[Samba] smb_set_file_dosmode error: BUG after update to samba4-4.4.2

[Robert K. Nelson]

We are using samba4 as an AD controller under OpenSuSE 13.2 using the
repository at:

http://download.opensuse.org/repositories/network:/samba:/TESTING/openSUSE_13.2


After an update to Version 4.4.2, we began getting error from our CAD
program (SolidWorks). This happens under both Windows 7 and Windows 10.

The messages in the Samba log file are:

[2016/05/17 10:49:02.822522, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=No
write=No (numopen=2)
[2016/05/17 10:49:02.823553, 2]
../source3/smbd/trans2.c:6144(smb_set_file_dosmode)
smb_set_file_dosmode: file_set_dosmode of
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM failed
(Operation not supported)

This file is both readable and writable using the Windows NotePad
accessory.

There were no configuration file changes made before or after the update
to samba4-4.4.2, and there were no changes to the CAD program, so the
problem would seem to be associated with the update. I notice in the
Release Notes that there were several Samba patches associated with
preventing MITM attacks. I wonder if the problem may come from one of
those changes.

Has anyone else seen this issue? Is there a workaround? May I provide
more information.

Here are the results of rpm -qa | grep samba
_____________________________________________
libsamba-passdb0-4.2.3-5.1.x86_64
libsamba-passdb0-32bit-4.2.4-34.1.x86_64
libsamba-util0-32bit-4.2.4-34.1.x86_64
samba4-4.4.2-1.1.x86_64
libsamba-hostconfig0-32bit-4.2.4-34.1.x86_64
libsamba-credentials0-32bit-4.2.4-34.1.x86_64
samba-libs-32bit-4.2.4-34.1.x86_64
samba-libs-4.2.3-5.1.x86_64
samba-winbind-32bit-4.2.4-34.1.x86_64
libsamba-util0-4.2.3-5.1.x86_64
yast2-samba-server-3.1.11-2.8.1.noarch
samba-client-32bit-4.2.4-34.1.x86_64
samba-winbind-4.2.3-5.1.x86_64

Here is the header part of our smb.conf file:
____________________________________________
# Global parameters
[global]
workgroup = ASC
netbios name = ASCPC21
server role = active directory domain controller
realm = ASC.AIRFLOWSCIENCES.COM
#dns recursive queries = yes # although documented in a few
places, this stanza is apparently not parsed or implemented
allow dns updates = nonsecure
dns forwarder = 8.8.8.8
log file = /var/log/samba/samba4.log
log level = 2
idmap gid = 10000-20000
idmap uid = 10000-20000
security = user
usershare allow guests = No
usershare max shares = 100
add machine script = /usr/sbin/useradd -c Machine -d
/var/lib/nobody -s /bin/false %m$
domain logons = Yes
domain master = Yes
ldap admin dn =
ldap suffix =
local master = Yes
os level = 65
passdb backend = smbpasswd
preferred master = Yes
wins server =
wins support = No
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
unix extensions = no
wide links = yes
time server = yes

--
Robert K. Nelson
Airflow Sciences Corporation
12190 Hubbard Street, Livonia, MI 48150-1737
(734) 525-0300 FAX (734) 525-0303 www.airflowsciences.com

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

[Rowland penny]

This is possibly caused by one of the regressions fixed in 4.4.3, see
release notes here:

https://www.samba.org/samba/history/samba-4.4.3.html

Can I also suggest you remove everything in your smb.conf after the 'log
level =2' line, they are either default lines, lines that shouldn't be
in an AD DC smb.conf, lines that do nothing on an AD DC, or lines that
over-ride required settings.

Rowland

[Markus Dellermann]

Hi,

Am 18.05.2016 um 15:39 schrieb Robert K. Nelson:
> We are using samba4 as an AD controller under OpenSuSE 13.2 using the
> repository at:
>
> http://download.opensuse.org/repositories/network:/samba:/TESTING/openSUSE_13.2
>
>

Not related to your Problem, but are you sure, that this repo really
provide ad-dc - funktionality??

