Samba user quota implementation question
Rowland penny
rpenny at samba.org
Thu May 28 07:11:58 UTC 2020
On 28/05/2020 02:27, Krishna Harathi wrote:
>
> Andrew – Tried with "winbind enum users = yes" and "winbind enum
> groups = yes" configuration, no change or improvement.
>
> Rowland – smb.conf attached.
>
> Regards.
>
> Krishna Harathi
>
> From: Andrew Walker <awalker at ixsystems.com>
> Date: Wednesday, May 27, 2020 at 4:45 PM
> To: Krishna Harathi <krishna.harathi at storagecraft.com>
> Cc: Rowland penny <rpenny at samba.org>, Isaac Boukris via
> samba-technical <samba-technical at lists.samba.org>
> Subject: Re: Samba user quota implementation question
>
> Depending on the situation, you may need "winbind enum users = yes"
> and "winbind enum groups = yes" in your smb.conf for AD user quotas to
> be enumerated. It might be nice to have some mechanism to override the
> default user quota enumeration method in Samba. For example "zfs
> userspace <dataset>" and "zfs groupspace <dataset>" will enumerate
> user / group quotas on a given dataset (and the equivalent can be
> obtained (though not trivially easily) through libzfs).
>
> Andrew
>
> On Wed, May 27, 2020 at 6:17 PM Krishna Harathi via samba-technical
> <samba-technical at lists.samba.org> wrote:
>
> On the contrary; normally, there is no passwd entry made for an AD
> user in the local password file.
>
> The set user-quota (for a user user-quota was not set before) is
> working fine as intended without any manual addition to local
> password file.
>
> I have to manually add the uid/gid entry of the SID/GID of the
> user authenticated/authorized by AD, in order for the windows
> client to list/show the user that has user-quota already set.
>
> My question is - is it expected to find the subset of AD users
> with user-quota set in the local password file ?
> I am trying to figure out if there is any other way to accomplish
> windows client listing existing quota without this manual
> intervention.
> But if this is expected, I will find a way to make those entries
> in the local password file when a quota for a new user is set.
>
> Hope this explanation helps to describe the problem more. I will
> post the actual smb.conf file asap (not available at this moment).
> We have the "get quota command" and "set quota command" values and
> AD server with idmap "backend = autorid" and range configured.
>
> Regards.
> Krishna Harathi
>
>
> On 5/27/20, 12:53 PM, "samba-technical on behalf of Rowland penny
> via samba-technical" <samba-technical-bounces at lists.samba.org
> on behalf of samba-technical at lists.samba.org> wrote:
>
> On 27/05/2020 20:42, Krishna Harathi via samba-technical wrote:
> > Our OneXafe FS supports share/fs level quota using smb.conf
> “set quota command” and “get quota command”.
> >
> > We are currently extending support to user-level quotas
> using the same interface, when Samba smbd is an AD DC member.
> >
> > Setting user quota from a windows client is working as
> expected. But once quota is set, none of the users are listed in
> the quota’s pop-up window, so cannot delete or modify quota
> properties. Moreover, creating a new quota entry for the same user
> is generating a “quota entry already exists for this user” error.
> >
> > By tracing get/set requests to our file server, I see that
> our FS server is receiving a get request for Samba for every user
> entry in the local password file, but none for the UID of the DC
> member user. But I do see a default quota get request for the
> group GID.
> >
> > The problem seems to be that the get/set command interface
> does not obviously support a “list” user quota api to the hosting FS.
> >
> > Questions on this – We can post and manage user entry
> (host-local uid/gid) corresponding to the DC user sid/gid whenever
> a “set user quota” is received. I did verify that when an entry is
> made manually, windows user quota workflow behaves as expected. Is
> the problem assumption correct and is this a way to implement? Is
> there a better way, given the constraints?
> >
> > We are using Samba 4.7.11 patched with
> https://bugzilla.samba.org/show_bug.cgi?id=13553#c17
> fix for 4.7.
> >
> > Any help in this issue is much appreciated in advance.
> >
> > Regards.
> > Krishna Harathi
>
> From reading the above, it looks like you are saying that you
> have the
> same users in /etc/passwd and AD, is this correct ?
>
> Can you also please post the entire smb.conf you are using on
> the OneXafe.
>
> Rowland
>
>
>
Is this computer a member of a CTDB cluster? If not, remove
'clustering = yes'.

You have:

idmap config * : backend = tdb
idmap config * : range = 2000000-2999999

And:

idmap config *: backend = autorid
idmap config *: range = 10000000-2020000000
idmap config *: rangesize = 100000000

You cannot have both ;-)

I would suggest you remove the first two lines.

You have a share called 'Public' with 'guest ok = yes' and presumably it
is supposed to be a public share; it isn't, because you do not have 'map
to guest = bad user' set in '[global]'. I also cannot see how quota is
going to work on a share where everything is going to end up belonging
to nobody:nogroup.

Finally, if 'path = /exports/Public' and 'path = /exports/TestQ' means
that you are sharing NFS shares via Samba, then this is never a good idea.

Rowland
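
Added example, not part of the original message and not the poster's attached smb.conf: a small lint pass for the two misconfigurations called out in the reply above, namely `idmap config *` settings given twice with different values and a `guest ok = yes` share with no `map to guest` in `[global]`. The sample file is constructed from the lines quoted in the thread, and the rule that spacing and case in a parameter name are not significant is an assumption.

```python
import re

# Constructed sample built from lines quoted in this thread, not the attached smb.conf.
SAMPLE = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000000-2999999
    idmap config *: backend = autorid
    idmap config *: range = 10000000-2020000000
    idmap config *: rangesize = 100000000

[Public]
    path = /exports/Public
    guest ok = yes
"""

def parse(text):
    """Return {section: [(normalised_key, value), ...]}, keeping duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Assumption: case and spacing in a parameter name are not
            # significant, so "* : backend" and "*: backend" are one setting.
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            sections[current].append((key, value.strip()))
    return sections

def lint(text):
    sections, findings, seen = parse(text), [], {}
    for key, value in sections.get("global", []):
        seen.setdefault(key, []).append(value)
    for key, values in seen.items():
        if key.startswith("idmap config ") and len(set(values)) > 1:
            findings.append(f"[global] {key}: conflicting values {values}")
    # "never" is Samba's default for this parameter, so treat it as unset.
    guest_mapped = seen.get("map to guest", ["never"])[-1].lower() != "never"
    for name, params in sections.items():
        guest_ok = dict(params).get("guest ok", "no").lower() in ("yes", "true", "1")
        if name != "global" and guest_ok and not guest_mapped:
            findings.append(f"[{name}] guest ok = yes, but map to guest is not set")
    return findings
```

`lint(SAMPLE)` returns three findings (backend, range, and the guest share); section names are reported in lower case.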