samba - Aug 2018 - Can't write to a samba share mounted as an AD user

On Thu, Aug 2, 2018 at 11:11 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2 Aug 2018 11:02:45 -0400
> pisymbol <pisymbol at gmail.com> wrote:
>
> > Whoops! Replying to all!
> >
> > On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Thu, 2 Aug 2018 10:43:26 -0400
> > > pisymbol via samba <samba at lists.samba.org> wrote:
> > >
> > > > Full disclosure: This is an exported share on a QNAP NAS
device.
> > >
> > > Even fuller disclosure ;-)
> > > You haven't given us enough info
> > >
> >
> > I can facilitate though.
> >
> >
> > > What version of Samba is the QNAP NAS using ?
> > >
> >
> > 4.4.16
> >
> > What is in smb.conf ?
> > >
> >
> > A lot of stuff as you can imagine.
>
> Yes and it will remain imaginary until you post it
>
[admin at outerdrive ~]# cat /etc/config/smb.conf
[global]
realm = ACME.COM
passdb backend = smbpasswd
workgroup = ACME
security = ADS       #### NOTE: I had to change this to ADS to get this
toaster oven to join AD
server string encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers = yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash
Folder/Temporary
Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/. at __qini/.Qsync/.
at upload_cache/.qsync/.qsync_sn/. at qsys/.streams/.digest/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
follow symlinks = yes
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = yes
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = yes
conn log = no
kernel oplocks = no
min protocol = LANMAN1
smb2 leases = yes
durable handles = yes
kernel share modes = no
posix locking = no
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
server signing = disabled
aio read size = 1
aio write size = 0
streams_depot:delete_lost = yes
streams_depot:check_valid = no
fruit:nfs_aces = no
fruit:veto_appledouble = no
winbind expand groups = 1
pid directory = /var/lock
printcap name = /etc/printcap
printing = cups
show add printer wizard = no
host msdfs = yes
winbind enum groups = Yes
winbind enum users = Yes
wins support = no
name resolve order = host bcast
max protocol = SMB2_10
vfs objects =  shadow_copy2 acl_xattr catia fruit qnap_macea streams_depot
aio_pthread

[Multimedia]
comment = System default share
path = /share/CACHEDEV1_DATA/Multimedia
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users = "guest"
read list = @"everyone"
write list = "admin"
valid users = "root",@"everyone","admin"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Multimedia/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Multimedia
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes

[Download]
comment = System default share
path = /share/CACHEDEV1_DATA/Download
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users = "guest"
read list write list = "admin"
valid users = "root","admin"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Download/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Download
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes

[Web]
comment = System default share
path = /share/CACHEDEV1_DATA/Web
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users = "guest"
read list write list = "admin"
valid users = "root","admin"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Web/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Web
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes

[Public]
comment = System default share
path = /share/CACHEDEV1_DATA/Public
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = yes
qbox = no
public = yes
invalid users = "guest"
read list = @"everyone"
write list = "admin",@"ACME\Users"
valid users =
"root",@"everyone","admin",@"ACME\Users"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Public/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/Public
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
mangled names = yes

[homes]
comment = System default share
path = /share/CACHEDEV1_DATA/homes
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
public = yes
invalid users read list write list = "admin"
valid users = "root","admin"
inherit permissions = yes
shadow:snapdir = /share/CACHEDEV1_DATA/_.share/homes/.snapshot
shadow:basedir = /share/CACHEDEV1_DATA/homes
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
mangled names = yes

[printers]
use client driver = yes
writable = no
browsable = no
printable = yes
guest ok = yes
path = /var/spool/smb

[home]
comment = Home
path = %H
browsable = yes
oplocks = yes
ftp write only = no
inherit permissions = yes
invalid users = guest
writable = yes
read list = "%u"
write list = "%u"
valid users = "%u"
root preexec = /sbin/create_home -u '%q'
shadow:snapdir = /share/CACHEDEV1_DATA/homes/../_.share/homes/.snapshot
shadow:basedir = %H
shadow:sort = desc
shadow:format = @GMT-%Y.%m.%d-%H:%M:%S

