[Samba] Files suddenly go readonly
rpenny at samba.org
Wed Jan 18 17:20:24 UTC 2023
On 18/01/2023 17:05, Greg Dickie wrote:
> Agree but this was a standalone server that we are now transitioning
> into the domain and as long as the UIDs and GIDs match everything should
> be ok no?
> Is it possible to see your smb.conf used on the Unix machines ?
> workgroup = TOTO
> server string = Samba on SRVLXFS2
> realm = TOTO.CA
> security = ads
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> idmap config * : range = 16777216-33554431
> idmap config ULTRATCS : schema mode = rfc2307
> idmap config ULTRATCS : backend = ad
> idmap config ULTRATCS : range = 500-10000
> idmap config ULTRATCS : unix_primary_group = yes
> idmap config ULTRATCS : unix_nss_info = yes
Oh dear, unless it's bad sanitisation, you have a big problem.
Your workgroup is 'TOTO' but you are using 'ULTRATCS' for the idmap
config lines; it should be the workgroup name 'TOTO'.
> idmap_ldb:use rfc2307 = yes
> template homedir = /home/%U
> min domain uid = 0
> unix extensions = no
> wide links = yes
> printing = cups
> printcap name = cups
> load printers = no
> cups options = raw
> log file = /var/log/samba/log.%m.%U
> log level = 0
> max log size = 50M
> #syslog = 0
> comment = Home Directories
> browseable = no
> writable = yes
> # create mask = 0664
> # directory mask = 0775
> force create mode = 0775
> force directory mode = 0775
> # force security mode = 664
> # force directory security mode = 775
> map archive = no
I think you will find that everyone can get into everyone else's homedir.
> > This has been working fine but now I have some users who suddenly
> > lose write access to their files, sometimes. One user has 2
> > workstations (1 works always, the other exhibits this issue so maybe
> > a patch on the workstation?). When this happens IF I give their files
> > group write permission they are good again. Does this ring a bell? I
> > have a level 10 debug of an ACCESS_DENIED test but nothing in there
> > looks wrong until the ACCESS_DENIED so I can't see why.
> Are they supposed to have 'user' permissions or just 'group'
> permissions? Also, are you using extended ACLs?
> user permissions, all the users on this system have the same primary
> group of 1000, No ACLs, or at least not supposed to be.
Would '1000' be the gidNumber for Domain Users ?
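
The workgroup/idmap mismatch pointed out in the reply can be checked mechanically. The following Python script is an added example, not part of the original message or of Samba; it reads the [global] section of an smb.conf and reports a workgroup that has no idmap block of its own. It assumes a single-domain setup (an idmap block for a trusted domain would also be reported), and the function names and the restored `[global]` header in the sample are assumptions.

```python
import re

# Constructed sample: [global] lines quoted in the thread, with the section
# header restored (the archived copy shows no section headers).
SAMPLE = """\
[global]
    workgroup = TOTO
    security = ads
    idmap config * : range = 16777216-33554431
    idmap config ULTRATCS : backend = ad
    idmap config ULTRATCS : range = 500-10000
"""

IDMAP_KEY = re.compile(r"idmap config (\S+) ?: ?(.+)", re.IGNORECASE)

def parse_global(text):
    """Return (workgroup, {DOMAIN: {option: value}}) from the [global] section."""
    section, workgroup, idmap = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.split())  # smb.conf ignores extra spaces in names
        match = IDMAP_KEY.fullmatch(key)
        if key.lower() == "workgroup":
            workgroup = value.upper()
        elif match:
            idmap.setdefault(match.group(1).upper(), {})[match.group(2).lower()] = value
    return workgroup, idmap

def check_idmap(text):
    """Flag a workgroup with no idmap block and idmap blocks for other domains."""
    workgroup, idmap = parse_global(text)
    findings = []
    if workgroup and workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup} : ...' lines; "
                        f"{workgroup} accounts fall back to the '*' domain")
    for domain in sorted(set(idmap) - {"*", workgroup}):
        findings.append(f"'idmap config {domain}' does not match workgroup {workgroup}")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE):
        print("WARNING:", finding)
```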