[Samba] Share access permission errors after upgrade from 4.12.14

unraidster unraidster at protonmail.com
Mon Jan 15 21:00:21 UTC 2024


On Thursday, 11 January 2024 at 10:36, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Is winbind running ?
> Are you using sssd ?
>
> To be honest, your 'idmap config' block isn't correct, you have:
>
> idmap config * : range = 10000-4000000000
> idmap config * : backend = hash
>
> Lets start with the idmap backend. If you run 'man idmap_hash', the
> very top of that file has this:
>
> IDMAP_HASH(8) System Administration tools
> IDMAP_HASH(8)
>
> NAME
> idmap_hash - DO NOT USE THIS BACKEND
>
> Never mind that you should really only use the 'tdb' backend with the
> default (*) domain, the manpage itself tells you not to use this
> backend.
>
> You also do not seem to have any 'idmap config' lines for the TESTLAB
> domain.
>
> I would expect to see 'idmap config' lines similar to these:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config TESTLAB : backend = rid
> idmap config TESTLAB : range = 10000-4000000000
>
> Do you have any computers that must use SMBv1 ? (windows XP or earlier)
>
> If not, you can probably remove these lines:
>
> ntlm auth = ntlmv1-permitted
> server min protocol = NT1/etc/samba/smb-shares.conf
>
> For various reasons, I would also remove these lines:
>
> host msdfs = No
> ldap ssl = no
> max open files = 40960
> multicast dns register = No
> os level = 100
> server multi channel support = No
> acl allow execute always = Yes
> acl group control = Yes
> aio read size = 0
> aio write size = 0
> dos filemode = Yes
> inherit acls = Yes
> inherit permissions = Yes/etc/samba/smb-shares.conf
> invalid users = root
> fruit:nfs_aces = No
>
> I would definitely remove this line:
>
> null passwords = Yes
>
> All accounts should have a password, if only for security.
>
> I would also add this line:
>
> vfs objects = acl_xattr
>
> If your users are going to connect to the Samba server and have a home
> directory, you might like to add:
>
> template homedir = /home/%U
>
> Otherwise they will get the default path of '/home/TESTLAB/%U'
>
> If they are going to actually log into the server, you should also set:
>
> template shell = /bin/bash
>
> Or the default '/bin/false' will be used and they will not be able to
> log in.
>
> Finally, what is in '/etc/samba/smb-shares.conf' ?

-----------------------------------------------------------------------------
Hi Rowland, thanks for the comprehensive reply. I have worked through your questions and recommendations (tagged [RP]) and included responses/outcomes (tagged [UR]) inline below:

[RP] Is winbind running ?
	[UR] - Can see multiple winbindd processes running, assuming yes.

[RP] Are you using sssd ?
	[UR] - Tried looking for a running process called sssd and searching nsswitch.conf for sss; neither returned a result. Assuming SSSD is not in use (not sure if these were the correct ways to check).

[RP] To be honest, your 'idmap config' block isn't correct, you have:
	idmap config * : range = 10000-4000000000
	idmap config * : backend = hash
	Lets start with the idmap backend. If you run 'man idmap_hash', the
	very top of that file has this:
	IDMAP_HASH(8)             System Administration tools             IDMAP_HASH(8)
	NAME
	idmap_hash - DO NOT USE THIS BACKEND
	Never mind that you should really only use the 'tdb' backend with the
	default (*) domain, the manpage itself tells you not to use this
	backend.
	You also do not seem to have any 'idmap config' lines for the TESTLAB
	domain.
	I would expect to see 'idmap config' lines similar to these:
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	idmap config TESTLAB : backend  = rid
	idmap config TESTLAB : range = 10000-4000000000
	[UR] - I had another version of the configuration that has the IDMAP updated to a recommended configuration. The IDMAP change process required me to add the changes to the configuration and then reconfigure the ACL on the shares. This was all done in v6.9.2 (Samba version 4.12.14) of the Unraid product. The updated IDMAP configuration was tested and confirmed functional from the W10 client. I then upgraded Unraid OS to 6.12.6 (Samba 4.17.1) and tested again. I encountered the same error as in the original post.

[RP] Do you have any computers that must use SMBv1 ? (windows XP or earlier)
	If not, you can probably remove these lines:
	ntlm auth = ntlmv1-permitted
	server min protocol = NT1/etc/samba/smb-shares.conf
	For various reasons, I would also remove these lines:
	host msdfs = No
	ldap ssl = no
	max open files = 40960
	multicast dns register = No
	os level = 100
	server multi channel support = No
	acl allow execute always = Yes
	acl group control = Yes
	aio read size = 0
	aio write size = 0
	dos filemode = Yes
	inherit acls = Yes
	inherit permissions = Yes/etc/samba/smb-shares.conf
	invalid users = root
	fruit:nfs_aces = No
	I would definitely remove this line:
	null passwords = Yes
	All accounts should have a password, if only for security.
	I would also add this line:
	vfs objects = acl_xattr
	If your users are going to connect to the Samba server and have a home
	directory, you might like to add:
	template homedir = /home/%U
	Otherwise they will get the default path of '/home/TESTLAB/%U'
	If they are going to actually log into the server, you should also set:
	template shell = /bin/bash
	Or the default '/bin/false' will be used and they will not be able to
	log in.

	[UR] - multiple responses below.
		- SMBv1 not needed - so modified in config.
		- The Unraid product configures/manages the smb.conf file, but provides an option to add extra lines to the Samba configuration file. I used this to set the items that you recommended removing to their default values. This seems to have removed some of them from the testparm output; others appear to be set to the default value, and others (aio write size, for example) did not seem to use the extra line value. I have also used the "updated IDMAP" version of the configuration in this test to align the configuration as closely as possible to your recommendations:

			Testparm Output: #########################
				# Global parameters
				[global]
					disable spoolss = Yes
					load printers = No
					logging = syslog at 0
					max open files = 16384
					printcap name = /dev/null
					realm = TESTLAB.COM
					security = ADS
					server multi channel support = Yes
					server string = Media server
					show add printer wizard = No
					unix extensions = No
					winbind use default domain = Yes
					workgroup = TESTLAB
					idmap config testlab : range = 1000000-99999999
					idmap config testlab : backend = rid
					idmap config * : range = 3000-7999
					idmap config * : backend = tdb
					acl group control = Yes
					aio write size = 0
					hide dot files = No
					include = /etc/samba/smb-shares.conf
					invalid users = root
					map acl inherit = Yes
					map archive = No
					use sendfile = Yes
					vfs objects = acl_xattr
					wide links = Yes


				[flash]
					comment = Unraid OS boot device
					force user = root
					guest ok = Yes
					map readonly = yes
					path = /boot
					read only = No


				[PrivateShare]
					path = /mnt/user/PrivateShare
					read only = No


				[PublicShare]
					path = /mnt/user/PublicShare
					read only = No
			######################################

		- I don't expect AD user accounts to sign into the Unraid host so did not add the default path/template changes.
		- Test Outcome: Share access from the W10 client throws the same error from the original post. Here is the latest log error:
			Jan 14 22:07:13 UR-Lab smbd[9216]: [2024/01/14 22:07:13.202799,  0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
			Jan 14 22:07:13 UR-Lab smbd[9216]:   chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=1001106, gid=1000513, 11 groups: 1001106 1000513 1001119 1001111 1001115 1001113 1001124 3003 3004 3006 3001
		- Here is an id output of the rwuser (used for share access in the tests):
			root at UR-Lab:~# id rwuser
			uid=1001106(rwuser) gid=1000513(domain users) groups=1000513(domain users),1001106(rwuser),1001119(ur_users),1001111(ur-lab-privateshare-rw),1001115(b-rw),1001113(ur-lab-privateshare-a-rw),1001124(ubuntu_share_rw),3001(BUILTIN\users)

[RP] Finally, what is in '/etc/samba/smb-shares.conf' ?
	[UR] Output from '/etc/samba/smb-shares.conf' ##########################
		[PrivateShare]
			path = /mnt/user/PrivateShare
			comment =
			browseable = yes
			case sensitive = auto
			preserve case = yes
			short preserve case = yes
			writeable = yes
		[PublicShare]
			path = /mnt/user/PublicShare
			comment =
			browseable = yes
			case sensitive = auto
			preserve case = yes
			short preserve case = yes
			writeable = yes
		############################################

Are there any other items you recommend I take a look at?

Thanks for your previous response and anything else you are able to advise, it is very much appreciated.

Best Regards,
Unraidster
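Added example (editorial, not part of this thread and not Samba's own tooling): the smbd line above already tells you the exact Unix token that was denied (uid, gid and 11 supplementary groups), and the testparm output tells you the idmap ranges, so the two can be checked against the share directory's ownership and mode without guessing. The script parses the logged token, maps each id back to its domain and RID under the 'rid' range shown in the testparm output (1000513 is 1000000 + 513, i.e. Domain Users, which confirms the rid mapping is working), and applies the plain POSIX owner/group/other search-bit check that chdir() needs. IDMAP_RANGES, posix_allows and check_path are assumptions for this example; the sample log line is copied from the mail.

```python
import os
import re
import stat
from dataclasses import dataclass

# Matches the chdir_current_service message quoted in the thread.
TOKEN_RE = re.compile(
    r"vfs_ChDir\((?P<path>[^)]*)\) failed: (?P<err>.*?)\. "
    r"Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"(?P<count>\d+) groups: (?P<groups>[\d ]+)"
)

# Assumed from the testparm output in the mail: TESTLAB uses the arithmetic
# 'rid' backend, the default (*) domain uses allocated 'tdb' ids.
IDMAP_RANGES = {
    "TESTLAB": ("rid", 1000000, 99999999),
    "*": ("tdb", 3000, 7999),
}

X_BIT = 1  # search/execute bit within one rwx triplet (r=4, w=2, x=1)


@dataclass(frozen=True)
class Token:
    """The Unix security token smbd reported for the failed chdir."""
    path: str
    uid: int
    gid: int
    groups: frozenset


def parse_token(line: str) -> Token:
    """Extract path, uid, gid and supplementary groups from the log line."""
    m = TOKEN_RE.search(line)
    if m is None:
        raise ValueError("not a chdir_current_service token line")
    groups = [int(g) for g in m["groups"].split()]
    if len(groups) != int(m["count"]):
        raise ValueError("group count does not match group list")
    return Token(m["path"], int(m["uid"]), int(m["gid"]), frozenset(groups))


def id_to_domain_rid(xid: int):
    """Map a uid/gid back to (domain, RID) using IDMAP_RANGES.

    Only the 'rid' backend is arithmetic (id = range low + RID); ids from the
    tdb-backed default domain are allocated, so their RID is reported as None.
    """
    for domain, (backend, lo, hi) in IDMAP_RANGES.items():
        if lo <= xid <= hi:
            return (domain, xid - lo) if backend == "rid" else (domain, None)
    return (None, None)


def posix_allows(mode: int, owner_uid: int, owner_gid: int,
                 token: Token, want: int = X_BIT) -> bool:
    """Classic POSIX mode-bit check: owner triplet, else group, else other.

    chdir() needs the search (x) bit. uid 0 bypasses DAC. POSIX ACLs or the NT
    ACL kept by acl_xattr can grant or deny beyond the mode bits, so False here
    is a first lead for getfacl/samba-tool ntacl, not the final verdict.
    """
    if token.uid == 0:
        return True
    if token.uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid == token.gid or owner_gid in token.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def check_path(token: Token, path: str = None) -> dict:
    """Stat the share path (run on the Samba host) and report the triage."""
    path = path or token.path
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    all_ids = sorted(token.groups | {token.uid, token.gid})
    return {
        "path": path,
        "mode": oct(mode),
        "owner": (st.st_uid, id_to_domain_rid(st.st_uid)),
        "group": (st.st_gid, id_to_domain_rid(st.st_gid)),
        "search_ok_by_mode": posix_allows(mode, st.st_uid, st.st_gid, token),
        "token_rids": {xid: id_to_domain_rid(xid) for xid in all_ids},
    }


# Sample input: the log line copied from the mail above.
SAMPLE_LINE = (
    "Jan 14 22:07:13 UR-Lab smbd[9216]:   chdir_current_service: "
    "vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. "
    "Current token: uid=1001106, gid=1000513, 11 groups: 1001106 1000513 "
    "1001119 1001111 1001115 1001113 1001124 3003 3004 3006 3001"
)

if __name__ == "__main__":
    tok = parse_token(SAMPLE_LINE)
    print(tok)
    print("gid ->", id_to_domain_rid(tok.gid))  # ('TESTLAB', 513): Domain Users
    if os.path.isdir(tok.path):  # only meaningful on the Unraid host itself
        print(check_path(tok))
```

On the server, `check_path(parse_token(line))` against /mnt/user/PrivateShare shows at a glance whether the directory's owner or group appears anywhere in the denied token; if the mode alone should allow search and it still fails, the next things to compare are `getfacl` on the path and the NT ACL that acl_xattr stores, since those were rewritten when the idmap ranges changed.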
