samba - May 2010 - ARGH... once again samba causes "permission" errors.

I've been doing unix sys. admin for nearly 20 years and yet EVERY single
time I have to setup samba I have configuration problems.

Before we start let's clear up some common misunderstandings: I have
googled for the answer. I have spent the last six hours doing so and trying
various "suggestions". Most of these suggestions point to solutions
involving chown or chmod.  These are not the problems (or I will be
very surprised).

# cat /etc/samba/smb.conf
[global]
         workgroup = CYTE.COM
         server string = CyteNAS
         netbios name = NAS
         hosts allow = 127., 10.0.10.

[nas]
         comment = NAS
         path = /mnt/nas
         force user = nas
         force group = nas
         read only = No

# cat /etc/samba/smbpasswd
nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U
]:LCT-4C00625E:

# grep nas /etc/passwd
nas:x:500:500::/mnt/nas:/bin/bash

# grep nas /etc/group
nas:x:500:

# ls -al /mnt/nas
total 16
drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
drwxrwxrwx 3 root root 4096 May 28 15:04 ..

So before you tell me about "permission" problems please note the
following
   1) The permissions on all the files is 777... EVERYBODY can do anything.
   2) samba IS configured to force the user and group to the owner of 
the share
       path anyways.
   3) The group and user exist and they have their passwords configured
        correctly.

I can map the share on my Windows 7 workstation. But any attempt to
create anything yields a pop-up window that says:

"You need permission to perform this action"
                               nas(\\NAS)
                               Space free: 89.7 GB
                               Total size: 97.0 GB

Why am I getting ANY permission problems??? Frankly. I don't think it is
a permission problem. (I set log level to 10; the output is long so I won't
include it because I looked through it and didn't see any errors reported
or any mention of permission denied.)

GRRRRRRR!

It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually
a 6TB Raid5 array with an XFS filesystem. But if I actually mount it....

# /etc/init.d/smb stop
# mount /mnt/nas
# ls -al /mnt/nas
total 8
drwxrwxrwx 2 nas  nas     6 May 28 18:11 .
drwxrwxrwx 3 root root 4096 May 28 15:04 ..

see... no difference in permissions or ownership but now it is a mount
point.

Now I can't even map the samba share at all. All I get is a window
that says:

    "Attemping to connect to \\NAS\nas"
           (Cancel)

And it never seems to go away.

and yes, under both cases I can simply login as the user nas via
ssh and touch/mkdir or do anything I want and the files get created
just fine. Frankly I think this is another case of Windows presenting
the user with a misleading diagnostic "Permission" problem when
something much more fundamental is going wrong with Samba.

Please help.

- Jeff

Quoting Jeff Wiegley (jeffw at csun.edu):
> Before we start let's clear up some common misunderstandings: I have
> googled for the answer. I have spent the last six hours doing so and trying
> various "suggestions". Most of these suggestions point to
solutions
> involving chown or chmod.  These are not the problems (or I will be
> very surprised).
Some more info (and less ranting) would help:

- samba version
- logs on the samba server side when you experience these problems

Jeff Wiegley wrote:
>I've been doing unix sys. admin for nearly 20 years and yet EVERY
single
>time I have to setup samba I have configuration problems.
>
>Before we start let's clear up some common misunderstandings: I have
>googled for the answer. I have spent the last six hours doing so and
>trying
>various "suggestions". Most of these suggestions point to
solutions
>involving chown or chmod.  These are not the problems (or I will be
>very surprised).
>
># cat /etc/samba/smb.conf
>[global]
>         workgroup = CYTE.COM
>         server string = CyteNAS
>         netbios name = NAS
>         hosts allow = 127., 10.0.10.
>
>[nas]
>         comment = NAS
>         path = /mnt/nas
>         force user = nas
>         force group = nas
>         read only = No
>
># cat /etc/samba/smbpasswd
>nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61
F5:
>[U
>]:LCT-4C00625E:
>
># grep nas /etc/passwd
>nas:x:500:500::/mnt/nas:/bin/bash
>
># grep nas /etc/group
>nas:x:500:
>
># ls -al /mnt/nas
>total 16
>drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
>drwxrwxrwx 3 root root 4096 May 28 15:04 ..
>
>So before you tell me about "permission" problems please note the
>following
>   1) The permissions on all the files is 777... EVERYBODY can do
anything.
>   2) samba IS configured to force the user and group to the owner of
>the share
>       path anyways.
>   3) The group and user exist and they have their passwords configured
>        correctly.
>
>I can map the share on my Windows 7 workstation. But any attempt to
>create anything yields a pop-up window that says:
>
>"You need permission to perform this action"
>                               nas(\\NAS)
>                               Space free: 89.7 GB
>                               Total size: 97.0 GB
>
>Why am I getting ANY permission problems??? Frankly. I don't think it
is
>a permission problem. (I set log level to 10; the output is long so I
>won't
>include it because I looked through it and didn't see any errors
reported
>or any mention of permission denied.)
>
>GRRRRRRR!
>
>It gets worse. a 90GB NAS storage is pretty useless. The NAS is
actually
>a 6TB Raid5 array with an XFS filesystem. But if I actually mount
it....
>
># /etc/init.d/smb stop
># mount /mnt/nas
># ls -al /mnt/nas
>total 8
>drwxrwxrwx 2 nas  nas     6 May 28 18:11 .
>drwxrwxrwx 3 root root 4096 May 28 15:04 ..
>
>see... no difference in permissions or ownership but now it is a mount
>point.
>
>Now I can't even map the samba share at all. All I get is a window
>that says:
>
>    "Attemping to connect to \\NAS\nas"
>           (Cancel)
>
>And it never seems to go away.
>
>and yes, under both cases I can simply login as the user nas via
>ssh and touch/mkdir or do anything I want and the files get created
>just fine. Frankly I think this is another case of Windows presenting
>the user with a misleading diagnostic "Permission" problem when
>something much more fundamental is going wrong with Samba.
>
>Please help.
>
>- Jeff
>
Is this NAS thing running SELinux, by any chance?  SELinux can give you
a whole set of extra permissions problems even when the standard
permissions look wide open.  Try "ls -Z /mnt/nas".



