[Samba] urgent problem with samba 4.13 and chown/chgrp

L.P.H. van Belle belle at bazuin.nl
Thu Feb 11 10:03:36 UTC 2021


PS.

For the NFS-related parts:

Make sure your servers all have the:
- nfs/fqdn SPN.
- A + PTR for all servers, OR if you don't use PTR (not advised)
  set rdns=no in krb5.conf

If you deny root access to the user home,
you might need:
[appdefaults]
    forwardable = true
    pam = {
        minimum_uid = 1000
        YOUR.REALM.HERE = {
            # automounts try to read the file $HOME/.k5login
            # if they can't read it, mount fails, we ignore it.
            ignore_k5login = true
        }
    }
(or add root/spn to the servername, also works)

My exportfs file on Debian Buster.
I use all options as shown with NFSv4.x (and 3.x, not shown here).

sec=sys:krb5:krb5i:krb5p
If you set all these for NFS, you can first try with/without Kerberos authentication.

#/etc/exportfs
/srv 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)

/srv/samba/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)

Here my assigned home dir is on all my servers:
/home/users

which I bind mount with systemd as follows.

/etc/systemd/system/home-users.mount
[Unit]
Description=Mount (bind) (/home/users)
Wants=network-online.target

[Mount]
What=/srv/samba/users
Where=/home/users
Type=none
Options=bind

[Install]
WantedBy=multi-user.target

I hope this helps you. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> via samba
> Sent: Thursday 11 February 2021 10:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] urgent problem with samba 4.13 and chown/chgrp
> 
> Besides your problem.
> 
> >>> idmap config EECSYORKUCA : range = 1000-999999
> 
> Now, ONLY if you didn't create a first user on Linux, you're OK here.
> Normally we do recommend to use/start higher.
> 
> You should now use overlapping ID's.
> 
> see also :
> cat /etc/addusers.conf
> 
> Start there, at least verify you don't have any users in the assigned range
> for samba
> 
> 
> 
> Greetz,
> 
> Louis
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jason Keltz via
> > samba
> > Sent: Wednesday 10 February 2021 21:50
> > To: samba at lists.samba.org
> > Subject: [Samba] urgent problem with samba 4.13 and chown/chgrp
> >
> > I'm trying to use chown/chgrp commands on files on NFS storage.
> >
> > Take a file "l" that I touched:
> >
> > -rw------- 1 jas tech 0 Feb 10 15:21 l
> >
> > (note that user and group mapping is working perfectly)
> >
> > % chgrp core l
> > chgrp: changing group of ‘l’: Invalid argument
> >
> > The problem is not the group:
> >
> > % getent group core
> > core:x:1001:
> >
> > % wbinfo -n 'core'
> > S-1-5-21-1981678738-1545235886-4256466701-6765 SID_DOM_GROUP (2)
> >
> > % wbinfo -Y 'S-1-5-21-1981678738-1545235886-4256466701-6765'
> > 1001
> >
> > The problem is not the user:
> >
> > % getent passwd jas
> >
> > jas:*:1004:1000::/cs/home/jas:/cs/local/bin/tcsh
> >
> > When looking at an strace of the chgrp above, I see this odd call:
> >
> > fchownat(AT_FDCWD, "l", -1, 1001, 0) = -1 EINVAL (Invalid argument)
> >
> > Where the third argument should be my uid 1004 and is instead -1.
> >
> > In smb.conf:
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > # idmap config for the EECSYORKUCA domain
> > # range should match UNIX ID in AD
> >
> > idmap config EECSYORKUCA : backend = ad
> > idmap config EECSYORKUCA : schema_mode = rfc2307
> > idmap config EECSYORKUCA : range = 1000-999999
> > idmap config EECSYORKUCA : unix_primary_group = yes
> > idmap config EECSYORKUCA : unix_nss_info = yes
> >
> > Yes, and in /etc/nsswitch.conf:
> >
> > passwd:     files winbind
> > shadow:     files
> > group:      files winbind
> >
> > As a side note, if I try to change the ownership of the file, I get a
> > similar behaviour.
> >
> > This is a showstopper if I can't get this figured out. :( panic setting
> > in....
> >
> > (I'm positive I used chown/chgrp with 4.11 successfully.)
> >
> > Jason.
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 
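The check recommended in the quoted reply above (verify that no local accounts sit inside the ID range assigned to Samba), written out as an added example that is not part of the original e-mails. It goes one step further than the thread by also checking local GIDs and overlaps between idmap ranges; the idmap lines are taken from the quoted smb.conf, while the passwd/group lines and the `localadmin` account are constructed for illustration.

```python
import re

# Constructed sample input: the idmap lines come from the smb.conf quoted in
# the thread; the passwd/group lines are made-up local ("files") accounts.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config EECSYORKUCA : backend = ad
idmap config EECSYORKUCA : range = 1000-999999
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
localadmin:x:1000:
nogroup:x:65534:
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for each 'idmap config X : range' line."""
    found = (RANGE_RE.match(line) for line in smb_conf.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in found if m}

def local_ids(db_text):
    """Return {name: id} from passwd/group-format text (field 3 is the ID)."""
    rows = (line.split(":") for line in db_text.splitlines())
    return {r[0]: int(r[2]) for r in rows if len(r) >= 3 and r[2].isdigit()}

def collisions(smb_conf, passwd, group):
    """List (kind, name, id, domain) for local IDs inside an idmap range."""
    hits = []
    for domain, (low, high) in sorted(idmap_ranges(smb_conf).items()):
        for kind, text in (("uid", passwd), ("gid", group)):
            hits += [(kind, name, num, domain)
                     for name, num in sorted(local_ids(text).items())
                     if low <= num <= high]
    return hits

def overlapping_ranges(smb_conf):
    """List pairs of idmap domains whose ID ranges intersect."""
    r = sorted(idmap_ranges(smb_conf).items())
    return [(a, b) for i, (a, (alo, ahi)) in enumerate(r)
            for b, (blo, bhi) in r[i + 1:] if alo <= bhi and blo <= ahi]
```

With the sample data, `collisions(SMB_CONF, PASSWD, GROUP)` reports the first local user at 1000 and also `nobody`/`nogroup` at 65534, both of which lie inside the 1000-999999 domain range. To run it on a real host, pass in the text of that host's own smb.conf, /etc/passwd and /etc/group.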




