
[Samba] Writing rights not staying




I experienced several problems with my Samba NAS servers.
Everything was good until I recently changed the SAN disk bays (that are connected to the 2 NAS servers). At this time I think that I also deleted the links to the old LDAP server that was not used.
Note: all my users are created on both NAS locally and added to a specific group.

Doing only minor changes to the conf files makes it work again. At first I thought that the changes I did were good, but the next day when the write error came back, I knew that it was just restarting the samba service a few times that did the trick...

I then decided to upgrade both the kernel and the samba version of the 2 NAS and clean the conf file of the old setup lines.
But still I got clients with write rights errors happening every few days.

Here is my smb.conf file:
#======================= Global Settings =======================

[global]
    #workgroup = WORKGROUP
    dns proxy = no
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    syslog = 0
    force group = baylab.lab
    ntlm auth = yes
    client ntlmv2 auth = yes
    panic action = /usr/share/samba/panic-action %d
    server role = standalone server
    security = user
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    strict allocate = Yes
    allocation roundup size = 4096
    read raw = Yes
    server signing = No
    write raw = Yes
    strict locking = No
    min receivefile size = 16384
    use sendfile = Yes
    aio write size = 16384
    aio read size = 16384
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072



    

#======================= Share Definitions =======================

######################## Full Access #############################

# BAY1 full
[BAY1]
    comment                       = SAN BAY1
    path                          = /mnt/BAY1
    writeable              = yes
    browseable                    = no
    read only                     = no
    valid users                   = linuxop01,linuxop04,lab01,rapid01,rapid02,dms2000,dcp01,dcp02,dcp03,dcp04,dcp05,dcp06,master01,master03,linuxop03
    write list               = linuxop01,linuxop03,linuxop04,lab01,rapid01,rapid02,dms2000,dcp01,dcp02,dcp03,dcp04,dcp05,dcp06,master01,master03
    force group                   = baylab.lab
    inherit permissions           = yes
    create mask                   = 0775
    force create mode             = 0775
    directory mask                = 0775
    force directory mode          = 0775


# BAY2 full
[BAY2]
    comment                       = SAN BAY2
    path                          = /mnt/BAY1/BAY2
    browseable                    = yes
    read only                     = no
    valid users                   = linuxop01,linuxop04,lab01,rapid01,rapid02,dms2000,dcp01,dcp02,dcp03,dcp04,dcp05,dcp06,master01,master03,linuxop03
    force group                   = baylab.lab
    inherit permissions           = yes
    create mask                   = 0775
    force create mode             = 0775
    directory mask                = 0775
    force directory mode          = 0775

# BAY3 full
[BAY3]
    comment                       = SAN BAY3
    path                          = /mnt/BAY3
    browseable                    = yes
    read only                     = no
    valid users                   = linuxop01,linuxop04,lab01,rapid01,rapid02,dms2000,dcp01,dcp02,dcp03,dcp04,dcp05,dcp06,master01,master03,linuxop03
    force group                   = baylab.lab
    inherit permissions           = yes
    create mode                   = 0775
    force create mode             = 0775
    directory mode                = 0775
    force directory mode          = 0775


####################### Specific Access #############################

###################### BAY1 ############################

# BAY1 WORKDATA 
[Mastering_Workdata]
    comment                       = BAY1 Workdata folder
    path                          = /mnt/BAY1/WORKDATA
    browseable                    = yes
    read only                     = no
    valid users                   = dcp01,dcp02,dcp03,dcp04,dcp05,linuxop01
    force group                   = baylab.lab
    inherit permissions           = yes
    create mode                   = 0775
    force create mode             = 0775
    directory mode                = 0775
    force directory mode          = 0775

# BAY1 In_IO
[In_IO]
    comment                       = BAY1 In_IO folder
    path                          = /mnt/BAY1/INPUT/
    browseable                    = yes
    read only                     = no
    valid users                   = linuxio01, linuxio02, linuxio03, ingest01, ingest02, ingest03, stormmac01, render01, rendervod01, render02, render03, render04, render05, render06, render07, render08, render09, render10, render11, render12, render13, render14, render15, render16, render17, render18, render19, render20, linuxop03
    force group                   = baylab.lab
    inherit permissions           = yes
    create mask                   = 0775
    force create mode             = 0775
    directory mask                = 0775
    force directory mode          = 0775


######################## BAY2 #################################

# BAY2 BAY2
[Delivery_Workdata]
    comment                       = BAY2 folder
    path                          = /mnt/BAY1/BAY2/BAY2
    browseable                    = yes
    read only                     = no
    valid users                   = dcp01,dcp02,dcp03,dcp04,dcp05
    force group                   = baylab.lab
    inherit permissions           = yes
    create mode                   = 0775
    force create mode             = 0775
    directory mode                = 0775
    force directory mode          = 0775

# BAY2 OUTPUT IO
[Output_IO]
    comment                       = BAY2 Output_IO folder
    path                          = /mnt/BAY1/BAY2/OUTPUT/
    browseable                    = yes
    read only                     = no
    valid users                   = linuxio01,linuxio02,linuxio03,ingest01,ingest02,ingest03,stormmac01,render01,rendervod01,render02,render03,render04,render05,render06,render07,render08,render09,render10,render11,render12,render13,render14,render15,render16,render17,render18,render19,render20
    force group                   = baylab.lab
    inherit permissions           = yes
    create mode                   = 0775
    force create mode             = 0775
    directory mode                = 0775
    force directory mode          = 0775





Every user is from group baylab.lab and the baylab.lab group owns every folder (each is 0775), so that all the users from the valid users parameter that have access to the folder can write on files and folders not created by them, as long as they are part of the baylab.lab group, which is the case for every user I created like this:

- useradd theuser
- smbpasswd -a theuser
- usermod -G baylab.lab theuser

Here is the output of smbstatus -p:
Samba version 4.5.8-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
25603   linuxio02    linuxio02    10.20.108.12 (ipv4:10.20.108.12:46830)    NT1               -                    -
25695   master03     master03     christie-pc (ipv4:192.168.20.126:36954)   NT1               -                    -
25691   master03     master03     christie-pc (ipv4:192.168.20.126:36952)   NT1               -                    -
25601   render08     render08     10.20.88.108 (ipv4:10.20.88.108:49541)    SMB2_10           -                    -
25602   lab01        lab01        10.20.148.92 (ipv4:10.20.148.92:16129)    SMB2_10           -                    -
25685   linuxio03    linuxio03    10.20.108.13 (ipv4:10.20.108.13:35480)    NT1               -                    -
25680   linuxio03    linuxio03    10.20.108.13 (ipv4:10.20.108.13:35478)    NT1               -                    -

and a small output of smbstatus:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_03_audio.mxf   Mon Jul 24 17:15:57 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_08.mxf   Mon Jul 24 17:15:41 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_09.mxf   Mon Jul 24 17:16:04 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_09_audio.mxf   Mon Jul 24 17:15:48 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_08_audio.mxf   Mon Jul 24 17:15:50 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/ASSETMAP.xml   Mon Jul 24 17:15:53 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_03.mxf   Mon Jul 24 17:16:08 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/PKL_a7eab518-13e6-47d4-abf7-5db3d550e1e6.xml   Mon Jul 24 17:15:50 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_04_sub.mxf   Mon Jul 24 17:15:56 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_06_audio.mxf   Mon Jul 24 17:15:55 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_02_audio.mxf   Mon Jul 24 17:15:58 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_05.mxf   Mon Jul 24 17:16:00 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_01_audio.mxf   Mon Jul 24 17:16:06 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_05_sub.mxf   Mon Jul 24 17:16:06 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_04.mxf   Mon Jul 24 17:15:45 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_06_sub.mxf   Mon Jul 24 17:15:53 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/VOLINDEX.xml   Mon Jul 24 17:15:57 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_07_audio.mxf   Mon Jul 24 17:15:53 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_06.mxf   Mon Jul 24 17:16:06 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_02_sub.mxf   Mon Jul 24 17:15:53 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_10_audio.mxf   Mon Jul 24 17:15:56 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_07.mxf   Mon Jul 24 17:15:43 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/CPL_9eca949b-3e21-4400-bf89-00d4b7598c2f.xml   Mon Jul 24 17:15:53 2017
25601        40170      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/MASTERING/DELIVERY/OUTPUT   IO/TEST/TEST01/TEST01_10.mxf   Mon Jul 24 17:16:03 2017
25685        40143      DENY_NONE  0x89        RDONLY     EXCLUSIVE        /mnt/MASTERING/DELIVERY/OUTPUT_IO/TEST02/TEST03/TEST03_03.mxf   Mon Jul 24 17:32:48 2017
25602        40122      DENY_NONE  0x100081    RDONLY     NONE             /mnt/MASTERING/DELIVERY/DELIVERY/TEST04/01_FTR   Mon Jul 24 17:14:23 2017



So why / how is it possible that the writing rights sometimes don't work and that I need to modify smb.conf and reload the samba service a few times for the writing rights to come back? Strange behaviour, no? It's like suddenly the force group setting is not working anymore or the user is not from the group anymore.

This happens with all kinds of clients, from Windows 7 / 10 to Linux and Mac OS.
Thanks!
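
A way to test the "user is not from the group anymore" hypothesis raised above, as an added example that is not part of the original post: it resolves each share's effective force group (falling back to the [global] default, as in the posted smb.conf) and lists valid users that are not members of it. The function names, the sample config and the `getent group`-style lines are constructed for illustration, and valid users entries are assumed to be plain user names as in the post.

```python
import configparser
import re

# Constructed sample input (not the poster's real files): a cut-down smb.conf
# and `getent group`-style lines as they might look on one NAS.
SAMPLE_SMB_CONF = """
[global]
    force group = baylab.lab
[BAY1]
    path = /mnt/BAY1
    valid users = linuxop01,lab01,dcp01
    force group = baylab.lab
[In_IO]
    path = /mnt/BAY1/INPUT/
    valid users = linuxio01, linuxio02, render01
"""
SAMPLE_GROUP_LINES = """
baylab.lab:x:1500:linuxop01,lab01,linuxio01,render01
users:x:100:dcp01
"""

def parse_groups(text):
    """Map group name -> supplementary members (what `usermod -G` records)."""
    groups = {}
    for line in text.strip().splitlines():
        name, _pw, _gid, members = line.strip().split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups

def users_missing_force_group(conf_text, groups):
    """Per share, list `valid users` entries absent from the effective force group."""
    # interpolation=None: smb.conf values carry % macros such as %m and %u.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # A share-level parameter set in [global] is the default for every share.
    default_group = cp.get("global", "force group", fallback=None)
    report = {}
    for share in cp.sections():
        group = cp.get(share, "force group", fallback=default_group)
        if share.lower() == "global" or not group:
            continue
        users = [u for u in re.split(r"[,\s]+", cp.get(share, "valid users", fallback="")) if u]
        members = groups.get(group.lstrip("+"), set())  # "+group" form names the same group
        missing = [u for u in users if u not in members]
        if missing:
            report[share] = (group, missing)
    return report

if __name__ == "__main__":
    found = users_missing_force_group(SAMPLE_SMB_CONF, parse_groups(SAMPLE_GROUP_LINES))
    for share, (group, missing) in found.items():
        print(f"[{share}] not in {group}: {', '.join(missing)}")
```

On a live host the two inputs would be the real smb.conf and the output of `getent group`; comparing a run taken while the write errors occur with one taken after they clear shows whether group membership actually differs between the two states.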
