
Re: [Samba] chown: changing ownership of 'test': Invalid argument




Hi Louis,

I will address both your emails.

This server is auth only, ssh for the moment. Earmarked to turn into an
OpenVPN Access Concentrator once this issue is sorted.

root@ho-vpn-ctx-ac01:~# cat /etc/idmapd.conf
[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup


Domain = jeoffice.jacklin.co.za
> Local-Realm = JEOFFICE.JACKLIN.CO.ZA
>

Should this be added to the idmapd.conf file?

Rest of my replies inline

On Wed, 10 Apr 2019 at 11:10, L.P.H. van Belle via samba <
samba@xxxxxxxxxxxxxxx> wrote:
<SNIP>

>
> Hostname: ho-vpn-ctx-ac01
> DNS Domain: jeoffice.jacklin.co.za
> FQDN: ho-vpn-ctx-ac01.jeoffice.jacklin.co.za
> ipaddress: 10.10.18.50 10.10.11.50
>
> Ok, 2 IP addresses, and the primary is .10.50? For sure?
>

Yes, 2 IPs. The primary IP is 10.10.11.50.

<SNIP>

-----------
>        Checking file: /etc/hosts
>
> 127.0.0.1    localhost
> ::1        localhost ip6-localhost ip6-loopback
> ff02::1        ip6-allnodes
> ff02::2        ip6-allrouters
> # --- BEGIN PVE ---
> 10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01
> # --- END PVE ---
>
> Here, run these to check both PTR records:
> dig -x 10.10.18.50
> dig -x 10.10.11.50
>

Knee jerk reaction

root@ho-vpn-ctx-ac01:~# dig -x 10.10.18.50
> bash: dig: command not found
> root@ho-vpn-ctx-ac01:~# dig -x 10.10.11.50
> bash: dig: command not found
>

installed dnsutils package

>
> root@ho-vpn-ctx-ac01:~# dig -x 10.10.18.50
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> -x 10.10.18.50
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52870
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;50.18.10.10.in-addr.arpa.    IN    PTR
>
> ;; AUTHORITY SECTION:
> 18.10.10.in-addr.arpa.    3600    IN    SOA
> ho-pri-vm-dc02.jeoffice.jacklin.co.za. hostmaster.jeoffice.jacklin.co.za.
> 23 900 600 86400 3600
>
> ;; Query time: 11 msec
> ;; SERVER: 10.10.10.4#53(10.10.10.4)
> ;; WHEN: Wed Apr 10 09:51:55 UTC 2019
> ;; MSG SIZE  rcvd: 137
>
> root@ho-vpn-ctx-ac01:~# dig -x 10.10.11.50
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> -x 10.10.11.50
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65439
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;50.11.10.10.in-addr.arpa.    IN    PTR
>
> ;; AUTHORITY SECTION:
> 11.10.10.in-addr.arpa.    3600    IN    SOA
> ho-pri-vm-dc02.jeoffice.jacklin.co.za. hostmaster.jeoffice.jacklin.co.za.
> 2 900 600 86400 3600
>
> ;; Query time: 10 msec
> ;; SERVER: 10.10.10.4#53(10.10.10.4)
> ;; WHEN: Wed Apr 10 09:52:03 UTC 2019
> ;; MSG SIZE  rcvd: 137
>

Strange....

