Raymond Page
2018-May-25 16:13 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
Hi list, I'm using samba-4.7.6-r0 and attempting to establish a public samba share where any anonymous user can write to the share. I have an issue where the 'guest' (uid 405) account is unable to write to a directory owned by that uid. If the gid or world writable bits are set, I can write to my share, but not as the guest uid. I need assistance troubleshooting why I cannot write as the guest account to my share. My problem: # touch test.txt # smbclient -U% //easystore/public -c 'put test.txt test1.txt' NT_STATUS_ACCESS_DENIED opening remote file \test1.txt My local filesystem: # ls -lad /mnt/share drwxr-xr-x 5 guest users 4096 May 25 15:18 /mnt/share My user details: # getent passwd guest guest:x:405:100:guest:/dev/null:/sbin/nologin # pdbedit -L -v ^$ EOL My smbstatus (ran windows 10 client to hold open the share path locks): # smbstatus Samba version 4.7.6 PID Username Group Machine Protocol Version Encryption Signing ---------------------------------------------------------------------------------------------------------------------------------------- 24844 guest users 192.168.50.131 (ipv4:192.168.X.X :54932) SMB3_11 - - 24852 guest users 192.168.50.185 (ipv4:192.168.X.X :57840) SMB3_11 - - 24851 guest users 192.168.50.185 (ipv4:192.168.X.X :57839) SMB3_11 - - Service pid Machine Connected at Encryption Signing --------------------------------------------------------------------------------------------- public 24852 192.168.X.X Fri May 25 15:44:07 2018 UTC - - public 24844 192.168.X.X Fri May 25 15:43:41 2018 UTC - - IPC$ 24852 192.168.X.X Fri May 25 15:44:07 2018 UTC - - IPC$ 24851 192.168.X.X Fri May 25 15:44:06 2018 UTC - - public 24851 192.168.X.X Fri May 25 15:44:06 2018 UTC - - Locked files: Pid Uid DenyMode Access R/W Oplock SharePath Name Time -------------------------------------------------------------------------------------------------- 24851 405 DENY_NONE 0x100081 RDONLY NONE /mnt/share . Fri May 25 15:44:06 2018 24851 405 DENY_NONE 0x100081 RDONLY NONE /mnt/share . Fri May 25 15:44:06 2018 24851 405 DENY_NONE 0x100081 RDONLY NONE /mnt/share . Fri May 25 15:44:07 2018 24852 405 DENY_NONE 0x100080 RDONLY NONE /mnt/share . Fri May 25 15:44:07 2018 24851 405 DENY_NONE 0x100081 RDONLY NONE /mnt/share . Fri May 25 15:44:08 2018 24851 405 DENY_ALL 0x100080 RDONLY NONE /mnt/share . Fri May 25 15:44:12 2018 My smb.conf: [global] syslog = 7 netbios name = SHARE workgroup = WORKGROUP security = user map to guest = Bad User guest account = guest #username map = /etc/samba/smbusers dns proxy = no #log level = all log file = /var/log/samba/%m.log browsable = yes #read only = yes guest ok = no writable = no printable = no [printers] comment = All Printers path = /usr/spool/samba browseable = yes printable = yes [homes] comment = User Home Directories browsable = yes writable = yes [public] comment = Public Share path = /mnt/share public = yes guest only = yes read only = no writable = yes printable = no #force user = guest create mask = 0644 directory mask = 0755 -- Raymond Page
Rowland Penny
2018-May-25 16:41 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
On Fri, 25 May 2018 12:13:44 -0400 Raymond Page via samba <samba at lists.samba.org> wrote:> Hi list, > > I'm using samba-4.7.6-r0 and attempting to establish a public samba > share where any anonymous user can write to the share. > > I have an issue where the 'guest' (uid 405) account is unable to > write to a directory owned by that uid. If the gid or world writable > bits are set, I can write to my share, but not as the guest uid. I > need assistance troubleshooting why I cannot write as the guest > account to my share. > > My problem: > # touch test.txt > # smbclient -U% //easystore/public -c 'put test.txt test1.txt' > NT_STATUS_ACCESS_DENIED opening remote file \test1.txt > > My local filesystem: > # ls -lad /mnt/share > drwxr-xr-x 5 guest users 4096 May 25 15:18 /mnt/share > > My user details: > # getent passwd guest > guest:x:405:100:guest:/dev/null:/sbin/nologin > # pdbedit -L -v > ^$ EOL > > My smbstatus (ran windows 10 client to hold open the share path > locks): # smbstatus > > Samba version 4.7.6 > PID Username Group Machine > Protocol Version Encryption Signing > ---------------------------------------------------------------------------------------------------------------------------------------- > 24844 guest users 192.168.50.131 > (ipv4:192.168.X.X :54932) SMB3_11 - - > 24852 guest users 192.168.50.185 > (ipv4:192.168.X.X :57840) SMB3_11 - - > 24851 guest users 192.168.50.185 > (ipv4:192.168.X.X :57839) SMB3_11 - - > > Service pid Machine Connected at > Encryption Signing > --------------------------------------------------------------------------------------------- > public 24852 192.168.X.X Fri May 25 15:44:07 2018 UTC - > - > public 24844 192.168.X.X Fri May 25 15:43:41 2018 UTC - > - > IPC$ 24852 192.168.X.X Fri May 25 15:44:07 2018 UTC - > - > IPC$ 24851 192.168.X.X Fri May 25 15:44:06 2018 UTC - > - > public 24851 192.168.X.X Fri May 25 15:44:06 2018 UTC - > - > > Locked files: > Pid Uid DenyMode Access R/W Oplock > SharePath Name Time > -------------------------------------------------------------------------------------------------- > 24851 405 DENY_NONE 0x100081 RDONLY NONE > /mnt/share . Fri May 25 15:44:06 2018 > 24851 405 DENY_NONE 0x100081 RDONLY NONE > /mnt/share . Fri May 25 15:44:06 2018 > 24851 405 DENY_NONE 0x100081 RDONLY NONE > /mnt/share . Fri May 25 15:44:07 2018 > 24852 405 DENY_NONE 0x100080 RDONLY NONE > /mnt/share . Fri May 25 15:44:07 2018 > 24851 405 DENY_NONE 0x100081 RDONLY NONE > /mnt/share . Fri May 25 15:44:08 2018 > 24851 405 DENY_ALL 0x100080 RDONLY NONE > /mnt/share . Fri May 25 15:44:12 2018 > > My smb.conf: > [global] > syslog = 7 > netbios name = SHARE > workgroup = WORKGROUP > security = user > map to guest = Bad User > guest account = guest > #username map = /etc/samba/smbusers > dns proxy = no > #log level = all > log file = /var/log/samba/%m.log > browsable = yes > #read only = yes > guest ok = no > writable = no > printable = no > > [printers] > comment = All Printers > path = /usr/spool/samba > browseable = yes > printable = yes > > [homes] > comment = User Home Directories > browsable = yes > writable = yes > > [public] > comment = Public Share > path = /mnt/share > public = yes > guest only = yes > read only = no > writable = yes > printable = no > #force user = guest > create mask = 0644 > directory mask = 0755 > > -- > Raymond PageThree things, does 'guest' exist in /etc/passwd and Samba ? Remove 'guest ok = no' from [global] and add 'guest ok = yes' to the shares. Finally, just who is it that is telling people to add 'read only' AND 'writable = yes' ? They are the same setting (goes off muttering to himself) Rowland
Raymond Page
2018-May-25 17:11 UTC
[Samba] Fwd: NT_STATUS_ACCESS_DENIED for guest account to public share
Rowland, The 'guest' user exists in /etc/passwd, and there are no users defined in tdb backend. 1. /etc/passwd: guest:x:405:100:guest:/dev/null:/sbin/nologin 2. pdbedit -L -v: ^$ EOL 3. smb.conf updated as suggested - smbclient -U% //share/public -c 'put test1.txt foobar' NT_STATUS_ACCESS_DENIED opening remote file \foobar Modifying the settings as suggested made no impact, functionally we just disabled the global defaults and doubly defined the local share settings. The person saying using 'read only = no' AND 'writable = yes' is probably the same person suggesting 'guest ok = yes' AND 'public = yes'. I like my redundant configuration settings to reinforce what I'm stating so that if I'm thinking about denying vs enabling access, I have an option to clearly latch onto. Output from testparam: [global] dns proxy = No guest account = guest log file = /var/log/samba/%m.log map to guest = Bad User netbios name = SHARE security = USER idmap config * : backend = tdb [printers] browseable = No comment = All Printers path = /usr/spool/samba printable = Yes [homes] comment = User Home Directories read only = No [public] comment = Public Share create mask = 0644 guest ok = Yes guest only = Yes path = /mnt/share read only = No -- Raymond Page On Fri, May 25, 2018 at 12:42 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Fri, 25 May 2018 12:13:44 -0400 > Raymond Page via samba <samba at lists.samba.org> wrote: > > > Hi list, > > > > I'm using samba-4.7.6-r0 and attempting to establish a public samba > > share where any anonymous user can write to the share. > > > > I have an issue where the 'guest' (uid 405) account is unable to > > write to a directory owned by that uid. If the gid or world writable > > bits are set, I can write to my share, but not as the guest uid. I > > need assistance troubleshooting why I cannot write as the guest > > account to my share. > > > > My problem: > > # touch test.txt > > # smbclient -U% //easystore/public -c 'put test.txt test1.txt' > > NT_STATUS_ACCESS_DENIED opening remote file \test1.txt > > > > My local filesystem: > > # ls -lad /mnt/share > > drwxr-xr-x 5 guest users 4096 May 25 15:18 /mnt/share > > > > My user details: > > # getent passwd guest > > guest:x:405:100:guest:/dev/null:/sbin/nologin > > # pdbedit -L -v > > ^$ EOL > > > > My smbstatus (ran windows 10 client to hold open the share path > > locks): # smbstatus > > > > Samba version 4.7.6 > > PID Username Group Machine > > Protocol Version Encryption Signing > > > ---------------------------------------------------------------------------------------------------------------------------------------- > > 24844 guest users 192.168.50.131 > > (ipv4:192.168.X.X :54932) SMB3_11 - - > > 24852 guest users 192.168.50.185 > > (ipv4:192.168.X.X :57840) SMB3_11 - - > > 24851 guest users 192.168.50.185 > > (ipv4:192.168.X.X :57839) SMB3_11 - - > > > > Service pid Machine Connected at > > Encryption Signing > > > --------------------------------------------------------------------------------------------- > > public 24852 192.168.X.X Fri May 25 15:44:07 2018 UTC - > > - > > public 24844 192.168.X.X Fri May 25 15:43:41 2018 UTC - > > - > > IPC$ 24852 192.168.X.X Fri May 25 15:44:07 2018 UTC - > > - > > IPC$ 24851 192.168.X.X Fri May 25 15:44:06 2018 UTC - > > - > > public 24851 192.168.X.X Fri May 25 15:44:06 2018 UTC - > > - > > > > Locked files: > > Pid Uid DenyMode Access R/W Oplock > > SharePath Name Time > > > -------------------------------------------------------------------------------------------------- > > 24851 405 DENY_NONE 0x100081 RDONLY NONE > > /mnt/share . Fri May 25 15:44:06 2018 > > 24851 405 DENY_NONE 0x100081 RDONLY NONE > > /mnt/share . Fri May 25 15:44:06 2018 > > 24851 405 DENY_NONE 0x100081 RDONLY NONE > > /mnt/share . Fri May 25 15:44:07 2018 > > 24852 405 DENY_NONE 0x100080 RDONLY NONE > > /mnt/share . Fri May 25 15:44:07 2018 > > 24851 405 DENY_NONE 0x100081 RDONLY NONE > > /mnt/share . Fri May 25 15:44:08 2018 > > 24851 405 DENY_ALL 0x100080 RDONLY NONE > > /mnt/share . Fri May 25 15:44:12 2018 > > > > My smb.conf: > > [global] > > syslog = 7 > > netbios name = SHARE > > workgroup = WORKGROUP > > security = user > > map to guest = Bad User > > guest account = guest > > #username map = /etc/samba/smbusers > > dns proxy = no > > #log level = all > > log file = /var/log/samba/%m.log > > browsable = yes > > #read only = yes > > guest ok = no > > writable = no > > printable = no > > > > [printers] > > comment = All Printers > > path = /usr/spool/samba > > browseable = yes > > printable = yes > > > > [homes] > > comment = User Home Directories > > browsable = yes > > writable = yes > > > > [public] > > comment = Public Share > > path = /mnt/share > > public = yes > > guest only = yes > > read only = no > > writable = yes > > printable = no > > #force user = guest > > create mask = 0644 > > directory mask = 0755 > > > > -- > > Raymond Page > > Three things, does 'guest' exist in /etc/passwd and Samba ? > Remove 'guest ok = no' from [global] and add 'guest ok = yes' to the > shares. > Finally, just who is it that is telling people to add 'read > only' AND 'writable = yes' ? They are the same setting (goes off > muttering to himself) > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >