[Samba] widelinks_warning - but unix extensions *are* off

Thomas Werschlein thomas.werschlein at geo.uzh.ch
Wed Nov 4 14:57:36 UTC 2015 

> On 03.11.2015, at 11:50, Thomas Werschlein <thomas.werschlein at geo.uzh.ch> wrote:
> 
>> 
>> On 02.11.2015, at 20:25, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>> 
>> On 02/11/15 17:08, Thomas Werschlein wrote:
>>>> On 02.11.2015, at 16:25, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>>> 
>>>> Well he didn't write what I asked for, can you please post your entire smb.conf, please do not use testparm, please post as is (although you can sanitise any sensitive info)
>>> Sorry, missed that part. Here we go.
>>> Regards, Thomas
>>> 
>>> [global]
>>>  available = yes
>>>  smb2 leases = yes
>>>  dbwrap_tdb_mutexes:* = yes
>>> 
>>>  fruit:resource = xattr
>>>  kerberos method = system keytab
>>> 
>>>  smb ports = 445
>>> 
>>>  log level = 0
>>>  log file =/usr/local/samba-4.2.5/var/logs_per_client/log.%m
>>> 
>>>  max open files = 262144
>>> 
>>>  realm = D.SOME.ORG.TLD
>>>  workgroup = D
>>>  security = ADS
>>>  disable netbios = yes
>>>  local master = no
>>>  domain master = no
>>> 
>>>  host msdfs = no
>>> 
>>>  idmap config * : backend = tdb
>>>  idmap config * : range = 1000000-1999999
>>>  idmap config D : backend  = nss
>>>  idmap config D : range = 1000-999999
>>>  idmap negative cache time = 0
>>> 
>>>  netbios name = FSRV
>>>  server signing = auto
>>>  create mask = 0644
>>>  server string =
>>>  hide dot files = yes
>>>  hide files = /Maildir/$RECYCLE.BIN/desktop.ini
>>>  load printers = no
>>>  printing = bsd
>>>  printcap name = /dev/null
>>>  deadtime = 15
>>> 
>>>  interfaces = 192.168.222.77/32
>>>  bind interfaces only = yes
>>> 
>>>  unix extensions = no
>>> 
>>>  map untrusted to domain = yes
>>> 
>>>  username map script = /usr/local/samba-4.2.5/etc/samba/mapcomputers.sh
>>> 
>>>  shadow:snapdir = .zfs/snapshot
>>>  shadow:sort = desc
>>>  shadow:localtime = yes
>>>  shadow:format = %Y%m%d%H%M
>>>  wide links = yes
>>> 
>>>  vfs objects = full_audit
>>>  full_audit:prefix = %u|%I|%m|%S
>>>  full_audit:success = mkdir rename rmdir pwrite
>>>  full_audit:failure = none
>>>  full_audit:facility = LOCAL7
>>>  full_audit:priority = NOTICE
>>> 
>>>  aio read size = 1
>>>  aio write size =1
>>> 
>>> [homes]
>>>  path = /pool1/home/%S
>>>  read only = no
>>>  browseable = no
>>>  create mask = 0640
>>>  directory mask = 0750
>>>  ea support = yes
>>>  store dos attributes = yes
>>> 
>>>  vfs objects = shadow_copy2 fruit streams_xattr zfsacl full_audit
>>>  nt acl support = yes
>>>  inherit acls = no
>>> 
>>> [group]
>>>  read only = no
>>>  path = /pool1/group
>>>  hide unreadable = yes
>>>  comment = Group spaces of %U
>>>  create mask = 0660
>>>  directory mask = 0770
>>>  force create mode = 0660
>>>  force directory mode = 0770
>>>  ea support = yes
>>>  store dos attributes = yes
>>>  map archive = No
>>>  map hidden = No
>>>  map system = No
>>>  map readonly = No
>>>  vfs objects = fruit streams_xattr zfsacl
>>>  acl map full control = False
>>>  nt acl support = no
>>>  inherit acls = no
>>> 
>>> [web]
>>>  read only = no
>>>  path = /pool1/web
>>>  hide unreadable = yes
>>>  comment = Web spaces
>>>  create mask = 0664
>>>  directory mask = 0775
>>>  force create mode = 0664
>>>  force directory mode = 0775
>>>  ea support = yes
>>>  store dos attributes = yes
>>>  map archive = No
>>>  map hidden = No
>>>  map system = No
>>>  map readonly = No
>>>  vfs objects = zfsacl full_audit
>>>  acl map full control = False
>>>  nt acl support = no
>>>  inherit acls = no
>>> 
>>> [data]
>>>  path = /pool1/data
>>>  hide unreadable = yes
>>>  read only = no
>>>  ea support = yes
>>>  store dos attributes = yes
>>>  map archive = No
>>>  map hidden = No
>>>  map system = No
>>>  map readonly = No
>>>  vfs objects = zfsacl full_audit
>>>  acl map full control = False
>>>  nt acl support = no
>>>  inherit acls = no
>>> 
>>> 
>> 
>> 'unix extensions' is supposed to be set as a global option and if turned on, is supposed to automatically turn off 'wide links'. However 'wide links' has been set to on, but globally rather than on a share by share basis, this should turn off the warning message you are getting, but isn't. Perhaps the reason is the way you have set 'wide links', try using it on a share by share basis and see if it stops the messages. If that doesn't work, you could try adding 'allow insecure wide links' to the global section of your smb.conf
>> 
>> Rowland
> 
> Thanks for pointing out that 'wide links' is a per share option. We (mis-)used it as global option ever since samba 3.5.x, when the default for 'wide links' changed. Made it a share option now. I'll report back if it stopped the messages.
> 
> Best, Thomas

Still throwing the warning message. Now that 'wide link=yes' is not defined as default for every share, it's clear that samba gets it's config messed up somehow:

[2015/11/04 13:51:51.777783,  0] ../source3/param/loadparm.c:4306(widelinks_warning)
  Share 'web' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.

The share 'web' does not have vfs_shadow_copy2 enabled, therefore no need for 'wide links'. Still, the warning message pops up (and no, 'allow insecure wide links' does not prevent it neither). BTW: I just double checked, defining 'wide link' in the global section is fine according to the man page. No misuse there.

To me, it still looks like a nasty runtime problem, not a configuration issue.

Regards, Thomas

More information about the samba mailing list