root@ho-vpn-ctx-ac01:~# net ads dns register
> Successfully registered hostname with DNS
> root@ho-vpn-ctx-ac01:~# dig -x 10.10.11.50 +short
> root@ho-vpn-ctx-ac01:~#
> root@ho-vpn-ctx-ac01:~# samba-tool dns zoneinfo
> ho-pri-vm-dc02.jeoffice.jacklin.co.za 11.10.10.in-addr.arpa
>   pszZoneName                 : 11.10.10.in-addr.arpa
>   dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
>   fReverse                    : TRUE
>   fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
>   fPaused                     : FALSE
>   fShutdown                   : FALSE
>   fAutoCreated                : FALSE
>   fUseDatabase                : TRUE
>   pszDataFile                 : None
>   aipMasters                  : []
>   fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
>   fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
>   aipSecondaries              : []
>   aipNotify                   : []
>   fUseWins                    : FALSE
>   fUseNbstat                  : FALSE
>   fAging                      : FALSE
>   dwNoRefreshInterval         : 168
>   dwRefreshInterval           : 168
>   dwAvailForScavengeTime      : 0
>   aipScavengeServers          : []
>   dwRpcStructureVersion       : 0x2
>   dwForwarderTimeout          : 0
>   fForwarderSlave             : 0
>   aipLocalMasters             : []
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.jeoffice.jacklin.co.za
>   pwszZoneDn                  :
> DC=11.10.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=jeoffice,DC=jacklin,DC=co,DC=za
>   dwLastSuccessfulSoaCheck    : 0
>   dwLastSuccessfulXfr         : 0
>   fQueuedForBackgroundLoad    : FALSE
>   fBackgroundLoadInProgress   : FALSE
>   fReadOnlyZone               : FALSE
>   dwLastXfrAttempt            : 0
>   dwLastXfrResult             : 0
>

Do you think this could be a possible cause? The reverse zone only allows secure dynamic updates (fAllowUpdate), yet the PTR lookup is still empty after `net ads dns register`.


>
> Then check both A records with their FQDN.
> #To Self, add A/PTR check when multiple ips are detected on hostname -I
>
> -----------
>
>        Checking file: /etc/resolv.conf
>
> # --- BEGIN PVE ---
> search jeoffice.jacklin.co.za
> nameserver 10.10.10.4
> # --- END PVE ---
> To make sure: is 10.10.10.4 your DC, or is this a DNS proxy?
>

Yes, 10.10.10.4 is one of the DC's

<SNIP>


>        Checking file: /etc/samba/smb.conf
>
> [global]
>    workgroup = JEOFFICE
>    realm = JEOFFICE.JACKLIN.CO.ZA
>    security = ADS
>    template homedir = /home/%D/%U
>    template shell = /bin/bash
>    kerberos method = secrets only
>    winbind use default domain = true
> #   winbind offline logon = true
>    winbind enum groups = true
> You can set the enum user and group = false.
> Handy for testing, yes, but it slows down your server.
>

