
Re: [Samba] chown: changing ownership of 'test': Invalid argument




Hi Rowland,

On Wed, 10 Apr 2019 at 12:00, Rowland Penny <rpenny@xxxxxxxxx> wrote:

> On Wed, 10 Apr 2019 11:41:52 +0200
> Ian Coetzee <samba@xxxxxxxxxxxxxxxxx> wrote:
>
> > Hi Rowland,
> >
> > Replies inline
> >
> > >
> > > > The only user I have is the jeadmin user which is the domain
> > > > admin as well as a local admin user.
> > >
> > > Er, no, that would be 'Administrator'. Is 'jeadmin' a member of
> > > 'Administrators', 'Domain Admins' or some other such administration
> > > group?
> > >
> >
> > We have a group policy that renames Administrator to jeadmin
>
> OK, then wherever you see 'Administrator' on the Samba wiki etc.,
> replace it with 'jeadmin'.
>

Yup. I also normally log into the AD as myself, which is part of the Domain
Admins group.


>
> >
> >
> > >
> > > >
> > > > Should I try renaming the local user?
> > >
> > > Either that or delete the user from AD or /etc/passwd, you cannot
> > > have the same user in both. The user in /etc/passwd will normally
> > > be used on the Unix OS
> >
> >
> > Which is the intended course of action, so I can ssh into the servers
> > with the jeadmin account in case the domain is offline (debian ssh
> > denies root logins)
>
> Ever heard of sudo?
> Log in as a normal user and then run everything with sudo, or become
> root with 'su -'
>

Yup, most definitely, use sudo everywhere.


>
> >
> > I will quickly drop the user and see if it makes a difference
> >
> >
> > > before the AD user and will be the opposite way around
> > > on Windows.
> > >
> >
> > Yup, and using .\jeadmin to log in as a local user.
> >
> >
> > >
> > > Try adding this line to smb.conf:
> > >
> > > winbind enum users = yes, restart or reload Samba, then run 'getent
> > > passwd', this should return all users, local and domain.
> > >
> >
> > Oooh I sense a server overload ;-) (Lots of users in the AD)
>
> I did say remove it after the test, I just wondered if getent was
> working correctly.
>

Yes, yes you did.


>
> > I am quite confident that nss and winbind are talking to each other
> > quite nicely.
>
> Then why isn't it working?
>

This is the question leaving me perplexed as well.


>
> Last things to try, start raising the Samba loglevel and see if
> anything pops out and check if Apparmor is stopping the chown.
>

I bumped the loglevel up to 10. What I can glean from the log is:

[2019/04/10 10:09:48.041065,  1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_LookupSid: struct wbint_LookupSid
          in: struct wbint_LookupSid
              sid                      : *
                  sid                      : <RED>-1407
[2019/04/10 10:09:48.041888, 10, pid=15234, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4803(wcache_store_ndr)
  could not fetch seqnum for domain JEOFFICE
[2019/04/10 10:09:48.041954,  1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_LookupSid: struct wbint_LookupSid
          out: struct wbint_LookupSid
              type                     : *
                  type                     : SID_NAME_USER (1)
              domain                   : *
                  domain                   : *
                      domain                   : 'JEOFFICE'
              name                     : *
                  name                     : *
                      name                     : 'ianc'
              result                   : NT_STATUS_OK
[2019/04/10 10:09:48.042076,  1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_GetNssInfo: struct wbint_GetNssInfo
          in: struct wbint_GetNssInfo
              info                     : *
                  info: struct wbint_userinfo
                      domain_name              : *
                          domain_name              : 'JEOFFICE'
                      acct_name                : *
                          acct_name                : 'ianc'
                      full_name                : NULL
                      homedir                  : *
                          homedir                  : '/home/%D/%U'
                      shell                    : *
                          shell                    : '/bin/bash'
                      uid                      : 0x000000000030d97f (3201407)
                      primary_gid              : 0x00000000ffffffff (4294967295)
                      primary_group_name       : NULL
                      user_sid                 : <RED>-1407
                      group_sid                : <RED>-513
[2019/04/10 10:09:48.043212,  1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_GetNssInfo: struct wbint_GetNssInfo
          out: struct wbint_GetNssInfo
              info                     : *
                  info: struct wbint_userinfo
                      domain_name              : *
                          domain_name              : 'JEOFFICE'
                      acct_name                : *
                          acct_name                : 'ianc'
                      full_name                : NULL
                      homedir                  : *
                          homedir                  : '/home/%D/%U'
                      shell                    : *
                          shell                    : '/bin/bash'
                      uid                      : 0x000000000030d97f (3201407)
                      primary_gid              : 0x00000000ffffffff (4294967295)
                      primary_group_name       : NULL
                      user_sid                 : <RED>-1407
                      group_sid                : <RED>-513
              result                   : NT_STATUS_REQUEST_NOT_ACCEPTED

Is this last "NT_STATUS_REQUEST_NOT_ACCEPTED" maybe the problem?

I will quickly glance at AppArmor.



>
> Rowland
>
>
>
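
A triage helper for the level-10 winbindd dump quoted in the message above, added here as an example (it is not part of the original message and not Samba code). It reports every "out" dump whose result is not NT_STATUS_OK or whose uid/primary_gid is 0xffffffff. The name triage, the regexes, and the reading of 0xffffffff (a 32-bit -1) as "no ID assigned" are assumptions of this example; the sample is a trimmed excerpt constructed from the log in the message.

```python
import re

# Constructed sample: trimmed excerpt of the winbindd log quoted in the message.
SAMPLE_LOG = """\
[2019/04/10 10:09:48.041954,  1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_LookupSid: struct wbint_LookupSid
          out: struct wbint_LookupSid
                  type                     : SID_NAME_USER (1)
              result                   : NT_STATUS_OK
[2019/04/10 10:09:48.043212,  1, pid=15234, effective(0, 0), real(0, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_GetNssInfo: struct wbint_GetNssInfo
          out: struct wbint_GetNssInfo
                      acct_name                : *
                          acct_name                : 'ianc'
                      uid                      : 0x000000000030d97f (3201407)
                      primary_gid              : 0x00000000ffffffff (4294967295)
              result                   : NT_STATUS_REQUEST_NOT_ACCEPTED
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),")   # start of a log record
CALL = re.compile(r"^\s+(wbint_\w+): struct")            # winbind internal RPC name
DIRECTION = re.compile(r"^\s+(in|out): struct")          # request or reply dump
FIELD = re.compile(r"^\s+(\w+)\s+: (\S.*)$")             # "name   : value" lines
UNSET_ID = 0xFFFFFFFF  # assumption of this example: 32-bit -1 means "no uid/gid"

def triage(log_text):
    """Return (time, call, account, result, unset_ids) for each suspicious reply."""
    records, cur = [], None
    for line in log_text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"time": m.group(1), "call": None, "dir": None}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := CALL.match(line)):
            cur["call"] = m.group(1)
        elif (m := DIRECTION.match(line)):
            cur["dir"] = m.group(1)
        elif (m := FIELD.match(line)) and m.group(2) != "*":  # "*" is a pointer marker
            key, val = m.groups()
            # Hex values may carry a "(decimal)" suffix or lose it to mail wrapping.
            cur[key] = int(val.split()[0], 16) if val.startswith("0x") else val.strip("'")
    findings = []
    for r in records:
        unset = [k for k in ("uid", "primary_gid") if r.get(k) == UNSET_ID]
        if r["dir"] == "out" and (r.get("result") != "NT_STATUS_OK" or unset):
            findings.append((r["time"], r["call"], r.get("acct_name"), r.get("result"), unset))
    return findings
```

Request ("in") dumps are skipped on purpose, since their ID fields are not yet filled in.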