Re: [Samba] chown: changing ownership of 'test': Invalid argument




Hi Louis,

Thank you for the very detailed reply. I was just on my way into the list
to update.

I have migrated the lxc container to a full on vm and now it works....

As part of the migration, I noticed that all the uid/gid's stored on disk
are moved up by 100000. As such, 0 (root) became 100000, 1000 (jeadmin)
became 1001000, etc.

I will be taking this discussion to the proxmox mailing list, as it seems
they might be doing something funny internally. Go figure.

Thank you Louis and Rowland for the replies. If anything else, this thread
might serve another user in the future.

On Thu, 11 Apr 2019 at 11:22, L.P.H. van Belle <belle@xxxxxxxxx> wrote:

> Hai, took a bit of time... but here you go.
>
> OK, a few things I've noticed. I've diffed the files; here are the
> results of that.
>
> < samba 4.5
> > samba 4.9
>
> < Collected config  --- 2019-04-11-09:30 -----------
> ---
> > Collected config  --- 2019-04-11-07:29 -----------
> Which means your time setup is not the same.  2 hours different?
> Check your timezone setup and set up an NTP client that syncs with the AD DCs.
>
>
> < 10.10.100.12  ho-clm-ph-tempvisor01.jeoffice.jacklin.co.za
> ho-clm-ph-tempvisor01
> <
> < # The following lines are desirable for IPv6 capable hosts
> < ::1     localhost ip6-localhost ip6-loopback
> < ff02::1 ip6-allnodes
> < ff02::2 ip6-allrouters
> ---
> > ::1           localhost ip6-localhost ip6-loopback
> > ff02::1               ip6-allnodes
> > ff02::2               ip6-allrouters
> > # --- BEGIN PVE ---
> > 10.10.18.50 ho-vpn-ctx-ac01.jeoffice.jacklin.co.za ho-vpn-ctx-ac01
> > # --- END PVE ---
>
> The "netbios name", if not defined in smb.conf, is taken from the system's
> hostname.
> But the netbios name has a restriction of max 15 (+1) characters.
> ho-clm-ph-tempvisor01 << 21 chars.
> ho-vpn-ctx-ac01 << 15 chars
>
> I advise max 15, or set the netbios name manually.
> But if you set it manually, make sure it is also correct in the DNS, either by
> CNAME or A/PTR.
>
> Ah, and here I see the settings in smb.conf; both are correct, but are these
> resolvable?
> 286,306c195,220
> <         netbios name = tempvisor1
> >         netbios name = ho-vpn-ctx-ac01
> Ok in 4.5, not used in 4.9+ anymore.
> <         winbind use default domain = true
> >        ( not found) ..
>
> >    winbind enum groups = true
> >    winbind enum users = true
> remove them, really not needed.  Test with, wbinfo -u, getent passwd
> user/group, id username
>
>
> while this is possible:
> <         idmap config * : backend = tdb
> <         idmap config * : range = 3000-7999
> <         idmap config JEOFFICE : backend = rid
> <         idmap config JEOFFICE : range = 100000-200000
>
> >    idmap config * : backend = tdb
> >    idmap config * : range = 70001-80000
> >    idmap config JEOFFICE : backend = rid
> >    idmap config JEOFFICE : range = 3200000-3300000
> I would prefer to see the same ranges here.
>
> <         winbind nss info = template
> <         template shell = /bin/bash
> <         template homedir = /home/%D/%U
>
> >    winbind nss info = template
> And the other part is missing. Yes, some are defaults, but again I advise
> keeping this the same as much as possible.
>
> 331,356c245,269
> < ii  attr                                 1:2.4.47-2+b2
> amd64        Utilities for manipulating filesystem extended attributes
>
> > ii  acl                            2.2.52-3+b1
> amd64        Access control list utilities
> > ii  attr                           1:2.4.47-2+b2
> amd64        Utilities for manipulating filesystem extended attributes
>
> Things not mentioned are the same in setup, so now you need to fix these
> differences.
>
> 1)
> time setup, run: tzselect and make sure these are the same.
>
> 1a) setup ntp, multiple options here.
> https://wiki.samba.org/index.php/Time_Synchronisation
> Choose options 2 or 3 for the members.
> setup, reboot, check again.
>
> 2)
> Primarily the netbios hostnames: make sure these are resolvable and max 15
> chars.
> And, netbios prefers to have these in CAPS.
> dig -x ip_of_server
> dig a FQDN
> dig a netbiosname.FQDN.  (which should be, in my opinion, a CNAME to
> the original name.)
>
>
> 3) install acl also on the 4.5 server.
>
> 4) smb.conf
> The rid ranges, setup the 4.9 as the 4.5 is.
> Why this way, and not vice versa?
> The samba defaults start at ID 10000, that's why, nothing else.
>
> The 4.9 smb.conf, add: yes, these might be defaults, but if a default
> changes, you're always safe because you defined them.
>          winbind nss info = template
>          template shell = /bin/bash
>          template homedir = /home/%D/%U
>
> Now, make these changes, preferably in this order.
>
> in addition for both smb.conf's.
> add this part:
>
>     winbind refresh tickets = yes
>
>     # For Windows ACL support on member file server, enabled globally, OBLIGATED to be set.
>     # For a mixed setup of rights, put this per share!
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
> you also missed.
>     # user Administrator workaround, without it you are unable to set privileges
>     # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User
>
>     username map = /etc/samba/samba_usermapping
>     # example : !root = JEOFFICE\Administrator JEOFFICE\administrator
> Set this up for both servers.
>
> Also, think about these two settings (man smb.conf) and optionally apply
> them.
>     # enable offline logins
>     winbind offline logon = yes
>     #
>     winbind use default domain = yes
> # and small fix up in mkhomedir.
> echo "Name: Create homedir at login (mkhomedir)
> Default: yes
> Priority: 900
> Session-Type: Additional
> Session:
>         optional pam_mkhomedir.so umask=0022 skel=/etc/skel
> " > /usr/share/pam-configs/mkhomedir
>
> Run :
> pam-auth-update --package mkhomedir
> pam-auth-update
>
>
> once done, on both servers run :
> net cache flush
> reboot
>
> Now go check again.
>
>
> Greetz,
>
> Louis
>
> ------------------------------
> *From:* Ian Coetzee [mailto:samba@xxxxxxxxxxxxxxxxx]
> *Sent:* Thursday 11 April 2019 9:41
> *To:* L.P.H. van Belle
> *Subject:* Re: [Samba] chown: changing ownership of 'test': Invalid
> argument
>
> Hi Louis,
>
> Please see attached.
>
> Kind regards
>
> On Thu, 11 Apr 2019 at 09:22, L.P.H. van Belle via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hai Ian,
>>
>> Can you run this one again on both servers and pm me both outputs.
>>
>> I'll have a good look.
>>
>> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>> I've updated the file, so do use the new one.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Ian
>> > Coetzee via samba
>> > Sent: Thursday 11 April 2019 9:03
>> > To: samba@xxxxxxxxxxxxxxx
>> > Subject: Re: [Samba] chown: changing ownership of 'test':
>> > Invalid argument
>> >
>> > Hi all,
>> >
>> > I have been doing some additional tests. I am running the
>> > same command on
>> > two different servers, both joined to the domain. Then
>> > checking the logs on
>> > loglevel 20
>> >
>> > Server 1 - Barebones machine, Debian 9, Samba 4.5 (Debian Repo)
>> > $ getent passwd ianc
>> >
>> > [2019/04/11 08:51:50.574086,  1, pid=3265271, effective(0,
>> > 0), real(0, 0)]
>> > ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
>> >        wbint_QueryUser: struct wbint_QueryUser
>> >           out: struct wbint_QueryUser
>> >               info                     : *
>> >                   info: struct wbint_userinfo
>> >                       acct_name                : *
>> >                           acct_name                : 'ianc'
>> >                       full_name                : *
>> >                           full_name                : 'Ian Coetzee'
>> >                       homedir                  : *
>> >                           homedir                  : '/home/%D/%U'
>> >                       shell                    : *
>> >                           shell                    : '/bin/bash'
>> >                       primary_gid              : 0x00000000ffffffff
>> > (4294967295)
>> >                       user_sid                 :
>> > S-1-5-21-2093009959-3443338361-3281248646-1407
>> >                       group_sid                :
>> > S-1-5-21-2093009959-3443338361-3281248646-513
>> >               result                   : NT_STATUS_OK
>> >
>> > Server 2 - LXC Container, Debian 9, Samba 4.9 (Louis' Repo)
>> > $ getent passwd ianc
>> >
>> > [2019/04/11 06:55:26.719755,  1, pid=16957, effective(0, 0),
>> > real(0, 0),
>> > class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
>> >        wbint_GetNssInfo: struct wbint_GetNssInfo
>> >           in: struct wbint_GetNssInfo
>> >               info                     : *
>> >                   info: struct wbint_userinfo
>> >                       domain_name              : *
>> >                           domain_name              : 'JEOFFICE'
>> >                       acct_name                : *
>> >                           acct_name                : 'ianc'
>> >                       full_name                : NULL
>> >                       homedir                  : *
>> >                           homedir                  : '/home/%D/%U'
>> >                       shell                    : *
>> >                           shell                    : '/bin/bash'
>> >                       uid                      : 0x000000000030d97f
>> > (3201407)
>> >                       primary_gid              : 0x00000000ffffffff
>> > (4294967295)
>> >                       primary_group_name       : NULL
>> >                       user_sid                 :
>> > S-1-5-21-2093009959-3443338361-3281248646-1407
>> >                       group_sid                :
>> > S-1-5-21-2093009959-3443338361-3281248646-513
>> > [2019/04/11 06:55:26.720941,  1, pid=16957, effective(0, 0),
>> > real(0, 0),
>> > class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
>> >        wbint_GetNssInfo: struct wbint_GetNssInfo
>> >           out: struct wbint_GetNssInfo
>> >               info                     : *
>> >                   info: struct wbint_userinfo
>> >                       domain_name              : *
>> >                           domain_name              : 'JEOFFICE'
>> >                       acct_name                : *
>> >                           acct_name                : 'ianc'
>> >                       full_name                : NULL
>> >                       homedir                  : *
>> >                           homedir                  : '/home/%D/%U'
>> >                       shell                    : *
>> >                           shell                    : '/bin/bash'
>> >                       uid                      : 0x000000000030d97f
>> > (3201407)
>> >                       primary_gid              : 0x00000000ffffffff
>> > (4294967295)
>> >                       primary_group_name       : NULL
>> >                       user_sid                 :
>> > S-1-5-21-2093009959-3443338361-3281248646-1407
>> >                       group_sid                :
>> > S-1-5-21-2093009959-3443338361-3281248646-513
>> >               result                   :
>> > NT_STATUS_REQUEST_NOT_ACCEPTED
>> >
>> > On Server 1 I can log in using domain credentials and
>> > chown|chgrp files and
>> > folders to domain users and groups. Server 2 is the server in
>> > this thread.
>> >
>> > A few things that I notice, is that the primary_gid is always
>> > 4294967295
>> > (weird, but ok, it works on Server 1)
>> >
>> > On Server 2 the full_name is returned as NULL, but not on Server 1
>> > (Possibly the issue?)
>> >
>> > My next step is to actually migrate this LXC container to a
>> > proper QEMU vm
>> > and test again, I can't help but shake the feeling that the
>> > apparmor on the
>> > Hypervisor is causing this issue. Although Server 1 is the hypervisor
>> > Server 2 is running on...
>> >
>> > I will revert my findings.
>> >
>> > Thank you for the advice so far.
>> >
>> > Kind regards
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> >
>> >
>>
>>
>>
>
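
Added example, not part of the original thread: the +100000 shift of on-disk uids/gids reported at the top of this message is what a user-namespace ID map produces, and inside such a namespace chown(2) to an ID that has no mapping fails with EINVAL ("Invalid argument"). The script below checks whether the idmap ranges from the 4.9 smb.conf fit inside a given uid_map; the sample map `0 100000 65536` and the function names are assumptions, not values taken from the affected host.

```shell
#!/bin/sh
# Added example, not from the thread. uid_map lines (user_namespaces(7)) are:
#   <first-id-inside-ns> <first-id-outside-ns> <count>

# Constructed sample map for an unprivileged container with the +100000
# shift described above; the extent length 65536 is an assumption.
SAMPLE_UID_MAP='0 100000 65536'

# range_is_mapped MAP LOW HIGH
# Succeeds only if LOW..HIGH (IDs as seen inside the namespace) lies within
# a single extent of MAP. Ranges spanning several extents are reported as
# unmapped, which is the conservative answer.
range_is_mapped() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        NF == 3 && lo + 0 >= $1 + 0 && hi + 0 < $1 + $3 { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# check_idmap_ranges MAP RANGE...
# Prints one line per "low-high" range and returns the number of ranges
# that the map does not cover.
check_idmap_ranges() {
    map=$1; shift
    missing=0
    for r in "$@"; do
        if range_is_mapped "$map" "${r%-*}" "${r#*-}"; then
            echo "idmap range $r: mapped"
        else
            echo "idmap range $r: NOT mapped, chown to these IDs returns EINVAL"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Ranges from the 4.9 smb.conf quoted in the thread. On a live system pass
# "$(cat /proc/self/uid_map)" (and gid_map for groups) instead of the sample.
check_idmap_ranges "$SAMPLE_UID_MAP" 70001-80000 3200000-3300000 || true
```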