[Samba] urgent problem with samba 4.13 and chown/chgrp
L.P.H. van Belle
belle at bazuin.nl
Thu Feb 11 10:03:36 UTC 2021
Ps.
For the NFS related parts.
Make sure your servers all have the:
- nfs/fqdn SPN.
- A + PTR for all servers, OR if you don't use PTR (not advised)
set rdns=no in krb5.conf
If you deny root access to the user home,
you might need:
[appdefaults]
    forwardable = true
    pam = {
        minimum_uid = 1000
        YOUR.REALM.HERE = {
            # automounts try to read the file $HOME/.k5login
            # if they can't read it, mount fails, we ignore it.
            ignore_k5login = true
        }
    }
(or add root/spn to the servername, also works)
My exportfs file on Debian Buster.
I use all options as shown with NFSv4.x (and 3.x not shown here)
sec=sys:krb5:krb5i:krb5p
If you set all these for NFS, you can first try with/without Kerberos authentication.
#/etc/exportfs
/srv 192.168.0.0/24(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=sys:krb5:krb5i:krb5p)
/srv/samba/users 192.168.0.0/24(rw,sync,no_subtree_check,sec=sys:krb5:krb5i:krb5p)
Here my assigned home dir is on all my servers:
/home/users
which I bind mount with systemd as follows.
/etc/systemd/system/home-users.mount
[Unit]
Description=Mount (bind) (/home/users)
Wants=network-online.target
[Mount]
What=/srv/samba/users
Where=/home/users
Type=none
Options=bind
[Install]
WantedBy=multi-user.target
I hope this helps you.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> via samba
> Sent: Thursday 11 February 2021 10:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] urgent problem with samba 4.13 and chown/chgrp
>
> Besides your problem.
>
> >>> idmap config EECSYORKUCA : range = 1000-999999
>
> Now, ONLY if you didn't create a first user on Linux, you're ok here.
> Normally we do recommend to use/start higher.
>
> You should now use overlapping ID's.
>
> see also :
> cat /etc/addusers.conf
>
> Start there, at least verify you don't have any users in the assigned range
> for Samba.
>
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jason Keltz via
> > samba
> > Sent: Wednesday 10 February 2021 21:50
> > To: samba at lists.samba.org
> > Subject: [Samba] urgent problem with samba 4.13 and chown/chgrp
> >
> > I'm trying to use chown/chgrp commands on files on NFS storage.
> >
> > Take a file "l" that I touched:
> >
> > -rw------- 1 jas tech 0 Feb 10 15:21 l
> >
> > (note that user and group mapping is working perfectly)
> >
> > % chgrp core l
> > chgrp: changing group of ‘l’: Invalid argument
> >
> > The problem is not the group:
> >
> > % getent group core
> > core:x:1001:
> >
> > % wbinfo -n 'core'
> > S-1-5-21-1981678738-1545235886-4256466701-6765 SID_DOM_GROUP (2)
> >
> > % wbinfo -Y 'S-1-5-21-1981678738-1545235886-4256466701-6765'
> > 1001
> >
> > The problem is not the user:
> >
> > % getent passwd jas
> >
> > jas:*:1004:1000::/cs/home/jas:/cs/local/bin/tcsh
> >
> > When looking at an strace of the chgrp above, I see this odd call:
> >
> > fchownat(AT_FDCWD, "l", -1, 1001, 0) = -1 EINVAL (Invalid argument)
> >
> > Where the third argument should be my uid 1004 and is instead -1.
> >
> > In smb.conf:
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > # idmap config for the EECSYORKUCA domain
> > # range should match UNIX ID in AD
> >
> > idmap config EECSYORKUCA : backend = ad
> > idmap config EECSYORKUCA : schema_mode = rfc2307
> > idmap config EECSYORKUCA : range = 1000-999999
> > idmap config EECSYORKUCA : unix_primary_group = yes
> > idmap config EECSYORKUCA : unix_nss_info = yes
> >
> > Yes, and in /etc/nsswitch.conf:
> >
> > passwd: files winbind
> > shadow: files
> > group: files winbind
> >
> > As a side note, if I try to change the ownership of the file, I get a
> > similar behaviour.
> >
> > This is a showstopper if I can't get this figured out. :( panic setting
> > in....
> >
> > (I'm positive I used chown/chgrp with 4.11 successfully.)
> >
> > Jason.
> >
> >
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
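
Added example, not part of the original messages: one way to carry out the check suggested in the quoted reply above, verifying that no local users have IDs inside a range assigned to Samba. The idmap lines are the ones quoted in the thread; the passwd sample and the function names are constructed for illustration, and the same check applies to /etc/group.

```python
import re

# "idmap config DOMAIN : range = LOW-HIGH" lines as they appear in smb.conf
IDMAP_RANGE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for every idmap range in smb.conf text."""
    return {d: (int(lo), int(hi)) for d, lo, hi in IDMAP_RANGE.findall(smb_conf)}

def local_ids(db_text):
    """Return {name: id} from passwd- or group-format text (field 3 is the ID)."""
    ids = {}
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#") and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids

def collisions(smb_conf, db_text):
    """List (name, id, domain) for local entries inside a winbind idmap range."""
    ranges = idmap_ranges(smb_conf)
    return sorted(
        (name, num, dom)
        for name, num in local_ids(db_text).items()
        for dom, (lo, hi) in ranges.items()
        if lo <= num <= hi
    )

# idmap lines quoted on this page
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config EECSYORKUCA : backend = ad
idmap config EECSYORKUCA : range = 1000-999999
"""
# Constructed sample of a local /etc/passwd (not from the thread)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000::/home/localadmin:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    # Read the local files directly; getent would also return winbind entries.
    for name, num, dom in collisions(SMB_CONF, PASSWD):
        print(f"local {name} has ID {num}, inside idmap range of {dom}")
```

With the constructed sample, both the first local user (uid 1000) and nobody (uid 65534) fall inside the 1000-999999 range.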