From the spec-file:
"%global with_mitkrb5 1"
"%global with_dc 0"

"%if ! %with_dc
--without-ad-dc \"



Markus

[Rowland penny]

On 18/05/16 16:16, Markus Dellermann wrote:
> Hi,
> Am 18.05.2016 um 15:39 schrieb Robert K. Nelson:
>> We are using samba4 as an AD controller under OpenSuSE 13.2 using the
>> repository at:
>>
>> http://download.opensuse.org/repositories/network:/samba:/TESTING/openSUSE_13.2
>>
>>
> Not related to your Problem, but are you sure, that this repo really
> provide ad-dc - funktionality??
>
> From the spec-file:
> "%global with_mitkrb5 1"
> "%global with_dc 0"
>
> "%if ! %with_dc
> --without-ad-dc \"
>
>
>
> Markus
>
>

It looks like you are right, there is also these lines:

%exclude %{_mandir}/man8/samba-tool.8.*
%exclude %{_mandir}/man8/samba.8.*

It seems the manpages for samba-tool and the 'samba' binary aren't
installed and the only reason for that would be if 'samba-tool' and the
'samba' binary aren't installed.

I should have engaged brain before posting, Suse, just like RHEL uses
MIT instead of Heimdal kerberos and therefore doesn't have the AD DC
stuff in its Samba packages.

Rowland

[Markus Dellermann]

Hi,
for the record,
it is possible to build own packages on opensuse-build-server for several
distros.
So there are one or two inofficial repos with ad-dc enabled samba-packages for
opensuse..
Maybe not pefect, but works good for me

(...eventually really a good place to do this for different distros...)

Markus

[Robert K. Nelson]

On 05/19/2016 03:16 AM, Markus Dellermann wrote:
> Am Mittwoch, 18. Mai 2016, 17:10:13 CEST schrieb Rowland penny:
>> On 18/05/16 16:16, Markus Dellermann wrote:

>> ...

>>> Not related to your Problem, but are you sure, that this repo really
>>> provide ad-dc - funktionality??
>>>

>>> Markus
>> It looks like you are right, there is also these lines:

>> ...

>> Rowland
> Hi,
> for the record,
> it is possible to build own packages on opensuse-build-server for several
> distros.
> So there are one or two inofficial repos with ad-dc enabled samba-packages for
> opensuse..
> Maybe not pefect, but works good for me
>
> (...eventually really a good place to do this for different distros...)
>
> Markus
>
>

Yes, we are using an "unofficial" repository on this machine. In fact,
the following Samba repositories are configured:

http://download.opensuse.org/repositories/home:/jniltinho/openSUSE_13.2
http://download.opensuse.org/repositories/network:/samba:/TESTING/openSUSE_13.2
http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_13.2

The rpm samba4-4.4.2-1.1.x86_64.rpm is being taken from the first of these, which has been working quite successfully for us.

The newest version of this repository is for OpenSuSE Leap 42.1 at
http://download.opensuse.org/repositories/home:/jniltinho/openSUSE_Leap_42.1/x86_64/
but it still uses the 4.4.2 version.

I'll contact Nilton OS to see if he plans to update to 4.4.3, so I can check out Rowland Penny's suggestion that this problem may be solved in that version.

If, not, I suppose I could diff the Nilton version of 4.4.2 and the standard version to figure out how to modify the 4.4.3 version to run under OpenSuSE.

Bob Nelson

[Rowland penny]

If you run 'samba -V' do you get any output ?
Does samba-tool exist ?

If the answer to either or both is no, then you cannot have an AD domain.

Rowland

[Robert K. Nelson]

The answer to both is no, which has to be, since I'm using Samba4 AD for
unified login, windows access to Linux files, and for DNS resolution.
Thanks to all concerned for this incredible useful too.

They work fast in Brasil! Right after I asked, Nilton OS added Samba
4.4.3 to his OpenSuSE repositories. I installed it and checked it:

ascpc21:~ # samba -V
Version 4.4.3

Still failing. In fact now I see both sys_acl_set_file and
sys_set_file_dosmode errors. The log file reads:

[2016/05/19 12:41:56.327435, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.334243, 2]
../source4/dns_server/dns_query.c:994(dns_server_process_query_send)
Not authoritative for 'safebrowsing-cache.google.com', forwarding
[2016/05/19 12:41:56.334628, 2]
../source4/dns_server/dns_query.c:994(dns_server_process_query_send)
Not authoritative for 'safebrowsing-cache.google.com', forwarding
[2016/05/19 12:41:56.369922, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=Yes (numopen=5)
[2016/05/19 12:41:56.372597, 2]
../source3/smbd/posix_acls.c:3040(set_canon_ace_list)
set_canon_ace_list: sys_acl_set_file failed for file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (Operation
not supported).
[2016/05/19 12:41:56.420078, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.421726, 2] ../source3/smbd/open.c:1006(open_file)

ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=No

write=No (numopen=5)
[2016/05/19 12:41:56.422742, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.423770, 2] ../source3/smbd/open.c:1006(open_file)

ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=No

write=No (numopen=5)
[2016/05/19 12:41:56.424819, 2]
../source3/smbd/trans2.c:6183(smb_set_file_dosmode)

smb_set_file_dosmode: file_set_dosmode of
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM failed
(Operation not supported)

[2016/05/19 12:41:56.425344, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.787246, 2] ../source3/smbd/open.c:1006(open_file)

ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=No

write=No (numopen=5)
[2016/05/19 12:41:56.788304, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.789430, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.791039, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.791985, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.793107, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.793711, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.794885, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.834743, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.835820, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.836625, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.837654, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.838247, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.839437, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.879357, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.880462, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.881248, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.882298, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK
[2016/05/19 12:41:56.882909, 2] ../source3/smbd/open.c:1006(open_file)
ASC\jnitz opened file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM read=Yes
write=No (numopen=5)
[2016/05/19 12:41:56.884262, 2]
../source3/smbd/close.c:780(close_normal_file)
ASC\jnitz closed file
Projects/ALI/CAD/~$ALI_Pit-8-Concept_Assy-0_MAIN_00.SLDASM (numopen=4)
NT_STATUS_OK)

How can I help straighten this out? Could this be an issue with kerberos
versions?

Bob Nelson

[Rowland penny]

OK, you now have the 'samba' binary that is required for an AD DC and by
your own admission, you didn't before.
So, bearing this in mind, how did you provision your domain without
'samba-tool domain provision' ??

Rowland

[Markus Dellermann]

[...]

> >> Bob Nelson
> >
> > If you run 'samba -V' do you get any output ?
> > Does samba-tool exist ?
> >
> > If the answer to either or both is no, then you cannot have an AD domain.
> >
> > Rowland
>
> The answer to both is no, which has to be, since I'm using Samba4 AD for
> unified login, windows access to Linux files, and for DNS resolution.
> Thanks to all concerned for this incredible useful too.
>
> They work fast in Brasil! Right after I asked, Nilton OS added Samba
> 4.4.3 to his OpenSuSE repositories. I installed it and checked it:
>
> ascpc21:~ # samba -V
> Version 4.4.3
>
> Still failing. In fact now I see both sys_acl_set_file and
> sys_set_file_dosmode errors. The log file reads:
>
> [2016/05/19 12:41:56.327435, 2]
> ../source3/smbd/close.c:780(close_normal_file)
> ASC\jnitz closed file

[...]

> How can I help straighten this out? Could this be an issue with kerberos
> versions?
>
> Bob Nelson

If i understand right,
you have three repos for samba und two of them are using a different file-
hierarchy for ad & file-service on one server.
This "samba4 -rpm" seems to put all under "/opt/...", where the other repos /
opensuse nothing else installs..
Don`t know, if this mixed libs,etc ... can be a problem.
BTW: i wouldn`t use stable and testing -repo parallel..

Maybe it`s easier to split ad & file-server and look again...

Markus

[Robert K. Nelson]

On 05/19/2016 01:30 PM, Rowland penny wrote:
>
> OK, you now have the 'samba' binary that is required for an AD DC and
> by your own admission, you didn't before.
> So, bearing this in mind, how did you provision your domain without
> 'samba-tool domain provision' ??
>
> Rowland

Not sure what you meant by "you didn't before" - actually, I just
initially gave the wrong repository info. I have always been using the
one from NiltonOS that allows for AD DC. Still getting the same result
in the log files.


Here is the result from "samba-tool domain info". Is that what you were
looking for? If not, let me know what command you want me to run for the
information you want

Forest : asc.airflowsciences.com
Domain : asc.airflowsciences.com
Netbios domain : ASC
DC name : ascpc21.asc.airflowsciences.com
DC netbios name : ASCPC21
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name

Again, "samba-tool -V" gives 4.4.3

Thanks so much for your help. Sorry about the delay here in getting back
to this thread. Medical took precedence over technical, but this is
quite important to me.