[Samba] Share access permission errors after upgrade from 4.12.14

Rowland Penny rpenny at samba.org
Wed Jan 24 10:51:17 UTC 2024


On Tue, 23 Jan 2024 21:47:27 +0000
unraidster via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> Thanks for getting back to me, appreciate your time and help.
> Apologies for the long response, I have tried to include as much
> information as possible.
> 
> On Friday, 19 January 2024 at 10:12, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> 
> > Sorry to be so long in replying to this, but life got in the way.
> >
> > You initially had an incorrect smb.conf and you changed it, but by
> > doing so you will have changed the user & group IDs, not their
> > names, the numbers. You will probably need to change the user &
> > group ownership of all directories & files and run 'net cache
> > flush' as root.
> >
> > You also say this is on a computer running unraid, did your initial
> > smb.conf come from just clicking things on a 'web page' on your
> > unraid box ?
> >
> > Rowland
> 
> Here is a summary of how I changed the IDMAP configuration within
> Unraid 6.9.2.:
> 	• Configured the idmap within the samba configuration (within
> Unraid this is done using a feature they call "Samba extra
> configuration:" in the GUI which adds an include to the smb.conf
> file).
> 	• Ran "net cache flush"
> 	• Renamed all of the .tdb files within /var/lib/samba/.  (did
> wonder if I should have done this, and if I should have done it
> before the net cache flush)
> 	• Started the array (which I believe starts samba).
> 	• At this stage, the shares are not accessible, even by the
> owner (ur_admin), as you stated the ID values will have changed.
> 	• Ran "chown ur_admin:ur-lab_access" on the /mnt/user and
> /mnt/user/PrivateShare as root.
> 	• Applied Permissions back onto the /mnt/user/PrivateShare
> folder using a Windows domain member logged in as TESTLAB\ur_admin
> via access to the share.
> 		○ Update: UR_Admin User - Change Apply To from "This Folder"
> to "This folder, subfolders and files".
> 		○ Add: _RO Group - RO access applied to "This folder,
> subfolders and files".
> 		○ Add: _RW Group - RW access applied to "This folder,
> subfolders and files".
> 		○ Remove the Everyone Permission
> 		○ Remove the stale IDs
> 		○ Ensure the "Replace all child object permission entries with
> inheritable permission entries from this object" option is selected
> at all update/add steps.
> 	• Tested access: share accessible from the rwuser (member of
> _RW group), ur_admin, and rouser (member of _RO group) accounts.
> 	• (I have the environment snapshotted to this state so can
> return to this point at any time).
> 	• As part of your recent message, I applied the
> recommendations to the smb.conf file using the "Samba extra
> configuration:" feature of Unraid to make the recommended removals
> from the smb.conf.
> 		ntlm auth = ntlmv2-only
> 		server min protocol = SMB2_02
> 		host msdfs = yes
> 		ldap ssl = start tls
> 		max open files = 16384
> 		multicast dns register = yes
> 		os level = 20
> 		server multi channel support = yes
> 		acl allow execute always = no
> 		aio read size = 1
> 		aio write size = 1
> 		dos filemode = no
> 		inherit acls = no
> 		inherit permissions = no
> 		null passwords = no
> 		vfs objects = acl_xattr
> 		acl group control = no
> 	• Tested access: the share is accessible as detailed above
> (still Unraid 6.9.2).
> 	• Upgraded this environment to Unraid 6.12.6 and then
> attempted access using the rwuser account results in the errors.
> 	• Note: The configuration outputs I have posted in all of my
> previous messages on the messaging list have been captured by running
> testparm as root.
> 	• Note: The "Samba extra configuration:" is modified via the
> web GUI.
> 
> On Fri, 19 Jan 2024 10:12:12 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > So, I took a wander over to the unraid community forum and found a
> > post which seems to say that this problem has been going on for
> > nearly a year, is this correct ?
> >
> > I was hoping to possibly find a link to the source, but couldn't
> > find one, so I have no idea just what the default smb.conf is.
> >
> > Rowland
> 
> You may have seen my post on the community forums, I have been
> attempting to find a resolution to the issue since I first posted
> earlier last year, and others have also reported the same error as
> far back as September 2022. I have been getting this error since
> Unraid 6.10.3 which was built with Samba 4.15.7. I am not sure about
> the source, but I can try and message the Unraid support team if
> there is anything specific you would like me to look into.
> 
> I thought a clean install of Unraid 6.12.6 (without any
> configuration) may help with the default smb.conf query. I have
> included the contents of smb.conf (and additional included conf
> files) from a fresh Unraid 6.12.6 install below:
> 
> Clean Install .conf files
> =============================================
> smb.conf (clean install)
> 	root at Tower:~# cat /etc/samba/smb.conf
> 	[global]
> 		# configurable identification
> 		include = /etc/samba/smb-names.conf
> 
> 	# log stuff only to syslog
> 	logging = syslog at 0
> 
> 	# we don't do printers
> 	show add printer wizard = No
> 	disable spoolss = Yes
> 	load printers = No
> 	printing = bsd
> 	printcap name = /dev/null
> 
> 	# disable aio by default
> 	aio read size = 0
> 	aio write size = 0
> 
> 	# misc.
> 	invalid users = root
> 	unix extensions = No
> 	wide links = Yes
> 	use sendfile = Yes
> 	host msdfs = No
> 
> 	# ease upgrades from Samba 3.6
> 	acl allow execute always = Yes
> 	# permit NTLMv1 authentication
> 	ntlm auth = Yes
> 
> 	# default global fruit settings:
> 	#fruit:aapl = Yes
> 	#fruit:nfs_aces = Yes
> 	fruit:nfs_aces = No
> 	#fruit:copyfile = No
> 	#fruit:model = MacSamba
> 
> 	# hook for user-defined samba config
> 	include = /boot/config/smb-extra.conf
> 
> 	# auto-configured shares
> 	include = /etc/samba/smb-shares.conf
> 
> smb-names.conf (clean install)
> 	# Generated names
> 	netbios name = Tower
> 	server string = Media server
> 	hide dot files = no
> 	server multi channel support = no
> 	max open files = 40960
> 	multicast dns register = No
> 	disable netbios = yes
> 	server min protocol = SMB2
> 	security = USER
> 	workgroup = WORKGROUP
> 	map to guest = Bad User
> 	passdb backend = smbpasswd
> 	null passwords = Yes
> 	idmap config * : backend = tdb
> 	idmap config * : range = 3000-7999
> 	create mask = 0777
> 	directory mask = 0777
> 	bind interfaces only = yes
> 	interfaces = 192.168.66.10/24 127.0.0.1
> 
> smb-extra.conf (clean install)
> 	{file does not exist, contents of "samba extra configuration"
> is empty}
> 
> smb-shares.conf (clean install)
> 	{file exists, but is empty, no user shares configured yet}
> 

I rearranged the smb.conf above and added comments:

	[global]
	netbios name = Tower
	server string = Media server
	security = USER
	workgroup = WORKGROUP
	bind interfaces only = yes
	interfaces = 192.168.66.10/24 127.0.0.1

	# we don't do printers
	show add printer wizard = No
	disable spoolss = Yes
	load printers = No
	printing = bsd
	printcap name = /dev/null

	# log stuff only to syslog
	logging = syslog at 0

	use sendfile = Yes

	hide dot files = no # why ? You do not usually need to see them.
	server multi channel support = no # reasonable, your unraid device probably only has one network device.
	max open files = 40960 # why ? You shouldn't need to touch this.
	multicast dns register = No # why ? netbios is turned off below, might be a good idea to use Avahi.
	disable netbios = yes
	server min protocol = SMB2 # This is the default and has been for quite some time.
	map to guest = Bad User
	passdb backend = smbpasswd # The 'smbpasswd' backend was replaced years ago by the tdbsam backend.
	null passwords = Yes # This is just plain stupidity.
	idmap config * : backend = tdb # This and the line below are not required on a standalone server.
	idmap config * : range = 3000-7999
	create mask = 0777 # This and the line below would be better set in the shares.
	directory mask = 0777


	# disable aio by default
	aio read size = 0 # Why ? This could potentially slow things down.
	aio write size = 0 # Why ? This could potentially slow things down.

	# misc.
	invalid users = root # Old school, use acls.
	unix extensions = No # This is only here to allow the next line.
	wide links = Yes # Not a good idea, very insecure.
	host msdfs = No

	# ease upgrades from Samba 3.6 # Pardon ? 3.6 died 8 years ago
	acl allow execute always = Yes
	# permit NTLMv1 authentication
	ntlm auth = Yes # Why ?

	# default global fruit settings: # None of which will have any effect because none of the apple vfs objects are turned on.
	#fruit:aapl = Yes
	#fruit:nfs_aces = Yes
	fruit:nfs_aces = No
	#fruit:copyfile = No
	#fruit:model = MacSamba

It is for a standalone server.

Can you please join it to the domain and then post the new smb.conf, I
am looking to see what the default idmap backend is for the domain.

Rowland
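As an added example, not part of this thread or of Unraid, here is a small Python check that parses an smb.conf [global] section and flags the settings questioned in the annotated listing above: null passwords, NTLMv1, wide links with unix extensions off, the smbpasswd backend, and idmap lines on a standalone server. The CLEAN_INSTALL text is constructed from the clean-install listing; the HARDENED values are this example's own suggested replacements, and absent parameters are assumed to take their Samba 4.x defaults.

```python
# Constructed input (from the clean-install listing) and an example hardened set.
CLEAN_INSTALL = """[global]
    security = USER
    passdb backend = smbpasswd
    null passwords = Yes
    ntlm auth = Yes
    unix extensions = No
    wide links = Yes
    idmap config * : backend = tdb
"""
HARDENED = """[global]
    security = USER
    passdb backend = tdbsam
    null passwords = No
    ntlm auth = ntlmv2-only
    unix extensions = Yes
    wide links = No
"""

def parse_globals(text):
    """[global] parameters as {name: value}; names lowercased, whitespace collapsed.
    Inline '#' is stripped so the annotated listing parses; real smb.conf only
    honours whole-line '#'/';' comments."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(params):
    """(parameter, reason) findings; missing parameters use Samba 4.x defaults."""
    findings = []
    if is_yes(params.get("null passwords", "no")):
        findings.append(("null passwords", "accounts with empty passwords can log in"))
    if params.get("ntlm auth", "ntlmv2-only").lower() in ("yes", "ntlmv1-permitted"):
        findings.append(("ntlm auth", "NTLMv1 accepted; the default is ntlmv2-only"))
    if is_yes(params.get("wide links", "no")) and not is_yes(params.get("unix extensions", "yes")):
        findings.append(("wide links", "symlinks may resolve outside the share"))
    if params.get("passdb backend", "tdbsam").split(":")[0].lower() == "smbpasswd":
        findings.append(("passdb backend", "legacy smbpasswd file; tdbsam is the default"))
    if params.get("security", "user").lower() == "user" and "idmap config * : backend" in params:
        findings.append(("idmap config", "not needed on a standalone server"))
    return findings
```

Run it over the output of `testparm -s` to audit a live configuration rather than the embedded sample.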