Agreed, added for testing purposes


>    netbios name = ho-vpn-ctx-ac01
>
>    log file = /var/log/samba/%m.log
>    log level = 1
>
>    # Default ID mapping configuration for local BUILTIN accounts
>    # and groups on a domain member. The default (*) domain:
>    # - must not overlap with any domain ID mapping configuration!
>    # - must use an read-write-enabled back end, such as tdb.
>    idmap config * : backend = tdb
>    idmap config * : range = 70001-80000
>    idmap config JEOFFICE : backend = rid
>    idmap config JEOFFICE : range = 3200000-3300000
>
>    winbind nss info = template
>
> -----------
>
> Running as Unix domain member and no user.map detected.
>
> -----------
>
> Installed packages:
> ii  acl                            2.2.52-3+b1
> amd64        Access control list utilities
> ii  attr                           1:2.4.47-2+b2
> amd64        Utilities for manipulating filesystem extended attributes
> ii  krb5-config                    2.6
> all          Configuration files for Kerberos Version 5
> ii  krb5-locales                   1.15-1+deb9u1
> all          internationalization support for MIT Kerberos
> ii  krb5-user                      1.15-1+deb9u1
> amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                  2.2.52-3+b1
> amd64        Access control list shared library
> ii  libacl1-dev                    2.2.52-3+b1
> amd64        Access control list static libraries and headers
> ii  libattr1:amd64                 1:2.4.47-2+b2
> amd64        Extended attribute shared library
> ii  libattr1-dev:amd64             1:2.4.47-2+b2
> amd64        Extended attribute static libraries and headers
> ii  libgssapi-krb5-2:amd64         1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64          1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64           2:4.9.6+nmu-1.0debian1
> amd64        Samba nameservice integration plugins
> ii  libpam-winbind:amd64           2:4.9.6+nmu-1.0debian1
> amd64        Windows domain authentication integration plugin
> ii  libwbclient0:amd64             2:4.9.6+nmu-1.0debian1
> amd64        Samba winbind client library
> ii  python-samba                   2:4.9.6+nmu-1.0debian1
> amd64        Python bindings for Samba
> ii  samba                          2:4.9.6+nmu-1.0debian1
> amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                   2:4.9.6+nmu-1.0debian1
> all          common files used by both the Samba server and client
> ii  samba-common-bin               2:4.9.6+nmu-1.0debian1
> amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64       2:4.9.6+nmu-1.0debian1
> amd64        Samba Directory Services Database
> ii  samba-libs:amd64               2:4.9.6+nmu-1.0debian1
> amd64        Samba core libraries
> ii  samba-vfs-modules:amd64        2:4.9.6+nmu-1.0debian1
> amd64        Samba Virtual FileSystem plugins
> ii  winbind                        2:4.9.6+nmu-1.0debian1
> amd64        service to resolve user and group information from Windows NT
> servers
>
> #To Self, working on now: change/fix some detection of packages
> # in case of an auth-only setup (no smbd).
>
> -----------
> That looks fine, except smb.conf: you're only using the server for
> authentication, no shares?
> Then we can reduce the install a bit.
> For example, my "auth only" VPN server only has this installed for Samba.
> Here I log in with SSO on a kerberized NFSv4-mounted home dir, and this is
> all I use (the NFS packages are not shown).
>
> Installed packages:
> ii  acl                                   2.2.52-3+b1
> amd64        Access control list utilities
> ii  krb5-config                           2.6
> all          Configuration files for Kerberos Version 5
> ii  krb5-locales                          1.15-1+deb9u1
> all          internationalization support for MIT Kerberos
> ii  krb5-user                             1.15-1+deb9u1
> amd64        basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                         2.2.52-3+b1
> amd64        Access control list shared library
> ii  libattr1:amd64                        1:2.4.47-2+b2
> amd64        Extended attribute shared library
> ii  libgssapi-krb5-2:amd64                1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                       1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64                 1.15-1+deb9u1
> amd64        MIT Kerberos runtime libraries - Support library
> ii  libpam-krb5:amd64                     4.7-4
> amd64        PAM module for MIT Kerberos
> ii  nfs4-acl-tools                        0.3.3-3
> amd64        Commandline and GUI ACL utilities for the NFSv4 client
> ii  python3-xattr                         0.9.1-1
> amd64        module for manipulating filesystem extended attributes -
> Python 3
> ii  xattr                                 0.9.1-1
> amd64        tool for manipulating filesystem extended attributes
> ii  libnss-winbind:amd64                  2:4.10.2+nmu-1debian1
> amd64        Samba nameservice integration plugins
> ii  libwbclient0:amd64                    2:4.10.2+nmu-1debian1
> amd64        Samba winbind client library
