I am new to Samba, but not to Linux. I hope someone here can point me in the
right direction.
I have installed Samba and it appears to be working, at least as far as I have
tested it. However, I have hit a snag in my testing. I have searched Google for
several hours but I have not found a solution.
On a Linux machine (named "annwn") running Fedora Core 6, I have set up a share,
using the least restrictive "share" type permissions (this is only for testing:
once I get things working, I will lock things down more). The directory to be
shared is /var/media:
drwxrwxr-x 5 root media 4096 Apr 5 11:22 media
I have created a user called "smbguest", and added this user to the "media"
group. I have then set "smbguest" as the guest user, and created a "media"
share for the /var/media directory:
[global]
workgroup = MORTSHIRE
server string = Samba Server
security = SHARE
guest account = smbguest
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = No
wins support = Yes
guest ok = Yes
hosts allow = 192.168.1., 127.0.0.1
cups options = raw
[media]
comment = media on annwn.mortshire
path = /var/media
writeable = yes
browseable = yes
guest ok = yes
testparm says that the smb.conf file is valid. Then I restarted samba. But when
I test this share by running (on annwn, as root) smbclient, the share connects,
but will not permit a "dir" command. It returns the error
NT_STATUS_ACCESS_DENIED.
[root@annwn samba]# smbclient //annwn/media
Password:
Domain=[MORTSHIRE] OS=[Unix] Server=[Samba 3.0.23c-2]
Server not using user level security and no password supplied.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
57237 blocks of size 4194304. 4158 blocks available
I have gone so far as to chmod both /var and /var/media to 777, and chown them
both to smbguest:smbguest, to see if that would make a difference. It didn't. I
still get NT_STATUS_ACCESS_DENIED.
Here is the service definition output from testparm:
[global]
workgroup = MORTSHIRE
server string = Samba Server
security = SHARE
guest account = smbguest
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = No
wins support = Yes
guest ok = Yes
hosts allow = 192.168.1., 127.0.0.1
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[media]
comment = media on annwn.mortshire
path = /var/media
read only = No
I have double and triple checked everything I can think of, and I am stumped.
Does anyone have a clue they'd be willing to share?
--
bblackmoor@blackgate.net
2007-04-05
On Thu, 05 Apr 2007, Brandon Blackmoor might have said:
> I am new to Samba, but not to Linux. I hope someone here can point me in the
> right direction.
>
> I have installed Samba and it appears to be working, at least as far as I have
> tested it. However, I have hit a snag in my testing. I have searched Google for
> several hours but I have not found a solution.
>
> On a Linux machine (named "annwn") running Fedora Core 6, I have set up a share,
> using the least restrictive "share" type permissions (this is only for testing:
> once I get things working, I will lock things down more). The directory to be
> shared is /var/media:
>
> drwxrwxr-x 5 root media 4096 Apr 5 11:22 media
>
> I have created a user called "smbguest", and added this user to the "media"
> group. I have then set "smbguest" as the guest user, and created a "media"
> share for the /var/media directory:
>
>
> [global]
> workgroup = MORTSHIRE
> server string = Samba Server
> security = SHARE
> guest account = smbguest
> log file = /var/log/samba/%m.log
> max log size = 50
> dns proxy = No
> wins support = Yes
> guest ok = Yes
> hosts allow = 192.168.1., 127.0.0.1
> cups options = raw
>
> [media]
> comment = media on annwn.mortshire
> path = /var/media
> writeable = yes
> browseable = yes
> guest ok = yes
>
>
> testparm says that the smb.conf file is valid. Then I restarted samba. But when
> I test this share by running (on annwn, as root) smbclient, the share connects,
> but will not permit a "dir" command. It returns the error
> NT_STATUS_ACCESS_DENIED.
>
>
> [root@annwn samba]# smbclient //annwn/media
> Password:
> Domain=[MORTSHIRE] OS=[Unix] Server=[Samba 3.0.23c-2]
> Server not using user level security and no password supplied.
> smb: \> dir
> NT_STATUS_ACCESS_DENIED listing \*
>
> 57237 blocks of size 4194304. 4158 blocks available
>
>
> I have gone so far as to chmod both /var and /var/media to 777, and chown them
> both to smbguest:smbguest, to see if that would make a difference. It didn't. I
> still get NT_STATUS_ACCESS_DENIED.
>
> Here is the service definition output from testparm:
>
> [global]
> workgroup = MORTSHIRE
> server string = Samba Server
> security = SHARE
> guest account = smbguest
> log file = /var/log/samba/%m.log
> max log size = 50
> dns proxy = No
> wins support = Yes
> guest ok = Yes
> hosts allow = 192.168.1., 127.0.0.1
> cups options = raw
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [printers]
> comment = All Printers
> path = /usr/spool/samba
> printable = Yes
> browseable = No
>
> [media]
> comment = media on annwn.mortshire
> path = /var/media
> read only = No
>
>
> I have double and triple checked everything I can think of, and I am stumped.
> Does anyone have a clue they'd be willing to share?
>
> --
> bblackmoor@blackgate.net
> 2007-04-05

Samba in the past worked with its own database of accounts populated and
maintained with 'smbpasswd'. Your account must be in the smbpasswd file for you
to authenticate, etc.

Mike
Quoting Mark Hull-Richter <mhull-richter@datallegro.com>:
> You have your security set to SHARE. Don't do that
> if you want to use USER security.

I wanted to get it working with SHARE (because I assumed that would be the
easiest thing to get working), at which point I would lock it down further.
However, switching it from SHARE to USER makes no difference:

[root@annwn html]# smbclient //annwn/media
Password:
Anonymous login successful
Domain=[MORTSHIRE] OS=[Unix] Server=[Samba 3.0.23c-2]
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
57237 blocks of size 4194304. 4171 blocks available

--
Brandon Blackmoor
bblackmoor@blackgate.net
2007-04-05
Brandon Blackmoor wrote:
> But when I test this share by running (on annwn, as root) smbclient,
> the share connects, but will not permit a "dir" command. It returns
> the error NT_STATUS_ACCESS_DENIED.

I would put a "log level = auth:3" and check in the log file what's happening
on the samba side...

--
Davide
Hi Brandon,
I would encourage you to simplify things even more at this point until
you get the situation resolved. Remove or comment out anything that is
not critical for Samba to start up with a single share. An example
smb.conf would be:
[global]
workgroup = MORTSHIRE
security = share
netbios name = annw
restrict anonymous = 0
[media]
path = /var/media
writeable = yes
If that works, then add the rest of your stuff line by line until you
find something that doesn't work.
The only time that I have seen the access denied message you list was
when I had set 'restrict anonymous = 2'. This value defaults to 0 which
allows anonymous browsing of a Samba server's service definitions (in
any security mode). This value is documented in the man page for smb.conf.
HTH,
--
Joshua M. Miller - RHCE,VCP
Quoting Brian Cowan <brcowan@gmail.com>:
> A debug log may tell you something.

I have been looking at the logs, but just at the default log level. They
haven't shown anything at all other than that samba is running and that I
connected to the "media" share and then disconnected from it (which I did).
However, here is the log level set to 3:

[root@annwn samba]# tail -n100 annwn.log
[2007/04/06 11:34:44, 3] smbd/reply.c:reply_tcon_and_X(716) tconX service=MEDIA
[2007/04/06 11:34:44, 3] smbd/process.c:process_smb(1110) Transaction 7 of length 57
[2007/04/06 11:34:44, 3] smbd/process.c:switch_message(914) switch message SMBecho (pid 31305) conn 0x0
[2007/04/06 11:34:44, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:44, 3] smbd/reply.c:reply_echo(3584) echo 1 times
[2007/04/06 11:34:44, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:46, 3] smbd/process.c:process_smb(1110) Transaction 8 of length 106
[2007/04/06 11:34:46, 3] smbd/process.c:switch_message(914) switch message SMBtrans2 (pid 31305) conn 0x8fd4f30
[2007/04/06 11:34:46, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (502, 504) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:46, 3] smbd/trans2.c:call_trans2qfilepathinfo(2908) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 257
[2007/04/06 11:34:46, 3] smbd/msdfs.c:dfs_redirect(435) dfs_redirect: Not redirecting annwn/media.
[2007/04/06 11:34:46, 3] smbd/msdfs.c:dfs_redirect(439) dfs_redirect: Path converted to non-dfs path
[2007/04/06 11:34:46, 3] smbd/trans2.c:call_trans2qfilepathinfo(2959) call_trans2qfilepathinfo . (fnum = -1) level=257 call=5 total_data=0
[2007/04/06 11:34:46, 3] smbd/process.c:process_smb(1110) Transaction 9 of length 116
[2007/04/06 11:34:46, 3] smbd/process.c:switch_message(914) switch message SMBtrans2 (pid 31305) conn 0x8fd4f30
[2007/04/06 11:34:46, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (502, 504) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:46, 3] smbd/trans2.c:call_trans2findfirst(1662) call_trans2findfirst: dirtype = 16, maxentries = 1366, close_after_first=0, close_if_end = 2 requires_resume_key = 4 level = 0x104, max_data_bytes = 16644
[2007/04/06 11:34:46, 3] smbd/msdfs.c:dfs_redirect(435) dfs_redirect: Not redirecting annwn/media/*.
[2007/04/06 11:34:46, 3] smbd/msdfs.c:dfs_redirect(439) dfs_redirect: Path converted to non-dfs path *
[2007/04/06 11:34:46, 3] smbd/error.c:unix_error_packet(90) unix_error_packet: error string = Permission denied
[2007/04/06 11:34:46, 3] smbd/error.c:error_packet(146) error packet at smbd/trans2.c(1772) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
[2007/04/06 11:34:46, 3] smbd/process.c:process_smb(1110) Transaction 10 of length 106
[2007/04/06 11:34:46, 3] smbd/process.c:switch_message(914) switch message SMBtrans2 (pid 31305) conn 0x8fd4f30
[2007/04/06 11:34:46, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (502, 504) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:46, 3] smbd/trans2.c:call_trans2qfilepathinfo(2908) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 257
[2007/04/06 11:34:46, 3] smbd/msdfs.c:dfs_redirect(435) dfs_redirect: Not redirecting annwn/media.
[2007/04/06 11:34:46, 3] smbd/msdfs.c:dfs_redirect(439) dfs_redirect: Path converted to non-dfs path
[2007/04/06 11:34:46, 3] smbd/trans2.c:call_trans2qfilepathinfo(2959) call_trans2qfilepathinfo . (fnum = -1) level=257 call=5 total_data=0
[2007/04/06 11:34:46, 3] smbd/process.c:process_smb(1110) Transaction 11 of length 39
[2007/04/06 11:34:46, 3] smbd/process.c:switch_message(914) switch message SMBdskattr (pid 31305) conn 0x8fd4f30
[2007/04/06 11:34:46, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (502, 504) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:46, 3] lib/sysquotas.c:sys_get_quota(448) sys_get_vfs_quota() failed for mntpath[/] bdev[/dev/mapper/VolGroup00-LogVol00] qtype[2] id[502]: Invalid argument
[2007/04/06 11:34:46, 3] lib/sysquotas.c:sys_get_quota(448) sys_get_vfs_quota() failed for mntpath[/] bdev[/dev/mapper/VolGroup00-LogVol00] qtype[4] id[504]: Invalid argument
[2007/04/06 11:34:46, 3] smbd/reply.c:reply_dskattr(1053) dskattr dfree=4170
[2007/04/06 11:34:49, 3] smbd/process.c:process_smb(1110) Transaction 12 of length 57
[2007/04/06 11:34:49, 3] smbd/process.c:switch_message(914) switch message SMBecho (pid 31305) conn 0x0
[2007/04/06 11:34:49, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:49, 3] smbd/reply.c:reply_echo(3584) echo 1 times
[2007/04/06 11:34:49, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:51, 3] smbd/process.c:process_smb(1110) Transaction 13 of length 39
[2007/04/06 11:34:51, 3] smbd/process.c:switch_message(914) switch message SMBtdis (pid 31305) conn 0x8fd4f30
[2007/04/06 11:34:51, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:51, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:51, 1] smbd/service.c:close_cnum(1141) annwn (192.168.1.90) closed connection to service media
[2007/04/06 11:34:51, 3] smbd/connection.c:yield_connection(69) Yielding connection to media
[2007/04/06 11:34:51, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:51, 3] smbd/process.c:timeout_processing(1359) timeout_processing: End of file from client (client has disconnected).
[2007/04/06 11:34:51, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:51, 3] smbd/connection.c:yield_connection(69) Yielding connection to
[2007/04/06 11:34:51, 3] smbd/server.c:exit_server_common(675) Server exit (normal exit)

I can see the line where the error is generated:

[2007/04/06 11:34:46, 3] smbd/error.c:unix_error_packet(90) unix_error_packet: error string = Permission denied
[2007/04/06 11:34:46, 3] smbd/error.c:error_packet(146) error packet at smbd/trans2.c(1772) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED

Does this tell me anything new?

> Also, see who the smbd process is running as....
> You may get an unpleasant surprise.

[root@annwn RPMs]# ps -ef | grep smbd
root 5501 1 0 Apr05 ? 00:00:00 smbd -D
root 5502 5501 0 Apr05 ? 00:00:00 smbd -D
root 30996 3882 0 11:05 pts/1 00:00:00 grep smbd

What would be considered "an unpleasant surprise" here?

(Incidentally, the Reply-To for this list is set up incorrectly. I have to
manually type in the address of the list every time I send a reply.)

--
Brandon Blackmoor
bblackmoor@blackgate.net
2007-04-06
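Added example, not part of the original thread: a small Python parser that pairs each error packet in an smbd level-3 log with the uid/gid from the most recent "setting sec ctx" entry, showing which Unix identity the failing request ran as. The function names are hypothetical; SAMPLE is an excerpt of the log posted above, and the parser accepts either smbd's two-line entries or text that has lost its line breaks.

```python
import re

# Every smbd debug entry starts with "[date time, level] file:function(line)".
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\]\s+(\S+?):(\w+)\((\d+)\)")
SEC_CTX = re.compile(r"setting sec ctx \((\d+), (\d+)\)")
UNIX_ERR = re.compile(r"error string = (.+)")
ERR_PKT = re.compile(r"error packet at (\S+)\((\d+)\) cmd=\d+ \((\w+)\) (NT_STATUS_\w+)")

# Excerpt of the log posted in the message above, in smbd's two-line layout.
SAMPLE = """\
[2007/04/06 11:34:44, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:46, 3] smbd/process.c:switch_message(914)
  switch message SMBtrans2 (pid 31305) conn 0x8fd4f30
[2007/04/06 11:34:46, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (502, 504) - sec_ctx_stack_ndx = 0
[2007/04/06 11:34:46, 3] smbd/msdfs.c:dfs_redirect(435)
  dfs_redirect: Not redirecting annwn/media/*.
[2007/04/06 11:34:46, 3] smbd/error.c:unix_error_packet(90)
  unix_error_packet: error string = Permission denied
[2007/04/06 11:34:46, 3] smbd/error.c:error_packet(146)
  error packet at smbd/trans2.c(1772) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
"""

def entries(text):
    """Yield (timestamp, function, message) per entry; the message is whatever
    lies between this header and the next, on the same line or the ones after."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h.group(1), h.group(4), " ".join(text[h.end():end].split())

def denied_requests(text):
    """Pair each SMB error packet with the uid/gid smbd had switched to."""
    uid = gid = unix_error = None
    found = []
    for ts, func, msg in entries(text):
        if m := SEC_CTX.search(msg):
            uid, gid = int(m.group(1)), int(m.group(2))
        elif func == "unix_error_packet" and (m := UNIX_ERR.search(msg)):
            unix_error = m.group(1)
        elif func == "error_packet" and (m := ERR_PKT.search(msg)):
            found.append({"time": ts, "uid": uid, "gid": gid,
                          "unix_error": unix_error, "source": f"{m.group(1)}:{m.group(2)}",
                          "smb_command": m.group(3), "nt_status": m.group(4)})
            unix_error = None
    return found

if __name__ == "__main__":
    for record in denied_requests(SAMPLE):
        print(record)
```

For this log it reports a single denial: SMBtrans2 at smbd/trans2.c:1772, running as uid 502 / gid 504, with the Unix error "Permission denied". Running "getent passwd 502" on the server shows which account that uid belongs to.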
Okay, I am starting fresh.
I made a new directory in the root directory, /media, and chmod'ed it 775
recursively. /media and everything in it has rwx for everyone in the "media"
group:
drwxrwxr-x 5 root media 4096 Oct 1 2006 media
"root", "bblackmoor", and "smbguest" are all members of the "media" group.
I deleted the old "media" share and created a new "media" share for the above
directory, set it to guest access, set the guest as smbguest, and set samba to
use SHARE permissions:
[global]
workgroup = MORTSHIRE
server string = Samba Server
security = SHARE
guest account = smbguest
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
os level = 33
preferred master = Yes
local master = No
domain master = Yes
dns proxy = No
wins support = Yes
guest ok = Yes
hosts allow = 192.168.1., 127.0.0.1
cups options = raw
[media]
comment = testing media share
path = /media
writeable = yes
browseable = yes
guest ok = yes
So, according to what I have spent all week reading, I should be able to connect
to this share as a guest and see what's in it.
[root@annwn /]# smbclient //annwn/media2
Password:
Domain=[MORTSHIRE] OS=[Unix] Server=[Samba 3.0.23c-2]
Server not using user level security and no password supplied.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
57237 blocks of size 4194304. 4170 blocks available
I have tried this with the "smbguest" samba user having no assigned Windows name
or password, and I have tried it with an assigned Windows name and password. The
behavior is exactly the same.
I am open to suggestions. Am I the only person who has ever had this problem?
--
Brandon Blackmoor
bblackmoor@blackgate.net
2007-04-06