[Samba] Can't write to a samba share mounted as an AD user

Rowland Penny rpenny at samba.org
Thu Aug 2 15:56:40 UTC 2018 

On Thu, 2 Aug 2018 11:17:47 -0400
pisymbol <pisymbol at gmail.com> wrote:

> On Thu, Aug 2, 2018 at 11:11 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Thu, 2 Aug 2018 11:02:45 -0400
> > pisymbol <pisymbol at gmail.com> wrote:
> >
> > > Whoops! Replying to all!
> > >
> > > On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
> > > samba at lists.samba.org> wrote:
> > >
> > > > On Thu, 2 Aug 2018 10:43:26 -0400
> > > > pisymbol via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > Full disclosure: This is an exported share on a QNAP NAS
> > > > > device.
> > > >
> > > > Even fuller disclosure ;-)
> > > > You haven't given us enough info
> > > >
> > >
> > > I can facilitate though.
> > >
> > >
> > > > What version of Samba is the QNAP NAS using ?
> > > >
> > >
> > > 4.4.16
> > >
> > > What is in smb.conf ?
> > > >
> > >
> > > A lot of stuff as you can imagine.
> >
> > Yes and it will remain imaginary until you post it
> >
> 
> [admin at outerdrive ~]# cat /etc/config/smb.conf
> [global]
> realm = ACME.COM
> passdb backend = smbpasswd
> workgroup = ACME
> security = ADS       #### NOTE: I had to change this to ADS to get
> this toaster oven to join AD
> server string =
> encrypt passwords = Yes
> username level = 0
> map to guest = Bad User
> null passwords = yes
> max log size = 10
> socket options = TCP_NODELAY SO_KEEPALIVE
> os level = 20
> preferred master = no
> dns proxy = No
> smb passwd file=/etc/config/smbpasswd
> username map = /etc/config/smbusers
> guest account = guest
> directory mask = 0777
> create mask = 0777
> oplocks = yes
> locking = yes
> disable spoolss = no
> load printers = yes
> veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network
> Trash Folder/Temporary
> Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/. at __qini/.Qsync/. at upload_cache/.qsync/.qsync_sn/. at qsys/.streams/.digest/
> delete veto files = yes
> map archive = no
> map system = no
> map hidden = no
> map read only = no
> deadtime = 10
> server role = auto
> use sendfile = yes
> unix extensions = no
> store dos attributes = yes
> client ntlmv2 auth = yes
> dos filetime resolution = no
> follow symlinks = yes
> wide links = yes
> force unknown acl user = yes
> template homedir = /share/homes/DOMAIN=%D/%U
> inherit acls = yes
> domain logons = no
> min receivefile size = 256
> case sensitive = auto
> domain master = auto
> local master = no
> enhance acl v1 = yes
> remove everyone = yes
> conn log = no
> kernel oplocks = no
> min protocol = LANMAN1
> smb2 leases = yes
> durable handles = yes
> kernel share modes = no
> posix locking = no
> lock directory = /share/CACHEDEV1_DATA/.samba/lock
> state directory = /share/CACHEDEV1_DATA/.samba/state
> cache directory = /share/CACHEDEV1_DATA/.samba/cache
> printcap cache time = 0
> acl allow execute always = yes
> server signing = disabled
> aio read size = 1
> aio write size = 0
> streams_depot:delete_lost = yes
> streams_depot:check_valid = no
> fruit:nfs_aces = no
> fruit:veto_appledouble = no
> winbind expand groups = 1
> pid directory = /var/lock
> printcap name = /etc/printcap
> printing = cups
> show add printer wizard = no
> host msdfs = yes
> winbind enum groups = Yes
> winbind enum users = Yes
> wins support = no
> name resolve order = host bcast
> max protocol = SMB2_10
> vfs objects =  shadow_copy2 acl_xattr catia fruit qnap_macea
> streams_depot aio_pthread
> 
> [Multimedia]
> comment = System default share
> path = /share/CACHEDEV1_DATA/Multimedia
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = no
> qbox = no
> public = yes
> invalid users = "guest"
> read list = @"everyone"
> write list = "admin"
> valid users = "root",@"everyone","admin"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Multimedia/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/Multimedia
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> strict allocate = yes
> streams_depot:check_valid = yes
> mangled names = yes
> 
> [Download]
> comment = System default share
> path = /share/CACHEDEV1_DATA/Download
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = no
> qbox = no
> public = yes
> invalid users = "guest"
> read list =
> write list = "admin"
> valid users = "root","admin"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Download/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/Download
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> strict allocate = yes
> streams_depot:check_valid = yes
> mangled names = yes
> 
> [Web]
> comment = System default share
> path = /share/CACHEDEV1_DATA/Web
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = no
> qbox = no
> public = yes
> invalid users = "guest"
> read list =
> write list = "admin"
> valid users = "root","admin"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Web/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/Web
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> strict allocate = yes
> streams_depot:check_valid = yes
> mangled names = yes
> 
> [Public]
> comment = System default share
> path = /share/CACHEDEV1_DATA/Public
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = yes
> qbox = no
> public = yes
> invalid users = "guest"
> read list = @"everyone"
> write list = "admin",@"ACME\Users"
> valid users = "root",@"everyone","admin",@"ACME\Users"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Public/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/Public
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> strict allocate = yes
> streams_depot:check_valid = yes
> mangled names = yes
> 
> [homes]
> comment = System default share
> path = /share/CACHEDEV1_DATA/homes
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = no
> qbox = no
> public = yes
> invalid users =
> read list =
> write list = "admin"
> valid users = "root","admin"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/homes/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/homes
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> mangled names = yes
> 
> [printers]
> use client driver = yes
> writable = no
> browsable = no
> printable = yes
> guest ok = yes
> path = /var/spool/smb
> 
> [home]
> comment = Home
> path = %H
> browsable = yes
> oplocks = yes
> ftp write only = no
> inherit permissions = yes
> invalid users = guest
> writable = yes
> read list = "%u"
> write list = "%u"
> valid users = "%u"
> root preexec = /sbin/create_home -u '%q'
> shadow:snapdir
> = /share/CACHEDEV1_DATA/homes/../_.share/homes/.snapshot
> shadow:basedir = %H shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S

Was this NAS a 'standalone server' at some point ?

It certainly looks like it to me, two things point that way, one you
are using the deprecated 'smbpasswd' 'passdb backend' and the other is
that you have no authentication lines in smb.conf. Without
authentication, the only user who could connect, would be the guest
user, but you have explicitly denied this with 'invalid users =
"guest"'

Rowland

More information about the samba mailing list