[Samba] Share access permission errors after upgrade from 4.12.14
Rowland Penny
rpenny at samba.org
Wed Jan 24 10:51:17 UTC 2024
On Tue, 23 Jan 2024 21:47:27 +0000
unraidster via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
> Thanks for getting back to me, appreciate your time and help.
> Apologies for the long response, I have tried to include as much
> information as possible.
>
> On Friday, 19 January 2024 at 10:12, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > Sorry to be so long in replying to this, but life got in the way.
> >
> > You initially had an incorrect smb.conf and you changed it, but by
> > doing so you will have changed the user & group IDs, not their
> > names, the numbers. You will probably need to change the user &
> > group ownership of all directories & files and run 'net cache
> > flush' as root.
> >
> > You also say this is on a computer running unraid, did your initial
> > smb.conf come from just clicking things on a 'web page' on your
> > unraid box ?
> >
> > Rowland
>
> Here is a summary of how I changed the IDMAP configuration within
> Unraid 6.9.2.:
> • Configured the idmap within the samba configuration (within
> Unraid this is done using a feature they call "Samba extra
> configuration:" in the GUI which adds an include to the smb.conf
> file).
> • Ran "net cache flush"
> • Renamed all of the .tdb files within /var/lib/samba/. (did
> wonder if I should have done this, and if I should have done it
> before the net cache flush)
> • Started the array (which I believe starts samba).
> • At this stage, the shares are not accessible, even by the
> owner (ur_admin), as you stated the ID values will have changed.
> • Ran "chown ur_admin:ur-lab_access" on the /mnt/user and
> /mnt/user/PrivateShare as root.
> • Applied Permissions back onto the /mnt/user/PrivateShare
> folder using a Windows domain member logged in as TESTLAB\ur_admin
> via access to the share. ○ Update: UR_Admin User - Change Apply To
> from "This Folder" to "This folder, subfolders and files". ○ Add: _RO
> Group - RO access applied to "This folder, subfolders and files". ○
> Add: _RW Group - RW access applied to "This folder, subfolders and
> files". ○ Remove the Everyone Permission ○ Remove the stale IDs ○
> Ensure the "Replace all child object permission entries with
> inheritable permission entries from this object" option is selected
> at all update/add steps.
> • Tested access: share accessible from the rwuser (member of
> _RW group), ur_admin, and rouser (member of _RO group) accounts.
> • {I have the environment snapshotted to this state so can
> return to this point at any time).
> • As part of your recent message, I applied the
> recommendations to the smb.conf file using the "Samba extra
> configuration:" feature of Unraid to make the recommended removals
> from the smb.conf. ntlm auth = ntlmv2-only server min protocol =
> SMB2_02 host msdfs = yes ldap ssl = start tls
> max open files = 16384
> multicast dns register = yes
> os level = 20
> server multi channel support = yes
> acl allow execute always = no
> aio read size = 1
> aio write size = 1
> dos filemode = no
> inherit acls = no
> inherit permissions = no
> null passwords = no
> vfs objects = acl_xattr
> acl group control = no
> • Tested access: the share is accessible as detailed above
> (still Unraid 6.9.2).
> • Upgraded this environment to Unraid 6.12.6 and then
> attempted access using the rwuser account results in the errors.
> • Note: The configuration outputs I have posted in all of my
> previous messages on the messaging list have been captured by running
> testparm as root.
> • Note: The "Samba extra configuration:" is modified via the
> web GUI.
>
> On Fri, 19 Jan 2024 10:12:12 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > So, I took a wander over to the unraid community forum and found a
> > post which seems to say that this problem has been going on for
> > nearly a year, is this correct ?
> >
> > I was hoping to possibly find a link to the source, but couldn't
> > find one, so I have no idea just what the default smb.conf is.
> >
> > Rowland
>
> You may have seen my post on the community forums, I have been
> attempting to find a resolution to the issue since I first posted
> earlier last year, and others have also reported the same error as
> far back as September 2022. I have been getting this error since
> Unraid 6.10.3 which was built with Samba 4.15.7. I am not sure about
> the source, but I can try and message the Unraid support team if
> there is anything specific you would like me to look into.
