
Re: [Samba] chown: changing ownership of 'test': Invalid argument




OK, I've added my comments in between the debug-log output below.

Read the comments and add the information they ask for.
 

Van: Ian Coetzee [mailto:samba@xxxxxxxxxxxxxxxxx] 
Verzonden: woensdag 10 april 2019 10:17
Aan: L.P.H. van Belle
CC: samba@xxxxxxxxxxxxxxx
Onderwerp: Re: [Samba] chown: changing ownership of 'test': Invalid argument



Hi Louis,


Thank you. I will add those line and test. Will revert shortly



As requested. The output:


root@ho-vpn-ctx-ac01:~# cat /tmp/samba-debug-info.txt
Collected config  --- 2019-04-10-08:12 -----------

Hostname: ho-vpn-ctx-ac01
DNS Domain: jeoffice.jacklin.co.za
FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za
ipaddress: 10.10.18.50 10.10.11.50 

OK, two IP addresses. Is the primary really 10.10.18.50 (the one listed in /etc/hosts)? Please confirm, because winbind/Kerberos will register and look up the host under whichever address DNS returns.
#To myself: add routing checks to the debugger.
 
-----------

Samba is running as a Unix domain member

-----------
       Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 9.8 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
44: native0@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:c1:2a:15:5c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.10.18.50/24 brd 10.10.18.255 scope global native0
    inet6 fe80::2c1:2aff:fe15:5cfe/64 scope link 
46: dmz0@if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:c1:b1:ea:6c:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.10.11.50/24 brd 10.10.11.255 scope global dmz0
    inet6 fe80::2c1:b1ff:feea:6cfe/64 scope link 

-----------
       Checking file: /etc/hosts

127.0.0.1    localhost
::1        localhost ip6-localhost ip6-loopback
ff02::1        ip6-allnodes
ff02::2        ip6-allrouters
# --- BEGIN PVE ---
10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01
# --- END PVE ---

Here, run the following and check that both PTR records exist and point back to this host's FQDN:
dig -x 10.10.18.50
dig -x 10.10.11.50

Then check both A records against the FQDN (dig ho-vpn-ctx-ac01.jeoffice.jacklin.co.za) and make sure forward and reverse agree — Kerberos name checks fail silently-looking when they don't.
#To self: add an A/PTR consistency check when multiple IPs are detected via `hostname -I`.

-----------

       Checking file: /etc/resolv.conf

# --- BEGIN PVE ---
search jeoffice.jacklin.co.za
nameserver 10.10.10.4
# --- END PVE ---
To be sure: is 10.10.10.4 your DC, or is it a DNS proxy/forwarder? A domain member must be able to resolve the AD SRV records through whatever nameserver it uses, e.g. `dig SRV _ldap._tcp.jeoffice.jacklin.co.za @10.10.10.4` and `dig SRV _kerberos._tcp.jeoffice.jacklin.co.za @10.10.10.4`.

#To self: add a PTR check on the nameserver IP, and a check whether that nameserver is a DC (SRV lookup).
 
-----------

       Checking file: /etc/krb5.conf

[libdefaults]
    default_realm = JEOFFICE.JACKLIN.CO.ZA

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#    default_tgs_enctypes = des3-hmac-sha1
#    default_tkt_enctypes = des3-hmac-sha1
#    permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind 
 
#To self: Buster changes `compat` to `files` here.
 
shadow:         compat
gshadow:        files 
 

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

       Checking file: /etc/samba/smb.conf

[global]
   workgroup = JEOFFICE
   realm = JEOFFICE.JACKLIN.CO.ZA
   security = ADS
   template homedir = /home/%D/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
#   winbind offline logon = true
   winbind enum groups = true 
You can set `winbind enum users = false` and `winbind enum groups = false`.
Enumeration is handy for testing, but it makes winbind walk the whole domain and slows down your server.

   netbios name = ho-vpn-ctx-ac01

   log file = /var/log/samba/%m.log
   log level = 1

   # Default ID mapping configuration for local BUILTIN accounts
   # and groups on a domain member. The default (*) domain:
   # - must not overlap with any domain ID mapping configuration!
   # - must use an read-write-enabled back end, such as tdb.
   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   idmap config JEOFFICE : backend = rid
   idmap config JEOFFICE : range = 3200000-3300000

   winbind nss info = template
 
-----------

Running as Unix domain member and no user.map detected.
 