Moray.
"To err is human.? To purr, feline"

Jeff,

I'm no expert, but my understanding is that the FORCE USER and FORCE GROUP
configuration statements only define the *ownership* of created files,  not
who is allowed to create them. My inference from your post suggests that
might be what you're expecting - apologies if that's not correct.

May be a naive suggestion, but I'd try the following:

To the share definition, add

"guest ok = no"
"write list = nas"

Also, when browsing the server (not the share) from your Windows client, see
if the share appears in the list of server-shared resources. If it does,
right-click and check the properties of the share and let it tell you who
*it* thinks owns the share/has permissions to it. That might be some helpful
info. If not, my apologies.

-David



On Sat, May 29, 2010 at 3:21 AM, Jeff Wiegley <jeffw at csun.edu> wrote:
> I've been doing unix sys. admin for nearly 20 years and yet EVERY
single
> time I have to setup samba I have configuration problems.
>
> Before we start let's clear up some common misunderstandings: I have
> googled for the answer. I have spent the last six hours doing so and trying
> various "suggestions". Most of these suggestions point to
solutions
> involving chown or chmod.  These are not the problems (or I will be
> very surprised).
>
> # cat /etc/samba/smb.conf
> [global]
>        workgroup = CYTE.COM
>        server string = CyteNAS
>        netbios name = NAS
>        hosts allow = 127., 10.0.10.
>
> [nas]
>        comment = NAS
>        path = /mnt/nas
>        force user = nas
>        force group = nas
>        read only = No
>
> # cat /etc/samba/smbpasswd
>
nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U
>          ]:LCT-4C00625E:
>
> # grep nas /etc/passwd
> nas:x:500:500::/mnt/nas:/bin/bash
>
> # grep nas /etc/group
> nas:x:500:
>
> # ls -al /mnt/nas
> total 16
> drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
> drwxrwxrwx 3 root root 4096 May 28 15:04 ..
>
> So before you tell me about "permission" problems please note the
following
>  1) The permissions on all the files is 777... EVERYBODY can do anything.
>  2) samba IS configured to force the user and group to the owner of the
> share
>      path anyways.
>  3) The group and user exist and they have their passwords configured
>       correctly.
>
> I can map the share on my Windows 7 workstation. But any attempt to
> create anything yields a pop-up window that says:
>
> "You need permission to perform this action"
>                              nas(\\NAS)
>                              Space free: 89.7 GB
>                              Total size: 97.0 GB
>
> Why am I getting ANY permission problems??? Frankly. I don't think it
is
> a permission problem. (I set log level to 10; the output is long so I
won't
> include it because I looked through it and didn't see any errors
reported
> or any mention of permission denied.)
>
> GRRRRRRR!
>
> It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually
> a 6TB Raid5 array with an XFS filesystem. But if I actually mount it....
>
> # /etc/init.d/smb stop
> # mount /mnt/nas
> # ls -al /mnt/nas
> total 8
> drwxrwxrwx 2 nas  nas     6 May 28 18:11 .
> drwxrwxrwx 3 root root 4096 May 28 15:04 ..
>
> see... no difference in permissions or ownership but now it is a mount
> point.
>
> Now I can't even map the samba share at all. All I get is a window
> that says:
>
>   "Attemping to connect to \\NAS\nas"
>          (Cancel)
>
> And it never seems to go away.
>
> and yes, under both cases I can simply login as the user nas via
> ssh and touch/mkdir or do anything I want and the files get created
> just fine. Frankly I think this is another case of Windows presenting
> the user with a misleading diagnostic "Permission" problem when
> something much more fundamental is going wrong with Samba.
>
> Please help.
>
> - Jeff
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 05/29/2010 03:21 AM, Jeff Wiegley wrote:
> I've been doing unix sys. admin for nearly 20 years and yet EVERY
single
> time I have to setup samba I have configuration problems.
Jeff,

With all respect, please note that Samba is not your usual UNIX
networking toolset - it implements SMB/CIFS, a technology that is
overloaded with its own specific requirements that need to be understood
and correctly handled.

