[Samba] Share access permission errors after upgrade from 4.12.14

unraidster unraidster at protonmail.com
Tue Jan 23 21:47:27 UTC 2024


Hi Rowland,

Thanks for getting back to me, appreciate your time and help. Apologies for the long response, I have tried to include as much information as possible.

On Friday, 19 January 2024 at 10:12, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Sorry to be so long in replying to this, but life got in the way.
>
> You initially had an incorrect smb.conf and you changed it, but by
> doing so you will have changed the user & group IDs, not their names,
> the numbers. You will probably need to change the user & group
> ownership of all directories & files and run 'net cache flush' as root.
>
> You also say this is on a computer running unraid, did your initial
> smb.conf come from just clicking things on a 'web page' on your unraid
> box ?
>
> Rowland

Here is a summary of how I changed the IDMAP configuration within Unraid 6.9.2:
	• Configured the idmap within the samba configuration (within Unraid this is done using a feature they call "Samba extra configuration:" in the GUI which adds an include to the smb.conf file).
	• Ran "net cache flush"
	• Renamed all of the .tdb files within /var/lib/samba/.  (did wonder if I should have done this, and if I should have done it before the net cache flush)
	• Started the array (which I believe starts samba).
	• At this stage, the shares are not accessible, even by the owner (ur_admin), as you stated the ID values will have changed.
	• Ran "chown ur_admin:ur-lab_access" on the /mnt/user and /mnt/user/PrivateShare as root.
	• Applied Permissions back onto the /mnt/user/PrivateShare folder using a Windows domain member logged in as TESTLAB\ur_admin via access to the share.
		○ Update: UR_Admin User - Change Apply To from "This Folder" to "This folder, subfolders and files".
		○ Add: _RO Group - RO access applied to "This folder, subfolders and files".
		○ Add: _RW Group - RW access applied to "This folder, subfolders and files".
		○ Remove the Everyone Permission
		○ Remove the stale IDs
		○ Ensure the "Replace all child object permission entries with inheritable permission entries from this object" option is selected at all update/add steps.
	• Tested access: share accessible from the rwuser (member of _RW group), ur_admin, and rouser (member of _RO group) accounts.
	• (I have the environment snapshotted to this state so can return to this point at any time).
	• As part of your recent message, I applied the recommendations to the smb.conf file using the "Samba extra configuration:" feature of Unraid to make the recommended removals from the smb.conf.
		ntlm auth = ntlmv2-only
		server min protocol = SMB2_02
		host msdfs = yes
		ldap ssl = start tls
		max open files = 16384
		multicast dns register = yes
		os level = 20
		server multi channel support = yes
		acl allow execute always = no
		aio read size = 1
		aio write size = 1
		dos filemode = no
		inherit acls = no
		inherit permissions = no
		null passwords = no
		vfs objects = acl_xattr
		acl group control = no
	• Tested access: the share is accessible as detailed above (still Unraid 6.9.2).
	• Upgraded this environment to Unraid 6.12.6; attempting access using the rwuser account then results in the errors.
	• Note: The configuration outputs I have posted in all of my previous messages on the messaging list have been captured by running testparm as root.
	• Note: The "Samba extra configuration:" is modified via the web GUI.

On Fri, 19 Jan 2024 10:12:12 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> So, I took a wander over to the unraid community forum and found a post
> which seems to say that this problem has been going on for nearly a
> year, is this correct ?
>
> I was hoping to possibly find a link to the source, but couldn't find
> one, so I have no idea just what the default smb.conf is.
>
> Rowland

You may have seen my post on the community forums, I have been attempting to find a resolution to the issue since I first posted earlier last year, and others have also reported the same error as far back as September 2022. I have been getting this error since Unraid 6.10.3 which was built with Samba 4.15.7. I am not sure about the source, but I can try and message the Unraid support team if there is anything specific you would like me to look into.

I thought a clean install of Unraid 6.12.6 (without any configuration) may help with the default smb.conf query. I have included the contents of smb.conf (and additional included conf files) from a fresh Unraid 6.12.6 install below:

Clean Install .conf files
=============================================
smb.conf (clean install)
	root@Tower:~# cat /etc/samba/smb.conf
	[global]
	# configurable identification
	include = /etc/samba/smb-names.conf

	# log stuff only to syslog
	logging = syslog@0

	# we don't do printers
	show add printer wizard = No
	disable spoolss = Yes
	load printers = No
	printing = bsd
	printcap name = /dev/null

	# disable aio by default
	aio read size = 0
	aio write size = 0

	# misc.
	invalid users = root
	unix extensions = No
	wide links = Yes
	use sendfile = Yes
	host msdfs = No

	# ease upgrades from Samba 3.6
	acl allow execute always = Yes
	# permit NTLMv1 authentication
	ntlm auth = Yes

	# default global fruit settings:
	#fruit:aapl = Yes
	#fruit:nfs_aces = Yes
	fruit:nfs_aces = No
	#fruit:copyfile = No
	#fruit:model = MacSamba

	# hook for user-defined samba config
	include = /boot/config/smb-extra.conf

	# auto-configured shares
	include = /etc/samba/smb-shares.conf

smb-names.conf (clean install)
	# Generated names
	netbios name = Tower
	server string = Media server
	hide dot files = no
	server multi channel support = no
	max open files = 40960
	multicast dns register = No
	disable netbios = yes
	server min protocol = SMB2
	security = USER
	workgroup = WORKGROUP
	map to guest = Bad User
	passdb backend = smbpasswd
	null passwords = Yes
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	create mask = 0777
	directory mask = 0777
	bind interfaces only = yes
	interfaces = 192.168.66.10/24 127.0.0.1

smb-extra.conf (clean install)
	{file does not exist, contents of "samba extra configuration" is empty}

smb-shares.conf (clean install)
	{file exists, but is empty, no user shares configured yet}

Testparm (clean install)
	root@Tower:~# testparm
	Load smb config files from /etc/samba/smb.conf
	lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
	Loaded services file OK.
	Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

	Server role: ROLE_STANDALONE

	Press enter to see a dump of your service definitions

	# Global parameters
	[global]
		bind interfaces only = Yes
		disable netbios = Yes
		disable spoolss = Yes
	#       host msdfs = No
		interfaces = 192.168.66.10/24 127.0.0.1
		load printers = No
		logging = syslog@0
		map to guest = Bad User
		max open files = 40960
		multicast dns register = No
		ntlm auth = ntlmv1-permitted
		null passwords = Yes
		passdb backend = smbpasswd
		printcap name = /dev/null
		security = USER
		server min protocol = SMB2
		server multi channel support = No
		server string = Media server
		show add printer wizard = No
		smb1 unix extensions = No
		fruit:nfs_aces = No
		idmap config * : range = 3000-7999
		idmap config * : backend = tdb
		acl allow execute always = Yes
		aio read size = 0
		aio write size = 0
		create mask = 0777
		directory mask = 0777
		hide dot files = No
		include = /etc/samba/smb-shares.conf
		invalid users = root
		use sendfile = Yes
		wide links = Yes
===========================================

Please let me know if a similar output as listed above would be useful from a clean Unraid 6.9.2 install. Again appreciate all of the time and input on this, thank you.

Unraidster
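
Added example, not part of the original message and not Samba or Unraid code: after an idmap change, files can remain owned by numeric IDs that no longer map to any name (the "stale IDs" mentioned above). This Python sketch walks a share path and lists every entry whose uid or gid does not resolve through NSS; the function names are hypothetical, and the demo tree is constructed.

```python
import grp
import os
import pwd
import tempfile


def _uid_resolves(uid):
    # pwd goes through NSS, so winbind-mapped domain users count as known.
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def _gid_resolves(gid):
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def find_stale_owners(root, uid_ok=_uid_resolves, gid_ok=_gid_resolves):
    """Return sorted (path, uid, gid) tuples for root and everything below it
    whose owning uid or gid no longer maps to a name."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    uid_seen, gid_seen, stale = {}, {}, []
    for path in paths:
        st = os.lstat(path)  # lstat: report the link itself, never its target
        if st.st_uid not in uid_seen:
            uid_seen[st.st_uid] = uid_ok(st.st_uid)
        if st.st_gid not in gid_seen:
            gid_seen[st.st_gid] = gid_ok(st.st_gid)
        if not (uid_seen[st.st_uid] and gid_seen[st.st_gid]):
            stale.append((path, st.st_uid, st.st_gid))
    return sorted(stale)


if __name__ == "__main__":
    # Constructed demo tree; on the server, pass the share path instead,
    # e.g. /mnt/user/PrivateShare from the message.
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "docs"))
        open(os.path.join(share, "docs", "a.txt"), "w").close()
        # Simulate the post-change state: pretend no uid resolves any more.
        for path, uid, gid in find_stale_owners(share, uid_ok=lambda u: False):
            print(f"{uid}:{gid}\t{path}")
```

An empty result from `find_stale_owners("/mnt/user/PrivateShare")` after the chown step means every owner and group on the share resolves under the new mapping.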