>
> I thought a a clean install of Unraid 6.12.6 (without any
> configuration) may help with the default smb.conf query. I have
> included the contents of smb.conf (and additional included conf
> files) from a fresh Unraid 6.12.6 install below:
>
> Clean Install .conf files
> =============================================
> smb.conf (clean install)
> root at Tower:~# cat /etc/samba/smb.conf
> [global]
> # configurable identification
> include = /etc/samba/smb-names.conf
>
> # log stuff only to syslog
> logging = syslog at 0
>
> # we don't do printers
> show add printer wizard = No
> disable spoolss = Yes
> load printers = No
> printing = bsd
> printcap name = /dev/null
>
> # disable aio by default
> aio read size = 0
> aio write size = 0
>
> # misc.
> invalid users = root
> unix extensions = No
> wide links = Yes
> use sendfile = Yes
> host msdfs = No
>
> # ease upgrades from Samba 3.6
> acl allow execute always = Yes
> # permit NTLMv1 authentication
> ntlm auth = Yes
>
> # default global fruit settings:
> #fruit:aapl = Yes
> #fruit:nfs_aces = Yes
> fruit:nfs_aces = No
> #fruit:copyfile = No
> #fruit:model = MacSamba
>
> # hook for user-defined samba config
> include = /boot/config/smb-extra.conf
>
> # auto-configured shares
> include = /etc/samba/smb-shares.conf
>
> smb-names.conf (clean install)
> # Generated names
> netbios name = Tower
> server string = Media server
> hide dot files = no
> server multi channel support = no
> max open files = 40960
> multicast dns register = No
> disable netbios = yes
> server min protocol = SMB2
> security = USER
> workgroup = WORKGROUP
> map to guest = Bad User
> passdb backend = smbpasswd
> null passwords = Yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> create mask = 0777
> directory mask = 0777
> bind interfaces only = yes
> interfaces = 192.168.66.10/24 127.0.0.1
>
> smb-extra.conf (clean install)
> {file does not exist, contents of "samba extra configration"
> is empty}
>
> smb-shares.conf (clean install)
> {file exists, but is empty, no user shares configured yet}
>
I rearranged the smb.conf above and added comments:
[global]
netbios name = Tower
server string = Media server
security = USER
workgroup = WORKGROUP
bind interfaces only = yes
interfaces = 192.168.66.10/24 127.0.0.1
# we don't do printers
show add printer wizard = No
disable spoolss = Yes
load printers = No
printing = bsd
printcap name = /dev/null
# log stuff only to syslog
logging = syslog at 0
use sendfile = Yes
hide dot files = no # why ? You do not usually need to see them.
server multi channel support = no # reasonable, your unraid device probably only has one network device.
max open files = 40960 # why ? You shouldn't need to touch this.
multicast dns register = No # why ? netbios is turned off below, might be a good idea to use Avahi.
disable netbios = yes
server min protocol = SMB2 # This is the default and has been for quite sometime.
map to guest = Bad User
passdb backend = smbpasswd # The 'smbpasswd' backend was replaced years ago by the tdbsam backend.
null passwords = Yes # This is just plain stupidity.
idmap config * : backend = tdb # This and the line below are not required on a standalone server.
idmap config * : range = 3000-7999
create mask = 0777 # This and the line below would be better set in the shares.
directory mask = 0777
# disable aio by default
aio read size = 0 # Why ? This could potentially slow things down.
aio write size = 0 # Why ? This could potentially slow things down.
# misc.
invalid users = root # Old school, use acls.
unix extensions = No # This is only here to allow the next line.
wide links = Yes # Not a good idea, very insecure.
host msdfs = No
# ease upgrades from Samba 3.6 # Pardon ? 3.6 Died 8 years ago
acl allow execute always = Yes
# permit NTLMv1 authentication
ntlm auth = Yes # Why ?
# default global fruit settings: # Non of which will have any affect because non of the apple vfs objects are turned on.
#fruit:aapl = Yes
#fruit:nfs_aces = Yes
fruit:nfs_aces = No
#fruit:copyfile = No
#fruit:model = MacSamba
It is for a standalone server.
Can you please join it to the domain and then post the new smb.conf , I
am looking to see what the default idmap backend is for the domain.
Rowland
More information about the samba
mailing list