Rowland Penny
2024-Jan-24 10:51 UTC
[Samba] Share access permission errors after upgrade from 4.12.14
On Tue, 23 Jan 2024 21:47:27 +0000
unraidster via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> Thanks for getting back to me, appreciate your time and help.
> Apologies for the long response, I have tried to include as much
> information as possible.
>
> On Friday, 19 January 2024 at 10:12, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > Sorry to be so long in replying to this, but life got in the way.
> >
> > You initially had an incorrect smb.conf and you changed it, but by
> > doing so you will have changed the user & group IDs, not their
> > names, the numbers. You will probably need to change the user &
> > group ownership of all directories & files and run 'net cache
> > flush' as root.
> >
> > You also say this is on a computer running unraid, did your initial
> > smb.conf come from just clicking things on a 'web page' on your
> > unraid box ?
> >
> > Rowland
>
> Here is a summary of how I changed the IDMAP configuration within
> Unraid 6.9.2.:
>
> - Configured the idmap within the samba configuration (within
>   Unraid this is done using a feature they call "Samba extra
>   configuration:" in the GUI which adds an include to the smb.conf
>   file).
> - Ran "net cache flush"
> - Renamed all of the .tdb files within /var/lib/samba/. (did
>   wonder if I should have done this, and if I should have done it
>   before the net cache flush)
> - Started the array (which I believe starts samba).
> - At this stage, the shares are not accessible, even by the
>   owner (ur_admin), as you stated the ID values will have changed.
> - Ran "chown ur_admin:ur-lab_access" on the /mnt/user and
>   /mnt/user/PrivateShare as root.
> - Applied Permissions back onto the /mnt/user/PrivateShare
>   folder using a Windows domain member logged in as TESTLAB\ur_admin
>   via access to the share.
>   - Update: UR_Admin User - Change Apply To from "This Folder" to
>     "This folder, subfolders and files".
>   - Add: _RO Group - RO access applied to "This folder, subfolders
>     and files".
>   - Add: _RW Group - RW access applied to "This folder, subfolders
>     and files".
>   - Remove the Everyone Permission
>   - Remove the stale IDs
>   - Ensure the "Replace all child object permission entries with
>     inheritable permission entries from this object" option is
>     selected at all update/add steps.
> - Tested access: share accessible from the rwuser (member of
>   _RW group), ur_admin, and rouser (member of _RO group) accounts.
> - (I have the environment snapshotted to this state so can
>   return to this point at any time.)
> - As part of your recent message, I applied the
>   recommendations to the smb.conf file using the "Samba extra
>   configuration:" feature of Unraid to make the recommended removals
>   from the smb.conf.
>
>   ntlm auth = ntlmv2-only
>   server min protocol = SMB2_02
>   host msdfs = yes
>   ldap ssl = start tls
>   max open files = 16384
>   multicast dns register = yes
>   os level = 20
>   server multi channel support = yes
>   acl allow execute always = no
>   aio read size = 1
>   aio write size = 1
>   dos filemode = no
>   inherit acls = no
>   inherit permissions = no
>   null passwords = no
>   vfs objects = acl_xattr
>   acl group control = no
>
> - Tested access: the share is accessible as detailed above
>   (still Unraid 6.9.2).
> - Upgraded this environment to Unraid 6.12.6 and then
>   attempted access using the rwuser account results in the errors.
> - Note: The configuration outputs I have posted in all of my
>   previous messages on the messaging list have been captured by running
>   testparm as root.
> - Note: The "Samba extra configuration:" is modified via the
>   web GUI.
>
> On Fri, 19 Jan 2024 10:12:12 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > So, I took a wander over to the unraid community forum and found a
> > post which seems to say that this problem has been going on for
> > nearly a year, is this correct ?
> >
> > I was hoping to possibly find a link to the source, but couldn't
> > find one, so I have no idea just what the default smb.conf is.
> >
> > Rowland
>
> You may have seen my post on the community forums, I have been
> attempting to find a resolution to the issue since I first posted
> earlier last year, and others have also reported the same error as
> far back as September 2022. I have been getting this error since
> Unraid 6.10.3 which was built with Samba 4.15.7. I am not sure about
> the source, but I can try and message the Unraid support team if
> there is anything specific you would like me to look into.
>
> I thought a clean install of Unraid 6.12.6 (without any
> configuration) may help with the default smb.conf query. I have
> included the contents of smb.conf (and additional included conf
> files) from a fresh Unraid 6.12.6 install below:
>
> Clean Install .conf files
> ============================================
>
> smb.conf (clean install)
> root@Tower:~# cat /etc/samba/smb.conf
> [global]
> # configurable identification
> include = /etc/samba/smb-names.conf
>
> # log stuff only to syslog
> logging = syslog@0
>
> # we don't do printers
> show add printer wizard = No
> disable spoolss = Yes
> load printers = No
> printing = bsd
> printcap name = /dev/null
>
> # disable aio by default
> aio read size = 0
> aio write size = 0
>
> # misc.
> invalid users = root
> unix extensions = No
> wide links = Yes
> use sendfile = Yes
> host msdfs = No
>
> # ease upgrades from Samba 3.6
> acl allow execute always = Yes
> # permit NTLMv1 authentication
> ntlm auth = Yes
>
> # default global fruit settings:
> #fruit:aapl = Yes
> #fruit:nfs_aces = Yes
> fruit:nfs_aces = No
> #fruit:copyfile = No
> #fruit:model = MacSamba
>
> # hook for user-defined samba config
> include = /boot/config/smb-extra.conf
>
> # auto-configured shares
> include = /etc/samba/smb-shares.conf
>
> smb-names.conf (clean install)
> # Generated names
> netbios name = Tower
> server string = Media server
> hide dot files = no
> server multi channel support = no
> max open files = 40960
> multicast dns register = No
> disable netbios = yes
> server min protocol = SMB2
> security = USER
> workgroup = WORKGROUP
> map to guest = Bad User
> passdb backend = smbpasswd
> null passwords = Yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> create mask = 0777
> directory mask = 0777
> bind interfaces only = yes
> interfaces = 192.168.66.10/24 127.0.0.1
>
> smb-extra.conf (clean install)
> {file does not exist, contents of "samba extra configuration"
> is empty}
>
> smb-shares.conf (clean install)
> {file exists, but is empty, no user shares configured yet}

I rearranged the smb.conf above and added comments:

[global]
netbios name = Tower
server string = Media server
security = USER
workgroup = WORKGROUP
bind interfaces only = yes
interfaces = 192.168.66.10/24 127.0.0.1

# we don't do printers
show add printer wizard = No
disable spoolss = Yes
load printers = No
printing = bsd
printcap name = /dev/null

# log stuff only to syslog
logging = syslog@0

use sendfile = Yes

hide dot files = no # why ? You do not usually need to see them.
server multi channel support = no # reasonable, your unraid device probably only has one network device.
max open files = 40960 # why ? You shouldn't need to touch this.
multicast dns register = No # why ? netbios is turned off below, might be a good idea to use Avahi.
disable netbios = yes
server min protocol = SMB2 # This is the default and has been for quite some time.
map to guest = Bad User
passdb backend = smbpasswd # The 'smbpasswd' backend was replaced years ago by the tdbsam backend.
null passwords = Yes # This is just plain stupidity.
idmap config * : backend = tdb # This and the line below are not required on a standalone server.
idmap config * : range = 3000-7999
create mask = 0777 # This and the line below would be better set in the shares.
directory mask = 0777

# disable aio by default
aio read size = 0 # Why ? This could potentially slow things down.
aio write size = 0 # Why ? This could potentially slow things down.

# misc.
invalid users = root # Old school, use acls.
unix extensions = No # This is only here to allow the next line.
wide links = Yes # Not a good idea, very insecure.
host msdfs = No

# ease upgrades from Samba 3.6 # Pardon ? 3.6 Died 8 years ago
acl allow execute always = Yes
# permit NTLMv1 authentication
ntlm auth = Yes # Why ?

# default global fruit settings: # None of which will have any effect because none of the Apple vfs objects are turned on.
#fruit:aapl = Yes
#fruit:nfs_aces = Yes
fruit:nfs_aces = No
#fruit:copyfile = No
#fruit:model = MacSamba

It is for a standalone server.

Can you please join it to the domain and then post the new smb.conf, I
am looking to see what the default idmap backend is for the domain.

Rowland
unraidster
2024-Jan-24 17:31 UTC
[Samba] Share access permission errors after upgrade from 4.12.14
On Wednesday, 24 January 2024 at 10:51, Rowland Penny via samba <samba at lists.samba.org> wrote:

> I rearranged the smb.conf above and added comments:
>
> [global]
> netbios name = Tower
> server string = Media server
> security = USER
> workgroup = WORKGROUP
> bind interfaces only = yes
> interfaces = 192.168.66.10/24 127.0.0.1
>
> # we don't do printers
> show add printer wizard = No
> disable spoolss = Yes
> load printers = No
> printing = bsd
> printcap name = /dev/null
>
> # log stuff only to syslog
> logging = syslog@0
>
> use sendfile = Yes
>
> hide dot files = no # why ? You do not usually need to see them.
> server multi channel support = no # reasonable, your unraid device probably only has one network device.
> max open files = 40960 # why ? You shouldn't need to touch this.
> multicast dns register = No # why ? netbios is turned off below, might be a good idea to use Avahi.
> disable netbios = yes
> server min protocol = SMB2 # This is the default and has been for quite some time.
> map to guest = Bad User
> passdb backend = smbpasswd # The 'smbpasswd' backend was replaced years ago by the tdbsam backend.
> null passwords = Yes # This is just plain stupidity.
> idmap config * : backend = tdb # This and the line below are not required on a standalone server.
> idmap config * : range = 3000-7999
> create mask = 0777 # This and the line below would be better set in the shares.
> directory mask = 0777
>
> # disable aio by default
> aio read size = 0 # Why ? This could potentially slow things down.
> aio write size = 0 # Why ? This could potentially slow things down.
>
> # misc.
> invalid users = root # Old school, use acls.
> unix extensions = No # This is only here to allow the next line.
> wide links = Yes # Not a good idea, very insecure.
> host msdfs = No
>
> # ease upgrades from Samba 3.6 # Pardon ? 3.6 Died 8 years ago
> acl allow execute always = Yes
> # permit NTLMv1 authentication
> ntlm auth = Yes # Why ?
>
> # default global fruit settings: # None of which will have any effect because none of the Apple vfs objects are turned on.
> #fruit:aapl = Yes
> #fruit:nfs_aces = Yes
> fruit:nfs_aces = No
> #fruit:copyfile = No
> #fruit:model = MacSamba
>
> It is for a standalone server.
>
> Can you please join it to the domain and then post the new smb.conf, I
> am looking to see what the default idmap backend is for the domain.
>
> Rowland

Hi,

I assumed that the rearranged config you provided was for feedback, I haven't made any changes to the configuration based on those comments.

I'll send a message to the Unraid support team with a link to this post when I get to an output with the issue.

I have been including outputs from testparm. I assumed that the command's output is the configuration that is used by smbd after the smb.conf and all included .conf files have been processed, like a resultant configuration. Is that correct? (I wanted to validate that this is the configuration that I should expect is used by the system and there isn't anything in the .conf files that could be modifying the configuration.) I noticed that if I set a property to the default value (as specified in the man pages) it would disappear from the testparm output, I assumed this is because testparm will "filter" out any properties with the system default value.

The .conf exports and testparm output were from a clean install. I have joined the Unraid server to the same TESTLAB domain as my previous lab Unraid server. Please find the updated smb.conf below:

smb.conf:
root@Tower:~# cat /etc/samba/smb.conf
[global]
# configurable identification
include = /etc/samba/smb-names.conf

# log stuff only to syslog
logging = syslog@0

# we don't do printers
show add printer wizard = No
disable spoolss = Yes
load printers = No
printing = bsd
printcap name = /dev/null

# disable aio by default
aio read size = 0
aio write size = 0

# misc.
invalid users = root
unix extensions = No
wide links = Yes
use sendfile = Yes
host msdfs = No

# ease upgrades from Samba 3.6
acl allow execute always = Yes
# permit NTLMv1 authentication
ntlm auth = Yes

# default global fruit settings:
#fruit:aapl = Yes
#fruit:nfs_aces = Yes
fruit:nfs_aces = No
#fruit:copyfile = No
#fruit:model = MacSamba

# hook for user-defined samba config
include = /boot/config/smb-extra.conf

# auto-configured shares
include = /etc/samba/smb-shares.conf

Output from testparm:
root@Tower:~# testparm
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	bind interfaces only = Yes
	disable netbios = Yes
	disable spoolss = Yes
	host msdfs = No
	interfaces = 192.168.66.10/24 127.0.0.1
	ldap ssl = no
	load printers = No
	logging = syslog@0
	max open files = 40960
	multicast dns register = No
	ntlm auth = ntlmv1-permitted
	null passwords = Yes
	printcap name = /dev/null
	realm = TESTLAB.COM
	security = ADS
	server min protocol = SMB2
	server multi channel support = No
	server string = Media server
	show add printer wizard = No
	smb1 unix extensions = No
	winbind use default domain = Yes
	workgroup = TESTLAB
	fruit:nfs_aces = No
	idmap config * : range = 10000-4000000000
	idmap config * : backend = hash
	acl allow execute always = Yes
	acl group control = Yes
	aio read size = 0
	aio write size = 0
	dos filemode = Yes
	hide dot files = No
	include = /etc/samba/smb-shares.conf
	inherit acls = Yes
	inherit permissions = Yes
	invalid users = root
	map acl inherit = Yes
	use sendfile = Yes
	wide links = Yes

I wasn't able to find the IDMAP lines in the smb.conf. Found them within the smb-names.conf file:

root@Tower:~# cat /etc/samba/smb-names.conf
# Generated names
netbios name = Tower
server string = Media server
hide dot files = no
server multi channel support = no
max open files = 40960
multicast dns register = No
disable netbios = yes
server min protocol = SMB2
security = ADS
workgroup = TESTLAB
realm = testlab.com
null passwords = Yes
idmap config * : backend = hash
idmap config * : range = 10000-4000000000
winbind use default domain = Yes
ldap ssl = No
nt acl support = Yes
acl map full control = Yes
acl group control = Yes
inherit acls = Yes
inherit permissions = Yes
map acl inherit = Yes
dos filemode = Yes
bind interfaces only = yes
interfaces = 192.168.66.10/24 127.0.0.1

Please let me know if there is anything else to change/try/capture.

Thanks,
Unraidster
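Two points in this thread call for the same small tool: Rowland's commented smb.conf (null passwords, wide links, NTLMv1 via ntlm auth, the smbpasswd backend, and the question of which idmap backend the domain member ends up with), and unraidster's question about whether testparm shows the configuration as smbd sees it after every included file has been processed. The checker below is an added example for this thread, not code from the Samba project or from either poster. It expands `include =` lines in order, so a later assignment overrides an earlier one (the last-wins rule testparm's dump reflects), then reports the global settings flagged above and summarises the idmap backends. The three sample files are constructed from the configs posted in the thread; their paths are only dictionary keys and nothing is read from disk.

```python
"""Minimal smb.conf checker: expands `include =` lines the way Samba does
(later values win) and reports the settings flagged in the thread.
Added example for this thread, not Samba's own tooling; the sample files
below are constructed from the configs posted above."""
import re
from typing import Dict, List, Tuple

# Constructed in-memory "filesystem" modelled on the Unraid layout in the
# thread: smb.conf includes smb-names.conf first and smb-extra.conf last.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/samba/smb.conf": """
[global]
    # configurable identification
    include = /etc/samba/smb-names.conf
    logging = syslog@0
    invalid users = root
    unix extensions = No
    wide links = Yes
    ; NTLMv1 allowed
    ntlm auth = Yes
    # hook for user-defined samba config
    include = /boot/config/smb-extra.conf
""",
    "/etc/samba/smb-names.conf": """
netbios name = Tower
security = ADS
workgroup = TESTLAB
realm = testlab.com
null passwords = Yes
passdb backend = smbpasswd
idmap config * : backend = hash
idmap config * : range = 10000-4000000000
""",
    # Overrides like the ones the poster added via "Samba extra configuration".
    "/boot/config/smb-extra.conf": """
ntlm auth = ntlmv2-only
null passwords = no
wide links = No
""",
}


def _norm(key: str) -> str:
    """Samba parameter names are case-insensitive and whitespace-insensitive."""
    return re.sub(r"\s+", " ", key.strip().lower())


def _parse_into(conf: Dict[str, Dict[str, str]], path: str,
                files: Dict[str, str], section: str) -> str:
    """Read one file into conf; return the section that was current at EOF."""
    if path not in files:          # Unraid's smb-extra.conf need not exist
        return section
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = _norm(m.group(1))
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = _norm(key), value.strip()
        if key == "include":       # expand in place so the last assignment wins
            section = _parse_into(conf, value, files, section)
            continue
        conf.setdefault(section, {})[key] = value
    return section


def parse_smb_conf(path: str, files: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}} with includes resolved."""
    conf: Dict[str, Dict[str, str]] = {"global": {}}
    _parse_into(conf, path, files, "global")
    return conf


def _is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1", "on"}


def idmap_backends(g: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each idmap domain ('*' is the default domain) to (backend, range)."""
    out: Dict[str, Tuple[str, str]] = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (.+?) : backend", key)
        if m:
            dom = m.group(1)
            out[dom] = (value, g.get(f"idmap config {dom} : range", ""))
    return out


def check_global(g: Dict[str, str]) -> List[str]:
    """Findings for the merged [global]; the fallbacks are Samba's defaults."""
    issues: List[str] = []
    if _is_true(g.get("null passwords", "no")):
        issues.append("null passwords = Yes: empty passwords accepted (deprecated option)")
    if _is_true(g.get("wide links", "no")):
        issues.append("wide links = Yes: symlinks can point outside the share")
    if g.get("ntlm auth", "ntlmv2-only").lower() in {"yes", "ntlmv1-permitted"}:
        issues.append("ntlm auth permits NTLMv1 (testparm prints it as ntlmv1-permitted)")
    if g.get("passdb backend", "tdbsam").lower().startswith("smbpasswd"):
        issues.append("passdb backend = smbpasswd: superseded by tdbsam")
    return issues


def audit(path: str, files: Dict[str, str]) -> List[str]:
    """Parse from the top-level smb.conf and check the effective [global]."""
    return check_global(parse_smb_conf(path, files)["global"])


if __name__ == "__main__":
    g = parse_smb_conf("/etc/samba/smb.conf", SAMPLE_FILES)["global"]
    for finding in check_global(g):
        print(finding)
    print("idmap:", idmap_backends(g))
```

With the constructed extra file in place only the smbpasswd backend is reported, because the later include overrides the three other weak settings; drop that file from the dictionary and all four findings return, which is the clean-install state shown in the testparm output above. The observation that parameters set to their default vanish from testparm's dump is correct; `testparm -v` prints every parameter including defaults.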