On Thu, 2 Aug 2018 11:17:47 -0400
pisymbol <pisymbol at gmail.com> wrote:
> On Thu, Aug 2, 2018 at 11:11 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Thu, 2 Aug 2018 11:02:45 -0400
> > pisymbol <pisymbol at gmail.com> wrote:
> >
> > > Whoops! Replying to all!
> > >
> > > On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
> > > samba at lists.samba.org> wrote:
> > >
> > > > On Thu, 2 Aug 2018 10:43:26 -0400
> > > > pisymbol via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > Full disclosure: This is an exported share on a QNAP
NAS
> > > > > device.
> > > >
> > > > Even fuller disclosure ;-)
> > > > You haven't given us enough info
> > > >
> > >
> > > I can facilitate though.
> > >
> > >
> > > > What version of Samba is the QNAP NAS using ?
> > > >
> > >
> > > 4.4.16
> > >
> > > What is in smb.conf ?
> > > >
> > >
> > > A lot of stuff as you can imagine.
> >
> > Yes and it will remain imaginary until you post it
> >
> 
> [admin at outerdrive ~]# cat /etc/config/smb.conf
> [global]
> realm = ACME.COM
> passdb backend = smbpasswd
> workgroup = ACME
> security = ADS       #### NOTE: I had to change this to ADS to get
> this toaster oven to join AD
> server string > encrypt passwords = Yes
> username level = 0
> map to guest = Bad User
> null passwords = yes
> max log size = 10
> socket options = TCP_NODELAY SO_KEEPALIVE
> os level = 20
> preferred master = no
> dns proxy = No
> smb passwd file=/etc/config/smbpasswd
> username map = /etc/config/smbusers
> guest account = guest
> directory mask = 0777
> create mask = 0777
> oplocks = yes
> locking = yes
> disable spoolss = no
> load printers = yes
> veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network
> Trash Folder/Temporary
> Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/. at
__qini/.Qsync/. at upload_cache/.qsync/.qsync_sn/. at qsys/.streams/.digest/
> delete veto files = yes
> map archive = no
> map system = no
> map hidden = no
> map read only = no
> deadtime = 10
> server role = auto
> use sendfile = yes
> unix extensions = no
> store dos attributes = yes
> client ntlmv2 auth = yes
> dos filetime resolution = no
> follow symlinks = yes
> wide links = yes
> force unknown acl user = yes
> template homedir = /share/homes/DOMAIN=%D/%U
> inherit acls = yes
> domain logons = no
> min receivefile size = 256
> case sensitive = auto
> domain master = auto
> local master = no
> enhance acl v1 = yes
> remove everyone = yes
> conn log = no
> kernel oplocks = no
> min protocol = LANMAN1
> smb2 leases = yes
> durable handles = yes
> kernel share modes = no
> posix locking = no
> lock directory = /share/CACHEDEV1_DATA/.samba/lock
> state directory = /share/CACHEDEV1_DATA/.samba/state
> cache directory = /share/CACHEDEV1_DATA/.samba/cache
> printcap cache time = 0
> acl allow execute always = yes
> server signing = disabled
> aio read size = 1
> aio write size = 0
> streams_depot:delete_lost = yes
> streams_depot:check_valid = no
> fruit:nfs_aces = no
> fruit:veto_appledouble = no
> winbind expand groups = 1
> pid directory = /var/lock
> printcap name = /etc/printcap
> printing = cups
> show add printer wizard = no
> host msdfs = yes
> winbind enum groups = Yes
> winbind enum users = Yes
> wins support = no
> name resolve order = host bcast
> max protocol = SMB2_10
> vfs objects =  shadow_copy2 acl_xattr catia fruit qnap_macea
> streams_depot aio_pthread
> 
> [Multimedia]
> comment = System default share
> path = /share/CACHEDEV1_DATA/Multimedia
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = no
> qbox = no
> public = yes
> invalid users = "guest"
> read list = @"everyone"
> write list = "admin"
> valid users = "root",@"everyone","admin"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Multimedia/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/Multimedia
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> strict allocate = yes
> streams_depot:check_valid = yes
> mangled names = yes
> 
> [Download]
> comment = System default share
> path = /share/CACHEDEV1_DATA/Download
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = no
> qbox = no
> public = yes
> invalid users = "guest"
> read list > write list = "admin"
> valid users = "root","admin"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Download/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/Download
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> strict allocate = yes
> streams_depot:check_valid = yes
> mangled names = yes
> 
> [Web]
> comment = System default share
> path = /share/CACHEDEV1_DATA/Web
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = no
> qbox = no
> public = yes
> invalid users = "guest"
> read list > write list = "admin"
> valid users = "root","admin"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Web/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/Web
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> strict allocate = yes
> streams_depot:check_valid = yes
> mangled names = yes
> 
> [Public]
> comment = System default share
> path = /share/CACHEDEV1_DATA/Public
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = yes
> qbox = no
> public = yes
> invalid users = "guest"
> read list = @"everyone"
> write list = "admin",@"ACME\Users"
> valid users =
"root",@"everyone","admin",@"ACME\Users"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Public/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/Public
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> strict allocate = yes
> streams_depot:check_valid = yes
> mangled names = yes
> 
> [homes]
> comment = System default share
> path = /share/CACHEDEV1_DATA/homes
> browsable = yes
> oplocks = yes
> ftp write only = no
> recycle bin = yes
> recycle bin administrators only = no
> qbox = no
> public = yes
> invalid users > read list > write list = "admin"
> valid users = "root","admin"
> inherit permissions = yes
> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/homes/.snapshot
> shadow:basedir = /share/CACHEDEV1_DATA/homes
> shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> smb encrypt = disabled
> mangled names = yes
> 
> [printers]
> use client driver = yes
> writable = no
> browsable = no
> printable = yes
> guest ok = yes
> path = /var/spool/smb
> 
> [home]
> comment = Home
> path = %H
> browsable = yes
> oplocks = yes
> ftp write only = no
> inherit permissions = yes
> invalid users = guest
> writable = yes
> read list = "%u"
> write list = "%u"
> valid users = "%u"
> root preexec = /sbin/create_home -u '%q'
> shadow:snapdir
> = /share/CACHEDEV1_DATA/homes/../_.share/homes/.snapshot
> shadow:basedir = %H shadow:sort = desc
> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
Was this NAS a 'standalone server' at some point ?

