samba - Jan 2024 - Share access permission errors after upgrade from 4.12.14

On Fri, 19 Jan 2024 10:12:12 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 16 Jan 2024 23:28:24 +0000
> unraidster via samba <samba at lists.samba.org> wrote:
> 
> > On Tuesday, 16 January 2024 at 09:46, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > 
> > > As far as I can see, unraid is based on slackware, so it should
> > > work. Is it possible to check the ownership & permissions set
on
> > > /mnt/user/PrivateShare ?
> > >
> > > Is either apparmor or selinux running ?
> > >
> > > Rowland
> > 
> > Thanks for the reply, I have included some responses below:
> > 
> > The permissions set to /mnt/user/PrivateShare is:
> > 
> > 	drwxrwx---+ 1 ur_admin   ur-lab_access 4.0K May 24  2023
> > PrivateShare/
> > 
> > There is an ACL set on that folder too:
> > 
> > 	getfacl: Removing leading '/' from absolute path names
> > 	# file: mnt/user/PrivateShare/
> > 	# owner: ur_admin
> > 	# group: ur-lab_access
> > 	user::rwx
> > 	user:ur-lab_access:rwx
> > 	user:ur-lab-privateshare-ro:r-x
> > 	user:ur-lab-privateshare-rw:rwx
> > 	group::rwx
> > 	group:ur_admin:rwx
> > 	group:ur-lab_access:rwx
> > 	group:ur-lab-privateshare-ro:r-x
> > 	group:ur-lab-privateshare-rw:rwx
> > 	mask::rwx
> > 	other::---
> > 	default:user::rwx
> > 	default:user:ur_admin:rwx
> > 	default:user:ur-lab-privateshare-ro:r-x
> > 	default:user:ur-lab-privateshare-rw:rwx
> > 	default:group::---
> > 	default:group:ur_admin:rwx
> > 	default:group:ur-lab_access:---
> > 	default:group:ur-lab-privateshare-ro:r-x
> > 	default:group:ur-lab-privateshare-rw:rwx
> > 	default:mask::rwx
> > 	default:other::---
> > 
> > 
> > The rwuser is a member of the ur-lab-privateshare-rw group. I
> > noticed that there are two groups (ur-lab-privateshare-ro and
> > ur-lab-privateshare-rw) setup with a user and a group permission in
> > the ACL. I retested after removing both groups' user permission
> > (leaving the intended group ACL entry for each group) and still
> > received the same error. The non-updated-IDMAP configuration I
> > started the thread with did not have a duplicate user ACL for the
> > groups and therefore I suspect it isn?t contributing to this issue.
> > 
> > apparmor: I tried the following commands to see if apparmor was
> > enabled: cat /sys/module/apparmor/parameters/enabled
> > 	sudo apparmor_status
> > 
> > 	Neither returned a result.
> > 
> > Selinux: I tried the following commands to see if selinux was
> > enabled: sudo getenforce
> > 	sudo sestatus
> > 
> > 	Neither returned a result.
> > 
> > Therefore, I suspect that apparmor and selinux are not
> > installed/enabled.
> > 
> > Best Regards,
> > Unraidster
> > 
> 
> Sorry to be so long in replying to this, but life got in the way.
> 
> You initially had an incorrect smb.conf and you changed it, but by
> doing so you will have changed the user & group IDs, not their names,
> the numbers. You will probably need to change the user & group
> ownership of all directories & files and run 'net cache flush'
as
> root.
> 
> You also say this is on a computer running unraid, did your initial
> smb.conf come from just clicking things on a 'web page' on your
unraid
> box ?
> 
> Rowland
>  
> 
So, I took a wander over to the unraid community forum and found a post
which seems to say that this problem has been going on for nearly a
year, is this correct ?

I was hoping to possibly find a link to the source, but couldn't find
one, so I have no idea just what the default smb.conf is.

Rowland

Hi Rowland,

Thanks for getting back to me, appreciate your time and help. Apologies for the
long response, I have tried to include as much information as possible.

On Friday, 19 January 2024 at 10:12, Rowland Penny via samba <samba at
lists.samba.org> wrote:
> Sorry to be so long in replying to this, but life got in the way.
>
> You initially had an incorrect smb.conf and you changed it, but by
> doing so you will have changed the user & group IDs, not their names,
> the numbers. You will probably need to change the user & group
> ownership of all directories & files and run 'net cache flush'
as root.
>
> You also say this is on a computer running unraid, did your initial
> smb.conf come from just clicking things on a 'web page' on your
unraid
> box ?
>
> Rowland
Here is a summary of how I changed the IDMAP configuration within Unraid 6.9.2.:
	? Configured the idmap within the samba configuration (within Unraid this is
done using a feature they call "Samba extra configuration:" in the GUI
which adds an include to the smb.conf file).
	? Ran "net cache flush"
	? Renamed all of the .tdb files within /var/lib/samba/.  (did wonder if I
should have done this, and if I should have done it before the net cache flush)
	? Started the array (which I believe starts samba).
	? At this stage, the shares are not accessible, even by the owner (ur_admin),
as you stated the ID values will have changed.
	? Ran "chown ur_admin:ur-lab_access" on the /mnt/user and
/mnt/user/PrivateShare as root.
	? Applied Permissions back onto the /mnt/user/PrivateShare folder using a
Windows domain member logged in as TESTLAB\ur_admin via access to the share.
		? Update: UR_Admin User - Change Apply To from "This Folder" to
"This folder, subfolders and files".
		? Add: _RO Group - RO access applied to "This folder, subfolders and
files".
		? Add: _RW Group - RW access applied to "This folder, subfolders and
files".
		? Remove the Everyone Permission
		? Remove the stale IDs
		? Ensure the "Replace all child object permission entries with
inheritable permission entries from this object" option is selected at all
update/add steps.
	? Tested access: share accessible from the rwuser (member of _RW group),
ur_admin, and rouser (member of _RO group) accounts.
	? {I have the environment snapshotted to this state so can return to this point
at any time).
	? As part of your recent message, I applied the recommendations to the smb.conf
file using the "Samba extra configuration:" feature of Unraid to make
the recommended removals from the smb.conf.
		ntlm auth = ntlmv2-only
server min protocol = SMB2_02
		host msdfs = yes
		ldap ssl = start tls
		max open files = 16384
		multicast dns register = yes
		os level = 20
		server multi channel support = yes
		acl allow execute always = no
		aio read size = 1
		aio write size = 1
		dos filemode = no
		inherit acls = no
		inherit permissions = no
		null passwords = no
vfs objects = acl_xattr
acl group control = no
	? Tested access: the share is accessible as detailed above (still Unraid
6.9.2).
	? Upgraded this environment to Unraid 6.12.6 and then attempted access using
the rwuser account results in the errors.
	? Note: The configuration outputs I have posted in all of my previous messages
on the messaging list have been captured by running testparm as root.
	? Note: The "Samba extra configuration:" is modified via the web GUI.

