[Samba] Can't write to a samba share mounted as an AD user

Eric Altman eric at lumaforge.com
Thu Aug 2 17:11:20 UTC 2018


If I’m not confused though, I believe pisymbol CAN get a mount. 

It’s just that the mount has read-only access despite the file ownership and modes being set to give full read-write?

-E

> On Aug 2, 2018, at 8:56 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Thu, 2 Aug 2018 11:17:47 -0400
> pisymbol <pisymbol at gmail.com> wrote:
> 
>> On Thu, Aug 2, 2018 at 11:11 AM, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>> 
>>> On Thu, 2 Aug 2018 11:02:45 -0400
>>> pisymbol <pisymbol at gmail.com> wrote:
>>> 
>>>> Whoops! Replying to all!
>>>> 
>>>> On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
>>>> samba at lists.samba.org> wrote:
>>>> 
>>>>> On Thu, 2 Aug 2018 10:43:26 -0400
>>>>> pisymbol via samba <samba at lists.samba.org> wrote:
>>>>> 
>>>>>> Full disclosure: This is an exported share on a QNAP NAS
>>>>>> device.
>>>>> 
>>>>> Even fuller disclosure ;-)
>>>>> You haven't given us enough info
>>>>> 
>>>> 
>>>> I can facilitate though.
>>>> 
>>>> 
>>>>> What version of Samba is the QNAP NAS using ?
>>>>> 
>>>> 
>>>> 4.4.16
>>>> 
>>>>> What is in smb.conf ?
>>>>> 
>>>> 
>>>> A lot of stuff as you can imagine.
>>> 
>>> Yes and it will remain imaginary until you post it
>>> 
>> 
>> [admin at outerdrive ~]# cat /etc/config/smb.conf
>> [global]
>> realm = ACME.COM
>> passdb backend = smbpasswd
>> workgroup = ACME
>> security = ADS       #### NOTE: I had to change this to ADS to get this toaster oven to join AD
>> server string =
>> encrypt passwords = Yes
>> username level = 0
>> map to guest = Bad User
>> null passwords = yes
>> max log size = 10
>> socket options = TCP_NODELAY SO_KEEPALIVE
>> os level = 20
>> preferred master = no
>> dns proxy = No
>> smb passwd file=/etc/config/smbpasswd
>> username map = /etc/config/smbusers
>> guest account = guest
>> directory mask = 0777
>> create mask = 0777
>> oplocks = yes
>> locking = yes
>> disable spoolss = no
>> load printers = yes
>> veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/.@__qini/.Qsync/.@upload_cache/.qsync/.qsync_sn/.@qsys/.streams/.digest/
>> delete veto files = yes
>> map archive = no
>> map system = no
>> map hidden = no
>> map read only = no
>> deadtime = 10
>> server role = auto
>> use sendfile = yes
>> unix extensions = no
>> store dos attributes = yes
>> client ntlmv2 auth = yes
>> dos filetime resolution = no
>> follow symlinks = yes
>> wide links = yes
>> force unknown acl user = yes
>> template homedir = /share/homes/DOMAIN=%D/%U
>> inherit acls = yes
>> domain logons = no
>> min receivefile size = 256
>> case sensitive = auto
>> domain master = auto
>> local master = no
>> enhance acl v1 = yes
>> remove everyone = yes
>> conn log = no
>> kernel oplocks = no
>> min protocol = LANMAN1
>> smb2 leases = yes
>> durable handles = yes
>> kernel share modes = no
>> posix locking = no
>> lock directory = /share/CACHEDEV1_DATA/.samba/lock
>> state directory = /share/CACHEDEV1_DATA/.samba/state
>> cache directory = /share/CACHEDEV1_DATA/.samba/cache
>> printcap cache time = 0
>> acl allow execute always = yes
>> server signing = disabled
>> aio read size = 1
>> aio write size = 0
>> streams_depot:delete_lost = yes
>> streams_depot:check_valid = no
>> fruit:nfs_aces = no
>> fruit:veto_appledouble = no
>> winbind expand groups = 1
>> pid directory = /var/lock
>> printcap name = /etc/printcap
>> printing = cups
>> show add printer wizard = no
>> host msdfs = yes
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> wins support = no
>> name resolve order = host bcast
>> max protocol = SMB2_10
>> vfs objects = shadow_copy2 acl_xattr catia fruit qnap_macea streams_depot aio_pthread
>> 
>> [Multimedia]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Multimedia
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list = @"everyone"
>> write list = "admin"
>> valid users = "root",@"everyone","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Multimedia/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Multimedia
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>> 
>> [Download]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Download
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list =
>> write list = "admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Download/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Download
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>> 
>> [Web]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Web
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list =
>> write list = "admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Web/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Web
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>> 
>> [Public]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Public
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = yes
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list = @"everyone"
>> write list = "admin",@"ACME\Users"
>> valid users = "root",@"everyone","admin",@"ACME\Users"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Public/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Public
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>> 
>> [homes]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/homes
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users =
>> read list =
>> write list = "admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/homes/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/homes
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> mangled names = yes
>> 
>> [printers]
>> use client driver = yes
>> writable = no
>> browsable = no
>> printable = yes
>> guest ok = yes
>> path = /var/spool/smb
>> 
>> [home]
>> comment = Home
>> path = %H
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> inherit permissions = yes
>> invalid users = guest
>> writable = yes
>> read list = "%u"
>> write list = "%u"
>> valid users = "%u"
>> root preexec = /sbin/create_home -u '%q'
>> shadow:snapdir = /share/CACHEDEV1_DATA/homes/../_.share/homes/.snapshot
>> shadow:basedir = %H
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> 
> Was this NAS a 'standalone server' at some point ?
> 
> It certainly looks like it to me; two things point that way: one, you
> are using the deprecated 'smbpasswd' 'passdb backend', and the other is
> that you have no authentication lines in smb.conf. Without
> authentication, the only user who could connect would be the guest
> user, but you have explicitly denied this with 'invalid users =
> "guest"'.
> 
> Rowland
> 
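As an added illustration (not code from the thread or from QNAP/Samba): a small script that evaluates, from the posted share definitions, what access a connecting user ends up with. The smb.conf excerpt is constructed from the access-control keys of the posted [Multimedia] and [Public] shares; group membership (for example that an AD user lands in the NAS's "everyone" group) is assumed input, and the precedence order follows the smb.conf man page (invalid users over valid users, write list over read list).

```python
import re
# Constructed excerpt of the smb.conf posted in the thread (access-control keys of two
# shares only), embedded inline so the script runs offline.
SMB_CONF = r"""
[Multimedia]
read list = @"everyone"
write list = "admin"
valid users = "root",@"everyone","admin"
invalid users = "guest"
[Public]
read list = @"everyone"
write list = "admin",@"ACME\Users"
valid users = "root",@"everyone","admin",@"ACME\Users"
invalid users = "guest"
"""

def parse_smb_conf(text):
    """Minimal [section] / key = value parser; keys lower-cased, '#' comments dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][key.strip().lower()] = val.strip()
    return conf

def parse_list(value):
    """'"root",@"everyone"' -> [("user", "root"), ("group", "everyone")] (QNAP quoting)."""
    return [("group" if tok.startswith("@") else "user", tok.lstrip("@").strip('"'))
            for tok in re.findall(r'@?"[^"]*"|@?[^,\s]+', value)]

def effective_access(conf, share, user, groups):
    """Return 'denied', 'read-only' or 'read-write' for user (member of groups) on share."""
    s = conf[share]
    def matches(key):
        return any((kind == "user" and name == user) or (kind == "group" and name in groups)
                   for kind, name in parse_list(s.get(key, "")))
    if matches("invalid users"):            # invalid users takes precedence over valid users
        return "denied"
    if s.get("valid users", "") and not matches("valid users"):
        return "denied"
    if matches("write list"):               # write list wins over read list and 'read only'
        return "read-write"
    if matches("read list"):
        return "read-only"
    return "read-write" if s.get("writable", "no").lower() == "yes" else "read-only"  # default: read only
```

For an AD user who is only a member of "everyone", [Multimedia] yields read-only access (write list contains only "admin"), which matches the symptom in the thread, while [Public] grants write access through @"ACME\Users".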