[Samba] Files suddenly go readonly

Rowland Penny rpenny at samba.org
Wed Jan 18 19:02:09 UTC 2023 


On 18/01/2023 18:37, Greg Dickie wrote:
> 
> 
> On Wed, Jan 18, 2023 at 12:20 PM Rowland Penny via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
> 
> 
> 
>     On 18/01/2023 17:05, Greg Dickie wrote:
> 
>      > Agree but this was a standalone server that we are now transitioning
>      > into the domain and as long as the UIDs and GIDs match everything
>     should
>      > be ok no?
>      >
>      >
>      >     Is it possible to see your smb.conf used on the Unix machines ?
>      >
>      >
>      > O=Sure
>      >
>      > [global]
>      >          workgroup = TOTO
>      >          server string = Samba on SRVLXFS2
>      >          realm = TOTO.CA <http://TOTO.CA> <http://TOTO.CA
>     <http://TOTO.CA>>
>      >          security = ads
>      >          kerberos method = secrets only
>      >          winbind use default domain = true
>      >          winbind offline logon = false
>      >          winbind nss info = rfc2307
>      >          winbind enum users = yes
>      >          winbind enum groups = yes
>      >          idmap config * : range = 16777216-33554431
>      >          idmap config ULTRATCS : schema mode = rfc2307
>      >          idmap config ULTRATCS : backend = ad
>      >          idmap config ULTRATCS : range = 500-10000
>      >          idmap config ULTRATCS : unix_primary_group = yes
>      >          idmap config ULTRATCS : unix_nss_info = yes
> 
>     Oh dear, unless it's bad sanitisation, you have a big problem.
>     Your workgroup is 'TOTO' but you are using 'ULTRATCS' for the idmap
>     config lines, it should be the workgroup name 'TOTO'
> 
> 
> Damit, that's just bad sanitization. sorry, pretend you did not see that.

Not possible, but I can forget I saw it :-D

> 
> 
>      >          idmap_ldb:use rfc2307 = yes
>      >          template homedir = /home/%U
>      >          min domain uid = 0
>      >         unix extensions = no
>      >         wide links = yes
>      >
>      >         printing = cups
>      >         printcap name = cups
>      >         load printers = no
>      >         cups options = raw
>      >          log file = /var/log/samba/log.%m.%U
>      >          log level = 0
>      >          max log size = 50M
>      >          #syslog = 0
>      >
>      > [homes]
>      >          comment = Home Directories
>      >          browseable = no
>      >          writable = yes
>      > #        create mask = 0664
>      > #        directory mask = 0775
>      >          force create mode = 0775
>      >          force directory mode = 0775
>      > #        force security mode = 664
>      > #        force directory security mode = 775
>      >          map archive = no
> 
>     I think you will find that everyone can get into everyone else's homedir
> 
> Yes, it was like that before I got to it, so I just left it.
> 
> 
>      >
>      >
>      >     This has been working fine but now I have some
>      >      > users who suddenly lose write access to their files,
>     sometimes.
>      >     One user
>      >      > has 2 workstations (1 works always, the other exhibits
>     this issue
>      >     so maybe
>      >      > a patch on the workstation?). When this happens IF I give
>     their
>      >     files group
>      >      > write permission they are good again. Does this ring a bell? I
>      >     have a level
>      >      > 10 debug of an ACCESS_DENIED test but nothing in there looks
>      >     obviously
>      >      > wrong until the ACCESS_DENIED so I can't see why.
>      >
>      >     Are they supposed to have 'user' permissions or just 'group'
>      >     permissions, also are you using extended ACL's ?
>      >
>      >
>      > user permissions, all the users on this system have the same primary
>      > group of 1000, No ACLs, or at least not supposed to be.

You really need to use ACL's

> 
>     Would '1000' be the gidNumber for Domain Users ?
> 
> 
> It's not, It's another group, see below which shows AD mapping vs NIS 
> mapping:

Where does NIS come into this ? Is a NIS server running somewhere ?
Or are you just using the ID's NIS used to supply.

> 
> [root at srvlxfs2 ~]# wbinfo -i gdickie
> gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
> [root at srvlxfs2 ~]# wbinfo --gid-info=1000
> engineering access:x:1000:
> [root at srvlxfs2 ~]# id gdickie
> uid=1014(gdickie) gid=1000(fpga) groups=1000(fpga)
> [root at srvlxfs2 ~]#

Does the Domain Users group have a gidNumber, even though you are using 
a different user primarygroupid, Domain Users needs a gidNumber.

> 
> Again, this has all been working 99% except for a few select users at 
> some times. And at those times the uid as shown in smbstatus is correct.
> 
> I don't suppose you want to see the level 10 debug log?

No, perhaps later.

Rowland

More information about the samba mailing list