[Samba] [SOLVED] Re: What in samba 4.1 prevents a '/' share?

David C. Rankin drankinatty at suddenlinkmail.com
Fri Jan 10 21:44:39 MST 2014 

On 01/07/2014 09:50 PM, David C. Rankin wrote:
> On 01/07/2014 12:23 AM, David C. Rankin wrote:
>>   I have captured tcpdump traffic during the mount attempts and they point to
>> smb issuing the error, but I'm not that great at reading packet contents, so I'm
>> not entirely sure. But basically, after successful AndX session setup (Tree
>> Connect AndX Request, Path: \\phoinix\config), the request for \\phoinix\config
>> is made and it is found successfully by the server, but then the server response
>> with (Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED) The full ASCII
>> dump of the packet dissection for the STATUS_ACCESS_DENIED packet is:
>>
>>
>> No.     Time        Source                Destination           Protocol Length Info
>>      25 3.487933    192.168.7.16          192.168.7.124         SMB      105
>> Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
> 
> smb gurus,
> 
>   I think I have made headway. I pulled another level 10 debug on the connection
> attempt and in summary when from any client machine, I try to connect to the '/'
> share, the share_access.c:237(user_ok_token) for (user david [me]) is ok for
> //phoinix/config, but when samba then attempts the check for user 'root' is
> fails with User root not in 'valid users'. Basically a terse summary of the
> entries on connect with:
> 
> mount.cifs //phoinix/config /mnt/phx-cfg/ -v -o
> uid=1000,domain=rlfpllc,credentials=/root/cnf/mountcfile,noperm
> 
> [2014/01/07 20:32:58.157111,  5, pid=5405, effective(0, 0), real(0, 0)]
> ../source3/lib/username.c:181(Get_Pwnam_alloc)
>   Finding user david
> 
> <snip>
> 
> [2014/01/07 20:32:58.158932, 10, pid=5405, effective(0, 0), real(0, 0)]
> ../source3/smbd/share_access.c:237(user_ok_token)
>   user_ok_token: share config is ok for unix user david
> [2014/01/07 20:32:58.159036,  5, pid=5405, effective(0, 0), real(0, 0)]
> ../source3/lib/username.c:181(Get_Pwnam_alloc)
>   Finding user root
> 
> <big snip>
> 
> [2014/01/07 20:32:58.176304, 10, pid=5405, effective(0, 0), real(0, 0)]
> ../source3/smbd/share_access.c:215(user_ok_token)
>   User root not in 'valid users'
> 
> <snip>
> 
> [2014/01/07 20:32:58.176620,  3, pid=5405, effective(0, 0), real(0, 0)]
> ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX)
> NT_STATUS_ACCESS_DENIED
> 
>   I've put the full log here:
> 
> http://www.rlfpllc.com/dl/srv/smb/phoinix-level-10.txt.bz2
> 
>   If anyone has any suggestions, I would appreciate them. Thanks.
> 

  I have tested the share incrementally trying without the 'force user' and then
'force group' but I had never removed both at the same time. I just tested that
and BINGO! it works.

  Something in 4.1.3 changed such that 'force user = root' or 'force group =
root' causes the mount to fail. Removing those options allows the config share
to be mounted:

[config]
   comment = Phoinix Config (Archlinux)
   path = /
   valid users = david
;   force user = root
;   force group = root
   browseable = no
   writeable = Yes


[22:34 providence:/home/david] # mount.cifs //phoinix/config /mnt/phx-cfg/ -v -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile
mount.cifs kernel mount options:
ip=192.168.7.16,unc=\\phoinix\config,uid=1000,user=david,pass=********
[22:34 providence:/home/david] # l /mnt/phx-cfg
total 8
<snip>
drwxr-xr-x   4 david root     0 Dec 26 13:02 boot
drwxr-xr-x  58 david david    0 Jan  2 23:51 dat_e
drwxr-xr-x  11 david david    0 Aug 23  2012 dat_f
drwxr-xr-x  17 david root     0 Dec 26 13:05 dev
drwxr-xr-x  71 david root     0 Jan 10 21:01 etc
drwxr-xr-x  14 david root     0 Dec  9 12:17 home
<snip>
[22:34 providence:/home/david] # mount
//phoinix/config on /mnt/phx-cfg type cifs
(rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\config,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,rsize=1048576,wsize=65536,actimeo=1)

  Thanks to all that helped, that's what keeps the debug process going. We may
want to drop a note in
http://www.samba.org/samba/docs/using_samba/ch09.html#samba2-CHP-9-SECT-2 (or
somewhere) letting folks know that force user/group = root will cause the mount
to fail in 4.1.3 even though 'invalid users' is not set.

-- 
David C. Rankin, J.D.,P.E.

More information about the samba mailing list