[Samba] Allow insecure wide links = yes, wide links =yes; but I still can't "see" files from links to NFS mounts using 3.6.15, after upgrading from 2.2.8a

David Keegel djk at cyber.com.au
Wed Dec 11 04:11:43 MST 2013


Michael, note the second paragraph quoted from man smb.conf :-

       allow insecure wide links (G)

           In normal operation the option wide links which allows the server
           to follow symlinks outside of a share path is automatically
           disabled when unix extensions are enabled on a Samba server.  This
           is done for security purposes to prevent UNIX clients creating
           symlinks to areas of the server file system that the administrator
           does not wish to export.

           Setting allow insecure wide links to true disables the link between
           these two parameters, removing this protection and allowing a site
           to configure the server to follow symlinks (by setting wide links
           to "true") even when unix extensions is turned on.

           It is not recommended to enable this option unless you fully
           understand the implications of allowing the server to follow
           symbolic links created by UNIX clients. For most normal Samba
           configurations this would be considered a security hole and setting
           this parameter is not recommended.

Jordan, please note the third paragraph.  I hope you trust all users who
can use unix extensions and could access shares that have wide links = yes.

On Wed, Dec 11, 2013 at 09:46:13AM +0100, Michael Adam wrote:
> Hi,
> 
> you have to set "unix extensions = no" in order to be able
> to use wide links. Setting "unix extensions = yes" (the default)
> automatically disables insecure wide links.
> 
> Cheers - Michael
> 
> On 2013-12-11 at 17:34 +1100, Jordan Verschuer wrote:
> > Hi friends,
> > 
> > 
> > I updated our old sparc Solaris 9 server running samba 2.2.8a to 3.6.15 so
> > that Mac 10.7+ users could access this file server.
> > 
> > However now we can't see files in folders that are links to NFS mounts from
> > other servers.
> > 
> > I can access folders/files that are links outside the share but local to
> > the samba server,
> > 
> > but for links to folders that are mounted to the server via NFS from other
> > servers you can double click and get into the folder but you can't see the
> > files, as if they're hidden.
> > 
> > For e.g. my folder that I use is large, so I keep it on a separate server
> > which is mounted to the samba server via NFS;
> >           mount  -F  nfs  xraid:/Volumes/Sharing_RAID/Sharing  /raid1
> > 
> > and my folder under this is linked to the samba share folder called
> > "biograph";
> >           ln  -s  /raid1/Staff/Jordan  /p3/biograph/Jordan
> > 
> > The configuration/permissions/ownership for these folders hasn't changed,
> > and I could access these folders with no problems using 2.2.8a.
> > 
> > I have read many posts about the "allow insecure wide links" and I think I
> > have set the correct options for this in smb.conf, with allow insecure wide
> > links = yes, wide links = yes, follow symlinks = yes, unix extensions = yes
> > [global] and wide links = yes, follow symlinks = yes [share],
> > 
> > and if these were set incorrectly, wouldn't I get an "access denied" type
> > of message appear rather than just showing no files??
> > 
> > I can even copy files to the linked folder, but they "disappear" or become
> > hidden after a refresh, and I can see all the linked files via ls on the
> > samba server, so they are there and the link is ok, and I can open them and
> > access them fine, for e.g. using more or cat,
> > 
> > it's just they're no longer "visible" via the samba clients, even though
> > they were under 2.2.8a.
> > 
> > I'm thinking it must be a permission issue that's crept in somehow, but
> > like I say, the ownership/permissions of the links and source files/folders
> > hasn't changed. Nor the user/password used to access the share, this is the
> > same, using smbpasswd backend.
> > 
> > 
> > I've copied my testparm results below for the new smb.conf, as well as the
> > old smb.conf.
> > 
> > Any help would be greatly appreciated, thanks for reading.
> > 
> > 
> > Cheers,
> > Jordan
> > 
> > 
> > 
> > +-----------------------------------------------------------------------------------------------------------------------------
> > +-----------------------------------------------------------------------------------------------------------------------------
> > [root at hakea:/usr/local/samba]> testparm /usr/local/samba/lib/smb.conf
> > Load smb config files from /usr/local/samba/lib/smb.conf
> > rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
> > WARNING: The "printer admin" option is deprecated
> > Processing section "[print$]"
> > Processing section "[biograph]"
> > Processing section "[roger]"
> > Processing section "[X2125-A6]"
> > Processing section "[wenlf]"
> > Loaded services file OK.
> > Server role: ROLE_STANDALONE
> > Press enter to see a dump of your service definitions
> > 
> > [global]
> >   server string = Samba Server
> >   interfaces = eri0, 152.76.10.3/255.255.255.192
> >   passdb backend = smbpasswd
> >   os level = 65
> >   preferred master = Yes
> >   domain master = Yes
> >   wins support = Yes
> >   remote announce = 152.76.10.255/WORKGROUP
> >   allow insecure wide links = Yes
> >   idmap config * : range =
> >   idmap config * : backend = tdb
> >   admin users = root, roger, ecat
> >   printer admin = @ntadmin
> >   wide links = Yes
> > 
> > [print$]
> >   path = /usr/local/samba/printers
> >   admin users = roger, root
> >   write list = @ntadmin, root
> >   guest ok = Yes
> > 
> > [biograph]
> >   comment = biograph
> >   path = /p3/biograph
> >   valid users = biograph, roger, steve, stefan, ecat, root, lingfeng, jordan
> >   admin users =
> >   read only = No
> > 
> > [roger]
> >   comment = roger
> >   path = /home/acacia/roger
> >   valid users = roger, root
> >   read only = No
> > 
> > [X2125-A6]
> >   comment = X2125 A6
> >   path = /var/spool/samba/print
> >   printable = Yes
> >   print ok = Yes
> > 
> > [wenlf]
> >   comment = lingfeng
> >   path = /home/karri/lingfeng
> >   valid users = lingfeng
> >   admin users =
> >   read only = No
> >   browseable = No
> > [root at hakea:/usr/local/samba]>
> > +-----------------------------------------------------------------------------------------------------------------------------
> > +-----------------------------------------------------------------------------------------------------------------------------
> > 
> > 
> > OLD 2.2.8a smb.conf
> > +-----------------------------------------------------------------------------------------------------------------------------
> > +-----------------------------------------------------------------------------------------------------------------------------
> > # Samba config file created using SWAT
> > # from libertas.nucmed.rpa.cs.nsw.gov.au (152.76.10.115)
> > # Date: 2008/10/17 10:57:23
> > 
> > # Global parameters
> > [global]
> >   server string = Samba Server
> >   interfaces = eri0 152.76.10.3/255.255.255.192
> >   encrypt passwords = Yes
> >   os level = 65
> >   preferred master = Yes
> >   domain master = Yes
> >   wins support = Yes
> >   remote announce = 152.76.10.255/WORKGROUP
> >   admin users = roger,ecat
> >   printer admin = @ntadmin
> > 
> > [print$]
> >   path = /usr/local/samba/printers
> >   admin users = roger,root
> >   write list = @ntadmin,root
> >   guest ok = Yes
> > 
> > [biograph]
> >   comment = biograph
> >   path = /p3/biograph
> >   guest account =
> >   valid users = biograph,roger,steve,stefan,ecat,root
> >   admin users =
> >   read only = No
> > 
> > [roger]
> >   comment = roger
> >   path = /home/acacia/roger
> >   guest account =
> >   valid users = roger,root
> >   read only = No
> > 
> > [X2125-A6]
> >   comment = X2125 A6
> >   path = /var/spool/samba/print
> >   guest account = ftp
> >   printable = Yes
> > 
> > [wenlf]
> >   comment = lingfeng
> >   path = /home/karri/lingfeng
> >   guest account =
> >   valid users = lingfeng
> >   admin users =
> >   read only = No
> >   browseable = No
> > +-----------------------------------------------------------------------------------------------------------------------------
> > +-----------------------------------------------------------------------------------------------------------------------------
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba





-- 
___________________________________________________________________________
  David Keegel <djk at cyber.com.au>        Cyber IT Solutions Pty. Ltd.   
   http://www.cyber.com.au/~djk/     Linux & Unix Systems Administration 
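
The parameter interaction described in the quoted man page text can be checked mechanically. The following is an added example, not part of the original message or of Samba itself: it reads smb.conf-style text and reports, per share, whether wide links are off, suppressed by unix extensions, or active only because allow insecure wide links overrides that protection. The function names, the result labels and the [scratch] share are assumptions made for illustration; backslash line continuations and include files are not handled.

```python
import re

# Samba defaults for the three parameters (unix extensions is on by default).
DEFAULTS = {"widelinks": "no", "unixextensions": "yes",
            "allowinsecurewidelinks": "no"}
TRUE = {"yes", "true", "on", "1"}

# Constructed sample, abridged from the testparm dump quoted in the thread;
# the [scratch] share is hypothetical.
SAMPLE = """
[global]
  allow insecure wide links = Yes
  wide links = Yes
[biograph]
  path = /p3/biograph
[scratch]
  wide links = No
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces removed."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current]["".join(key.split()).lower()] = value.strip()
    return sections

def audit_wide_links(text):
    """Map each share to 'off', 'suppressed', 'on' or 'INSECURE'."""
    conf = parse_smb_conf(text)
    g = {**DEFAULTS, **conf["global"]}
    is_on = lambda v: v.lower() in TRUE
    unix_ext = is_on(g["unixextensions"])
    override = is_on(g["allowinsecurewidelinks"])
    report = {}
    for name, params in conf.items():
        if name != "global":
            wide = is_on(params.get("widelinks", g["widelinks"]))
            report[name] = ("off" if not wide else
                            "on" if not unix_ext else
                            "INSECURE" if override else "suppressed")
    return report
```

A share reported as INSECURE follows symlinks outside its path while UNIX clients can still create them, which is the case the third man page paragraph warns about.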