On Fri, 19 Jan 2024 10:12:12 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> So, I took a wander over to the unraid community forum and found a post
> which seems to say that this problem has been going on for nearly a
> year, is this correct ?
>
> I was hoping to possibly find a link to the source, but couldn't find
> one, so I have no idea just what the default smb.conf is.
>
> Rowland
You may have seen my post on the community forums, I have been attempting to
find a resolution to the issue since I first posted earlier last year, and
others have also reported the same error as far back as September 2022. I have
been getting this error since Unraid 6.10.3 which was built with Samba 4.15.7. I
am not sure about the source, but I can try and message the Unraid support team
if there is anything specific you would like me to look into.

I thought a a clean install of Unraid 6.12.6 (without any configuration) may
help with the default smb.conf query. I have included the contents of smb.conf
(and additional included conf files) from a fresh Unraid 6.12.6 install below:

Clean Install .conf files
============================================smb.conf (clean install)
	root at Tower:~# cat /etc/samba/smb.conf
	[global]
		# configurable identification
		include = /etc/samba/smb-names.conf

	# log stuff only to syslog
	logging = syslog at 0

	# we don't do printers
	show add printer wizard = No
	disable spoolss = Yes
	load printers = No
	printing = bsd
	printcap name = /dev/null

	# disable aio by default
	aio read size = 0
	aio write size = 0

	# misc.
	invalid users = root
	unix extensions = No
	wide links = Yes
	use sendfile = Yes
	host msdfs = No

	# ease upgrades from Samba 3.6
	acl allow execute always = Yes
	# permit NTLMv1 authentication
	ntlm auth = Yes

	# default global fruit settings:
	#fruit:aapl = Yes
	#fruit:nfs_aces = Yes
	fruit:nfs_aces = No
	#fruit:copyfile = No
	#fruit:model = MacSamba

	# hook for user-defined samba config
	include = /boot/config/smb-extra.conf

	# auto-configured shares
	include = /etc/samba/smb-shares.conf

smb-names.conf (clean install)
	# Generated names
	netbios name = Tower
	server string = Media server
	hide dot files = no
	server multi channel support = no
	max open files = 40960
	multicast dns register = No
	disable netbios = yes
	server min protocol = SMB2
	security = USER
	workgroup = WORKGROUP
	map to guest = Bad User
	passdb backend = smbpasswd
	null passwords = Yes
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	create mask = 0777
	directory mask = 0777
	bind interfaces only = yes
	interfaces = 192.168.66.10/24 127.0.0.1

smb-extra.conf (clean install)
	{file does not exist, contents of "samba extra configration" is
empty}

smb-shares.conf (clean install)
	{file exists, but is empty, no user shares configured yet}

Testparm (clean install)
	root at Tower:~# testparm
	Load smb config files from /etc/samba/smb.conf
	lpcfg_do_global_parameter: WARNING: The "null passwords" option is
deprecated
	Loaded services file OK.
	Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

	Server role: ROLE_STANDALONE

	Press enter to see a dump of your service definitions

	# Global parameters
	[global]
		bind interfaces only = Yes
		disable netbios = Yes
		disable spoolss = Yes
	#       host msdfs = No
		interfaces = 192.168.66.10/24 127.0.0.1
		load printers = No
		logging = syslog at 0
		map to guest = Bad User
		max open files = 40960
		multicast dns register = No
		ntlm auth = ntlmv1-permitted
		null passwords = Yes
		passdb backend = smbpasswd
		printcap name = /dev/null
		security = USER
		server min protocol = SMB2
		server multi channel support = No
		server string = Media server
		show add printer wizard = No
		smb1 unix extensions = No
		fruit:nfs_aces = No
		idmap config * : range = 3000-7999
		idmap config * : backend = tdb
		acl allow execute always = Yes
		aio read size = 0
		aio write size = 0
		create mask = 0777
		directory mask = 0777
		hide dot files = No
		include = /etc/samba/smb-shares.conf
		invalid users = root
		use sendfile = Yes
		wide links = Yes
==========================================
Please let me know if a similar output as listed above would be useful from a
clean Unraid 6.9.2 install. Again appreciate all of the time and input on this,
thank you.

Unraidster