your advice so far but I still don't
believe this is a permissions problem, Samba is trying to
access a directory which simply does not exist, and never has
existed...
6 Sep 2019, 11:19 by samba at lists.samba.org:
On 06/09/2019 11:12, gac wrote:
I imagine the numeric UID is my old boss who left the
company a few years ago, and by this point his account has
been removed, not just disabled. The only thing contained by
the DOMAIN directory is a home directory for each user, which
is owned by them. So I don't _think_ this is the problem.
The command you suggested returns:
winbind_lookup_rids failed: WBC_ERR_DOMAIN_NOT_FOUND
The ACLs are to allow --x access for the 'www-data'
into users home directories for use with Apache+mod_userdir,
and then r-x access for their www directory
Try changing the ownership of /shares/DOMAIN to root
What about the getfacl commands ?
Rowland
--
To unsubscribe from this list go to the following URL
and read the
instructions: https://lists.samba.org/mailman/options/samba
--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender,
Ludger Roedder
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list