[Samba] Why some user names are not resolved by 'getfacl' ?
Nicola Mingotti
nmingotti at gmail.com
Wed Feb 24 21:43:06 UTC 2021
On 2/24/21 10:07 PM, Rowland penny via samba wrote:
> On 24/02/2021 20:55, Nicola Mingotti via samba wrote:
>>
>> ERRATA CORRIGE.
>>
>> ---- wrong ----
>> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
>> -------------
>>
>> To change with
>> ------------------
>> WINDOM\riccardo at nas> getent passwd
>> ------------------
>>
>> Sorry
>>
>> n.
>>
>>
>> On 2/24/21 9:49 PM, Nicola Mingotti wrote:
>>> Hi,
>>>
>>> I have a Samba NAS and a Samba DC. Both running in Linux Debian 10,
>>> stable.
>>> Samba installed via .deb packages.
>>>
>>> Recently I found this strange behavior in 'getfacl' output. Some
>>> user names are correctly reported, for others instead only a number
>>> is shown.
>>>
>>> Note that, if the same domain user runs
>>> -------
>>> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
>>> -------
>>> all usernames are correctly shown.
>>> So, for example:
>>> -------
>>> WINDOM\riccardo at nas> getent passwd | grep 10512
>>> WINDOM\adam1:*:11127:10512::/home/WINDOM-adam1:/bin/bash
>>> ---------
>>>
>>> Misbehavior example. Observe user '10512' is not resolved to
>>> 'WINDOM\adam1', for example.
>>> ------------------------------
>>> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
>>> ---- long output ------
>>> # file: aaa-test-riccardo-2/
>>> # owner: root
>>> # group: adm
>>> user::rwx
>>> user:10512:rwx
>>> user:10513:r-x
>>> user:11157:rwx
>>> user:11159:r-x
>>> user:11173:r-x
>>> user:11180:rwx
>>> group::r-x
>>> group:WINDOM\\domain\040admins:rwx
>>> group:WINDOM\\domain\040users:r-x
>>> group:WINDOM\\riccardo:rwx
>>> group:WINDOM\\g-ufficiotecnico:rwx
>>> group:WINDOM\\g-leggitutto:r-x
>>> group:WINDOM\\g-utentiufficio:r-x
>>> group:WINDOM\\g-foto-video:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:10512:rwx
>>> default:user:10513:r-x
>>> default:user:WINDOM\\riccardo:rwx
>>> default:user:11157:rwx
>>> default:user:11159:r-x
>>> default:user:11173:r-x
>>> default:user:11180:rwx
>>> default:group::r-x
>>> default:group:WINDOM\\domain\040admins:rwx
>>> default:group:WINDOM\\domain\040users:r-x
>>> default:group:WINDOM\\g-ufficiotecnico:rwx
>>> default:group:WINDOM\\g-leggitutto:r-x
>>> default:group:WINDOM\\g-utentiufficio:r-x
>>> default:group:WINDOM\\g-foto-video:rwx
>>> default:mask::rwx
>>> default:other::---
>>> ------------------
>>>
>>> I rebooted the NAS, that was of no help.
>>>
>>> I can tell you that this directory was made by a Windows system.
>>> If I make the same directory, with the same domain user, but from
>>> a Linux system the result is much shorter.
>>>
>>> Thanks in advance for any hint you may give me!
>>>
>>> bye
>>> Nicola
>>>
>>>
>>>
>>>
>>
>
> There is something going wrong here, can you post the smb.conf files
> from the NAS and DC.
>
> Rowland
>
>
>
Hi Rowland,
I put here my files. It is late here, if you have any other request
I can send you other info tomorrow.
It is the first time I see such a mess with getfacl.
Recently other unusual things happened.
For example today I added a user to a new group and I was not able to
see it from the NAS, even after a reboot. I had to wait a few hours and
for all office employees to go home to see the change propagated to the NAS.
Other unusual things. About 10 days ago there was a severe power shortage,
backup batteries ran out and all the servers shut down badly. On reboot
I observed this unusual fact: a few users were not able to access
certain target directories because they lost the right to walk through
intermediate ones.
For example, imagine user Foo had access to dir D, which is in /A/B/C/D,
till the day before. Well, after the power shortage a few users had
lost the ability to walk through B or C.
This is my first serious Samba, so I am pretty sure I made some mistakes
here and there.
The only big thing I added in the last month is that a QNAP is part of the
domain and it is accessing the NAS. It did not give me the impression
of being solid. I hope it is not that box making the mess because it is
a nightmare to configure.
thank you
bye
n.
=============================================
================ dc =========================
=============================================
# Global parameters
[global]
dns forwarder = 172.16.3.49
netbios name = DC1
realm = WINDOM.BORGHI.LAN
server role = active directory domain controller
workgroup = WINDOM
idmap_ldb:use rfc2307 = yes
# . for logging
log level = 1 auth_json_audit:3
# log level = 1 auth_audit:3 auth_json_audit:3
# log level = 1 auth_audit:3
# . for group policy propagation
apply group policies = yes
[netlogon]
path = /var/lib/samba/sysvol/windom.borghi.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
===========================================
================= nas =====================
===========================================
[global]
workgroup = WINDOM
security = ADS
realm = WINDOM.BORGHI.LAN
# for Windows ACLs
winbind refresh tickets = Yes
# vfs objects = acl_xattr
# vfs objects = acl_xattr shadow_copy2
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# remove after testing
winbind enum users = yes
winbind enum groups = yes
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# logs
# log file = /var/log/samba/%m.log
# log level = 1
log file = /var/log/samba/samba.log
# log file = /var/log/samba/perPersonOrMachine/%U.log
# log level = 1 smb:2 smb2:3
# log level = 2 smb:2 smb2:2 vfs:9
log level = 2 smb:2 smb2:2
# . make sure to manage this with logrotate
# max file size 100 MB, hopefully logrotate cuts it before that
max log size = 100000
# ---- ID mapping backend rid -------
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config WINDOM : backend = rid
idmap config WINDOM : range = 10000-999999
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/WINDOM-%U
# map "Administrator" to "root"
username map = /usr/local/samba/etc/user.map
# directory that serves as the shared disk
[sambaDisk]
path = /mnt/sambaShared/sambaDisk
read only = no
# --- default mask for users
create mask = 777
directory mask = 777
# -- what happens if a user leaves?
# better make sure there are no problems by setting
# a default user and group for all files.
# (*) applies to Windows clients. Does not apply to Linux. Mac?
# => DISABLED, because in the logs I no longer see who opens the
# files, only "root", everywhere
# force user = root
# force group = adm
# inherit permissions = true
# ---- load the needed modules
# vfs objects = full_audit shadow_copy2
vfs objects = acl_xattr shadow_copy2
# -------------------------------
# --- for auditing ---------------
# . disabled, due to issues with logs that do not restart
# I can read the read/write accesses to files in the
# default logs.
# opendir: too much output, it is read automatically
# these I don't understand what they do: read write pread pwrite
# full_audit:prefix = %u|%I
# full_audit:success = open
# full_audit:failure = all
# full_audit:facility = LOCAL5
# --------------------------------
# ---- for shadow copies ------
shadow:snapdir = /mnt/sambaShared/snapshots
shadow:basedir = /mnt/sambaShared/sambaDisk
shadow:sort = desc
# ===================================================================
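The following is an added example, not code from the thread or from Samba: a small Python script that parses getfacl output, inverts the rid idmap mapping declared in the NAS smb.conf above (with `idmap config WINDOM : backend = rid` and `range = 10000-999999`, unix id = 10000 + RID, so an ACL qualifier of 10512 corresponds to RID 512), and checks each numeric qualifier against passwd/group tables, reporting whether the id is resolvable, belongs to the opposite id space (a group id sitting in a `user:` entry, which a passwd lookup cannot resolve), is unknown to nss, or lies outside the domain range. The ACL lines are taken from the listing quoted in the thread, the adam1 passwd line is from the thread, and the `testuser` passwd line, the group lines and the `user:3001` entry are constructed for this example; the well-known RID table holds the standard AD values and is an assumption of the example, not something the page states.

```python
import re

# From the NAS smb.conf quoted in this thread:
#   idmap config WINDOM : backend = rid
#   idmap config WINDOM : range = 10000-999999
# The rid backend maps unix id = RANGE_LOW + RID, so RID = unix id - RANGE_LOW.
RID_RANGE_LOW, RID_RANGE_HIGH = 10000, 999999

# Well-known AD RIDs, used only to annotate the report (standard values, not from the thread).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 515: "Domain Computers"}

# Constructed sample inputs. The ACL lines are a subset of the getfacl listing quoted
# above; the adam1 passwd line is from the thread; the testuser passwd line, the group
# lines and the 'user:3001' entry are made up for this example.
SAMPLE_GETFACL = r"""
# file: aaa-test-riccardo-2/
# owner: root
# group: adm
user::rwx
user:10512:rwx
user:10513:r-x
user:11157:rwx
user:11159:r-x
user:3001:r-x
group::r-x
group:WINDOM\\domain\040admins:rwx
group:WINDOM\\riccardo:rwx
mask::rwx
other::---
default:user:10512:rwx
default:user:WINDOM\\riccardo:rwx
"""

SAMPLE_PASSWD = r"""
WINDOM\adam1:*:11127:10512::/home/WINDOM-adam1:/bin/bash
WINDOM\testuser:*:11157:10513::/home/WINDOM-testuser:/bin/bash
"""

SAMPLE_GROUP = r"""
WINDOM\domain admins:x:10512:
WINDOM\domain users:x:10513:
"""

_ESC = re.compile(r"\\(\\|[0-7]{3})")


def unescape(name: str) -> str:
    r"""Undo getfacl escaping: a doubled backslash becomes one, octal \040 becomes a space."""
    return _ESC.sub(lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)


def id_table(text: str) -> dict:
    """Map numeric id -> name from passwd(5)/group(5)-style lines (field 3 is the id)."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            table[int(fields[2])] = fields[0]
    return table


def parse_getfacl(text: str):
    """Yield (entry, tag, qualifier) for each ACL entry line; comment lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("\t#")[0].strip()          # drop '#effective:' annotations
        if not line or line.startswith("#"):
            continue
        body = line[len("default:"):] if line.startswith("default:") else line
        parts = body.split(":")
        if len(parts) < 3:
            continue
        yield line, parts[0], ":".join(parts[1:-1])


def rid_of(unix_id: int, low=RID_RANGE_LOW, high=RID_RANGE_HIGH):
    """Invert the rid backend mapping; None when the id is not in the domain range."""
    return unix_id - low if low <= unix_id <= high else None


def classify_numeric_entries(getfacl_text, passwd_text, group_text,
                             low=RID_RANGE_LOW, high=RID_RANGE_HIGH):
    """Explain every ACL entry whose qualifier is still a bare number."""
    users, groups = id_table(passwd_text), id_table(group_text)
    findings = []
    for entry, tag, qualifier in parse_getfacl(getfacl_text):
        if not qualifier.isdigit():
            continue                                 # nss already resolved it to a name
        unix_id = int(qualifier)
        rid = rid_of(unix_id, low, high)
        same = users if tag == "user" else groups    # the table getfacl itself consults
        other = groups if tag == "user" else users   # the opposite id space
        other_kind = "group" if tag == "user" else "user"
        if rid is None:
            kind = "out-of-range"
            note = f"id {unix_id} is outside the WINDOM rid range {low}-{high}"
        elif unix_id in same:
            kind = "resolvable"
            note = f"nss maps it to {same[unix_id]}; getfacl should have printed that name"
        elif unix_id in other:
            kind = f"{other_kind}-as-{tag}"
            note = (f"id {unix_id} is {other_kind} {other[unix_id]} (RID {rid}); "
                    f"a {tag} lookup for it cannot succeed")
        else:
            kind = "unknown"
            label = WELL_KNOWN_RIDS.get(rid, "not a well-known RID")
            note = f"RID {rid} ({label}) is in the rid range but unknown to nss"
        findings.append({"entry": entry, "tag": tag, "id": unix_id,
                         "rid": rid, "kind": kind, "note": note})
    return findings


if __name__ == "__main__":
    for f in classify_numeric_entries(SAMPLE_GETFACL, SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{f['entry']:<28} {f['kind']:<14} {f['note']}")
```

To use it against a live NAS, replace the three constructed strings with the real output of `getfacl <dir>`, `getent passwd` and `getent group`; a "resolvable" finding points at a lookup that works for `getent` but not at the moment getfacl ran (a winbind cache or connectivity question), while a "group-as-user" finding means the number will never resolve as a user no matter how healthy winbind is.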