[Samba] Domain Users cannot write to the share.

Leszek Szczepanowski twinsen at mspanc.net
Mon Nov 28 23:33:23 UTC 2022


Yes, I'm using those manuals. The problem is that I'm using CentOS 9
Stream, and for that reason I cannot use samba-vfs-glusterfs.
Thus I need to use a fuse mount, and that has issues with permissions. When
I tried to install centos-release-samba416 on my server, it screwed up
all dependencies, so I had to do a dnf history rollback... And in the CentOS
main repos there is no samba-vfs-glusterfs plugin anymore :( (also CentOS 8
does not have it). So I will try yet with the glusterfs_fuse module.

And I guess using those modules will allow me to avoid the classic fuse mount
issues?

On Mon, 28 Nov 2022 at 21:06, Rowland Penny via samba <samba at lists.samba.org>
wrote:

>
>
> On 28/11/2022 19:36, Leszek Szczepanowski via samba wrote:
> > Hi,
> >
> > I successfully made a GlusterFS+CTDB+Samba cluster, integrated to the AD.
> > I also made it work with SELinux after some investigation.
> > Now I have some final issues: AD users cannot write to the share if it has
> > 775 permission.
> > I tried to put ACLs, but always if 'other' is r-x, anyone who is not in
> > the 'classic' gluster UNIX group cannot write to the share. Here is the getfacl output:
> >
> > [root at fs01 symptoms]# getfacl /mnt/glusterfs/symptoms/
> > getfacl: Removing leading '/' from absolute path names
> > # file: mnt/glusterfs/symptoms/
> > # owner: gluster
> > # group: gluster
> > user::rwx
> > group::rwx
> > other::rwx
> > default:user::rwx
> > default:group::rwx
> > default:group:XXX\\domain\040users:rwx
> > default:mask::rwx
> > default:other::r-x
> >
> > Here the content (when I did chmod 777 because nothing was working):
> >
> > [root at fs01 symptoms]# ls -ln
> > total 659859
> > [...]
> > drwxrwxr-x+ 2 315360 300513      4096 Nov 28 20:04  blabla
> > drwxrwxr-x+ 2 315360 300513      4096 Nov 28 19:57  ble
> > -rwxrwxr-x. 1   1000   1000         0 Nov 15 15:09  test10
> > -rwxr--r--. 1   1001   1002         0 Nov 15 18:55  test99
> > drwxrwxr-x+ 2 315360 300513      4096 Nov 28 19:58  testy
> > drwxrwxr-x+ 2 315360 300513      4096 Nov 28 20:06  yuma
> > [...]
> >
> > So, as you can see, the AD user mapped as UID 315360 and GID 300513 can only
> > write when this folder has 777. Here is the smb.conf (from registry):
> >
> > [root at fs01 symptoms]# net conf list
> > [global]
> >          logging = syslog
> >          log level = 1
> >          netbios name = fs
> >          workgroup = XXX
> >          clustering = yes
> >          security = ads
> >          realm = XXX.XXX.XXX
> >          vfs objects = acl_xattr
> >          map acl inherit = yes
> >          idmap config XXX: backend = rid
> >          idmap config * : range = 100000-299999
> >          idmap config XXX: range = 300000-499999
> >          idmap config * : backend = tdb
> >          winbind rpc only = yes
> >          kerberos method = secrets and keytab
> >
> > [symptoms]
> >          path = /mnt/glusterfs/symptoms/
> >          guest ok = no
> >          read only = no
> >          browseable = yes
> >          map acl inherit = yes
> >          inherit acls = yes
> >
> > [root at fs01 symptoms]# net groupmap list
> > Administrators (S-1-5-32-544) -> BUILTIN\administrators
> > Guests (S-1-5-32-546) -> BUILTIN\guests
> > Users (S-1-5-32-545) -> BUILTIN\users
> > Domain Users (S-1-5-21-76667877-53546716-1882380502-974) -> gluster
> >
> > [root at fs01 symptoms]# id gluster
> > uid=974(gluster) gid=974(gluster) groups=974(gluster)
> >
> > For all local UNIX users belonging to the gluster group, either as GID or as
> > supplementary, write permission is granted (in case of 775). But not for AD
> > users. What am I doing wrong?
> >
> > How can I allow AD users to write when the standard UNIX permissions are
> > 775?
>
> Are you following these wiki pages ? :
>
> https://wiki.samba.org/index.php/GlusterFS
> https://wiki.samba.org/index.php/My-CTDB
>
> Rowland
>


-- 
Leszek A. Szczepanowski
twinsen at mspanc.net
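
Added example, not part of the thread: in the getfacl output quoted above, the Domain Users entry appears only under default:, which seeds the ACLs of newly created children, while the directory's own access entries decide who may write to it. The Python sketch below applies the acl(5) access check to that output at mode 775, using the IDs from the post (gluster = 974, AD user 315360 with GID 300513); the variant with an access entry for GID 300513 is constructed for comparison.

```python
# Added example: POSIX ACL write check (acl(5)) over getfacl text.
# IDs from the post: gluster = 974 (`id gluster`); AD user 315360, GID 300513 (`ls -ln`).
NAME_TO_ID = {"gluster": 974, r"XXX\\domain\040users": 300513}

# Constructed input: the posted getfacl output with the directory at mode 775.
ACL_775 = r"""# owner: gluster
# group: gluster
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:XXX\\domain\040users:rwx
default:mask::rwx
default:other::r-x
"""
# Constructed variant: an *access* entry (plus mask) for the AD group's GID.
ACL_ACCESS_ENTRY = ACL_775.replace(
    "group::rwx\nother", "group::rwx\ngroup:300513:rwx\nmask::rwx\nother")

def to_id(name):
    return int(name) if name.isdigit() else NAME_TO_ID[name]

def parse(text):
    """Return (owner, group, access entries). default: lines are skipped:
    they only seed the ACLs of children created later."""
    head, entries = {}, []
    for line in text.splitlines():
        if line.startswith(("# owner: ", "# group: ")):
            head[line[2:7]] = to_id(line[9:])
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            entries.append((tag, to_id(qual) if qual else None, perms))
    return head["owner"], head["group"], entries

def may_write(text, uid, gids):
    """acl(5) order: owner, named user, owning/named groups, then other."""
    owner, group, entries = parse(text)
    def perms(tag):  # unqualified entry for tag; a missing mask restricts nothing
        return next((p for t, q, p in entries if t == tag and q is None), "rwx")
    if uid == owner:
        return "w" in perms("user")
    named = [p for t, q, p in entries if t == "user" and q == uid]
    if named:
        return "w" in named[0] and "w" in perms("mask")
    groups = [p for t, q, p in entries
              if t == "group" and (group if q is None else q) in gids]
    if groups:
        return "w" in perms("mask") and any("w" in p for p in groups)
    return "w" in perms("other")
```

`may_write(ACL_775, 315360, {300513})` falls through to `other::r-x`, while a local user with 974 among its groups matches `group::rwx`.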