-----------

Installed packages:
ii  acl                            2.2.52-3+b1                    amd64        Access control list utilities
ii  attr                           1:2.4.47-2+b2                  amd64        Utilities for manipulating filesystem extended attributes
ii  krb5-config                    2.6                            all          Configuration files for Kerberos Version 5
ii  krb5-locales                   1.15-1+deb9u1                  all          internationalization support for MIT Kerberos
ii  krb5-user                      1.15-1+deb9u1                  amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                  2.2.52-3+b1                    amd64        Access control list shared library
ii  libacl1-dev                    2.2.52-3+b1                    amd64        Access control list static libraries and headers
ii  libattr1:amd64                 1:2.4.47-2+b2                  amd64        Extended attribute shared library
ii  libattr1-dev:amd64             1:2.4.47-2+b2                  amd64        Extended attribute static libraries and headers
ii  libgssapi-krb5-2:amd64         1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64          1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64           2:4.9.6+nmu-1.0debian1         amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64           2:4.9.6+nmu-1.0debian1         amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.9.6+nmu-1.0debian1         amd64        Samba winbind client library
ii  python-samba                   2:4.9.6+nmu-1.0debian1         amd64        Python bindings for Samba
ii  samba                          2:4.9.6+nmu-1.0debian1         amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.9.6+nmu-1.0debian1         all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.9.6+nmu-1.0debian1         amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64       2:4.9.6+nmu-1.0debian1         amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.9.6+nmu-1.0debian1         amd64        Samba core libraries
ii  samba-vfs-modules:amd64        2:4.9.6+nmu-1.0debian1         amd64        Samba Virtual FileSystem plugins
ii  winbind                        2:4.9.6+nmu-1.0debian1         amd64        service to resolve user and group information from Windows NT servers
 
#To self: working on this now — change/fix some of the package detection
# for the case of an auth-only setup (no smbd running).
 
-----------
That all looks fine, except for smb.conf: you are only using this server for authentication, no shares?
Then we can reduce the install a bit.
One more thing to check, since this is a PVE LXC container: if the container is unprivileged, the kernel returns EINVAL on chown to any uid that is not inside the container's user-namespace id map — and a RID-mapped uid such as 3201407 may well fall outside it (compare with `cat /proc/self/uid_map`; a local uid like 1000 is mapped, which would fit what you see). That is not a Samba problem, so worth ruling out first.
For example, my "auth only" VPN server only has the following Samba packages installed.
Here I log in with SSO onto a Kerberized NFSv4-mounted home directory, and this is all I use (NFS packages not shown):
 
Installed packages:
ii  acl                                   2.2.52-3+b1                    amd64        Access control list utilities
ii  krb5-config                           2.6                            all          Configuration files for Kerberos Version 5
ii  krb5-locales                          1.15-1+deb9u1                  all          internationalization support for MIT Kerberos
ii  krb5-user                             1.15-1+deb9u1                  amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                         2.2.52-3+b1                    amd64        Access control list shared library
ii  libattr1:amd64                        1:2.4.47-2+b2                  amd64        Extended attribute shared library
ii  libgssapi-krb5-2:amd64                1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                       1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                 1.15-1+deb9u1                  amd64        MIT Kerberos runtime libraries - Support library
ii  libpam-krb5:amd64                     4.7-4                          amd64        PAM module for MIT Kerberos
ii  nfs4-acl-tools                        0.3.3-3                        amd64        Commandline and GUI ACL utilities for the NFSv4 client
ii  python3-xattr                         0.9.1-1                        amd64        module for manipulating filesystem extended attributes - Python 3
ii  xattr                                 0.9.1-1                        amd64        tool for manipulating filesystem extended attributes
ii  libnss-winbind:amd64                  2:4.10.2+nmu-1debian1          amd64        Samba nameservice integration plugins
ii  libwbclient0:amd64                    2:4.10.2+nmu-1debian1          amd64        Samba winbind client library
ii  winbind                               2:4.10.2+nmu-1debian1          amd64        service to resolve user and group information from Windows NT servers





On Wed, 10 Apr 2019 at 09:37, L.P.H. van Belle via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hai Ian, 

Can you run my setup debugger..  

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
Read through the script before running it as root (it is fetched from a raw GitHub URL), then anonymise the output where needed and post it.

