[Samba] ARGH... once again samba causes "permission" errors.

John H Terpstra jht at samba.org
Tue Jun 1 10:03:00 MDT 2010

On 05/29/2010 03:21 AM, Jeff Wiegley wrote:
> I've been doing unix sys. admin for nearly 20 years and yet EVERY single
> time I have to setup samba I have configuration problems.


With all respect, please note that Samba is not your usual UNIX
networking toolset - it implements SMB/CIFS, a technology that is
overloaded with its own specific requirements that need to be understood
and correctly handled.

Have you read the books:
Samba3-ByExample  (http://www.samba.org/samba/docs/Samba3-ByExample.pdf)
Samba3-HOWTO      (http://www.samba.org/samba/docs/Samba3-HOWTO.pdf)

These may help to alleviate some of your discomfort with Samba.  There
are other Samba books, unfortunately all (even the two above) are quite
out of date. Notwithstanding that they are out of date, the above can
still be of value (particularly Samba3-ByExample) because it provides
worked example network deployment configurations.

Additionally, you may find some useful pointers on the Samba Wiki at:

> Before we start let's clear up some common misunderstandings: I have
> googled for the answer. I have spent the last six hours doing so and trying
> various "suggestions". Most of these suggestions point to solutions
> involving chown or chmod.  These are not the problems (or I will be
> very surprised).

Googling is a good thing (most of the time), but when it comes to Samba
issues this will usually turn up a lot of complaints about problems and
very few reports that explain how each was solved - if it was solved in
the first place.

> # cat /etc/samba/smb.conf
> [global]
>         workgroup = CYTE.COM

Do NOT use a '.' character in a workgroup/domain name. In MS Windows NT4
(the protocols Samba3 implements) this is not a supported character. It
would be better to just declare the workgroup name as "CYTE" or "CYTE-COM".

>         server string = CyteNAS
>         netbios name = NAS
>         hosts allow = 127., 10.0.10.

Is this device multi-homed? If it is then "hosts allow" is probably a
good thing - if not, it is best to start without it and add it later
when you know the configuration is working.

For diagnostic purposes add the following to the [global] stanza:

	log file = %L-%m.log
	max log size = 0
	log level = 3
	map to guest = bad user

When the network is finally stable, and diagnostics are no longer
needed, reduce the "log level" to either 0 or 1.

> [nas]
>         comment = NAS
>         path = /mnt/nas
>         force user = nas
>         force group = nas
>         read only = No
> # cat /etc/samba/smbpasswd
> nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U         
> ]:LCT-4C00625E:

What version of Samba are you using?  If it is later than 3.0.x (in
other words 3.2.x, 3.3.x, 3.4.x, 3.5.x) the default is to use tdbsam,
not smbpasswd.  If you particularly want to use smbpasswd to store the
SMB/CIFS credentials, specify the following in [global]:
	passdb backend = smbpasswd:/etc/samba/smbpasswd

> # grep nas /etc/passwd
> nas:x:500:500::/mnt/nas:/bin/bash
> # grep nas /etc/group
> nas:x:500:
> # ls -al /mnt/nas
> total 16
> drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
> drwxrwxrwx 3 root root 4096 May 28 15:04 ..
> So before you tell me about "permission" problems please note the following
>   1) The permissions on all the files is 777... EVERYBODY can do anything.
>   2) samba IS configured to force the user and group to the owner of the
> share
>       path anyways.
>   3) The group and user exist and they have their passwords configured
>        correctly.
> I can map the share on my Windows 7 workstation. But any attempt to
> create anything yields a pop-up window that says:
> "You need permission to perform this action"
>                               nas(\\NAS)
>                               Space free: 89.7 GB
>                               Total size: 97.0 GB
> Why am I getting ANY permission problems??? Frankly. I don't think it is
> a permission problem. (I set log level to 10; the output is long so I won't
> include it because I looked through it and didn't see any errors reported
> or any mention of permission denied.)

As much as you may not like scanning samba log files, this is the only
way to diagnose what is going wrong.

> It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually
> a 6TB Raid5 array with an XFS filesystem. But if I actually mount it....
> # /etc/init.d/smb stop
> # mount /mnt/nas
> # ls -al /mnt/nas
> total 8
> drwxrwxrwx 2 nas  nas     6 May 28 18:11 .
> drwxrwxrwx 3 root root 4096 May 28 15:04 ..
> see... no difference in permissions or ownership but now it is a mount
> point.

OK, we feel your pain, but instead of complaining to this list you are
better served asking how to diagnose the problem so you can find a solution.

> Now I can't even map the samba share at all. All I get is a window
> that says:
>    "Attemping to connect to \\NAS\nas"
>           (Cancel)
> And it never seems to go away.
> and yes, under both cases I can simply login as the user nas via
> ssh and touch/mkdir or do anything I want and the files get created
> just fine. Frankly I think this is another case of Windows presenting
> the user with a misleading diagnostic "Permission" problem when
> something much more fundamental is going wrong with Samba.

The log files are your sole pathway to a solution.

If you just want a solution to the problem, you could also consider
getting commercial Samba support from one of the support providers at:

- John T.
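
An added example, not part of the original message: a small Python check that applies the reply's [global] advice (no '.' in the workgroup name, start without "hosts allow", state "passdb backend" explicitly, lower "log level" after diagnosis) to the smb.conf quoted above. The function names are hypothetical and the sample input is reconstructed from the quoted configuration.

```python
# Constructed sample: the [global] and [nas] stanzas quoted in the message above.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = CYTE.COM
        server string = CyteNAS
        netbios name = NAS
        hosts allow = 127., 10.0.10.
[nas]
        comment = NAS
        path = /mnt/nas
        force user = nas
        force group = nas
        read only = No
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}} (names lowercased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # case is ignored; collapse runs of whitespace in parameter names
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def review_global(conf):
    """Return (parameter, finding) pairs for the points raised in the reply."""
    g = conf.get("global", {})
    findings = []
    if "." in g.get("workgroup", ""):
        findings.append(("workgroup", "contains '.'; use a name such as CYTE or CYTE-COM"))
    if "hosts allow" in g:
        findings.append(("hosts allow", "set before the share is known to work; add it back later"))
    if "passdb backend" not in g:
        findings.append(("passdb backend", "not set; Samba later than 3.0.x defaults to tdbsam, not smbpasswd"))
    level = (g.get("log level") or "0").split()[0]
    if level.isdigit() and int(level) > 1:
        findings.append(("log level", "diagnostic level; reduce to 0 or 1 once stable"))
    return findings

if __name__ == "__main__":
    for param, finding in review_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{param}: {finding}")
```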
