[Samba] Share access permission errors after upgrade from 4.12.14

Rowland Penny rpenny at samba.org
Thu Jan 11 10:36:37 UTC 2024


On Thu, 11 Jan 2024 08:53:38 +0000
unraidster via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> Issue Description
> After the upgrade of the Unraid server OS (unraid.net) from v6.9.2 to
> v6.12.6 (which upgrades the version of Samba from 4.12.14 to 4.17.12)
> access to shares stops working.
> 
> Error Summary:
> [2024/01/07 21:52:43.357676,  0, pid=93992, effective(1278739538,
> 1278738945), real(1278739538, 0)]
> ../../source3/smbd/smb2_service.c:168(chdir_current_service)
> chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed:
> Permission denied. Current token: uid=1278739538, gid=1278738945, 7
> groups: 1278739538 1278738945 1278739551 1278739543 1278739547
> 1278739545 1278739556
> 
> Samba is joined to an Active Directory domain as a member server. The
> following error is found in the log when I attempt to browse to the
> share using a Windows 10 client signed in as the domain's "rwuser"
> user account. (Note: worked with the older version of the OS).
> 
> I have included output from logs/commands that I thought might help
> answer any subsequent questions that readers may have. Please let me
> know if there is any additional information I can provide. Thank You.
> 
> Error Detail:
> ==================
> [2024/01/07 21:52:43.356009,  4, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=vfs]
>   ../../source3/smbd/vfs.c:938(vfs_ChDir)
>   vfs_ChDir to /mnt/user/PrivateShare
> 
> [2024/01/07 21:52:43.357676,  0, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0)]
>   ../../source3/smbd/smb2_service.c:168(chdir_current_service)
>   chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=1278739538, gid=1278738945, 7 groups: 1278739538 1278738945 1278739551 1278739543 1278739547 1278739545 1278739556
> 
> [2024/01/07 21:52:43.357802,  3, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2]
>   ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3253
> 
> [2024/01/07 21:52:43.357809, 10, pid=91942, effective(0, 0), real(0, 0)]
>   ../../source3/smbd/notify_inotify.c:446(inotify_watch)
>   inotify_add_watch for /mnt/user/PublicShare mask 210003c6 returned wd 1
> 
> [2024/01/07 21:52:43.357834, 10, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2]
>   ../../source3/smbd/smb2_server.c:3847(smbd_smb2_request_done_ex)
>   smbd_smb2_request_done_ex: mid [15] idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:4011
> 
> [2024/01/07 21:52:43.357843, 10, pid=91942, effective(0, 0), real(0, 0)]
>   ../../source3/smbd/notifyd/notifyd.c:449(notifyd_apply_rec_change)
>   notifyd_apply_rec_change: /mnt/user/PublicShare has 2 instances
> 
> [2024/01/07 21:52:43.357855, 10, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2_credits]
>   ../../source3/smbd/smb2_server.c:975(smb2_set_operation_credit)
>   smb2_set_operation_credit: smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 8161/8192, total granted/max/low/range 32/8192/16/32
> 
> Directory Permissions
> =========================
> /
> 	drwxr-xr-x  20 root root
> 
> /mnt/
> 	drwxr-xr-x  9 root     root
> 
> /mnt/user/
> 	drwxrwxrwx  1 ur_admin   ur-lab_access
> 
> /mnt/user/PrivateShare/
> 	drwxrwx---+ 1 ur_admin ur-lab_access
> 
> 	ACL
> 	root at UR-Lab:~# getfacl /mnt/user/PrivateShare
> 	getfacl: Removing leading '/' from absolute path names
> 	# file: mnt/user/PrivateShare
> 	# owner: ur_admin
> 	# group: ur-lab_access
> 	user::rwx
> 	user:ur_admin:rwx
> 	group::rwx
> 	group:ur-lab_access:rwx
> 	group:ur-lab-privateshare-ro:r-x
> 	group:ur-lab-privateshare-rw:rwx
> 	mask::rwx
> 	other::---
> 	default:user::rwx
> 	default:user:ur_admin:rwx
> 	default:group::---
> 	default:group:ur-lab_access:rwx
> 	default:group:ur-lab-privateshare-ro:r-x
> 	default:group:ur-lab-privateshare-rw:rwx
> 	default:mask::rwx
> 	default:other::---
> 
> 
> WB Info for Users and groups
> =========================
> ur_admin
> 	root at UR-Lab:~# wbinfo -n ur_admin
> 	S-1-5-21-3759969785-1361971536-1710822149-1107 SID_USER (1)
> 
> rwuser
> 	root at UR-Lab:~# wbinfo -n rwuser
> 	S-1-5-21-3759969785-1361971536-1710822149-1106 SID_USER (1)
> 	root at UR-Lab:~# id 1278739538
> 	uid=1278739538(rwuser) gid=1278738945(domain users)
> groups=1278738945(domain
> users),1278739538(rwuser),1278739551(ur_users),1278739543(ur-lab-privateshare-rw),1278739547(b-rw),1278739545(ur-lab-privateshare-a-rw),1278739556(ubuntu_share_rw)
> 
> ur-lab-privateshare-rw
> 	root at UR-Lab:~# wbinfo -n ur-lab-privateshare-rw
> 	S-1-5-21-3759969785-1361971536-1710822149-1111 SID_DOM_GROUP
> (2)
> 
> ur-lab-privateshare-ro
> 	root at UR-Lab:~# wbinfo -n ur-lab-privateshare-ro
> 	S-1-5-21-3759969785-1361971536-1710822149-1110 SID_DOM_GROUP
> (2)
> 
> Testparm Output
> ===============
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "null passwords" option is
> deprecated Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
> 
> Server role: ROLE_DOMAIN_MEMBER
> 
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>         bind interfaces only = Yes
>         disable spoolss = Yes
>         host msdfs = No
>         interfaces = 192.168.66.4 127.0.0.1
>         ldap ssl = no
>         load printers = No
>         log file = /var/log/samba/samba.log
>         logging = syslog at 0
>         max open files = 40960
>         multicast dns register = No
>         ntlm auth = ntlmv1-permitted
>         null passwords = Yes
>         os level = 100
>         printcap name = /dev/null
>         realm = TESTLAB.COM
>         security = ADS
>         server min protocol = NT1
>         server multi channel support = No
>         server string = Media server
>         show add printer wizard = No
>         smb1 unix extensions = No
>         winbind use default domain = Yes
>         workgroup = TESTLAB
>         fruit:nfs_aces = No
>         idmap config * : range = 10000-4000000000
>         idmap config * : backend = hash
>         acl allow execute always = Yes
>         acl group control = Yes
>         aio read size = 0
>         aio write size = 0
>         dos filemode = Yes
>         hide dot files = No
>         include = /etc/samba/smb-shares.conf
>         inherit acls = Yes
>         inherit permissions = Yes
>         invalid users = root
>         map acl inherit = Yes
>         use sendfile = Yes
>         wide links = Yes
> 
> 
> [PrivateShare]
>         path = /mnt/user/PrivateShare
>         read only = No
> 
> 
> [PrivateShare-A]
>         path = /mnt/user/PrivateShare-A
>         read only = No
> 
> 
> [PrivateShare-B]
>         path = /mnt/user/PrivateShare-B
>         read only = No
> 
> 
> [PublicShare]
>         path = /mnt/user/PublicShare
>         read only = No
> ========================================
> Not sure if it is of any use, I noticed a log entry which includes
> the phrase security_token_debug. This includes the IDs of the groups
> that the user account is a member of.
> 
> 	[2024/01/07 21:52:43.271094,  5, pid=93992, effective(0, 0), real(0, 0)]
> 	  ../../libcli/security/security_token.c:51(security_token_debug)
> 	  Security token SIDs (19):
> 	    SID[  0]: S-1-5-21-3759969785-1361971536-1710822149-1106
> 	    SID[  1]: S-1-5-21-3759969785-1361971536-1710822149-513
> 	    SID[  2]: S-1-5-21-3759969785-1361971536-1710822149-1119
> 	    SID[  3]: S-1-5-21-3759969785-1361971536-1710822149-1111
> 	    SID[  4]: S-1-5-21-3759969785-1361971536-1710822149-1115
> 	    SID[  5]: S-1-5-21-3759969785-1361971536-1710822149-1113
> 	    SID[  6]: S-1-5-21-3759969785-1361971536-1710822149-1124
> 	    SID[  7]: S-1-18-1
> 	    SID[  8]: S-1-1-0
> 	    SID[  9]: S-1-5-2
> 	    SID[ 10]: S-1-5-11
> 	    SID[ 11]: S-1-22-1-1278739538
> 	    SID[ 12]: S-1-22-2-1278738945
> 	    SID[ 13]: S-1-22-2-1278739538
> 	    SID[ 14]: S-1-22-2-1278739551
> 	    SID[ 15]: S-1-22-2-1278739543
> 	    SID[ 16]: S-1-22-2-1278739547
> 	    SID[ 17]: S-1-22-2-1278739545
> 	    SID[ 18]: S-1-22-2-1278739556
> 	   Privileges (0x               0):
> 	   Rights (0x               0):
> 	[2024/01/07 21:52:43.271202,  5, pid=93992, effective(0, 0), real(0, 0)]
> 	  ../../source3/auth/token_util.c:873(debug_unix_user_token)
> 	  UNIX token of user 1278739538
> 	  Primary group is 1278738945 and contains 7 supplementary groups
> 	  Group[  0]: 1278739538
> 	  Group[  1]: 1278738945
> 	  Group[  2]: 1278739551
> 	  Group[  3]: 1278739543
> 	  Group[  4]: 1278739547
> 	  Group[  5]: 1278739545
> 	  Group[  6]: 1278739556
> 
> ===============================================
> 
> I am planning to move to the RID IDMAP backend and have tested a RID
> based IDMAP config within the lab. This did not seem to make a
> difference in relation to the issue above and therefore I have not
> used it in the scenario above to keep troubleshooting as simple as
> possible for now.
> 
> This is my first time posting to the list and please let me know if
> there is anything I can do differently to make the process better.
> 
> Thank You,
> 
> 

Is winbind running?
Are you using sssd?

To be honest, your 'idmap config' block isn't correct; you have:

idmap config * : range = 10000-4000000000
idmap config * : backend = hash

Let's start with the idmap backend. If you run 'man idmap_hash', the
very top of that file has this:

IDMAP_HASH(8)             System Administration tools             IDMAP_HASH(8)

NAME
       idmap_hash - DO NOT USE THIS BACKEND

Never mind that you should really only use the 'tdb' backend with the
default (*) domain, the manpage itself tells you not to use this
backend.

You also do not seem to have any 'idmap config' lines for the TESTLAB
domain.

I would expect to see 'idmap config' lines similar to these:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TESTLAB : backend  = rid
idmap config TESTLAB : range = 10000-4000000000

Do you have any computers that must use SMBv1? (Windows XP or earlier)

If not, you can probably remove these lines:

ntlm auth = ntlmv1-permitted
server min protocol = NT1

For various reasons, I would also remove these lines:

host msdfs = No
ldap ssl = no
max open files = 40960
multicast dns register = No
os level = 100
server multi channel support = No
acl allow execute always = Yes
acl group control = Yes
aio read size = 0
aio write size = 0
dos filemode = Yes
inherit acls = Yes
inherit permissions = Yes
invalid users = root
fruit:nfs_aces = No

I would definitely remove this line:

null passwords = Yes

All accounts should have a password, if only for security.

I would also add this line:

vfs objects = acl_xattr

If your users are going to connect to the Samba server and have a home
directory, you might like to add:

template homedir = /home/%U

Otherwise they will get the default path of '/home/TESTLAB/%U'

If they are going to actually log into the server, you should also set:

template shell = /bin/bash

Or the default '/bin/false' will be used and they will not be able to
log in.

Finally, what is in '/etc/samba/smb-shares.conf' ?

Rowland
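The idmap and legacy-auth points Rowland raises above can be screened mechanically from a 'testparm -s' dump. The following is an added example, not code from the Samba project or from either poster: it parses an smb.conf into sections, collects the per-domain 'idmap config' backend and range, and reports the same findings made by hand in the reply (a default-domain backend other than tdb, idmap_hash in particular; no idmap lines for the joined domain; overlapping ranges; 'null passwords', NTLMv1 and 'server min protocol = NT1'). The two embedded configs are constructed from the [global] section quoted in the thread and from the lines Rowland suggests; the finding codes are my own naming.

```python
"""Screen a Samba smb.conf / 'testparm -s' dump for the idmap and
legacy-auth problems discussed in the thread (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: relevant [global] lines from the original poster's testparm dump.
ORIGINAL_CONF = """\
[global]
        ntlm auth = ntlmv1-permitted
        null passwords = Yes
        realm = TESTLAB.COM
        security = ADS
        server min protocol = NT1
        workgroup = TESTLAB
        idmap config * : range = 10000-4000000000
        idmap config * : backend = hash

[PrivateShare]
        path = /mnt/user/PrivateShare
        read only = No
"""

# Constructed sample: the same [global] with the lines Rowland suggests instead.
CORRECTED_CONF = """\
[global]
        realm = TESTLAB.COM
        security = ADS
        workgroup = TESTLAB
        winbind use default domain = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config TESTLAB : backend  = rid
        idmap config TESTLAB : range = 10000-4000000000
        vfs objects = acl_xattr
"""

Section = Dict[str, str]


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Parse smb.conf text into {section: {key: value}}. Keys are lower-cased
    and whitespace-normalised, so 'idmap config TESTLAB : backend  = rid'
    yields the key 'idmap config testlab:backend'."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # text outside any section (e.g. testparm banner)
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        sections[current][key] = value.strip()
    return sections


def idmap_domains(glob: Section) -> Dict[str, dict]:
    """Collect {domain: {'backend': str, 'range': (lo, hi)}} from [global]."""
    domains: Dict[str, dict] = {}
    for key, value in glob.items():
        m = re.match(r"idmap config (.+):(backend|range)$", key)
        if not m:
            continue
        entry = domains.setdefault(m.group(1), {})
        if m.group(2) == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = value.lower()
    return domains


def audit(conf: Dict[str, Section]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means no issues found."""
    findings: List[Tuple[str, str]] = []
    glob = conf.get("global", {})
    domains = idmap_domains(glob)
    workgroup = glob.get("workgroup", "").lower()

    backend = domains.get("*", {}).get("backend")
    if backend is None:
        findings.append(("IDMAP_NO_DEFAULT", "no 'idmap config * : backend' for the default domain"))
    elif backend == "hash":
        findings.append(("IDMAP_HASH", "default domain uses idmap_hash; its manpage says DO NOT USE THIS BACKEND"))
    elif backend != "tdb":
        findings.append(("IDMAP_DEFAULT_NOT_TDB", f"default domain uses '{backend}'; use tdb for '*'"))
    if workgroup and workgroup not in domains:
        findings.append(("IDMAP_NO_DOMAIN", f"no 'idmap config {workgroup.upper()} : ...' lines for the joined domain"))

    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for i, (d1, (a1, b1)) in enumerate(ranged):
        for d2, (a2, b2) in ranged[i + 1:]:
            if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                findings.append(("IDMAP_OVERLAP", f"idmap ranges for '{d1}' and '{d2}' overlap"))

    if glob.get("null passwords", "").lower() in ("yes", "true", "1"):
        findings.append(("NULL_PASSWORDS", "null passwords = Yes: every account should have a password"))
    if glob.get("ntlm auth", "").lower() == "ntlmv1-permitted":
        findings.append(("NTLMV1", "ntlm auth = ntlmv1-permitted: only SMB1-era clients need NTLMv1"))
    if glob.get("server min protocol", "").upper() == "NT1":
        findings.append(("SMB1", "server min protocol = NT1: SMB1 enabled; remove unless XP-era clients need it"))
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        print(f"== {name} ==")
        for code, msg in audit(parse_smb_conf(text)) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it against the output of 'testparm -s' on the member server; the original poster's config produces five findings, the suggested one none. The overlap check matters because winbind allocates IDs from the '*' range for well-known and BUILTIN SIDs, so the domain's rid range must not intersect it.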