It certainly looks like it to me, two things point that way, one you
are using the deprecated 'smbpasswd' 'passdb backend' and the
other is
that you have no authentication lines in smb.conf. Without
authentication, the only user who could connect, would be the guest
user, but you have explicitly denied this with 'invalid users
"guest"'

Rowland

On Thu, Aug 2, 2018 at 11:56 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 2 Aug 2018 11:17:47 -0400
> pisymbol <pisymbol at gmail.com> wrote:
>
> Was this NAS a 'standalone server' at some point ?
>
Well I don't know what you are asking. The NAS is new, booted up, promptly
joined to AD.

> It certainly looks like it to me, two things point that way, one you
> are using the deprecated 'smbpasswd' 'passdb backend' and
the other is
> that you have no authentication lines in smb.conf. Without
> authentication, the only user who could connect, would be the guest
> user, but you have explicitly denied this with 'invalid users >
"guest"'
>
>
Again, I can mount the CIFS drive from Linux AS WELL AS log into the NAS
using my AD domain creds?

-aps

If I’m not confused though, I believe pisymbol CAN get a mount. 

It’s just that the mount has read-only access despite the file ownership and
modes being set to give full read-write?

-E
> On Aug 2, 2018, at 8:56 AM, Rowland Penny via samba <samba at
lists.samba.org> wrote:
> 
> On Thu, 2 Aug 2018 11:17:47 -0400
> pisymbol <pisymbol at gmail.com <mailto:pisymbol at gmail.com>>
wrote:
> 
>> On Thu, Aug 2, 2018 at 11:11 AM, Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>> 
>>> On Thu, 2 Aug 2018 11:02:45 -0400
>>> pisymbol <pisymbol at gmail.com> wrote:
>>> 
>>>> Whoops! Replying to all!
>>>> 
>>>> On Thu, Aug 2, 2018 at 10:55 AM, Rowland Penny via samba <
>>>> samba at lists.samba.org> wrote:
>>>> 
>>>>> On Thu, 2 Aug 2018 10:43:26 -0400
>>>>> pisymbol via samba <samba at lists.samba.org> wrote:
>>>>> 
>>>>>> Full disclosure: This is an exported share on a QNAP
NAS
>>>>>> device.
>>>>> 
>>>>> Even fuller disclosure ;-)
>>>>> You haven't given us enough info
>>>>> 
>>>> 
>>>> I can facilitate though.
>>>> 
>>>> 
>>>>> What version of Samba is the QNAP NAS using ?
>>>>> 
>>>> 
>>>> 4.4.16
>>>> 
>>>> What is in smb.conf ?
>>>>> 
>>>> 
>>>> A lot of stuff as you can imagine.
>>> 
>>> Yes and it will remain imaginary until you post it
>>> 
>> 
>> [admin at outerdrive ~]# cat /etc/config/smb.conf
>> [global]
>> realm = ACME.COM
>> passdb backend = smbpasswd
>> workgroup = ACME
>> security = ADS       #### NOTE: I had to change this to ADS to get
>> this toaster oven to join AD
>> server string >> encrypt passwords = Yes
>> username level = 0
>> map to guest = Bad User
>> null passwords = yes
>> max log size = 10
>> socket options = TCP_NODELAY SO_KEEPALIVE
>> os level = 20
>> preferred master = no
>> dns proxy = No
>> smb passwd file=/etc/config/smbpasswd
>> username map = /etc/config/smbusers
>> guest account = guest
>> directory mask = 0777
>> create mask = 0777
>> oplocks = yes
>> locking = yes
>> disable spoolss = no
>> load printers = yes
>> veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network
>> Trash Folder/Temporary
>> Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/. at
__qini/.Qsync/. at upload_cache/.qsync/.qsync_sn/. at qsys/.streams/.digest/
>> delete veto files = yes
>> map archive = no
>> map system = no
>> map hidden = no
>> map read only = no
>> deadtime = 10
>> server role = auto
>> use sendfile = yes
>> unix extensions = no
>> store dos attributes = yes
>> client ntlmv2 auth = yes
>> dos filetime resolution = no
>> follow symlinks = yes
>> wide links = yes
>> force unknown acl user = yes
>> template homedir = /share/homes/DOMAIN=%D/%U
>> inherit acls = yes
>> domain logons = no
>> min receivefile size = 256
>> case sensitive = auto
>> domain master = auto
>> local master = no
>> enhance acl v1 = yes
>> remove everyone = yes
>> conn log = no
>> kernel oplocks = no
>> min protocol = LANMAN1
>> smb2 leases = yes
>> durable handles = yes
>> kernel share modes = no
