[Samba] Share access permission errors after upgrade from 4.12.14
Rowland Penny
rpenny at samba.org
Thu Jan 25 09:55:43 UTC 2024
On Thu, 25 Jan 2024 09:01:11 +0000
unraidster via samba <samba at lists.samba.org> wrote:
>
>
> Hi Rowland,
>
> Thanks for the info on the idmap setting. My last lab configuration
> was using the broader RID range for the TESTLAB domain. Should I be
> able to change the default domain and add an AD Domain's idmap after
> initial configuration or should I "disjoin" the domain and rejoin
> with the updated configuration? I included a summary of my idmap
> change approach in the previous email in case the detail is required
> and have not disjoined the domain in that approach.
The problem with the 'hash' backend (as far as I am aware) is that you
will get 'collisions' (not 'can', 'will').
Now, if you use the 'hash' backend, your users & groups will get a
numeric ID, somewhere in the 10000-2147483647 range. If you change to
using the 'rid' backend as I showed, then they will get calculated
numeric IDs in the 10000-999999 range, but they will be different from
the hash IDs.
The user & group names will stay the same, but they will have different
numeric IDs. There is no need to leave the domain, you just need to run
'net cache flush' as root and this will clear out any cached IDs, you
will also need to restart any Samba binaries or reload the smb.conf
with smbcontrol (see 'man smbcontrol'). Once you have reset the IDs,
you will also need to change the ownership of directories and files.
Having said all that, it would probably be easier to set up a new
unraid instance (using the 'rid' backend) and then copy all the data
from the 'old' unraid to the 'new' unraid, this should deal with the
numeric ID changes.
If you do change to the 'rid' backend, you will require the four lines
as shown in my last post.
>
> For my next test I used an earlier snapshot of my configuration in
> Unraid 6.9.2 and updated the IDMAP to use the range you recommended
> along with the additions to smb-extras.conf that change the
> default smb.conf (that is configured by unraid) to match your
> recommended settings. Please find the contents of the smb-extras.conf
> file and the output from testparm below (captured using unraid 6.9.2):
>
> =======================================================
> Smb-extras.conf (an include within smb.conf)
> root at UR-Lab:~# cat /boot/config/smb-extra.conf
> ntlm auth = ntlmv2-only
> server min protocol = SMB2_02
> host msdfs = yes
> ldap ssl = start tls
> max open files = 16384
> multicast dns register = yes
> os level = 20
> server multi channel support = yes
> acl allow execute always = no
> aio read size = 1
> aio write size = 1
> dos filemode = no
> inherit acls = no
> inherit permissions = no
> null passwords = no
> vfs objects = acl_xattr
> acl group control = no
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config TESTLAB : backend = rid
> idmap config TESTLAB : range = 10000-999999
>
> Testparm (run in unraid 6.9.2):
> root at UR-Lab:~# testparm
> Load smb config files from /etc/samba/smb.conf
> WARNING: The "null passwords" option is deprecated
> WARNING: The "null passwords" option is deprecated
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> disable spoolss = Yes
> load printers = No
> logging = syslog at 0
> max open files = 16384
> printcap name = /dev/null
> realm = TESTLAB.COM
> security = ADS
> server multi channel support = Yes
> server string = Media server
> show add printer wizard = No
> unix extensions = No
> winbind use default domain = Yes
> workgroup = TESTLAB
> idmap config testlab : range = 10000-999999
> idmap config testlab : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> hide dot files = No
> include = /etc/samba/smb-shares.conf
> invalid users = root
> map acl inherit = Yes
> map archive = No
> use sendfile = Yes
> vfs objects = acl_xattr
> wide links = Yes
>
>
> [flash]
> comment = Unraid OS boot device
> force user = root
> guest ok = Yes
> map readonly = yes
> path = /boot
> read only = No
>
>
> [PrivateShare]
> path = /mnt/user/PrivateShare
> read only = No
>
>
> [PrivateShare-A]
> path = /mnt/user/PrivateShare-A
> read only = No
>
>
> [PrivateShare-B]
> path = /mnt/user/PrivateShare-B
> read only = No
>
>
> [PublicShare]
> path = /mnt/user/PublicShare
> read only = No
> =======================================================
>
> Post idmap update, I followed the same process I did previously and
> took ownership of the share folder and set the ACL. This was all done
> on Unraid 6.9.2 and I confirmed shared access is functional. I then
> updated the system to Unraid 6.12.6 and share access stops with the
> same error. Note the uid and group ids reflect numbers from the lower
> range used in the idmap config.
>
> Error:
> Jan 25 00:01:22 UR-Lab smbd[9689]: [2024/01/25 00:01:22.344606, 0] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
> Jan 25 00:01:22 UR-Lab smbd[9689]: chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=11106, gid=10513, 11 groups: 11106 10513 11119 11111 11115 11113 11124 3003 3004 3006 3001
>
> For consistency, I have included the output from testparm (run in
> Unraid 6.12.6) below:
> =======================================================
> root at UR-Lab:~# testparm
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
> lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> bind interfaces only = Yes
> disable spoolss = Yes
> interfaces = 192.168.66.4 127.0.0.1
> load printers = No
> logging = syslog at 0
> max open files = 16384
> printcap name = /dev/null
> realm = TESTLAB.COM
> security = ADS
> server string = Media server
> show add printer wizard = No
> smb1 unix extensions = No
> winbind use default domain = Yes
> workgroup = TESTLAB
> idmap config testlab : range = 10000-999999
> idmap config testlab : backend = rid
> fruit:nfs_aces = No
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> hide dot files = No
> include = /etc/samba/smb-shares.conf
> invalid users = root
> map acl inherit = Yes
> use sendfile = Yes
> vfs objects = acl_xattr
> wide links = Yes
>
>
> [PrivateShare]
> path = /mnt/user/PrivateShare
> read only = No
>
>
> [PrivateShare-A]
> path = /mnt/user/PrivateShare-A
> read only = No
>
>
> [PrivateShare-B]
> path = /mnt/user/PrivateShare-B
> read only = No
>
>
> [PublicShare]
> path = /mnt/user/PublicShare
> read only = No
> =======================================================
>
> Here are some differences in the testparm output between this lab's
> Unraid 6.9.2 (working) and 6.12.6 (not working) configurations:
> • (added in 6.12.6) "bind interfaces only = Yes" - Note: the
> man page lists this having a default value of no.
> • (added in 6.12.6) "interfaces = 192.168.66.4 127.0.0.1" -
> Note: Man page says this default value is blank.
> • (removed from 6.12.6) "server multi channel support = Yes"
> - Note: option was made yes by default from 4.15, hence disappeared
> from testparm output.
> • (added in 6.12.6) "fruit:nfs_aces = No"
> • (removed from 6.12.6) "map archive = No" - Note: The
> default value is yes, seems to be set to default in 6.12.16.
>
> I don’t think any of the differences I highlighted would cause the
> error. I did try setting fruit:nfs_aces to yes, but it did not fix
> the issue.
You can set that parameter to whatever you like and it will have no
effect, because you do not have 'vfs objects = fruit' set in your
smb.conf
NOTE: I am not saying that you should set 'vfs objects = fruit', far
from it, unless you have any Mac clients, in which case then by all
means set the parameter, but you would probably need more 'fruit:'
lines.
What I was trying to get across, when I mentioned the "fruit:nfs_aces =
No" line, was that the unraid smb.conf seems to be splattered with
parameters it doesn't really need, another one is 'ldap ssl = no', as
far as I can see, unraid doesn't use ldap, so why set it and multiple
other parameters that you don't really need?
What would be a better idea, would be to add:
vfs objects = acl_xattr
map acl inherit = Yes
But read 'man vfs_acl_xattr' before you do
Rowland
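The thread turns on two facts: the numeric IDs in the smbd token come from whichever idmap range the user or group falls into, and vfs_ChDir fails on the share root when the token lacks traverse rights on that directory, which is exactly what happens when files are still owned by IDs from an earlier backend. The following diagnostic is an added example written for this post; it is not code from the thread, from unraid, or from Samba. It parses the 'idmap config' lines quoted above and the smbd error line, names the range each ID in the token belongs to, and approximates the POSIX mode-bit check for traversing the share directory. The directory owner, group and mode it is fed are constructed values (a hypothetical stale owner ID of 1234567 that falls in no configured range), and the mode-bit check is a simplification: it does not model the uid 0 bypass or any POSIX ACL or acl_xattr entries layered on top.

```python
import re
import stat

# Constructed sample: the idmap lines from the smb-extras.conf quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TESTLAB : backend = rid
idmap config TESTLAB : range = 10000-999999
"""

# Constructed sample: the smbd error line from the thread, re-joined onto one line.
SMBD_LOG = ("Jan 25 00:01:22 UR-Lab smbd[9689]: chdir_current_service: "
            "vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. "
            "Current token: uid=11106, gid=10513, 11 groups: 11106 10513 11119 "
            "11111 11115 11113 11124 3003 3004 3006 3001")

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I | re.M)

TOKEN_RE = re.compile(
    r"vfs_ChDir\((?P<path>[^)]*)\) failed: (?P<err>[^.]+)\. "
    r"Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"\d+ groups: (?P<groups>[\d ]+)")


def parse_idmap_ranges(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from 'idmap config' lines."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = domains.setdefault(dom.upper(), {"backend": None, "range": None})
        if key.lower() == "backend":
            entry["backend"] = val.lower()
        else:
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
    return domains


def parse_chdir_error(line):
    """Extract path, error text and the full NT-token ID list from a chdir_current_service line."""
    m = TOKEN_RE.search(line)
    if not m:
        return None
    return {
        "path": m.group("path"),
        "error": m.group("err"),
        "uid": int(m.group("uid")),
        "gid": int(m.group("gid")),
        "groups": [int(g) for g in m.group("groups").split()],
    }


def classify_id(xid, domains):
    """Name the idmap domain whose range contains xid ('*' is the default/BUILTIN range), or None."""
    for dom, entry in domains.items():
        rng = entry["range"]
        if rng and rng[0] <= xid <= rng[1]:
            return dom
    return None


def can_traverse(token, dir_uid, dir_gid, dir_mode):
    """Approximate POSIX traverse check: owner bits if uid matches, else group bits if any
    token group matches, else other bits. Does not model uid 0 or POSIX ACLs."""
    if token["uid"] == dir_uid:
        return bool(dir_mode & stat.S_IXUSR)
    if dir_gid == token["gid"] or dir_gid in token["groups"]:
        return bool(dir_mode & stat.S_IXGRP)
    return bool(dir_mode & stat.S_IXOTH)


def diagnose(log_line, conf, dir_uid, dir_gid, dir_mode):
    """Combine the three checks into one report for a failed share chdir."""
    token = parse_chdir_error(log_line)
    domains = parse_idmap_ranges(conf)
    all_ids = [token["uid"], token["gid"], *token["groups"]]
    return {
        "path": token["path"],
        "uid_domain": classify_id(token["uid"], domains),
        "unmapped_ids": [x for x in all_ids if classify_id(x, domains) is None],
        "owner_domain": classify_id(dir_uid, domains),
        "group_domain": classify_id(dir_gid, domains),
        "traversable": can_traverse(token, dir_uid, dir_gid, dir_mode),
    }


if __name__ == "__main__":
    # Hypothetical stale ownership (constructed): an ID from no configured range, mode 0770.
    print(diagnose(SMBD_LOG, SMB_CONF, 1234567, 1234567, 0o770))
```

On a real member server the three constructed arguments would come from os.stat() of the share path; the report then shows at a glance whether the token's IDs are from the expected rid range, whether the directory owner is an ID that no current backend would ever produce, and whether the mode bits alone already deny traversal, which is the case to resolve by re-chowning the data after the idmap change.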