[Samba] Allow insecure wide links = yes, wide links =yes; but I still can't "see" files from links to NFS mounts using 3.6.15, after upgrading from 2.2.8a

Wed Dec 11 23:08:02 MST 2013

Thanks Linda, your suggestion is a good one, I think it gives a clue.

I created a new samba Share of a NFS mounted folder, i.e. not linked into
my original Share, and this shows the same thing, I can't see the files via
Win or Mac clients.

So this rules out being a wide link issue right?

It's now a "sharing an NFS mounted folder via smb" issue right?

The solaris 9 system that is our samba server hasn't changed in any way,
i've only compiled and installed samba 3.6.15.

Sharing NFS mounted folders via smb worked in 2.2.8a, even when symlinked
into the smb share,

so what issue have I run into with installing 3.6.15?

At the moment my log level [G] is 0, what level should I set this to to see
anything useful in /var/adm/messages and /usr/local/samba/var/log.smbd.

Thanks for your help,

Cheers,
Jordan

On Thu, Dec 12, 2013 at 2:58 PM, Linda W <samba at tlinx.org> wrote:

>  On 12/11/2013 4:50 PM, Jordan Verschuer wrote:
>
> Hi David,
>
>  however like I say, the files then become "hidden", and this is for both
> PC and Mac. I can see all the files and newly added/copied files from the
> samba server.
> ----
>
> Have you tried explicitly exporting the NFS mounts as SMB shares?
>
> Can you access the NFS files then?  I.e. lets get the "wide links" out of
> the
> picture -- and verify that accessing those NFS files work from a regular
> SMB share.
>
> So far, I haven't seen anything that indicates re-sharing NFS mounts via
> SMB works on your
> newer system (I know it did in the older setup).   Are the NFS mount
> options the same?
>
> Same version of NFS?
>
>   On Wed, Dec 11, 2013 at 10:11 PM, David Keegel <djk at cyber.com.au> wrote:
>
>> Michael, note the second paragraph quoted from man smb.conf :-
>>
>> � � � �allow insecure wide links (G)
>>
>> � � � � � �If is not recommended to enable this option unless you fully
>>
>> � � � � � �understand the implications of allowing the server to follow
>> � � � � � �symbolic links created by UNIX clients. For most normal Samba
>> � � � � � �configurations this would be considered a security hole and
>> setting
>> � � � � � �this parameter is not recommended.
>>
>> Jordan, please note the third paragraph. �I hope you trust all users who
>> can use unix extensions and could access shares that have wide links =
>> yes.
>>
>   ------
> David, can you explain what protection disallowing wide links provides?
> Specifically, if your users access their files via samba, and also have
> their
> home directories on the server where they are able to log in, then they can
> create symlinks in any location they are permitted to by standard file
> permissions.
>
> If they are operating on the same file via unix extensions, and it
> disallows
> them creating symlinks, how does that benefit anything?  They can create
> the symlinks when they are logged into their unix accounts.  It seems
> that disabling the creation of symlinks "remotely", gives some illusion of
> security, but they wouldn't be able to create any symlinks unless they also
> had permission to write in such a directory.  If they had such a
> permission,
> how does being able to create symlinks remotely give them some
> security advantage over being able to create the same symlinks while
> logged in to the file server?
>
>
>