[Samba] Files suddenly go readonly

Rowland Penny rpenny at samba.org
Wed Jan 18 17:20:24 UTC 2023 


On 18/01/2023 17:05, Greg Dickie wrote:

> Agree but this was a standalone server that we are now transitioning 
> into the domain and as long as the UIDs and GIDs match everything should 
> be ok no?
> 
> 
>     Is it possible to see your smb.conf used on the Unix machines ?
> 
> 
> O=Sure
> 
> [global]
>          workgroup = TOTO
>          server string = Samba on SRVLXFS2
>          realm = TOTO.CA <http://TOTO.CA>
>          security = ads
>          kerberos method = secrets only
>          winbind use default domain = true
>          winbind offline logon = false
>          winbind nss info = rfc2307
>          winbind enum users = yes
>          winbind enum groups = yes
>          idmap config * : range = 16777216-33554431
>          idmap config ULTRATCS : schema mode = rfc2307
>          idmap config ULTRATCS : backend = ad
>          idmap config ULTRATCS : range = 500-10000
>          idmap config ULTRATCS : unix_primary_group = yes
>          idmap config ULTRATCS : unix_nss_info = yes

Oh dear, unless it's bad sanitisation, you have a big problem.
Your workgroup is 'TOTO' but you are using 'ULTRATCS' for the idmap 
config lines, it should be the workgroup name 'TOTO'

>          idmap_ldb:use rfc2307 = yes
>          template homedir = /home/%U
>          min domain uid = 0
>         unix extensions = no
>         wide links = yes
> 
>         printing = cups
>         printcap name = cups
>         load printers = no
>         cups options = raw
>          log file = /var/log/samba/log.%m.%U
>          log level = 0
>          max log size = 50M
>          #syslog = 0
> 
> [homes]
>          comment = Home Directories
>          browseable = no
>          writable = yes
> #        create mask = 0664
> #        directory mask = 0775
>          force create mode = 0775
>          force directory mode = 0775
> #        force security mode = 664
> #        force directory security mode = 775
>          map archive = no

I think you will find that everyone can get into everyone else's homedir

> 
> 
>     This has been working fine but now I have some
>      > users who suddenly lose write access to their files, sometimes.
>     One user
>      > has 2 workstations (1 works always, the other exhibits this issue
>     so maybe
>      > a patch on the workstation?). When this happens IF I give their
>     files group
>      > write permission they are good again. Does this ring a bell? I
>     have a level
>      > 10 debug of an ACCESS_DENIED test but nothing in there looks
>     obviously
>      > wrong until the ACCESS_DENIED so I can't see why.
> 
>     Are they supposed to have 'user' permissions or just 'group'
>     permissions, also are you using extended ACL's ?
> 
> 
> user permissions, all the users on this system have the same primary 
> group of 1000, No ACLs, or at least not supposed to be.

Would '1000' be the gidNumber for Domain Users ?

Rowland

More information about the samba mailing list