Rowland Penny
2024-Jan-19 10:41 UTC
[Samba] Share access permission errors after upgrade from 4.12.14
On Fri, 19 Jan 2024 10:12:12 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 16 Jan 2024 23:28:24 +0000
> unraidster via samba <samba at lists.samba.org> wrote:
>
> > On Tuesday, 16 January 2024 at 09:46, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > As far as I can see, unraid is based on slackware, so it should
> > > work. Is it possible to check the ownership & permissions set on
> > > /mnt/user/PrivateShare ?
> > >
> > > Is either apparmor or selinux running ?
> > >
> > > Rowland
> >
> > Thanks for the reply, I have included some responses below:
> >
> > The permissions set to /mnt/user/PrivateShare is:
> >
> > drwxrwx---+ 1 ur_admin ur-lab_access 4.0K May 24 2023
> > PrivateShare/
> >
> > There is an ACL set on that folder too:
> >
> > getfacl: Removing leading '/' from absolute path names
> > # file: mnt/user/PrivateShare/
> > # owner: ur_admin
> > # group: ur-lab_access
> > user::rwx
> > user:ur-lab_access:rwx
> > user:ur-lab-privateshare-ro:r-x
> > user:ur-lab-privateshare-rw:rwx
> > group::rwx
> > group:ur_admin:rwx
> > group:ur-lab_access:rwx
> > group:ur-lab-privateshare-ro:r-x
> > group:ur-lab-privateshare-rw:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:ur_admin:rwx
> > default:user:ur-lab-privateshare-ro:r-x
> > default:user:ur-lab-privateshare-rw:rwx
> > default:group::---
> > default:group:ur_admin:rwx
> > default:group:ur-lab_access:---
> > default:group:ur-lab-privateshare-ro:r-x
> > default:group:ur-lab-privateshare-rw:rwx
> > default:mask::rwx
> > default:other::---
> >
> >
> > The rwuser is a member of the ur-lab-privateshare-rw group. I
> > noticed that there are two groups (ur-lab-privateshare-ro and
> > ur-lab-privateshare-rw) setup with a user and a group permission in
> > the ACL. I retested after removing both groups' user permission
> > (leaving the intended group ACL entry for each group) and still
> > received the same error. The non-updated-IDMAP configuration I
> > started the thread with did not have a duplicate user ACL for the
> > groups and therefore I suspect it isn't contributing to this issue.
> >
> > apparmor: I tried the following commands to see if apparmor was
> > enabled: cat /sys/module/apparmor/parameters/enabled
> > sudo apparmor_status
> >
> > Neither returned a result.
> >
> > Selinux: I tried the following commands to see if selinux was
> > enabled: sudo getenforce
> > sudo sestatus
> >
> > Neither returned a result.
> >
> > Therefore, I suspect that apparmor and selinux are not
> > installed/enabled.
> >
> > Best Regards,
> > Unraidster
> >
>
> Sorry to be so long in replying to this, but life got in the way.
>
> You initially had an incorrect smb.conf and you changed it, but by
> doing so you will have changed the user & group IDs, not their names,
> the numbers. You will probably need to change the user & group
> ownership of all directories & files and run 'net cache flush' as
> root.
>
> You also say this is on a computer running unraid, did your initial
> smb.conf come from just clicking things on a 'web page' on your unraid
> box ?
>
> Rowland
>

So, I took a wander over to the unraid community forum and found a post which seems to say that this problem has been going on for nearly a year, is this correct ?

I was hoping to possibly find a link to the source, but couldn't find one, so I have no idea just what the default smb.conf is.

Rowland
unraidster
2024-Jan-23 21:47 UTC
[Samba] Share access permission errors after upgrade from 4.12.14
Hi Rowland,

Thanks for getting back to me, appreciate your time and help. Apologies for the long response, I have tried to include as much information as possible.

On Friday, 19 January 2024 at 10:12, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Sorry to be so long in replying to this, but life got in the way.
>
> You initially had an incorrect smb.conf and you changed it, but by
> doing so you will have changed the user & group IDs, not their names,
> the numbers. You will probably need to change the user & group
> ownership of all directories & files and run 'net cache flush' as root.
>
> You also say this is on a computer running unraid, did your initial
> smb.conf come from just clicking things on a 'web page' on your unraid
> box ?
>
> Rowland

Here is a summary of how I changed the IDMAP configuration within Unraid 6.9.2.:

- Configured the idmap within the samba configuration (within Unraid this is done using a feature they call "Samba extra configuration:" in the GUI which adds an include to the smb.conf file).
- Ran "net cache flush"
- Renamed all of the .tdb files within /var/lib/samba/. (did wonder if I should have done this, and if I should have done it before the net cache flush)
- Started the array (which I believe starts samba).
- At this stage, the shares are not accessible, even by the owner (ur_admin), as you stated the ID values will have changed.
- Ran "chown ur_admin:ur-lab_access" on the /mnt/user and /mnt/user/PrivateShare as root.
- Applied Permissions back onto the /mnt/user/PrivateShare folder using a Windows domain member logged in as TESTLAB\ur_admin via access to the share.
  - Update: UR_Admin User - Change Apply To from "This Folder" to "This folder, subfolders and files".
  - Add: _RO Group - RO access applied to "This folder, subfolders and files".
  - Add: _RW Group - RW access applied to "This folder, subfolders and files".
  - Remove the Everyone Permission
  - Remove the stale IDs
  - Ensure the "Replace all child object permission entries with inheritable permission entries from this object" option is selected at all update/add steps.
- Tested access: share accessible from the rwuser (member of _RW group), ur_admin, and rouser (member of _RO group) accounts.
- (I have the environment snapshotted to this state so can return to this point at any time).
- As part of your recent message, I applied the recommendations to the smb.conf file using the "Samba extra configuration:" feature of Unraid to make the recommended removals from the smb.conf.

    ntlm auth = ntlmv2-only
    server min protocol = SMB2_02
    host msdfs = yes
    ldap ssl = start tls
    max open files = 16384
    multicast dns register = yes
    os level = 20
    server multi channel support = yes
    acl allow execute always = no
    aio read size = 1
    aio write size = 1
    dos filemode = no
    inherit acls = no
    inherit permissions = no
    null passwords = no
    vfs objects = acl_xattr
    acl group control = no

- Tested access: the share is accessible as detailed above (still Unraid 6.9.2).
- Upgraded this environment to Unraid 6.12.6 and then attempted access using the rwuser account results in the errors.
- Note: The configuration outputs I have posted in all of my previous messages on the messaging list have been captured by running testparm as root.
- Note: The "Samba extra configuration:" is modified via the web GUI.

On Fri, 19 Jan 2024 10:12:12 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> So, I took a wander over to the unraid community forum and found a post
> which seems to say that this problem has been going on for nearly a
> year, is this correct ?
>
> I was hoping to possibly find a link to the source, but couldn't find
> one, so I have no idea just what the default smb.conf is.
>
> Rowland

You may have seen my post on the community forums, I have been attempting to find a resolution to the issue since I first posted earlier last year, and others have also reported the same error as far back as September 2022. I have been getting this error since Unraid 6.10.3 which was built with Samba 4.15.7.

I am not sure about the source, but I can try and message the Unraid support team if there is anything specific you would like me to look into.

I thought a clean install of Unraid 6.12.6 (without any configuration) may help with the default smb.conf query. I have included the contents of smb.conf (and additional included conf files) from a fresh Unraid 6.12.6 install below:

Clean Install .conf files
============================================

smb.conf (clean install)

    root@Tower:~# cat /etc/samba/smb.conf
    [global]
    # configurable identification
    include = /etc/samba/smb-names.conf

    # log stuff only to syslog
    logging = syslog@0

    # we don't do printers
    show add printer wizard = No
    disable spoolss = Yes
    load printers = No
    printing = bsd
    printcap name = /dev/null

    # disable aio by default
    aio read size = 0
    aio write size = 0

    # misc.
    invalid users = root
    unix extensions = No
    wide links = Yes
    use sendfile = Yes
    host msdfs = No

    # ease upgrades from Samba 3.6
    acl allow execute always = Yes

    # permit NTLMv1 authentication
    ntlm auth = Yes

    # default global fruit settings:
    #fruit:aapl = Yes
    #fruit:nfs_aces = Yes
    fruit:nfs_aces = No
    #fruit:copyfile = No
    #fruit:model = MacSamba

    # hook for user-defined samba config
    include = /boot/config/smb-extra.conf

    # auto-configured shares
    include = /etc/samba/smb-shares.conf

smb-names.conf (clean install)

    # Generated names
    netbios name = Tower
    server string = Media server
    hide dot files = no
    server multi channel support = no
    max open files = 40960
    multicast dns register = No
    disable netbios = yes
    server min protocol = SMB2
    security = USER
    workgroup = WORKGROUP
    map to guest = Bad User
    passdb backend = smbpasswd
    null passwords = Yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    create mask = 0777
    directory mask = 0777
    bind interfaces only = yes
    interfaces = 192.168.66.10/24 127.0.0.1

smb-extra.conf (clean install)

    {file does not exist, contents of "samba extra configuration" is empty}

smb-shares.conf (clean install)

    {file exists, but is empty, no user shares configured yet}

Testparm (clean install)

    root@Tower:~# testparm
    Load smb config files from /etc/samba/smb.conf
    lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
    Loaded services file OK.
    Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

    Server role: ROLE_STANDALONE

    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
    bind interfaces only = Yes
    disable netbios = Yes
    disable spoolss = Yes
    # host msdfs = No
    interfaces = 192.168.66.10/24 127.0.0.1
    load printers = No
    logging = syslog@0
    map to guest = Bad User
    max open files = 40960
    multicast dns register = No
    ntlm auth = ntlmv1-permitted
    null passwords = Yes
    passdb backend = smbpasswd
    printcap name = /dev/null
    security = USER
    server min protocol = SMB2
    server multi channel support = No
    server string = Media server
    show add printer wizard = No
    smb1 unix extensions = No
    fruit:nfs_aces = No
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    acl allow execute always = Yes
    aio read size = 0
    aio write size = 0
    create mask = 0777
    directory mask = 0777
    hide dot files = No
    include = /etc/samba/smb-shares.conf
    invalid users = root
    use sendfile = Yes
    wide links = Yes

==========================================

Please let me know if a similar output as listed above would be useful from a clean Unraid 6.9.2 install.

Again appreciate all of the time and input on this, thank you.

Unraidster
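
Added example, not part of the original thread and not Samba or Unraid code: a small Python audit that parses the [global] section of testparm output such as the clean-install dump posted above and reports the settings that relax authentication or file permissions. The CHECKS table is this example's own policy assumption, and SAMPLE is a constructed subset of the posted dump.

```python
import re
# Constructed sample: subset of the clean-install testparm dump quoted in the thread.
SAMPLE = """\
[global]
    map to guest = Bad User
    ntlm auth = ntlmv1-permitted
    null passwords = Yes
    acl allow execute always = Yes
    create mask = 0777
    directory mask = 0777
    invalid users = root
    wide links = Yes
"""

def truthy(v):
    return v.lower() in {"yes", "true", "1", "on"}

def world_writable(v):
    return int(v, 8) & 0o002 != 0  # "other" write bit set in the octal mask

# Assumption: this policy table is the example's own, not a Samba or Unraid list.
CHECKS = {
    "ntlm auth": (lambda v: truthy(v) or v.lower() == "ntlmv1-permitted", "NTLMv1 accepted"),
    "null passwords": (truthy, "accounts with empty passwords may log in"),
    "map to guest": (lambda v: v.lower() != "never", "failed logins can fall back to guest"),
    "wide links": (truthy, "symlinks may resolve outside the share"),
    "acl allow execute always": (truthy, "ACL execute right not checked on open"),
    "create mask": (world_writable, "new files may be world-writable"),
    "directory mask": (world_writable, "new directories may be world-writable"),
}

def parse_global(text):
    """Return {parameter: value} for [global]; names are lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(text):  # sorted (parameter, value, reason) tuples for each match in CHECKS
    params = parse_global(text)
    return sorted((k, params[k], why) for k, (weak, why) in CHECKS.items()
                  if k in params and weak(params[k]))
```

Calling audit() on saved testparm output returns one tuple per flagged parameter; parameters absent from the dump are not reported, since testparm omits values left at their defaults.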