[Samba] Share access permission errors after upgrade from 4.12.14
Rowland Penny
rpenny at samba.org
Thu Jan 11 10:36:37 UTC 2024
On Thu, 11 Jan 2024 08:53:38 +0000
unraidster via samba <samba at lists.samba.org> wrote:
> Hello,
>
> Issue Description
> After the upgrade of the Unraid server OS (unraid.net) from v6.9.2 to
> v6.12.6 (which upgrades the version of Samba from 4.12.14 to 4.17.12)
> access to shares stops working.
>
> Error Summary:
> [2024/01/07 21:52:43.357676, 0, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0)]
>   ../../source3/smbd/smb2_service.c:168(chdir_current_service)
>   chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=1278739538, gid=1278738945, 7 groups: 1278739538 1278738945 1278739551 1278739543 1278739547 1278739545 1278739556
>
> Samba is joined to an Active Directory domain as a member server. The
> following error is found in the log when I attempt to browse to the
> share using a Windows 10 client signed in as the domain's "rwuser"
> user account. (Note: worked with the older version of the OS).
>
> I have included output from logs/commands that I thought might help
> answer any subsequent questions that readers may have. Please let me
> know if there is any additional information I can provide. Thank You.
>
> Error Detail:
> ==================
> [2024/01/07 21:52:43.356009, 4, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=vfs]
>   ../../source3/smbd/vfs.c:938(vfs_ChDir)
>   vfs_ChDir to /mnt/user/PrivateShare
> [2024/01/07 21:52:43.357676, 0, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0)]
>   ../../source3/smbd/smb2_service.c:168(chdir_current_service)
>   chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=1278739538, gid=1278738945, 7 groups: 1278739538 1278738945 1278739551 1278739543 1278739547 1278739545 1278739556
> [2024/01/07 21:52:43.357802, 3, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2]
>   ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3253
> [2024/01/07 21:52:43.357809, 10, pid=91942, effective(0, 0), real(0, 0)]
>   ../../source3/smbd/notify_inotify.c:446(inotify_watch)
>   inotify_add_watch for /mnt/user/PublicShare mask 210003c6 returned wd 1
> [2024/01/07 21:52:43.357834, 10, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2]
>   ../../source3/smbd/smb2_server.c:3847(smbd_smb2_request_done_ex)
>   smbd_smb2_request_done_ex: mid [15] idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:4011
> [2024/01/07 21:52:43.357843, 10, pid=91942, effective(0, 0), real(0, 0)]
>   ../../source3/smbd/notifyd/notifyd.c:449(notifyd_apply_rec_change)
>   notifyd_apply_rec_change: /mnt/user/PublicShare has 2 instances
> [2024/01/07 21:52:43.357855, 10, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2_credits]
>   ../../source3/smbd/smb2_server.c:975(smb2_set_operation_credit)
>   smb2_set_operation_credit: smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 8161/8192, total granted/max/low/range 32/8192/16/32
>
> Directory Permissions
> =========================
> /
> drwxr-xr-x 20 root root
>
> /mnt/
> drwxr-xr-x 9 root root
>
> /mnt/user/
> drwxrwxrwx 1 ur_admin ur-lab_access
>
> /mnt/user/PrivateShare/
> drwxrwx---+ 1 ur_admin ur-lab_access
>
> ACL
> root at UR-Lab:~# getfacl /mnt/user/PrivateShare
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/user/PrivateShare
> # owner: ur_admin
> # group: ur-lab_access
> user::rwx
> user:ur_admin:rwx
> group::rwx
> group:ur-lab_access:rwx
> group:ur-lab-privateshare-ro:r-x
> group:ur-lab-privateshare-rw:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:ur_admin:rwx
> default:group::---
> default:group:ur-lab_access:rwx
> default:group:ur-lab-privateshare-ro:r-x
> default:group:ur-lab-privateshare-rw:rwx
> default:mask::rwx
> default:other::---
>
>
> WB Info for Users and groups
> =========================
> ur_admin
> root at UR-Lab:~# wbinfo -n ur_admin
> S-1-5-21-3759969785-1361971536-1710822149-1107 SID_USER (1)
>
> rwuser
> root at UR-Lab:~# wbinfo -n rwuser
> S-1-5-21-3759969785-1361971536-1710822149-1106 SID_USER (1)
> root at UR-Lab:~# id 1278739538
> uid=1278739538(rwuser) gid=1278738945(domain users) groups=1278738945(domain users),1278739538(rwuser),1278739551(ur_users),1278739543(ur-lab-privateshare-rw),1278739547(b-rw),1278739545(ur-lab-privateshare-a-rw),1278739556(ubuntu_share_rw)
>
> ur-lab-privateshare-rw
> root at UR-Lab:~# wbinfo -n ur-lab-privateshare-rw
> S-1-5-21-3759969785-1361971536-1710822149-1111 SID_DOM_GROUP (2)
>
> ur-lab-privateshare-ro
> root at UR-Lab:~# wbinfo -n ur-lab-privateshare-ro
> S-1-5-21-3759969785-1361971536-1710822149-1110 SID_DOM_GROUP (2)
>
> Testparm Output
> ===============
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> bind interfaces only = Yes
> disable spoolss = Yes
> host msdfs = No
> interfaces = 192.168.66.4 127.0.0.1
> ldap ssl = no
> load printers = No
> log file = /var/log/samba/samba.log
> logging = syslog at 0
> max open files = 40960
> multicast dns register = No
> ntlm auth = ntlmv1-permitted
> null passwords = Yes
> os level = 100
> printcap name = /dev/null
> realm = TESTLAB.COM
> security = ADS
> server min protocol = NT1
> server multi channel support = No
> server string = Media server
> show add printer wizard = No
> smb1 unix extensions = No
> winbind use default domain = Yes
> workgroup = TESTLAB
> fruit:nfs_aces = No
> idmap config * : range = 10000-4000000000
> idmap config * : backend = hash
> acl allow execute always = Yes
> acl group control = Yes
> aio read size = 0
> aio write size = 0
> dos filemode = Yes
> hide dot files = No
> include = /etc/samba/smb-shares.conf
> inherit acls = Yes
> inherit permissions = Yes
> invalid users = root
> map acl inherit = Yes
> use sendfile = Yes
> wide links = Yes
>
>
> [PrivateShare]
> path = /mnt/user/PrivateShare
> read only = No
>
>
> [PrivateShare-A]
> path = /mnt/user/PrivateShare-A
> read only = No
>
>
> [PrivateShare-B]
> path = /mnt/user/PrivateShare-B
> read only = No
>
>
> [PublicShare]
> path = /mnt/user/PublicShare
> read only = No
> ========================================
> Not sure if it is of any use, I noticed a log entry which includes
> the phrase security_token_debug. This includes the IDs of the groups
> that the user account is a member of.
>
> [2024/01/07 21:52:43.271094, 5, pid=93992, effective(0, 0),
> real(0, 0)]
> ../../libcli/security/security_token.c:51(security_token_debug)
> Security token SIDs (19):
> SID[ 0]: S-1-5-21-3759969785-1361971536-1710822149-1106
> SID[ 1]: S-1-5-21-3759969785-1361971536-1710822149-513
> SID[ 2]: S-1-5-21-3759969785-1361971536-1710822149-1119
> SID[ 3]: S-1-5-21-3759969785-1361971536-1710822149-1111
> SID[ 4]: S-1-5-21-3759969785-1361971536-1710822149-1115
> SID[ 5]: S-1-5-21-3759969785-1361971536-1710822149-1113
> SID[ 6]: S-1-5-21-3759969785-1361971536-1710822149-1124
> SID[ 7]: S-1-18-1
> SID[ 8]: S-1-1-0
> SID[ 9]: S-1-5-2
> SID[ 10]: S-1-5-11
> SID[ 11]: S-1-22-1-1278739538
> SID[ 12]: S-1-22-2-1278738945
> SID[ 13]: S-1-22-2-1278739538
> SID[ 14]: S-1-22-2-1278739551
> SID[ 15]: S-1-22-2-1278739543
> SID[ 16]: S-1-22-2-1278739547
> SID[ 17]: S-1-22-2-1278739545
> SID[ 18]: S-1-22-2-1278739556
> Privileges (0x 0):
> Rights (0x 0):
> [2024/01/07 21:52:43.271202, 5, pid=93992, effective(0, 0),
> real(0, 0)]
> ../../source3/auth/token_util.c:873(debug_unix_user_token)
> UNIX token of user 1278739538
> Primary group is 1278738945 and contains 7 supplementary groups
> Group[ 0]: 1278739538
> Group[ 1]: 1278738945
> Group[ 2]: 1278739551
> Group[ 3]: 1278739543
> Group[ 4]: 1278739547
> Group[ 5]: 1278739545
> Group[ 6]: 1278739556
>
> ===============================================
>
> I am planning to move to the RID IDMAP backend and have tested a RID
> based IDMAP config within the lab. This did not seem to make a
> difference in relation to the issue above and therefore I have not
> used it in the scenario above to keep troubleshooting as simple as
> possible for now.
>
> This is my first time posting to the list and please let me know if
> there is anything I can do differently to make the process better.
>
> Thank You,
>
>
Is winbind running ?
Are you using sssd ?
To be honest, your 'idmap config' block isn't correct, you have:
idmap config * : range = 10000-4000000000
idmap config * : backend = hash
Let's start with the idmap backend. If you run 'man idmap_hash', the
very top of that file has this:
IDMAP_HASH(8)           System Administration tools           IDMAP_HASH(8)
NAME
idmap_hash - DO NOT USE THIS BACKEND
Never mind that you should really only use the 'tdb' backend with the
default (*) domain, the manpage itself tells you not to use this
backend.
You also do not seem to have any 'idmap config' lines for the TESTLAB
domain.
I would expect to see 'idmap config' lines similar to these:
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TESTLAB : backend = rid
idmap config TESTLAB : range = 10000-4000000000
Do you have any computers that must use SMBv1 ? (windows XP or earlier)
If not, you can probably remove these lines:
ntlm auth = ntlmv1-permitted
server min protocol = NT1
For various reasons, I would also remove these lines:
host msdfs = No
ldap ssl = no
max open files = 40960
multicast dns register = No
os level = 100
server multi channel support = No
acl allow execute always = Yes
acl group control = Yes
aio read size = 0
aio write size = 0
dos filemode = Yes
inherit acls = Yes
inherit permissions = Yes
invalid users = root
fruit:nfs_aces = No
I would definitely remove this line:
null passwords = Yes
All accounts should have a password, if only for security.
I would also add this line:
vfs objects = acl_xattr
If your users are going to connect to the Samba server and have a home
directory, you might like to add:
template homedir = /home/%U
Otherwise they will get the default path of '/home/TESTLAB/%U'
If they are going to actually log into the server, you should also set:
template shell = /bin/bash
Or the default '/bin/false' will be used and they will not be able to
log in.
Finally, what is in '/etc/samba/smb-shares.conf' ?
Rowland
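The "Permission denied" from vfs_ChDir in the quoted log is the kernel's POSIX ACL check failing for the UNIX token smbd logged. The following is an added example, not code from the thread or from Samba: it parses the "Current token: ..." fragment from the chdir_current_service error and a `getfacl -n` (numeric) listing of the share root, then replays the access-check order from acl(5) to report which entry decided the outcome. The gid 1278739543 for ur-lab-privateshare-rw comes from the `id` output in the post; the uid of ur_admin and the gids of ur-lab_access and ur-lab-privateshare-ro are assumed placeholders, and the "stale" ACL variant is a hypothetical, since the thread never shows numeric ACL ids.

```python
"""Replay the kernel's POSIX ACL check against the UNIX token smbd logged.

Added example for this thread, not Samba's own code.  Input is the
"Current token: ..." fragment from the chdir_current_service error plus a
`getfacl -n` (numeric) listing.  Working with numeric ids instead of names
shows whether the ids stored in the ACL are the ids winbind now hands smbd.
"""
import re

TOKEN_RE = re.compile(r"uid=(\d+), gid=(\d+), \d+ groups: ([\d ]+)")


def parse_token(log_line):
    """Return (uid, primary gid, set of every gid) from an smbd log line."""
    m = TOKEN_RE.search(log_line)
    if m is None:
        raise ValueError("no 'Current token' fragment in line")
    uid, gid = int(m.group(1)), int(m.group(2))
    return uid, gid, {int(g) for g in m.group(3).split()} | {gid}


def parse_getfacl(text):
    """Parse `getfacl -n` output.  default:* entries are inheritance
    templates for new children and take no part in the access check."""
    acl = {"user": {}, "group": {}}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if line.startswith("# owner:"):
            acl["owner"] = int(line.split(":")[1])
        elif line.startswith("# group:"):
            acl["owning_group"] = int(line.split(":")[1])
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qual, perms = line.split(":")
            perms = set(perms) - {"-"}
            if tag == "user" and qual:
                acl["user"][int(qual)] = perms
            elif tag == "group" and qual:
                acl["group"][int(qual)] = perms
            else:  # user::, group::, mask::, other::
                acl[{"user": "user_obj", "group": "group_obj"}.get(tag, tag)] = perms
    return acl


def acl_grants(acl, uid, gids, want):
    """Return (granted, reason) for the permission set `want`, e.g. "x",
    following the acl(5) order: owner, named user, groups under mask, other."""
    want = set(want)
    mask = acl.get("mask")
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    if uid == acl["owner"]:
        return want <= acl["user_obj"], "owner entry"
    if uid in acl["user"]:
        return want <= masked(acl["user"][uid]), f"named user {uid}"
    matches = []
    if acl["owning_group"] in gids:
        matches.append((acl["group_obj"], f"owning group {acl['owning_group']}"))
    matches += [(p, f"named group {g}") for g, p in acl["group"].items() if g in gids]
    for perms, who in matches:
        if want <= masked(perms):
            return True, who
    if matches:
        return False, "matching group entries lack " + "".join(sorted(want))
    return want <= acl["other"], "other entry (no uid/gid in the ACL matched)"


# Constructed input: the failing vfs_ChDir line quoted in the thread.
LOG_LINE = ("chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: "
            "Permission denied. Current token: uid=1278739538, gid=1278738945, "
            "7 groups: 1278739538 1278738945 1278739551 1278739543 1278739547 "
            "1278739545 1278739556")

# Constructed `getfacl -n` listing mirroring the named ACL from the thread.
# 1278739543 (ur-lab-privateshare-rw) is from the `id` output in the post;
# the other three ids are ASSUMED placeholders for ur_admin, ur-lab_access
# and ur-lab-privateshare-ro, which the thread never shows numerically.
UR_ADMIN, LAB_ACCESS, PRIV_RO, PRIV_RW = 1278739539, 1278738946, 1278739542, 1278739543
ACL_TEXT = f"""# file: mnt/user/PrivateShare
# owner: {UR_ADMIN}
# group: {LAB_ACCESS}
user::rwx
user:{UR_ADMIN}:rwx
group::rwx
group:{LAB_ACCESS}:rwx
group:{PRIV_RO}:r-x
group:{PRIV_RW}:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
"""
# Hypothetical variant: the rw group's entry still carries a gid from an
# earlier idmap layout, so nothing in the token matches it any more.
STALE_ACL_TEXT = ACL_TEXT.replace(f"group:{PRIV_RW}:", "group:100543:")


def chdir_allowed(log_line, acl_text):
    """Would the kernel let this token search (x) the share root?"""
    uid, _gid, gids = parse_token(log_line)
    return acl_grants(parse_getfacl(acl_text), uid, gids, "x")


if __name__ == "__main__":
    print(chdir_allowed(LOG_LINE, ACL_TEXT))        # (True, 'named group 1278739543')
    print(chdir_allowed(LOG_LINE, STALE_ACL_TEXT))  # (False, 'other entry (no uid/gid in the ACL matched)')
```

On the real server, paste the output of `getfacl -n /mnt/user/PrivateShare` (numeric, not the name-resolved form shown in the post) into `chdir_allowed` together with the logged token line. If the ACL as stored grants x to one of the token's gids, the denial is not coming from that directory's ACL and the next things to check are the parent directories (every component of the path needs x; in the post `/`, `/mnt` and `/mnt/user` all have it for other) and mount options. If it does not, the numeric ids in the ACL and the ids winbind now returns have diverged, which is exactly what an idmap backend change does.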
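The idmap and legacy-authentication points made in the reply above can be checked mechanically against `testparm -s` output. This is an added example, not the thread's or Samba's own code: it parses the flattened [global] section, flags the hash backend for the default domain, a missing `idmap config <WORKGROUP>` block, `null passwords`, NTLMv1 and SMB1 minimum protocol, and runs itself over a trimmed copy of the posted configuration next to the layout the reply suggests. The overlap check on idmap ranges is a general Samba requirement that the thread itself does not mention.

```python
"""Lint the [global] idmap and authentication settings of a Samba member.

Added example for this thread, not Samba code.  It reads the flattened form
that `testparm -s` prints (an smb.conf works too), checks the idmap layout
the way the reply above does and flags the legacy authentication knobs.
The "DO NOT USE THIS BACKEND" wording is quoted from idmap_hash(8) as cited
in the thread; the rule that idmap ranges must not overlap is a general
Samba requirement the thread itself does not state.
"""
import re

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def parse_global(text):
    """Return ({param: value}, {DOMAIN: {key: value}}) for the [global] section."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global" or "=" not in line:
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip().lower()
            idmap.setdefault(dom, {})[key] = val
        else:
            key, val = (s.strip() for s in line.split("=", 1))
            params[key.lower()] = val.lower()
    return params, idmap


def overlaps(r1, r2):
    """True when two 'lo-hi' idmap ranges share at least one id."""
    (a, b), (c, d) = (map(int, r.split("-")) for r in (r1, r2))
    return a <= d and c <= b


def audit(text):
    """Return [(severity, message), ...]; an empty list means nothing to fix."""
    params, idmap = parse_global(text)
    out = []
    backend = idmap.get("*", {}).get("backend")
    if backend == "hash":
        out.append(("error", "idmap config * : backend = hash (idmap_hash(8): DO NOT USE THIS BACKEND)"))
    elif backend != "tdb":
        out.append(("error", f"idmap config * should use the tdb backend, found {backend!r}"))
    workgroup = params.get("workgroup", "").upper()
    if workgroup and workgroup not in idmap:
        out.append(("error", f"no 'idmap config {workgroup} : ...' lines for the joined domain"))
    for dom, cfg in idmap.items():
        if "backend" not in cfg or "range" not in cfg:
            out.append(("error", f"idmap config {dom} needs both a backend and a range"))
    doms = [d for d, c in idmap.items() if "range" in c]
    for i, d1 in enumerate(doms):
        for d2 in doms[i + 1:]:
            if overlaps(idmap[d1]["range"], idmap[d2]["range"]):
                out.append(("error", f"idmap ranges for {d1} and {d2} overlap"))
    if params.get("null passwords") == "yes":
        out.append(("error", "null passwords = Yes: every account should have a password"))
    if params.get("ntlm auth") in ("yes", "ntlmv1-permitted"):
        out.append(("warn", "NTLMv1 is permitted; drop 'ntlm auth' unless a client still needs it"))
    if params.get("server min protocol") in SMB1_DIALECTS:
        out.append(("warn", "server min protocol allows SMB1; drop it unless an XP-era client needs it"))
    return out


# Constructed from the testparm dump quoted in the thread, trimmed to the
# lines this lint looks at.
AS_POSTED = """
[global]
        ntlm auth = ntlmv1-permitted
        null passwords = Yes
        realm = TESTLAB.COM
        security = ADS
        server min protocol = NT1
        workgroup = TESTLAB
        idmap config * : range = 10000-4000000000
        idmap config * : backend = hash

[PrivateShare]
        path = /mnt/user/PrivateShare
        read only = No
"""

# The idmap layout suggested in the reply, with the legacy knobs removed.
AS_SUGGESTED = """
[global]
        realm = TESTLAB.COM
        security = ADS
        workgroup = TESTLAB
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config TESTLAB : backend = rid
        idmap config TESTLAB : range = 10000-4000000000
        vfs objects = acl_xattr
"""

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        print(name, audit(conf) or "clean")
```

Feed it the real server's `testparm -s` output rather than a hand-edited smb.conf, so that defaults and included files (the post pulls in /etc/samba/smb-shares.conf) are already resolved. Note that moving from the hash backend to tdb plus rid changes every uid and gid winbind returns, so existing on-disk ACLs and ownership will need to be re-applied afterwards.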