[Samba] Files suddenly go readonly
Rowland Penny
rpenny at samba.org
Wed Jan 18 19:02:09 UTC 2023
On 18/01/2023 18:37, Greg Dickie wrote:
>
>
> On Wed, Jan 18, 2023 at 12:20 PM Rowland Penny via samba
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>
>
>
> On 18/01/2023 17:05, Greg Dickie wrote:
>
> > Agree but this was a standalone server that we are now transitioning
> > into the domain and as long as the UIDs and GIDs match everything
> should
> > be ok no?
> >
> >
> > Is it possible to see your smb.conf used on the Unix machines ?
> >
> >
> > O=Sure
> >
> > [global]
> > workgroup = TOTO
> > server string = Samba on SRVLXFS2
> > realm = TOTO.CA <http://TOTO.CA> <http://TOTO.CA
> <http://TOTO.CA>>
> > security = ads
> > kerberos method = secrets only
> > winbind use default domain = true
> > winbind offline logon = false
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> > idmap config * : range = 16777216-33554431
> > idmap config ULTRATCS : schema mode = rfc2307
> > idmap config ULTRATCS : backend = ad
> > idmap config ULTRATCS : range = 500-10000
> > idmap config ULTRATCS : unix_primary_group = yes
> > idmap config ULTRATCS : unix_nss_info = yes
>
> Oh dear, unless it's bad sanitisation, you have a big problem.
> Your workgroup is 'TOTO' but you are using 'ULTRATCS' for the idmap
> config lines, it should be the workgroup name 'TOTO'
>
>
> Damit, that's just bad sanitization. sorry, pretend you did not see that.
Not possible, but I can forget I saw it :-D
>
>
> > idmap_ldb:use rfc2307 = yes
> > template homedir = /home/%U
> > min domain uid = 0
> > unix extensions = no
> > wide links = yes
> >
> > printing = cups
> > printcap name = cups
> > load printers = no
> > cups options = raw
> > log file = /var/log/samba/log.%m.%U
> > log level = 0
> > max log size = 50M
> > #syslog = 0
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > # create mask = 0664
> > # directory mask = 0775
> > force create mode = 0775
> > force directory mode = 0775
> > # force security mode = 664
> > # force directory security mode = 775
> > map archive = no
>
> I think you will find that everyone can get into everyone else's homedir
>
> Yes, it was like that before I got to it, so I just left it.
>
>
> >
> >
> > This has been working fine but now I have some
> > > users who suddenly lose write access to their files,
> sometimes.
> > One user
> > > has 2 workstations (1 works always, the other exhibits
> this issue
> > so maybe
> > > a patch on the workstation?). When this happens IF I give
> their
> > files group
> > > write permission they are good again. Does this ring a bell? I
> > have a level
> > > 10 debug of an ACCESS_DENIED test but nothing in there looks
> > obviously
> > > wrong until the ACCESS_DENIED so I can't see why.
> >
> > Are they supposed to have 'user' permissions or just 'group'
> > permissions, also are you using extended ACL's ?
> >
> >
> > user permissions, all the users on this system have the same primary
> > group of 1000, No ACLs, or at least not supposed to be.
You really need to use ACL's
>
> Would '1000' be the gidNumber for Domain Users ?
>
>
> It's not, It's another group, see below which shows AD mapping vs NIS
> mapping:
Where does NIS come into this ? Is a NIS server running somewhere ?
Or are you just using the ID's NIS used to supply.
>
> [root at srvlxfs2 ~]# wbinfo -i gdickie
> gdickie:*:1014:1000:Dickie, Greg:/home/gdickie:/bin/bash
> [root at srvlxfs2 ~]# wbinfo --gid-info=1000
> engineering access:x:1000:
> [root at srvlxfs2 ~]# id gdickie
> uid=1014(gdickie) gid=1000(fpga) groups=1000(fpga)
> [root at srvlxfs2 ~]#
Does the Domain Users group have a gidNumber, even though you are using
a different user primarygroupid, Domain Users needs a gidNumber.
>
> Again, this has all been working 99% except for a few select users at
> some times. And at those times the uid as shown in smbstatus is correct.
>
> I don't suppose you want to see the level 10 debug log?
No, perhaps later.
Rowland
More information about the samba
mailing list