
Re: [Samba] chown: changing ownership of 'test': Invalid argument




Hai, took a bit of time... but here you go. 
 
Ok, a few things I've noticed. I've diffed the files; here are the results of that.
 
< samba 4.5
> samba 4.9 
 
< Collected config  --- 2019-04-11-09:30 -----------
---
> Collected config  --- 2019-04-11-07:29 -----------

Which means your time setup is not the same. 2 hours difference?
Check your timezone setup and set up an NTP client that syncs with the AD-DCs.
 
 
< 10.10.100.12  ho-clm-ph-tempvisor01.jeoffice.jacklin.co.za    ho-clm-ph-tempvisor01
<
< # The following lines are desirable for IPv6 capable hosts
< ::1     localhost ip6-localhost ip6-loopback
< ff02::1 ip6-allnodes
< ff02::2 ip6-allrouters
---
> ::1           localhost ip6-localhost ip6-loopback
> ff02::1               ip6-allnodes
> ff02::2               ip6-allrouters
> # --- BEGIN PVE ---
> 10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01
> # --- END PVE ---

 
The "netbios name", if not defined in smb.conf, is taken from the system's hostname.
But the netbios name has a restriction of max 15 ( +1) characters. 
ho-clm-ph-tempvisor01 << 21 chars.
ho-vpn-ctx-ac01 << 15 chars 
 
I advise max 15, or set the netbios name manually.
But if you set it manually, make sure this is also correct in the DNS, either by CNAME or A/PTR.
 
Ah, and here I see the settings in smb.conf; both are correct, but are these resolvable?
286,306c195,220
<         netbios name = tempvisor1
>         netbios name = ho-vpn-ctx-ac01

Ok in 4.5, not used in 4.9+ anymore. 
<         winbind use default domain = true
>        ( not found) ..
 
>    winbind enum groups = true
>    winbind enum users = true
Remove them, really not needed. Test with: wbinfo -u, getent passwd user/group, id username
 
 
while this is possible: 
<         idmap config * : backend = tdb
<         idmap config * : range = 3000-7999
<         idmap config JEOFFICE : backend = rid
<         idmap config JEOFFICE : range = 100000-200000

>    idmap config * : backend = tdb
>    idmap config * : range = 70001-80000
>    idmap config JEOFFICE : backend = rid
>    idmap config JEOFFICE : range = 3200000-3300000

I would prefer to see the same ranges here.
 
<         winbind nss info = template
<         template shell = /bin/bash
<         template homedir = /home/%D/%U

>    winbind nss info = template
And the other part is missing. Yes, some are defaults, but again I advise keeping this the same as much as possible.
 
331,356c245,269
< ii  attr                                 1:2.4.47-2+b2                  amd64        Utilities for manipulating filesystem extended attributes

> ii  acl                            2.2.52-3+b1                    amd64        Access control list utilities
> ii  attr                           1:2.4.47-2+b2                  amd64        Utilities for manipulating filesystem extended attributes

 
Things not mentioned are the same in setup, so now you need to fix these differences.
 
1) 
time setup, run: tzselect and make sure these are the same. 
 
1a) setup ntp, multiple options here. 
https://wiki.samba.org/index.php/Time_Synchronisation
Choose options 2 or 3 for the members. 
setup, reboot, check again. 
 
2) 
Primarily the netbios hostnames: make sure these are resolvable and max 15 chars.
And netbios prefers to have these in CAPS.
dig -x ip_of_server
dig a FQDN 
dig a netbiosname.FQDN.  (which should be, in my opinion, a CNAME to the original name.)
 
 
3) install acl also on the 4.5 server. 
 
4) smb.conf
The rid ranges: set up the 4.9 as the 4.5 is.
Why this way, and not vice versa?
The samba defaults start at ID 10000, that's why, nothing else.
 
For the 4.9 smb.conf, add the following (yes, these might be defaults, but if a default changes, you're always safe because you defined them):
         winbind nss info = template
         template shell = /bin/bash
         template homedir = /home/%D/%U
 
Now, make these changes, preferably in this order.
 
in addition for both smb.conf's. 
add this part: 
 
    winbind refresh tickets = yes
 
    # For Windows ACL support on member file server, enabled globally, OBLIGATED to be set.
    # For a mixed setup of rights, put this per share!
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

you also missed. 
    # user Administrator workaround, without it you are unable to set privileges
    # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User
    username map = /etc/samba/samba_usermapping
    # example : !root = JEOFFICE\Administrator JEOFFICE\administrator

Set this up for both servers. 
 
Also, think about these two settings (man smb.conf) and optionally apply them.
    # enable offline logins
    winbind offline logon = yes
    # 
    winbind use default domain = yes

# and small fix up in mkhomedir.
echo "Name: Create homedir at login (mkhomedir)
Default: yes
Priority: 900
Session-Type: Additional
Session:
        optional pam_mkhomedir.so umask=0022 skel=/etc/skel
" > /usr/share/pam-configs/mkhomedir
 
Run : 
pam-auth-update --package mkhomedir
pam-auth-update
 
 
once done, on both servers run : 

net cache flush
reboot
 
Now go check again. 
 
 
Greetz, 
 
Louis
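
Added example, not part of the original message and not Samba code: a small check of why the differing rid ranges matter, using the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID with base_rid assumed to be 0 (neither config sets it). The function names are hypothetical; the idmap lines, the SID and the hostnames are the ones posted in this thread, and the 4.9 result equals the uid 3201407 in the Server 2 log quoted further down.

```python
import re

NETBIOS_MAX = 15  # limit stated in the post
IDMAP_RE = re.compile(
    r"^[ \t]*idmap config[ \t]+(\S+)[ \t]*:[ \t]*(backend|range)[ \t]*=[ \t]*(.+?)[ \t]*$",
    re.I | re.M)

def parse_idmap(conf_text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    out = {}
    for dom, key, val in IDMAP_RE.findall(conf_text):
        if key.lower() == "range":
            val = tuple(int(x) for x in val.split("-"))
        out.setdefault(dom.upper(), {})[key.lower()] = val
    return out

def rid_to_uid(sid, low, high, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    uid = int(sid.rsplit("-", 1)[1]) - base_rid + low
    return uid if low <= uid <= high else None

def netbios_ok(name):
    """True when the name fits the 15-character NetBIOS limit."""
    return len(name) <= NETBIOS_MAX

def compare_members(conf_a, conf_b, sid):
    """For each domain whose idmap settings differ, the uid each member gives sid."""
    a, b = parse_idmap(conf_a), parse_idmap(conf_b)
    report = {}
    for dom in sorted(set(a) | set(b)):
        if a.get(dom) != b.get(dom):
            report[dom] = tuple(
                rid_to_uid(sid, *c[dom]["range"])
                if c.get(dom, {}).get("backend") == "rid" else None
                for c in (a, b))
    return report

# idmap lines and user SID copied from this thread (4.5 member, then 4.9 member)
CONF_45 = """idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config JEOFFICE : backend = rid
idmap config JEOFFICE : range = 100000-200000"""
CONF_49 = """idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config JEOFFICE : backend = rid
idmap config JEOFFICE : range = 3200000-3300000"""
SID = "S-1-5-21-2093009959-3443338361-3281248646-1407"

if __name__ == "__main__":
    print(compare_members(CONF_45, CONF_49, SID))
```

With the posted ranges the same domain user owns files as uid 101407 on the 4.5 member and as uid 3201407 on the 4.9 member, so ownership does not carry over between the two until the ranges match.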

From: Ian Coetzee [mailto:samba@xxxxxxxxxxxxxxxxx] 
Sent: Thursday 11 April 2019 9:41
To: L.P.H. van Belle
Subject: Re: [Samba] chown: changing ownership of 'test': Invalid argument



Hi Louis,


Please see attached.


Kind regards



On Thu, 11 Apr 2019 at 09:22, L.P.H. van Belle via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hai Ian,

Can you run this one again on both servers and pm me both outputs. 

I'll have a good look. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
I've updated the file, so do use the new one. 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Ian 
> Coetzee via samba
> Sent: Thursday 11 April 2019 9:03
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] chown: changing ownership of 'test': 
> Invalid argument
> 
> Hi all,
> 
> I have been doing some additional tests. I am running the 
> same command on
> two different servers, both joined to the domain. Then 
> checking the logs on
> loglevel 20
> 
> Server 1 - Barebones machine, Debian 9, Samba 4.5 (Debian Repo)
> $ getent passwd ianc
> 
> [2019/04/11 08:51:50.574086,  1, pid=3265271, effective(0, 
> 0), real(0, 0)]
> ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
>        wbint_QueryUser: struct wbint_QueryUser
>           out: struct wbint_QueryUser
>               info                     : *
>                   info: struct wbint_userinfo
>                       acct_name                : *
>                           acct_name                : 'ianc'
>                       full_name                : *
>                           full_name                : 'Ian Coetzee'
>                       homedir                  : *
>                           homedir                  : '/home/%D/%U'
>                       shell                    : *
>                           shell                    : '/bin/bash'
>                       primary_gid              : 0x00000000ffffffff
> (4294967295)
>                       user_sid                 :
> S-1-5-21-2093009959-3443338361-3281248646-1407
>                       group_sid                :
> S-1-5-21-2093009959-3443338361-3281248646-513
>               result                   : NT_STATUS_OK
> 
> Server 2 - LXC Container, Debian 9, Samba 4.9 (Louis' Repo)
> $ getent passwd ianc
> 
> [2019/04/11 06:55:26.719755,  1, pid=16957, effective(0, 0), 
> real(0, 0),
> class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
>        wbint_GetNssInfo: struct wbint_GetNssInfo
>           in: struct wbint_GetNssInfo
>               info                     : *
>                   info: struct wbint_userinfo
>                       domain_name              : *
>                           domain_name              : 'JEOFFICE'
>                       acct_name                : *
>                           acct_name                : 'ianc'
>                       full_name                : NULL
>                       homedir                  : *
>                           homedir                  : '/home/%D/%U'
>                       shell                    : *
>                           shell                    : '/bin/bash'
>                       uid                      : 0x000000000030d97f
> (3201407)
>                       primary_gid              : 0x00000000ffffffff
> (4294967295)
>                       primary_group_name       : NULL
>                       user_sid                 :
> S-1-5-21-2093009959-3443338361-3281248646-1407
>                       group_sid                :
> S-1-5-21-2093009959-3443338361-3281248646-513
> [2019/04/11 06:55:26.720941,  1, pid=16957, effective(0, 0), 
> real(0, 0),
> class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
>        wbint_GetNssInfo: struct wbint_GetNssInfo
>           out: struct wbint_GetNssInfo
>               info                     : *
>                   info: struct wbint_userinfo
>                       domain_name              : *
>                           domain_name              : 'JEOFFICE'
>                       acct_name                : *
>                           acct_name                : 'ianc'
>                       full_name                : NULL
>                       homedir                  : *
>                           homedir                  : '/home/%D/%U'
>                       shell                    : *
>                           shell                    : '/bin/bash'
>                       uid                      : 0x000000000030d97f
> (3201407)
>                       primary_gid              : 0x00000000ffffffff
> (4294967295)
>                       primary_group_name       : NULL
>                       user_sid                 :
> S-1-5-21-2093009959-3443338361-3281248646-1407
>                       group_sid                :
> S-1-5-21-2093009959-3443338361-3281248646-513
>               result                   : 
> NT_STATUS_REQUEST_NOT_ACCEPTED
> 
> On Server 1 I can log in using domain credentials and 
> chown|chgrp files and
> folders to domain users and groups. Server 2 is the server in 
> this thread.
> 
> A few things that I notice, is that the primary_gid is always 
> 4294967295
> (weird, but ok, it works on Server 1)
> 
> On Server 2 the full_name is returned as NULL, but not on Server 1
> (Possibly the issue?)
> 
> My next step is to actually migrate this LXC container to a 
> proper QEMU vm
> and test again, I can't help but shake the feeling that the 
> apparmor on the
> Hypervisor is causing this issue. Although Server 1 is the hypervisor
> Server 2 is running on...
> 
> I will revert my findings.
> 
> Thank you for the advice so far.
> 
> Kind regards
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