>> posix locking = no
>> lock directory = /share/CACHEDEV1_DATA/.samba/lock
>> state directory = /share/CACHEDEV1_DATA/.samba/state
>> cache directory = /share/CACHEDEV1_DATA/.samba/cache
>> printcap cache time = 0
>> acl allow execute always = yes
>> server signing = disabled
>> aio read size = 1
>> aio write size = 0
>> streams_depot:delete_lost = yes
>> streams_depot:check_valid = no
>> fruit:nfs_aces = no
>> fruit:veto_appledouble = no
>> winbind expand groups = 1
>> pid directory = /var/lock
>> printcap name = /etc/printcap
>> printing = cups
>> show add printer wizard = no
>> host msdfs = yes
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> wins support = no
>> name resolve order = host bcast
>> max protocol = SMB2_10
>> vfs objects =  shadow_copy2 acl_xattr catia fruit qnap_macea
>> streams_depot aio_pthread
>> 
>> [Multimedia]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Multimedia
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list = @"everyone"
>> write list = "admin"
>> valid users = "root",@"everyone","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Multimedia/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Multimedia
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>> 
>> [Download]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Download
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list >> write list = "admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Download/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Download
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>> 
>> [Web]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Web
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list >> write list = "admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Web/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Web
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>> 
>> [Public]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/Public
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = yes
>> qbox = no
>> public = yes
>> invalid users = "guest"
>> read list = @"everyone"
>> write list = "admin",@"ACME\Users"
>> valid users =
"root",@"everyone","admin",@"ACME\Users"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/Public/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/Public
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> strict allocate = yes
>> streams_depot:check_valid = yes
>> mangled names = yes
>> 
>> [homes]
>> comment = System default share
>> path = /share/CACHEDEV1_DATA/homes
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> recycle bin = yes
>> recycle bin administrators only = no
>> qbox = no
>> public = yes
>> invalid users >> read list >> write list =
"admin"
>> valid users = "root","admin"
>> inherit permissions = yes
>> shadow:snapdir = /share/CACHEDEV1_DATA/_.share/homes/.snapshot
>> shadow:basedir = /share/CACHEDEV1_DATA/homes
>> shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
>> smb encrypt = disabled
>> mangled names = yes
>> 
>> [printers]
>> use client driver = yes
>> writable = no
>> browsable = no
>> printable = yes
>> guest ok = yes
>> path = /var/spool/smb
>> 
>> [home]
>> comment = Home
>> path = %H
>> browsable = yes
>> oplocks = yes
>> ftp write only = no
>> inherit permissions = yes
>> invalid users = guest
>> writable = yes
>> read list = "%u"
>> write list = "%u"
>> valid users = "%u"
>> root preexec = /sbin/create_home -u '%q'
>> shadow:snapdir
>> = /share/CACHEDEV1_DATA/homes/../_.share/homes/.snapshot
>> shadow:basedir = %H shadow:sort = desc
>> shadow:format = @GMT-%Y.%m.%d-%H:%M:%S
> 
> Was this NAS a 'standalone server' at some point ?
> 
> It certainly looks like it to me, two things point that way, one you
> are using the deprecated 'smbpasswd' 'passdb backend' and
the other is
> that you have no authentication lines in smb.conf. Without
> authentication, the only user who could connect, would be the guest
> user, but you have explicitly denied this with 'invalid users >
"guest"'
> 
> Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>