Have you read the books:
Samba3-ByExample  (http://www.samba.org/samba/docs/Samba3-ByExample.pdf)
Samba3-HOWTO      (http://www.samba.org/samba/docs/Samba3-HOWTO.pdf)

These may help to alleviate some of your discomfort with Samba.  There
are other Samba books, unfortunately all (even the two above) are quite
out of date. Not withstanding that they are out of date, the above can
still be of value (particularly Samba3-ByExample) because it provides
worked example network deployment configurations.

Additionally, you may find some useful pointers on the Samba Wiki at:
http://wiki.samba.org
> Before we start let's clear up some common misunderstandings: I have
> googled for the answer. I have spent the last six hours doing so and trying
> various "suggestions". Most of these suggestions point to
solutions
> involving chown or chmod.  These are not the problems (or I will be
> very surprised).
Googling is a good thing (most of the time), but when it comes to Samba
issues this will usually turn up a lot of complaints about problems and
very few reports that explain how each was solved - if it was solved in
the first place.
> # cat /etc/samba/smb.conf
> [global]
>         workgroup = CYTE.COM
Do NOT use a '.' character in a workgroup/domain name. In MS Windows NT4
(the protocols Samba3 implements) this is not a supported character. It
would be better to just declare the workgroup name as "CYTE" or
'CYTE-COM"
>         server string = CyteNAS
>         netbios name = NAS
>         hosts allow = 127., 10.0.10.
Is this devices multi-homed? If it is then "hosts allow" is probably a
good things - if not, it is best to start without it and add it later
when you know the configuration is working.

For diagnostic purposes add the following to the [global] stanza:

	log file = %L-%m.log
	max log size = 0
	log level = 3
	map to guest = bad user

When the network is finally stable, and diagnostics are no longer
needed, reduce the "log level" to either 0 or 1.
> [nas]
>         comment = NAS
>         path = /mnt/nas
>         force user = nas
>         force group = nas
>         read only = No
> 
> # cat /etc/samba/smbpasswd
>
nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U
> ]:LCT-4C00625E:
What version of Samba are you using?  If it is later than 3.0.x (in
other words 3.2.x, 3.3.x, 3.4.x, 3.5.x) the default is to use tdbsam,
not smbpasswd.  If you particularly want to use smbpasswd to store the
SMB/CIFS credentials, specify the following in [global]
	passdb backend = smbpasswd:/etc/samba/smbpasswd
> # grep nas /etc/passwd
> nas:x:500:500::/mnt/nas:/bin/bash
> 
> # grep nas /etc/group
> nas:x:500:
> 
> # ls -al /mnt/nas
> total 16
> drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
> drwxrwxrwx 3 root root 4096 May 28 15:04 ..
> 
> So before you tell me about "permission" problems please note the
following
>   1) The permissions on all the files is 777... EVERYBODY can do anything.
>   2) samba IS configured to force the user and group to the owner of the
> share
>       path anyways.
>   3) The group and user exist and they have their passwords configured
>        correctly.
> 
> I can map the share on my Windows 7 workstation. But any attempt to
> create anything yields a pop-up window that says:
> 
> "You need permission to perform this action"
>                               nas(\\NAS)
>                               Space free: 89.7 GB
>                               Total size: 97.0 GB
> 
> Why am I getting ANY permission problems??? Frankly. I don't think it
is
> a permission problem. (I set log level to 10; the output is long so I
won't
> include it because I looked through it and didn't see any errors
reported
> or any mention of permission denied.)
> 
> GRRRRRRR!
As much as you may not like scanning samba log files, this is the only
way to diagnose what is going wrong.
> It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually
> a 6TB Raid5 array with an XFS filesystem. But if I actually mount it....
> 
> # /etc/init.d/smb stop
> # mount /mnt/nas
> # ls -al /mnt/nas
> total 8
> drwxrwxrwx 2 nas  nas     6 May 28 18:11 .
> drwxrwxrwx 3 root root 4096 May 28 15:04 ..
> 
> see... no difference in permissions or ownership but now it is a mount
> point.
OK, we feel your pain, but instead of complaining to this list you are
better served asking how to diagnose the problem so you can find a solution.
> Now I can't even map the samba share at all. All I get is a window
> that says:
> 
>    "Attemping to connect to \\NAS\nas"
>           (Cancel)
> 
> And it never seems to go away.
> 
> and yes, under both cases I can simply login as the user nas via
> ssh and touch/mkdir or do anything I want and the files get created
> just fine. Frankly I think this is another case of Windows presenting
> the user with a misleading diagnostic "Permission" problem when
> something much more fundamental is going wrong with Samba.
The log files are your sole pathway to a solution.

If you just want a solution to the problem, you could also consider
getting commercial Samba support from one of the support providers at:
http://www.samba.org/samba/support

- John T.