And then shared folders stopped working...?

sure:
root@helium:~> $ rpm -qa|grep -i ^nethserver
nethserver-mail-server-1.10.4-1.ns7.noarch
nethserver-httpd-admin-2.0.4-1.ns7.noarch
nethserver-base-3.0.11-1.ns7.noarch
nethserver-dc-1.0.7-1.ns7.x86_64
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-dnsmasq-1.6.1-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-spamd-1.0.0-1.ns7.noarch
nethserver-mail-filter-1.4.3-1.ns7.noarch
nethserver-restore-data-1.2.1-1.ns7.noarch
nethserver-ibays-3.0.2-1.ns7.noarch
nethserver-release-7-0.5.ns7.noarch
nethserver-lang-en-1.1.5-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-backup-config-1.5.1-1.ns7.noarch
nethserver-duc-1.4.0-1.ns7.noarch
nethserver-antivirus-1.2.0-1.ns7.noarch
nethserver-firewall-base-3.1.2-1.ns7.noarch
nethserver-ntp-1.1.0-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-virtualhosts-1.0.2-1.ns7.noarch
nethserver-getmail-1.0.0-1.ns7.noarch
nethserver-collectd-3.0.3-1.ns7.noarch
nethserver-cgp-2.1.1-1.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-lib-2.2.1-1.ns7.noarch
nethserver-samba-2.0.2-1.ns7.noarch
nethserver-samba-audit-1.1.1-1.ns7.noarch
nethserver-httpd-3.1.1-1.ns7.noarch
nethserver-mysql-1.1.0-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-openssh-1.2.0-1.ns7.noarch
nethserver-mail-smarthost-0.1.0-1.ns7.noarch
nethserver-mail-common-1.6.2-1.ns7.noarch
nethserver-roundcubemail-1.2.3-1.ns7.noarch
nethserver-sssd-1.0.8-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-firewall-base-ui-3.1.2-1.ns7.noarch
nethserver-letsencrypt-1.1.2-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-backup-data-1.2.2-1.ns7.noarch
nethserver-lsm-1.2.0-1.ns7.noarch

More info needed?

I’m afraid this is a regression due to bugfix #5142.

This statement is a wet blanket:

If you require NTLM authentication or NetBIOS name lookup, use Winbind for accessing a CIFS share instead of SSSD.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html#CIFS-SSSD

Same music here:

If confirmed we have some decisions to make.

Can you try to access the share from a domain member workstation with AD SSO?

euh, przk, klmn, que?
I know my way around Linux, and have some basic Windows-knowledge. Can you please explain what I have to do exactly?
I have 2 W10 home-edition laptops, with local accounts. I only use samba to serve them some shared folders (family-pics). Does that suit the requirements for your question?

2 Likes

cosa? :joy:

Kerberos login

No, I learned here only Professional editions have the Kerberos support.

Thank you very much for the report @rolf. It seems you hit a “regression bug” caused by this fix

/cc @saitobenkei @fasttech

Loading the libwbclient library from sssd (instead of the one from Samba) fixes the ACLs management but (as the RHEL7 docs says) breaks the NTLM and NetBIOS support. Only kerberos auth works with it.

The workaround to Rolf’s problem is reverting the bugfix #5142 effects with the following commands:

alternatives --set libwbclient.so.0.12-64 /usr/lib64/samba/wbclient/libwbclient.so.0.12
systemctl restart smb

After these commands, ACLs can’t be set from Windows Pro workstations.

To show the current settings

alternatives --display libwbclient.so.0.12-64

Now that we’re aware of this limitation we must decide what to do. I see the following alternatives:

  1. drop sssd libraries for samba and configure winbind
  2. turn this bug into a feature! Implement a switch in server-manager to choose what scenario NethServer must support: a) an AD domain where all clients are Kerberos clients (Win Pro), with full ACLs support, b) an AD domain with mixed clients (Home/Pro, NTLM/Kerberos) with the limitation on ACLs

The solution 1 is a big revolution in our configuration and I’d prefer not to consider it.

The solution 2 is actually to let the sysadmin choose between living with the limitation on ACLs to support legacy clients, or supporting only Win Pro and fully leveraging the upstream solution based on sssd.

What do you think? /cc @dev_team @quality_team

4 Likes

I vote for a radio button inside the web interface ;D

2 Likes

I agree, we could resume the “Windows network” page with that radio button and the input field for the workgroup name, requested by @flatspin here.

2 Likes

Thank you very much for the investigation and this workaround! Is that workaround ‘upgrade-proof’? Or should I monitor if there’s an upgrade to this file and the re-apply?

As for the choice of structural solution: I have no clue :wink:
What I can say is that, in my opinion, the Windows integration is hard to understand, and not always well documented. If a new radio button is introduced, please make sure the online help is clear to all win-no’s like me.

2 Likes

Windows network page would be stringent, I think. And for a “simple” workgroup setup it’s an acceptable limitation.

Option 1 is maybe a thought worth considering for V8?

1 Like

As usual I’d prefer following the upstream guidelines. Let’s wait for RHEL8! I hope in the meantime they’ll develop the NTLM support…

Yes, it’s the alternatives mission. It sets symbolic links in a way consistent with RPMs. Once an alternative is set by the admin, it is not changed by the system, AFAIK.

I’d go with legacy support enabled by default. It seems the safest default, and would work in your case. If NTLM is not necessary and full ACLs control from windows clients is wanted, it can be enabled from the UI.

I want to point out that ACLs in “legacy” mode can be set from the Shared folder > ACL tab. I checked them out, they work.

2 Likes

Great, thanks for the effort and quick responses!
When I understand correctly, none of the actions performed by me (as described in the first post of this thread) was the trigger for the malfunction? Yet the upgrade of some packages was?

Exactly!

What exactly are those ACL limitations? As far as I remember, I’ve been able to specify per-user read/write flags for a directory in Samba, and for example this is quite sufficient for me, while gaining support for both Win Pro member clients and other clients.

Thanks

1 Like

This issue is now tracked on

A nethserver-samba testing package is available. It reverts the effects of the last 2.0.2 release, and restores the default wbclient library from the Samba project.

This means that by default, NTLM auth is still supported, but ACLs can’t be changed from domain workstations /cc @saitobenkei

To enable support for ACLs from domain workstations (but disable NTLM authentication):

config setprop smb Libwbclient sssd
signal-event nethserver-samba-update

As said, this operation will soon be available from the Server Manager, in the Windows file server page.

2 Likes
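As an added example (not part of the thread or of NethServer’s own code), here is a small POSIX shell check that reads the output of `alternatives --display libwbclient.so.0.12-64` (the alternative name used in the workaround above) and reports whether the server is in legacy mode (Samba’s wbclient, NTLM works, ACLs not settable from Windows) or sssd mode (the state `config setprop smb Libwbclient sssd` selects: Kerberos-only, ACLs settable from Win Pro members). The sample output and the sssd library path are constructed assumptions.

```shell
#!/bin/sh
# Classify the active libwbclient alternative so an admin can tell which
# scenario from the thread the server is in. The sssd module path below
# is an assumption; the sample output is constructed for offline use.

# Constructed sample of `alternatives --display libwbclient.so.0.12-64`
SAMPLE_DISPLAY='libwbclient.so.0.12-64 - status is manual.
 link currently points to /usr/lib64/sssd/modules/libwbclient.so.0.12.0
/usr/lib64/samba/wbclient/libwbclient.so.0.12 - priority 5
/usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 20'

# wbclient_mode: read alternatives output on stdin and print "samba",
# "sssd" or "unknown" depending on where the symlink currently points.
wbclient_mode() {
    target=$(awk '/link currently points to/ { print $NF; exit }')
    case "$target" in
        */samba/*) echo samba ;;
        */sssd/*)  echo sssd ;;
        *)         echo unknown ;;
    esac
}

# mode_implications: the trade-off the thread describes for each mode.
mode_implications() {
    case "$1" in
        samba) echo "NTLM/NetBIOS clients OK; ACLs not settable from Windows (use Shared folders > ACL tab)" ;;
        sssd)  echo "Kerberos-only (Win Pro domain members); ACLs settable from Windows; NTLM clients fail" ;;
        *)     echo "could not determine the libwbclient alternative" ;;
    esac
}

# current_wbclient_mode: query the real alternatives command when present,
# otherwise fall back to the constructed sample.
current_wbclient_mode() {
    if command -v alternatives >/dev/null 2>&1; then
        alternatives --display libwbclient.so.0.12-64 2>/dev/null | wbclient_mode
    else
        printf '%s\n' "$SAMPLE_DISPLAY" | wbclient_mode
    fi
}

main() {
    mode=$(current_wbclient_mode)
    echo "libwbclient mode: $mode"
    echo "implication: $(mode_implications "$mode")"
}

main
```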

So, we can’t have “Ovo, Galina e Cul Caldo”…

:grinning:
(“Chicken and the egg” in English)

Sadly not, as for now.

Just released in nethserver-samba-2.0.3-1.ns7.noarch.rpm

https://github.com/NethServer/dev/issues/5160