[Samba] Why some user names are not resolved by 'getfacl' ?

Nicola Mingotti nmingotti at gmail.com
Wed Feb 24 21:43:06 UTC 2021



On 2/24/21 10:07 PM, Rowland penny via samba wrote:
> On 24/02/2021 20:55, Nicola Mingotti via samba wrote:
>>
>> ERRATA CORRIGE.
>>
>> ---- wrong ----
>> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
>> -------------
>>
>> To change with
>> ------------------
>> WINDOM\riccardo at nas> getent passwd
>> ------------------
>>
>> Sorry
>>
>> n.
>>
>>
>> On 2/24/21 9:49 PM, Nicola Mingotti wrote:
>>> Hi,
>>>
>>> I have a Samba NAS and a Samba DC. Both running in Linux Debian 10, 
>>> stable.
>>> Samba installed via .deb packages.
>>>
>>> Recently i found this strange behavior in 'getfacl' output. Some 
>>> user names
>>> are correctly reported, for others instead only a number is shown.
>>>
>>> Note that, if the same domain user runs
>>> -------
>>> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
>>> -------
>>> all usernames are correctly shown.
>>> So, for example:
>>> -------
>>> WINDOM\riccardo at nas> getent passwd | grep 10512
>>> WINDOM\adam1:*:11127:10512::/home/WINDOM-adam1:/bin/bash
>>> ---------
>>>
>>> Misbehavior example. Observe user '10512' is not resolved to 
>>> 'WINDOM\adam1', for example.
>>> ------------------------------
>>> WINDOM\riccardo at nas $> getfacl aaa-test-riccardo-2/
>>> ---- long output ------
>>> # file: aaa-test-riccardo-2/
>>> # owner: root
>>> # group: adm
>>> user::rwx
>>> user:10512:rwx
>>> user:10513:r-x
>>> user:11157:rwx
>>> user:11159:r-x
>>> user:11173:r-x
>>> user:11180:rwx
>>> group::r-x
>>> group:WINDOM\\domain\040admins:rwx
>>> group:WINDOM\\domain\040users:r-x
>>> group:WINDOM\\riccardo:rwx
>>> group:WINDOM\\g-ufficiotecnico:rwx
>>> group:WINDOM\\g-leggitutto:r-x
>>> group:WINDOM\\g-utentiufficio:r-x
>>> group:WINDOM\\g-foto-video:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:10512:rwx
>>> default:user:10513:r-x
>>> default:user:WINDOM\\riccardo:rwx
>>> default:user:11157:rwx
>>> default:user:11159:r-x
>>> default:user:11173:r-x
>>> default:user:11180:rwx
>>> default:group::r-x
>>> default:group:WINDOM\\domain\040admins:rwx
>>> default:group:WINDOM\\domain\040users:r-x
>>> default:group:WINDOM\\g-ufficiotecnico:rwx
>>> default:group:WINDOM\\g-leggitutto:r-x
>>> default:group:WINDOM\\g-utentiufficio:r-x
>>> default:group:WINDOM\\g-foto-video:rwx
>>> default:mask::rwx
>>> default:other::---
>>> ------------------
>>>
>>> I rebooted the NAS, that was of no help.
>>>
>>> I can tell you that this directory was made by a Windows system.
>>> If I make the same directory, with the same domain user, but from
>>> a Linux system the result is much shorter.
>>>
>>> Thanks in advance for any hint you may give me !
>>>
>>> bye
>>> Nicola
>>>
>>>
>>>
>>>
>>
>
> There is something going wrong here, can you post the smb.conf files 
> from the NAS and DC.
>
> Rowland
>
>
>

Hi Rowland,

I put my files here. It is late here; if you have any other request
I can send you other info tomorrow.

It is the first time i see such a mess with getfacl.

Recently other unusual things happened.

For example, today I added a user to a new group and I was not able to 
see it from the NAS, even after a reboot. I had to wait a few hours, for
all office employees to go home, to see the change propagated to the NAS.

Other unusual things. About 10 days ago there was a severe power outage,
the backup batteries ran out and all the servers shut down badly. On reboot
I observed this unusual fact: a few users were not able to access 
certain target directories because they had lost the right to walk
through intermediate ones.
For example, imagine user Foo had access to dir D till the day before,
which is in /A/B/C/D. Well, after the power outage a few users had
lost the ability to walk through B or C.

This is my first serious Samba setup, so I am pretty sure I made some mistakes
here and there.

The only big thing I added in the last month is that a QNAP is part of the
domain and it is accessing the NAS.  It did not give me the impression
of being solid. I hope it is not that box making the mess, because it is
a nightmare to configure.

thank you

bye
n.


=============================================
================ dc =========================
=============================================

# Global parameters
[global]
     dns forwarder = 172.16.3.49
     netbios name = DC1
     realm = WINDOM.BORGHI.LAN
     server role = active directory domain controller
     workgroup = WINDOM
     idmap_ldb:use rfc2307 = yes
     # . for logging
     log level = 1 auth_json_audit:3
     # log level = 1 auth_audit:3 auth_json_audit:3
     # log level = 1 auth_audit:3
     # . for group policy propagation
     apply group policies = yes

[netlogon]
     path = /var/lib/samba/sysvol/windom.borghi.lan/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No


===========================================
================= nas =====================
===========================================

[global]
    workgroup = WINDOM
    security = ADS
    realm = WINDOM.BORGHI.LAN

    # for Windows ACLs
    winbind refresh tickets = Yes
    # vfs objects = acl_xattr
    # vfs objects = acl_xattr shadow_copy2
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # remove after testing
    winbind enum users = yes
    winbind enum groups = yes

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logs
    # log file = /var/log/samba/%m.log
    # log level = 1
    log file = /var/log/samba/samba.log
    # log file = /var/log/samba/perPersonOrMachine/%U.log
    # log level = 1 smb:2 smb2:3
    # log level = 2 smb:2 smb2:2 vfs:9
    log level = 2 smb:2 smb2:2
    # . I will try to handle this with logrotate
    # max file size 100 MB (value is in KB); hopefully logrotate rotates it before that
    max log size = 100000

    # ---- ID mapping backend rid -------
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config WINDOM : backend = rid
    idmap config WINDOM : range = 10000-999999

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/WINDOM-%U

    # map "Administrator" to "root"
    username map = /usr/local/samba/etc/user.map

# directory that acts as the shared disk
[sambaDisk]
        path = /mnt/sambaShared/sambaDisk
        read only = no
        # --- default mask for users
        create mask = 777
        directory mask = 777
        # -- what happens if a user leaves?
        #    better to make sure there are no problems by fixing
        #    a default user and group for all files.
        #    (*) applies to Windows clients. Does not apply to Linux. Mac?
        # => DISABLED, because in the logs I no longer see who opens the
        #    files, only "root", everywhere
        # force user = root
        # force group = adm
        # inherit permissions = true
        # ---- load the modules that are needed
        # vfs objects = full_audit shadow_copy2
        vfs objects = acl_xattr shadow_copy2
        # -------------------------------
        # --- for auditing ---------------
        # . disabled, due to issues with logs that do not restart;
        #   I can read the read/write accesses to files in the default
        #   logs.
        # opendir: too much output, it gets read automatically
        # I don't understand what these do: read write pread pwrite
        # full_audit:prefix = %u|%I
        # full_audit:success = open
        # full_audit:failure = all
        # full_audit:facility = LOCAL5
        # --------------------------------
        # ---- for shadow copies ------
        shadow:snapdir = /mnt/sambaShared/snapshots
        shadow:basedir = /mnt/sambaShared/sambaDisk
        shadow:sort = desc

# ===================================================================
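An added diagnostic, not part of the thread and not Samba's own code, for the symptom discussed above: getfacl (without -n) turns each numeric qualifier into a name through getpwuid()/getgrgid(), i.e. through NSS on the member server, so a bare number means libnss_winbind, winbind or the idmap backend could not map that ID. The script below parses getfacl text, lists the entries that stayed numeric, looks each one up the way getfacl would (getent), cross-checks the other database, and finally asks winbind directly, which separates an nsswitch/libnss_winbind problem from an idmap problem. It also converts a Unix ID back to a domain RID, since with `idmap config WINDOM : backend = rid` and the posted range 10000-999999 (default base_rid 0) a Unix ID is RID + 10000; note that 10512 is then RID 512, and in the posted `getent passwd` line 10512 sits in the GID field, not the UID field. The sample ACL text is constructed to resemble the posted output; the range base is an assumption taken from the posted smb.conf.

```shell
#!/bin/sh
# Added example for the getfacl thread; not Samba's code and not the poster's.
# Assumes: idmap backend = rid with range 10000-999999 and base_rid 0 (from the
# posted smb.conf). SAMPLE_ACL is constructed to resemble the posted output.

SAMPLE_ACL='# file: aaa-test-riccardo-2/
# owner: root
# group: adm
user::rwx
user:10512:rwx
user:11157:rwx
user:WINDOM\\riccardo:rwx
group::r-x
group:WINDOM\\domain\040admins:rwx
group:11180:r-x
mask::rwx
other::---
default:user::rwx
default:user:10513:r-x
default:group:11180:r-x'

# Read getfacl text on stdin; print "user N" / "group N" for every entry whose
# qualifier is still numeric, one per line, deduplicated (default: entries too).
unresolved_ids() {
  sed -e 's/^default://' \
    | awk -F: '($1 == "user" || $1 == "group") && $2 ~ /^[0-9]+$/ { print $1, $2 }' \
    | LC_ALL=C sort -u
}

# With idmap backend = rid (base_rid 0) a Unix ID is RID + low end of the range.
# id_to_rid <unix id> <range low>  ->  domain RID
id_to_rid() {
  echo $(( $1 - $2 ))
}

# Look each unresolved ID up the way getfacl does (getent), then cross-check the
# other database and winbind to narrow down where the mapping breaks.
# Reads getfacl text on stdin; optional argument: low end of the idmap range.
check_acl_text() {
  range_low=${1:-10000}
  unresolved_ids | while read -r kind id; do
    rid=$(id_to_rid "$id" "$range_low")
    db=passwd; other=group
    [ "$kind" = group ] && { db=group; other=passwd; }
    if name=$(getent "$db" "$id" 2>/dev/null | cut -d: -f1) && [ -n "$name" ]; then
      echo "$kind $id (RID $rid): NSS resolves it to $name"
      continue
    fi
    # Same number in the other database? A user:N entry whose N is only a group
    # cannot resolve through getpwuid(), however healthy winbind is.
    if other_name=$(getent "$other" "$id" 2>/dev/null | cut -d: -f1) && [ -n "$other_name" ]; then
      echo "$kind $id (RID $rid): no $kind with this ID, but it is the $other $other_name"
      continue
    fi
    # Neither database knows it: ask winbind directly, bypassing NSS.
    if [ "$kind" = user ]; then
      sid=$(wbinfo --uid-to-sid "$id" 2>/dev/null) || sid=""
    else
      sid=$(wbinfo --gid-to-sid "$id" 2>/dev/null) || sid=""
    fi
    if [ -n "$sid" ]; then
      echo "$kind $id (RID $rid): winbind maps it to $sid but NSS does not; check nsswitch.conf / libnss_winbind"
    else
      echo "$kind $id (RID $rid): winbind has no mapping either; check idmap config WINDOM and winbind's DC connection"
    fi
  done
}

# Stand-alone run on the constructed sample. On the member server use, e.g.:
#   getfacl -p /mnt/sambaShared/sambaDisk/some-dir | check_acl_text 10000
printf '%s\n' "$SAMPLE_ACL" | check_acl_text 10000
```

Run it as the same account that sees the numeric IDs, since the NSS path is what matters; if `getent passwd 10512` fails while `getent group 10512` succeeds, the ACL entry names an ID that this host only knows as a group, and no winbind restart will make getfacl print a user name for it.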