OMV 5.5.17-3 Share ACL Owner (AD Domain\User) assignment failed (Invalid Username)

  • Hi,


    Am brand new to OMV. Have had installed a few months. Has been working great with everything as required. However, recent updates from Debian have broken (well, package updates were the only change before this happened) Samba SMB share AD Auth (SSSD). Syntax used was user@domain.xxx. So, "was" working great. Now for the aftermath.


    For me, this format requirement of DOMAIN\user has only come about I've discovered, since Samba updates after 4.8 (running 2:4.9.5+dfsg-5+deb10u1) no longer need (or want) SSSD installed.

    Due to conflicts between SSSD Winbind libraries (libwbclient-sssd) and Samba Winbind (libwbclient0 2:4.9.5+dfsg-5+deb10u1), I'm led to believe after research that SSSD needs to go.


    I do have a backup, but as suggested if SSSD itself is being dropped going forward in Samba, then no point restoring.


    After several problems, (no ldap servers found, NT_STATUS_ACCESS_DENIED, NT_STATUS_NO_LOGON_SERVERS, PAM problems, realm join VS net ads join and unique issues for both etc..), I've reached the subject matter.


    Error when choosing domain user from drop down list in Owner ACL field comes back with:


    Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; chown DOMAIN\domainuser '/srv/dev-disk-by-id-scsi-2b26a877700d00000-part1/plex/' 2>&1': chown: invalid user: ‘DOMAINdomainuser’


    So, what happened to the \ ? I thought it would have to be either in quotes or DOMAIN\\domainuser syntax.


    I manually ran chown on the share but I still cannot connect to it from either a Windows 10 or Ubuntu 20.04 client. Access Denied.


    thanks for listening

  • Fixed it about a week ago.

    Chown problem from within OMV remains; however, a manual chown directly on the share bypasses this.


    OMV refuses to accept (or convert) the user syntax of DOMAIN\user to DOMAIN\\user when trying to set the files' ownership in the Extra Options of the share ACL. OMV continues to omit/drop the backslash.


    The User/Group Permissions in the ACL appears to function correctly though. That is to say it lists the enumerated domain users as DOMAIN\user and when selected and applied, the selected users list correctly as allowed and the format applied is DOMAIN\\user. Note the dual backslashes.


    The Privileges part of the share is also working correctly, though it shows only the DOMAIN\user syntax, no dual backslashes, but works and applies and can be seen in the share info in smb.conf.


    Original problem fixed, in summary,

    - incorrectly purged/removed sssd binaries, libraries etc..

    - missing a couple of winbind/PAM essentials such as libnss and libpam

    - fix up nsswitch.conf from sss to winbind requirements

    - changed idmap config backend from sss to rid in smb.conf.


    User syntax for user@DOMAIN and DOMAIN\user depends on function performed, i.e. realm join uses one format, and net ads join uses the other. This is a basic difference between sssd operations and winbind it would appear.


    Some operations may be interchangeable but not from what I could find. Smbclient and usermod commands required the DOMAIN\\user dual slashes in this case to work.


    Successfully tested against same original AD joined Win10 and Ubuntu 20.04 clients.

  • aaronb

    Added the Label resolved
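Added example, not part of the original posts and not OMV's code: the error in the first post (`chown: invalid user: 'DOMAINdomainuser'`) is what a POSIX shell produces when `DOMAIN\domainuser` appears unquoted in a command string, because an unquoted backslash is consumed as an escape character. The sketch uses `printf` as a stand-in for `chown` and a constructed account name; `argv_seen` and `sh_quote` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample account name (not a real user).
OWNER='DOMAIN\domainuser'

# Return the argument a program receives when a command string containing
# the value is handed to a shell. printf stands in for chown, so no AD
# account or share is needed to see the effect.
argv_seen() {
    sh -c "printf '%s' $1"
}

# Quote a value for a POSIX sh command string: wrap it in single quotes
# and rewrite each embedded ' as '\'' so every character stays literal.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Unquoted: the shell eats the backslash, as in the reported error.
printf 'unquoted          -> %s\n' "$(argv_seen "$OWNER")"
# Single-quoted: the backslash reaches the program intact.
printf 'single-quoted     -> %s\n' "$(argv_seen "$(sh_quote "$OWNER")")"
# Doubled backslash: the shell reduces it to one backslash.
printf 'doubled backslash -> %s\n' "$(argv_seen 'DOMAIN\\domainuser')"
```

Any value placed into a shell command string without quoting is reinterpreted by the shell, so quoting the owner name matters for correctness here and for any other character the shell treats specially.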