> ii  winbind                               2:4.10.2+nmu-1debian1
> amd64        service to resolve user and group information from Windows NT
> servers
>
>
>
>
>
> On Wed, 10 Apr 2019 at 09:37, L.P.H. van Belle via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
>
> Hai Ian,
>
> Can you run my setup debugger..
>
>
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> Anonymize where needed and post the output.
>
> Because when i run this, it works fine.
> chown -v username test-own.txt
> changed ownership of 'test-own.txt' from root to username
> And yes, this user only exist in AD.
>
> Check if attr and acl are installed also.
>
> And if the smb.conf below is complete, then you're missing:
>     # For ACL support on member servers with shares
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>
> The differences between your smb.conf and mine, as far as I can tell now:
>
> Me backend AD. You RID.
> Me
>     kerberos method = secrets and keytab
>     dedicated keytab file = /etc/krb5.keytab
>     winbind refresh tickets = yes
>
> You ( only secrets )
>
> I've just tested these versions because today my vpn needed the upgrades
> of samba also.
> I've tested and upgraded from 4.8.9 up to 4.8.11, 4.9.6 and 4.10.2.
>
> It still might be a bug, but i need more info.
>
>
> Greetz,
>
> Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Ian
> > Coetzee via samba
> > Verzonden: woensdag 10 april 2019 9:04
> > Aan: Samba List
> > Onderwerp: [Samba] chown: changing ownership of 'test':
> > Invalid argument
> >
> > Hi All,
> >
> > I have a very weird issue on one of my servers. I think I might just be
> > missing something quite obvious... I will post the config files at the
> > bottom.
> >
> > I have a brand new Debian server running as an LXC container
> >
> > > root@ho-vpn-ctx-ac01:~# lsb_release -a
> > > No LSB modules are available.
> > > Distributor ID:    Debian
> > > Description:    Debian GNU/Linux 9.8 (stretch)
> > > Release:    9.8
> > > Codename:    stretch
> > > root@ho-vpn-ctx-ac01:~# uname -a
> > > Linux ho-vpn-ctx-ac01 4.15.18-12-pve #1 SMP PVE 4.15.18-35
> > (Wed, 13 Mar
> > > 2019 08:24:42 +0100) x86_64 GNU/Linux
> > > root@ho-vpn-ctx-ac01:~#
> > >
> >
> > I am running said server as a domain member using the latest
> > packages in
> > Louis' 4.9 branch
> >
> > > root@ho-vpn-ctx-ac01:~# net -V
> > > Version 4.9.6-Debian
> > > root@ho-vpn-ctx-ac01:~# net ads testjoin
> > > Join is OK
> > >
> >
> > The join seems to be good, nsswitch is working
> >
> > > root@ho-vpn-ctx-ac01:~# wbinfo -i ianc
> > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > > root@ho-vpn-ctx-ac01:~# getent passwd ianc
> > > ianc:*:3201407:3200513::/home/JEOFFICE/ianc:/bin/bash
> > >
> >
> >  Yet when I try to change the ownership of a file to a domain user, it
> > fails with "Invalid argument"
> >
> > > root@ho-vpn-ctx-ac01:~# chown -v ianc test
> > > chown: changing ownership of 'test': Invalid argument
> > > failed to change ownership of 'test' from root to ianc
> > > root@ho-vpn-ctx-ac01:~# chown -v jeadmin test
> > > changed ownership of 'test' from root to jeadmin
> > > root@ho-vpn-ctx-ac01:~# getent passwd jeadmin
> > > jeadmin:x:1000:27::/home/jeadmin:/bin/bash
> > >
> >
> > It works, however, when changing to a local user. So it looks like the issue
> > might be in Samba. This is the first time I have had this problem, after
> > quite a few other servers (a mix of CentOS, Debian and Ubuntu) have
> > already been joined to the domain using the exact same smb.conf.
> >
> > On a side note, I am also unable to log into the server using domain
> > credentials, which I am currently attributing to the same cause.
> >
> > Can you guys maybe point me in the right direction where I
> > might start to
> > troubleshoot further?
> >
> > Kind regards
> > Ian
> >
> > Configs:
> >
> > root@ho-vpn-ctx-ac01:~# cat /etc/samba/smb.conf
> > [global]
> >    workgroup = JEOFFICE
> >    realm = JEOFFICE.JACKLIN.CO.ZA
> >    security = ADS
> >    template homedir = /home/%D/%U
> >    template shell = /bin/bash
> >    kerberos method = secrets only
> >    winbind use default domain = true
> > #   winbind offline logon = true
> >    winbind enum groups = true
> >
> >    netbios name = ho-vpn-ctx-ac01
> >
> >    log file = /var/log/samba/%m.log
> >    log level = 1
> >
> >    # Default ID mapping configuration for local BUILTIN accounts
> >    # and groups on a domain member. The default (*) domain:
> >    # - must not overlap with any domain ID mapping configuration!
> >    # - must use an read-write-enabled back end, such as tdb.
> >    idmap config * : backend = tdb
> >    idmap config * : range = 70001-80000
> >    idmap config JEOFFICE : backend = rid
> >    idmap config JEOFFICE : range = 3200000-3300000
> >
> >    winbind nss info = template
> > root@ho-vpn-ctx-ac01:~# cat /etc/nsswitch.conf
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages
> > installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd:         compat winbind
> > group:          compat winbind
> > shadow:         compat
> > gshadow:        files
> >
> > hosts:          files dns
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba