[Samba] Allow insecure wide links = yes, wide links =yes; but I still can't "see" files from links to NFS mounts using 3.6.15, after upgrading from 2.2.8a

Jordan Verschuer jvsamba007 at gmail.com
Wed Dec 11 17:50:43 MST 2013


Hi David,

Thanks for your concern. We would still like to restore this functionality
though, of being able to access the NFS mounted wide links, like we could
in 2.2.8a.

I only upgraded to 3.6.15 so new Mac users on 10.7+ could connect, but it's
more important that those users who need to access the wide links still can
(instead of having to mount many different NFS mounts separately), so I'll
have to roll back to using 2.2.8a if I can't get this to work in 3.6.15,
which would be a shame.

Do you or others have any advice as to why it's not working properly for us?

If I use the default options, and set Allow insecure wide links = No [G],
and wide links = No [S], I get the "Access denied" message (as you'd
expect),

however, if I set Allow insecure wide links = Yes [G] and wide links = Yes
[S], I can double click the folder and access it, and even copy files to it,

however like I say, the files then become "hidden", and this is for both PC
and Mac. I can see all the files and newly added/copied files from the
samba server.

So this doesn't sound simply like the many hundreds of "please turn wide
links on" type of posts which I've seen.


Permissions for the actual folders and their links haven't changed since
2.2.8, so I can't see what could be wrong but it must be something to do
with this,
and not just the wide link = yes option since I can open the folder and
copy stuff to it without getting an "Access denied" message.


Any ideas??


Thanks everyone.


Cheers,
Jordan




On Wed, Dec 11, 2013 at 10:11 PM, David Keegel <djk at cyber.com.au> wrote:

> Michael, note the second paragraph quoted from man smb.conf :-
>
>        allow insecure wide links (G)
>
>            In normal operation the option wide links which allows the server
>            to follow symlinks outside of a share path is automatically
>            disabled when unix extensions are enabled on a Samba server. This
>            is done for security purposes to prevent UNIX clients creating
>            symlinks to areas of the server file system that the administrator
>            does not wish to export.
>
>            Setting allow insecure wide links to true disables the link between
>            these two parameters, removing this protection and allowing a site
>            to configure the server to follow symlinks (by setting wide links
>            to "true") even when unix extensions is turned on.
>
>            It is not recommended to enable this option unless you fully
>            understand the implications of allowing the server to follow
>            symbolic links created by UNIX clients. For most normal Samba
>            configurations this would be considered a security hole and setting
>            this parameter is not recommended.
>
> Jordan, please note the third paragraph.  I hope you trust all users who
> can use unix extensions and could access shares that have wide links = yes.
>
> On Wed, Dec 11, 2013 at 09:46:13AM +0100, Michael Adam wrote:
> > Hi,
> >
> > you have to set "unix extensions = no" in order to be able
> > to use wide links. Setting "unix extensions = yes" (the default)
> > automatically disables insecure wide links.
> >
> > Cheers - Michael
> >
> > On 2013-12-11 at 17:34 +1100, Jordan Verschuer wrote:
> > > Hi friends,
> > >
> > >
> > > I updated our old sparc Solaris 9 server running samba 2.2.8a to 3.6.15 so
> > > that Mac 10.7+ users could access this file server.
> > >
> > > However now we can't see files in folders that are links to NFS mounts from
> > > other servers.
> > >
> > > I can access folders/files that are links outside the share but local to
> > > the samba server,
> > >
> > > but for links to folders that are mounted to the server via NFS from other
> > > servers you can double click and get into the folder but you can't see the
> > > files, as if they're hidden.
> > >
> > > For e.g. my folder that I use is large, so I keep it on a separate server
> > > which is mounted to the samba server via NFS;
> > >           mount  -F  nfs  xraid:/Volumes/Sharing_RAID/Sharing  /raid1
> > >
> > > and my folder under this is linked to the samba share folder called
> > > "biograph";
> > >           ln  -s  /raid1/Staff/Jordan  /p3/biograph/Jordan
> > >
> > > The configuration/permissions/ownership for these folders hasn't changed,
> > > and I could access these folders with no problems using 2.2.8a.
> > >
> > > I have read many posts about the "allow insecure wide links" and I think I
> > > have set the correct options for this in smb.conf, with allow insecure wide
> > > links = yes, wide links = yes, follow symlinks = yes, unix extensions = yes
> > > [global] and wide links = yes, follow symlinks = yes [share],
> > >
> > > and if these were set incorrectly, wouldn't I get an "access denied" type
> > > of message appear rather than just showing no files??
> > >
> > > I can even copy files to the linked folder, but they "disappear" or become
> > > hidden after a refresh, and I can see all the linked files via ls on the
> > > samba server, so they are there and the link is ok, and I can open them and
> > > access them fine, for e.g. using more or cat,
> > >
> > > it's just they're no longer "visible" via the samba clients, even though
> > > they were under 2.2.8a.
> > >
> > > I'm thinking it must be a permission issue that's crept in somehow, but
> > > like I say, the ownership/permissions of the links and source files/folders
> > > hasn't changed. Nor the user/password used to access the share, this is the
> > > same, using smbpasswd backend.
> > >
> > >
> > > I've copied my testparm results below for the new smb.conf, as well as the
> > > old smb.conf.
> > >
> > > Any help would be greatly appreciated, thanks for reading.
> > >
> > >
> > > Cheers,
> > > Jordan
> > >
> > >
> > >
> > >
> > > +-----------------------------------------------------------------------------------------------------------------------------
> > > +-----------------------------------------------------------------------------------------------------------------------------
> > > [root at hakea:/usr/local/samba]> testparm /usr/local/samba/lib/smb.conf
> > > Load smb config files from /usr/local/samba/lib/smb.conf
> > > rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
> > > WARNING: The "printer admin" option is deprecated
> > > Processing section "[print$]"
> > > Processing section "[biograph]"
> > > Processing section "[roger]"
> > > Processing section "[X2125-A6]"
> > > Processing section "[wenlf]"
> > > Loaded services file OK.
> > > Server role: ROLE_STANDALONE
> > > Press enter to see a dump of your service definitions
> > >
> > > [global]
> > >   server string = Samba Server
> > >   interfaces = eri0, 152.76.10.3/255.255.255.192
> > >   passdb backend = smbpasswd
> > >   os level = 65
> > >   preferred master = Yes
> > >   domain master = Yes
> > >   wins support = Yes
> > >   remote announce = 152.76.10.255/WORKGROUP
> > >   allow insecure wide links = Yes
> > >   idmap config * : range =
> > >   idmap config * : backend = tdb
> > >   admin users = root, roger, ecat
> > >   printer admin = @ntadmin
> > >   wide links = Yes
> > >
> > > [print$]
> > >   path = /usr/local/samba/printers
> > >   admin users = roger, root
> > >   write list = @ntadmin, root
> > >   guest ok = Yes
> > >
> > > [biograph]
> > >   comment = biograph
> > >   path = /p3/biograph
> > >   valid users = biograph, roger, steve, stefan, ecat, root, lingfeng, jordan
> > >   admin users =
> > >   read only = No
> > >
> > > [roger]
> > >   comment = roger
> > >   path = /home/acacia/roger
> > >   valid users = roger, root
> > >   read only = No
> > >
> > > [X2125-A6]
> > >   comment = X2125 A6
> > >   path = /var/spool/samba/print
> > >   printable = Yes
> > >   print ok = Yes
> > >
> > > [wenlf]
> > >   comment = lingfeng
> > >   path = /home/karri/lingfeng
> > >   valid users = lingfeng
> > >   admin users =
> > >   read only = No
> > >   browseable = No
> > > [root at hakea:/usr/local/samba]>
> > >
> > > +-----------------------------------------------------------------------------------------------------------------------------
> > > +-----------------------------------------------------------------------------------------------------------------------------
> > >
> > >
> > > OLD 2.2.8a smb.conf
> > > +-----------------------------------------------------------------------------------------------------------------------------
> > > +-----------------------------------------------------------------------------------------------------------------------------
> > > # Samba config file created using SWAT
> > > # from libertas.nucmed.rpa.cs.nsw.gov.au (152.76.10.115)
> > > # Date: 2008/10/17 10:57:23
> > >
> > > # Global parameters
> > > [global]
> > >   server string = Samba Server
> > >   interfaces = eri0 152.76.10.3/255.255.255.192
> > >   encrypt passwords = Yes
> > >   os level = 65
> > >   preferred master = Yes
> > >   domain master = Yes
> > >   wins support = Yes
> > >   remote announce = 152.76.10.255/WORKGROUP
> > >   admin users = roger,ecat
> > >   printer admin = @ntadmin
> > >
> > > [print$]
> > >   path = /usr/local/samba/printers
> > >   admin users = roger,root
> > >   write list = @ntadmin,root
> > >   guest ok = Yes
> > >
> > > [biograph]
> > >   comment = biograph
> > >   path = /p3/biograph
> > >   guest account =
> > >   valid users = biograph,roger,steve,stefan,ecat,root
> > >   admin users =
> > >   read only = No
> > >
> > > [roger]
> > >   comment = roger
> > >   path = /home/acacia/roger
> > >   guest account =
> > >   valid users = roger,root
> > >   read only = No
> > >
> > > [X2125-A6]
> > >   comment = X2125 A6
> > >   path = /var/spool/samba/print
> > >   guest account = ftp
> > >   printable = Yes
> > >
> > > [wenlf]
> > >   comment = lingfeng
> > >   path = /home/karri/lingfeng
> > >   guest account =
> > >   valid users = lingfeng
> > >   admin users =
> > >   read only = No
> > >   browseable = No
> > >
> +-----------------------------------------------------------------------------------------------------------------------------
> > >
> +-----------------------------------------------------------------------------------------------------------------------------
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
>
>
> --
> ___________________________________________________________________________
>   David Keegel <djk at cyber.com.au>        Cyber IT Solutions Pty. Ltd.
>    http://www.cyber.com.au/~djk/     Linux & Unix Systems Administration
>
>
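
Added example, not part of the original thread and not Samba's own code: a small audit of the parameter interaction quoted from the man page above. It reports whether a share will really follow wide links and lists the symlinks under a share root that resolve outside it. The sample config is constructed, and the defaults used (`wide links = no`, `unix extensions = yes`) are assumptions about the installed version.

```python
import os

TRUE = {"yes", "true", "1", "on"}

# Constructed sample modelled on the testparm dump in this thread.
SAMPLE_CONF = """
[global]
  allow insecure wide links = Yes
  wide links = Yes
[biograph]
  path = /p3/biograph
  read only = No
[locked]
  path = /srv/locked
  wide links = No
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lower-cased, spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def is_on(conf, section, param, default):
    """Share value first, then [global], then the assumed default."""
    value = conf.get(section, {}).get(param, conf.get("global", {}).get(param, default))
    return value.lower() in TRUE

def wide_links_effective(conf, share):
    """Wide links apply only if set and not cancelled by unix extensions."""
    if not is_on(conf, share, "wide links", "no"):
        return False
    unix_ext = is_on(conf, "global", "unix extensions", "yes")
    return (not unix_ext) or is_on(conf, "global", "allow insecure wide links", "no")

def escaping_symlinks(share_root):
    """List (link, target) pairs where a symlink resolves outside share_root."""
    root = os.path.realpath(share_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            target = os.path.realpath(link)
            if os.path.islink(link) and os.path.commonpath([root, target]) != root:
                found.append((link, target))
    return sorted(found)
```

Run `escaping_symlinks()` on each share path for which `wide_links_effective()` is true; every pair it returns is a location outside the share that clients of that share can reach.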

