[Samba] Share access permission errors after upgrade from 4.12.14
unraidster
unraidster at protonmail.com
Wed Jan 24 17:31:46 UTC 2024
On Wednesday, 24 January 2024 at 10:51, Rowland Penny via samba <samba at lists.samba.org> wrote:
> I rearranged the smb.conf above and added comments:
>
> [global]
> netbios name = Tower
> server string = Media server
> security = USER
> workgroup = WORKGROUP
> bind interfaces only = yes
> interfaces = 192.168.66.10/24 127.0.0.1
>
> # we don't do printers
> show add printer wizard = No
> disable spoolss = Yes
> load printers = No
> printing = bsd
> printcap name = /dev/null
>
> # log stuff only to syslog
> logging = syslog at 0
>
> use sendfile = Yes
>
> hide dot files = no # why ? You do not usually need to see them.
> server multi channel support = no # reasonable, your unraid device probably only has one network device.
> max open files = 40960 # why ? You shouldn't need to touch this.
> multicast dns register = No # why ? netbios is turned off below, might be a good idea to use Avahi.
> disable netbios = yes
> server min protocol = SMB2 # This is the default and has been for quite some time.
> map to guest = Bad User
> passdb backend = smbpasswd # The 'smbpasswd' backend was replaced years ago by the tdbsam backend.
> null passwords = Yes # This is just plain stupidity.
> idmap config * : backend = tdb # This and the line below are not required on a standalone server.
> idmap config * : range = 3000-7999
> create mask = 0777 # This and the line below would be better set in the shares.
> directory mask = 0777
>
>
> # disable aio by default
> aio read size = 0 # Why ? This could potentially slow things down.
> aio write size = 0 # Why ? This could potentially slow things down.
>
> # misc.
> invalid users = root # Old school, use acls.
> unix extensions = No # This is only here to allow the next line.
> wide links = Yes # Not a good idea, very insecure.
> host msdfs = No
>
> # ease upgrades from Samba 3.6 # Pardon ? 3.6 Died 8 years ago
> acl allow execute always = Yes
> # permit NTLMv1 authentication
> ntlm auth = Yes # Why ?
>
> # default global fruit settings: # None of which will have any effect because none of the apple vfs objects are turned on.
> #fruit:aapl = Yes
> #fruit:nfs_aces = Yes
> fruit:nfs_aces = No
> #fruit:copyfile = No
> #fruit:model = MacSamba
>
> It is for a standalone server.
>
> Can you please join it to the domain and then post the new smb.conf , I
> am looking to see what the default idmap backend is for the domain.
>
> Rowland
Hi,
I assumed that the rearranged config you provided was for feedback, I haven't made any changes to the configuration based on those comments. I'll send a message to the Unraid support team with a link to this post when I get to an output with the issue.
I have been including outputs from testparm. I assumed that the command's output is the configuration that is used by smbd after the smb.conf and all included .conf files have been processed, like a resultant configuration. Is that correct? (I wanted to validate that this is the configuration I should expect the system to use and that there isn't anything in the .conf files that could be modifying the configuration.) I noticed that if I set a property to the default value (as specified in the man pages) it would disappear from the testparm output; I assumed this is because testparm "filters" out any properties with the system default value.
The .conf exports and testparm output were from a clean install. I have joined the Unraid server to the same TESTLAB domain as my previous lab Unraid server. Please find the updated smb.conf below:
smb.conf:
root at Tower:~# cat /etc/samba/smb.conf
[global]
# configurable identification
include = /etc/samba/smb-names.conf
# log stuff only to syslog
logging = syslog at 0
# we don't do printers
show add printer wizard = No
disable spoolss = Yes
load printers = No
printing = bsd
printcap name = /dev/null
# disable aio by default
aio read size = 0
aio write size = 0
# misc.
invalid users = root
unix extensions = No
wide links = Yes
use sendfile = Yes
host msdfs = No
# ease upgrades from Samba 3.6
acl allow execute always = Yes
# permit NTLMv1 authentication
ntlm auth = Yes
# default global fruit settings:
#fruit:aapl = Yes
#fruit:nfs_aces = Yes
fruit:nfs_aces = No
#fruit:copyfile = No
#fruit:model = MacSamba
# hook for user-defined samba config
include = /boot/config/smb-extra.conf
# auto-configured shares
include = /etc/samba/smb-shares.conf
Output from Testparm:
root at Tower:~# testparm
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
bind interfaces only = Yes
disable netbios = Yes
disable spoolss = Yes
host msdfs = No
interfaces = 192.168.66.10/24 127.0.0.1
ldap ssl = no
load printers = No
logging = syslog at 0
max open files = 40960
multicast dns register = No
ntlm auth = ntlmv1-permitted
null passwords = Yes
printcap name = /dev/null
realm = TESTLAB.COM
security = ADS
server min protocol = SMB2
server multi channel support = No
server string = Media server
show add printer wizard = No
smb1 unix extensions = No
winbind use default domain = Yes
workgroup = TESTLAB
fruit:nfs_aces = No
idmap config * : range = 10000-4000000000
idmap config * : backend = hash
acl allow execute always = Yes
acl group control = Yes
aio read size = 0
aio write size = 0
dos filemode = Yes
hide dot files = No
include = /etc/samba/smb-shares.conf
inherit acls = Yes
inherit permissions = Yes
invalid users = root
map acl inherit = Yes
use sendfile = Yes
wide links = Yes
I wasn't able to find the IDMAP lines in the smb.conf. Found them within the smb-names.conf file:
root at Tower:~# cat /etc/samba/smb-names.conf
# Generated names
netbios name = Tower
server string = Media server
hide dot files = no
server multi channel support = no
max open files = 40960
multicast dns register = No
disable netbios = yes
server min protocol = SMB2
security = ADS
workgroup = TESTLAB
realm = testlab.com
null passwords = Yes
idmap config * : backend = hash
idmap config * : range = 10000-4000000000
winbind use default domain = Yes
ldap ssl = No
nt acl support = Yes
acl map full control = Yes
acl group control = Yes
inherit acls = Yes
inherit permissions = Yes
map acl inherit = Yes
dos filemode = Yes
bind interfaces only = yes
interfaces = 192.168.66.10/24 127.0.0.1
Please let me know if there is anything else to change/try/capture. Thanks,
Unraidster
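The question above about testparm and the idmap lines that turned out to live in smb-names.conf is really a question about how the includes fold into one effective configuration. The following is an added example for this thread, my own code and not Samba's loadparm or anything shipped by Unraid: it walks a smb.conf the way testparm does (includes processed in place, last writer wins, parameter names case- and whitespace-insensitive), records which file set each value, and then flags the settings Rowland called out. The file contents are a constructed stand-in for the files posted in the thread; smb-extra.conf and smb-shares.conf were not posted, so their contents here are made up. The only parameter synonym modelled is the one visible in the testparm output above ("unix extensions" is reported as "smb1 unix extensions"); %-macro expansion and the rest of loadparm are not modelled.

```python
"""Resolve an smb.conf into its effective parameters, roughly as testparm does.

Added example for this thread, not Samba's code. Assumptions: includes are
processed in place and inherit the current section; parameter names are case-
and whitespace-insensitive; only full-line '#'/';' comments are stripped
(Samba keeps a '#' inside a value); one synonym is modelled.
"""
import re
from typing import Callable, Dict, List, Tuple

# section -> parameter -> (value, file that last set it)
Effective = Dict[str, Dict[str, Tuple[str, str]]]

SYNONYMS = {"unix extensions": "smb1 unix extensions"}  # as shown by testparm above
YES = ("yes", "true", "1")


def _canon(name: str) -> str:
    key = " ".join(name.split()).lower()
    return SYNONYMS.get(key, key)


def _walk(path: str, read: Callable[[str], str], eff: Effective,
          section: str, trail: Tuple[str, ...]) -> str:
    """Parse one file into `eff`; return the section in force at its end."""
    if path in trail:
        raise ValueError("include loop: " + " -> ".join(trail + (path,)))
    for raw in read(path).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue  # Samba would warn about this; ignored here
        name, value = (part.strip() for part in line.split("=", 1))
        key = _canon(name)
        if key == "include":
            # The included file continues the current section and may change it.
            section = _walk(value, read, eff, section, trail + (path,))
            continue
        eff.setdefault(section, {})[key] = (value, path)
    return section


def load(path: str, read: Callable[[str], str]) -> Effective:
    """Effective configuration for `path`, in the spirit of `testparm -s`."""
    eff: Effective = {}
    _walk(path, read, eff, "global", ())
    return eff


def weak_settings(eff: Effective) -> List[Tuple[str, str, str]]:
    """(parameter, source file, why it matters) for the risky [global] settings."""
    g = eff.get("global", {})

    def val(key: str, default: str = "") -> str:
        return g.get(key, (default, ""))[0].lower()

    def src(key: str) -> str:
        return g.get(key, ("", "<default>"))[1]

    out = []
    if val("null passwords") in YES:
        out.append(("null passwords", src("null passwords"),
                    "accounts with an empty password can authenticate (deprecated option)"))
    if val("ntlm auth") in YES + ("ntlmv1-permitted",):
        out.append(("ntlm auth", src("ntlm auth"), "NTLMv1 responses are accepted"))
    # wide links is only honoured when unix extensions are off; the default is on.
    if val("wide links") in YES and val("smb1 unix extensions", "yes") not in YES:
        out.append(("wide links", src("wide links"),
                    "symlinks inside a share may resolve outside the share path"))
    return out


# Constructed stand-in for the files posted in the thread (the last two were
# not posted; their contents are made up for this example).
FILES = {
    "/etc/samba/smb.conf": """\
[global]
include = /etc/samba/smb-names.conf
invalid users = root
unix extensions = No
wide links = Yes
ntlm auth = Yes
include = /boot/config/smb-extra.conf
include = /etc/samba/smb-shares.conf
""",
    "/etc/samba/smb-names.conf": """\
netbios name = Tower
security = ADS
workgroup = TESTLAB
realm = testlab.com
null passwords = Yes
idmap config * : backend = hash
idmap config * : range = 10000-4000000000
""",
    "/boot/config/smb-extra.conf": "",
    "/etc/samba/smb-shares.conf": "[media]\npath = /mnt/user/media\nread only = No\n",
}

if __name__ == "__main__":
    cfg = load("/etc/samba/smb.conf", FILES.__getitem__)
    for param, (value, origin) in sorted(cfg["global"].items()):
        print(f"{param:32} = {value:24} # {origin}")
    for param, origin, why in weak_settings(cfg):
        print(f"WEAK {param} (set in {origin}): {why}")
```

On the real box the equivalent is `testparm -s` (no prompt, only non-default parameters) and `testparm -v` (defaults shown as well), which answers the "filtered" observation: parameters at their default value are simply not printed without -v. The script's extra value is the third column, the file that last set each parameter, which is what was missing when the idmap lines could not be found in smb.conf.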