SAMBA connected to AD, uid changed in time... users home share deny

lexxai

Dabbler
Joined
Nov 9, 2016
Messages
33
FreeNAS 11.2-U2.1
Samba connected to external Active Directory.
ZFS pool poolz2/samba/users/ used for general purpose as home of users.
getfacl /mnt/poolz2/samba/users/user1
..
group:21106:rwxpDdaARWcCo-:fd-----:allow

All works OK. The user has access to their home folder.
/var/log/samba4/log.smbd
connect to service storage initially as user EDOMAIN\user1 (uid=21106, gid=20513)
In time I can see changes of the GID for the group.
connect to service storage initially as user EDOMAIN\user1 (uid=21106, gid=90000015)
And later changes of the UID for the user.
connect to service storage initially as user EDOMAIN\user1 (uid=90000012, gid=90000015)

And now the user has no access to their home folder, since it is another ID.

wbinfo -i EDOMAIN\\user1
EDOMAIN\user1:*:90000012:90000015:test user:/home/EDOMAIN/user1:/bin/sh


net usersidlist
EDOMAIN\user1

S-1-5-21-1000237325-705069941-1001383582-1106

Reloading the service does not help. Only a reboot of the FreeNAS server helps, and all works for some time,
but the user still has no access to their home folder.

But if I clear the cache with 'net cache flush', then
wbinfo -i EDOMAIN\\user1
EDOMAIN\user1:*:21106:20513:test user:/home/EDOMAIN/user1:/bin/sh

And reload with /etc/ix.rc.d/ix-activedirectory restart.
Then if the user unmaps the home disk z: and maps it again, now it is OK.


1. How to detect the problem zone.
2. How to recover without rebooting FreeNAS.

For now I have started using a script that monitors the users' UIDs.
Code:
#!/bin/sh
# Poll every winbind user. A UID of 90000001 or higher lies in the "*"
# tdb fallback range from smb4.conf, not in the EDOMAIN rid range
# (20000-90000000), which is the broken state. On the first such user,
# log the user off, drop the winbind cache and restart the AD service,
# then stop: one restart repairs all users.
wbinfoexe=/usr/local/bin/wbinfo
# read line by line so a user name containing spaces is kept whole
${wbinfoexe} -u | while IFS= read -r user
do
 uid=$(${wbinfoexe} -i "$user" | awk -F: '{print $3}')
 if [ -n "${uid}" ] && [ "${uid}" -ge 90000001 ]; then
  echo "Abnormal user is $user $uid"
  ${wbinfoexe} --logoff-user="${user}"
  net cache flush
  /etc/ix.rc.d/ix-activedirectory restart
  break
 fi
done
 
Last edited:

lexxai

Dabbler
Joined
Nov 9, 2016
Messages
33
Post your smb4.conf
Code:
[global]
    server min protocol = SMB2_02
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 940439
    logging = file
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    obey pam restrictions = no
    ntlm auth = no
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    unix extensions = no
    acl allow execute always = false
    dos filemode = yes
    multicast dns register = no
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    workgroup = EDOMAIN
    realm = EDOMAIN.LOCAL
    security = ADS
    client use spnego = yes
    local master = no
    domain master = no
    preferred master = no
    ads dns update = no
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config EDOMAIN: backend = rid
    idmap config EDOMAIN: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    netbios name = NAS
    netbios aliases = NAS
    create mask = 0600
    directory mask = 0700
    client ntlmv2 auth = yes
    dos charset = CP1251
    unix charset = UTF-8
    log level = 2

[install]
    path = "/mnt/poolz2/samba/install"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1m
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 ixnas streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

[storage]
    path = "/mnt/poolz2/samba/storage"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-2w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 ixnas streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

[users]
    path = "/mnt/poolz2/samba/users"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-2w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 ixnas streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
    ixnas:base_user_quota = 80G

 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Check the contents of winbindd_idmap.tdb (tdbdump /var/db/samba4/winbindd_idmap.tdb) to make sure you don't have entries there for your AD users. If you do, then stop samba, delete the file, and restart samba.
 

lexxai

Dabbler
Joined
Nov 9, 2016
Messages
33
Check the contents of winbindd_idmap.tdb (tdbdump /var/db/samba4/winbindd_idmap.tdb) to make sure you don't have entries there for your AD users. If you do, then stop samba, delete the file, and restart samba.
It was there.
Deleted.

Now I see this:
[2019/03/15 13:36:26.014330, 0] ../source3/smbd/uid.c:386(change_to_user_internal)
change_to_user_internal: chdir_current_service() failed!


[2019/03/15 13:53:12.717885, 2] ../source3/smbd/vfs.c:1305(check_reduced_name)
check_reduced_name: Bad access attempt: . is a symlink outside the share path
conn_rootdir =/mnt/poolz2/samba/users
resolved_name=/var/tmp
 
Last edited:

lexxai

Dabbler
Joined
Nov 9, 2016
Messages
33
It was rebooted, and then this:

Code:
service samba_server stop
service ix-pre-samba start
service samba_server start
wbinfo -t

wbinfo -t
checking the trust secret for domain EDOMAIN via RPC calls succeeded


But still an access error:
[2019/03/15 13:56:13.492694, 2] ../source3/smbd/vfs.c:1305(check_reduced_name)
check_reduced_name: Bad access attempt: . is a symlink outside the share path
conn_rootdir =/mnt/poolz2/samba/users
resolved_name=/


When I revert the previous /var/db/samba4/winbindd_idmap.tdb, remove the cache (winbindd_cache.tdb) and restart Samba, all is OK.

But tdbdump /var/db/samba4/winbindd_idmap.tdb shows:
{
key(13) = "UID 90000012\00"
data(46) = "S-1-5-21-1000237325-705069941-1001383582-1106\00"
}
 
Last edited:
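The thread turns on one fact about the smb4.conf posted above: with "idmap config EDOMAIN: backend = rid" the UID is derived deterministically as range_low + RID (20000 + 1106 = 21106, the ID the home folder's ACL is pinned to), whereas a UID such as 90000012 lies in the "idmap config *: range" of the tdb allocator, meaning winbind handed out a fresh ID instead of the rid mapping, and the file on disk no longer matches the user. The check below is an added example, not code from this thread, from FreeNAS or from Samba: it parses the idmap ranges out of smb4.conf text, classifies wbinfo -i output against the SID the domain reports, and flags entries for domain SIDs in a tdbdump of winbindd_idmap.tdb, which is the file anodos asked to inspect. All sample lines are constructed to mirror the ones in the thread; the function names are this example's own, not Samba APIs.

```python
"""Check winbind ID mappings against the rid idmap ranges in smb4.conf.

Added example, not part of the forum thread, FreeNAS or Samba.
Assumes: idmap ranges are in 'idmap config DOM: range = low-high' form,
'wbinfo -i' prints passwd-style lines, and tdbdump prints key/data pairs
as 'key(n) = "UID 123\\00"' / 'data(n) = "S-1-5-...\\00"'.
"""
import re

# Constructed excerpt of the smb4.conf from the thread (idmap lines only).
SMB4_CONF = """\
[global]
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    idmap config EDOMAIN: backend = rid
    idmap config EDOMAIN: range = 20000-90000000
"""

# Domain SID prefix: the user SID from the thread minus its RID.
DOMAIN_SID = "S-1-5-21-1000237325-705069941-1001383582"

# Constructed 'wbinfo -i' lines paired with the SID 'net usersidlist' gives.
WBINFO_SAMPLES = [
    ("EDOMAIN\\user1:*:21106:20513:test user:/home/EDOMAIN/user1:/bin/sh",
     DOMAIN_SID + "-1106"),                        # healthy rid mapping
    ("EDOMAIN\\user1:*:90000012:90000015:test user:/home/EDOMAIN/user1:/bin/sh",
     DOMAIN_SID + "-1106"),                        # fell into the tdb range
    ("EDOMAIN\\user2:*:21200:20513:other user:/home/EDOMAIN/user2:/bin/sh",
     DOMAIN_SID + "-1107"),                        # constructed: wrong rid
]

# Constructed tdbdump output in the shape the thread shows.
TDBDUMP_SAMPLE = r'''
{
key(13) = "UID 90000012\00"
data(46) = "S-1-5-21-1000237325-705069941-1001383582-1106\00"
}
'''

IDMAP_RE = re.compile(
    r"^\s*idmap config (\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$")
TDB_RE = re.compile(
    r'key\(\d+\) = "(UID|GID) (\d+)\\00"\s*data\(\d+\) = "(S-[0-9-]+)\\00"')


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val
    return cfg


def rid_of(sid):
    """Last SID component is the relative identifier."""
    return int(sid.rsplit("-", 1)[1])


def expected_uid(cfg, domain, sid):
    """UID the rid backend yields (low + RID), or None if not rid-mapped."""
    entry = cfg.get(domain)
    if not entry or entry.get("backend") != "rid":
        return None
    low, high = entry["range"]
    uid = low + rid_of(sid)
    return uid if uid <= high else None


def classify(cfg, passwd_line, sid):
    """'ok' if UID matches the rid formula, 'fallback' if it sits in the
    '*' tdb allocator range, otherwise 'mismatch'."""
    name, _, uid_s, _gid_s, *_ = passwd_line.split(":")
    domain = name.split("\\", 1)[0]
    uid = int(uid_s)
    if expected_uid(cfg, domain, sid) == uid:
        return "ok"
    low, high = cfg["*"]["range"]
    return "fallback" if low <= uid <= high else "mismatch"


def stale_tdb_entries(tdbdump_text, domain_sid):
    """Entries in winbindd_idmap.tdb whose SID belongs to the rid-mapped
    domain; these should not exist and are the cure anodos describes."""
    out = []
    for kind, num, sid in TDB_RE.findall(tdbdump_text):
        if sid.rsplit("-", 1)[0] == domain_sid:
            out.append((kind, int(num), sid))
    return out


if __name__ == "__main__":
    cfg = parse_idmap(SMB4_CONF)
    for line, sid in WBINFO_SAMPLES:
        print(classify(cfg, line, sid), line.split(":")[2], sid)
    for kind, num, sid in stale_tdb_entries(TDBDUMP_SAMPLE, DOMAIN_SID):
        print("stale tdb entry:", kind, num, sid)
```

Run against real data by replacing the constructed strings with the output of "wbinfo -i", "net usersidlist" and "tdbdump /var/db/samba4/winbindd_idmap.tdb"; a "fallback" result or a non-empty stale list is the condition the monitoring script in the first post reacts to, and the "mismatch" class catches a rid range that was changed after the ACLs were written.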