Because when i run this, it works fine. 
chown -v username test-own.txt
changed ownership of 'test-own.txt' from root to username 
And yes, this user only exist in AD. 

Check if attr and acl are installed also. 

And if the smb.conf below is complete then your missing: 
    # For ACL support on member servers with shares
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes


The differences between your smb.conf and mine, as far as I can tell now:

Mine uses `idmap config ... : backend = ad`; yours uses `rid`.
Mine has:
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
(the keytab holds the machine credentials, so keep it root-owned and mode 0600.)

Yours has only `kerberos method = secrets only`.

I've just tested these versions because today my vpn needed the upgrades of samba also. 
I've tested and upgraded from 4.8.9 upto 4.8.11, 4.9.6 and 4.10.2 

It still might be a bug, but i need more info. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Ian 
> Coetzee via samba
> Verzonden: woensdag 10 april 2019 9:04
> Aan: Samba List
> Onderwerp: [Samba] chown: changing ownership of 'test': 
> Invalid argument
> 
> Hi All,
> 
> I have a very weird issue on one of my servers. I think I 
> might just be
> missing something quite obviously... I will post the config 
> files at the
> bottom
> 
> I have a brand new Debian server running as an LXC container
> 
> > root@ho-vpn-ctx-ac01:~# lsb_release -a
> > No LSB modules are available.
> > Distributor ID:    Debian
> > Description:    Debian GNU/Linux 9.8 (stretch)
> > Release:    9.8
> > Codename:    stretch
> > root@ho-vpn-ctx-ac01:~# uname -a
> > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35 
> (Wed, 13 Mar
> > 2019 08:24:42 +0100) x86_64 GNU/Linux
> > root@ho-vpn-ctx-ac01:~#
> >
> 
> I am running said server as a domain member using the latest 
> packages in
> Louis' 4.9 branch
> 
> > root@ho-vpn-ctx-ac01:~# net -V
> > Version 4.9.6-Debian
> > root@ho-vpn-ctx-ac01:~# net ads testjoin
> > Join is OK
> >
> 
> The join seems to be good, nsswitch is working
> 
> > root@ho-vpn-ctx-ac01:~# wbinfo -i ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > root@ho-vpn-ctx-ac01:~# getent passwd ianc
> > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> >
> 
>  Yet when I try to change the ownership of a file to a domain user, it
> fails with "Invalid argument"
> 
> > root@ho-vpn-ctx-ac01:~# chown -v ianc test
> > chown: changing ownership of 'test': Invalid argument
> > failed to change ownership of 'test' from root to ianc
> > root@ho-vpn-ctx-ac01:~# chown -v jeadmin test
> > changed ownership of 'test' from root to jeadmin
> > root@ho-vpn-ctx-ac01:~# getent passwd jeadmin
> > jeadmin:x:1000:27::/home/jeadmin:/bin/bash
> >
> 
> It works however when changing to a local user. So it looks 
> like the issue
> might be in samba. This is the first time I have had this 
> problem after
> quite a few other servers (a mix between CentOS, Debian and 
> Ubuntu) has
> already been joined to the domain using the exact same smb.conf.
> 
> On a side note, I am also unable to log into the server using domain
> credentials, which I am currently attributing to the same cause.
> 
> Can you guys maybe point me in the right direction where I 
> might start to
> troubleshoot further?
> 
> Kind regards
> Ian
> 
> Configs:
> 
> root@ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
> [global]
>    workgroup = JEOFFICE
>    realm = JEOFFICE.JACKLIN.CO.ZA
>    security = ADS
>    template homedir = /home/%D/%U
>    template shell = /bin/bash
>    kerberos method = secrets only
>    winbind use default domain = true
> #   winbind offline logon = true
>    winbind enum groups = true
> 
>    netbios name = ho-vpn-ctx-ac01
> 
>    log file = /var/log/samba/%m.log
>    log level = 1
> 
>    # Default ID mapping configuration for local BUILTIN accounts
>    # and groups on a domain member. The default (*) domain:
>    # - must not overlap with any domain ID mapping configuration!
>    # - must use an read-write-enabled back end, such as tdb.
>    idmap config * : backend = tdb
>    idmap config * : range = 70001-80000
>    idmap config JEOFFICE : backend = rid
>    idmap config JEOFFICE : range = 3200000-3300000
> 
>    winbind nss info = template
> root@ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> 

