One liner: I can’t even ls the NTFS folder, Samba responds with NT_STATUS_ACCESS_DENIED listing \*
I wanted to set up Samba (smbd) to share on my LAN. I followed the Arch wiki tutorial, set up an extra user and specified the few folders I wanted.
For tests I let it run on localhost and connect using Dolphin/smbclient. At first it would not let me use my home user’s folder via smb user “smb_leaky” due to the basic permissions issue (/home/leaky was only listable for leaky). When I added “leaky” as supplementary group to “smb_leaky” and set g+x on the /home/leaky folder - I could list the /home/leaky/shared folder via smb.
TLDR: Basic auth and listing works fine.
Next I wanted to share two folders from a mounted NTFS partition. Here comes the issue I can’t overcome.
- Mounted ntfs-3g part:
/run/media/Xpartition
- Shared path:
/run/media/Xpartition/SteamLibrary/
- /etc/fstab:
UUID=__its_uuid__ /run/media/Xpartition ntfs rw,noatime,nosuid,nodev,relatime,uid=1000,gid=1000,default_permissions,allow_other,windows_names 0 0
Permissions along the path:
getfacl /run
getfacl: Removing leading '/' from absolute path names
# file: run
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
getfacl /run/media
getfacl: Removing leading '/' from absolute path names
# file: run/media
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
getfacl /run/media/Xpartition
getfacl: Removing leading '/' from absolute path names
# file: run/media/Xpartition
# owner: leaky
# group: leaky
user::rwx
group::rwx
other::rwx
getfacl /run/media/Xpartition/SteamLibrary
getfacl: Removing leading '/' from absolute path names
# file: run/media/Xpartition/SteamLibrary
# owner: leaky
# group: leaky
user::rwx
group::rwx
other::rwx
drwxrwxrwx 1 leaky leaky 65536 2. Jan 14:05 SteamLibrary
When I try to connect and list the folder with smbclient:
$ smbclient //127.0.0.1/test --user 'smb_leaky' --debuglevel=2
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
In log level 3 output I see:
root# journalctl -f -u smb
[2024/01/02 19:11:17.780980, 3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
Jan 02 19:11:17 myhostname smbd[32507]: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:360
Again, the listing for the home subfolder works. Answers online usually end with AppArmor/SELinux, but I didn’t install those.
journalctl log when I connect and then ls using smbclient:
You can see the ls command output at 20:17:12
20:17:09 smbd[37419]: Trying _Get_Pwnam(), username as lowercase is smb_leaky
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215133, 5] ../../source3/lib/username.c:159(Get_Pwnam_internals)
20:17:09 smbd[37419]: Get_Pwnam_internals did find user [smb_leaky]!
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215171, 4] ../../source3/smbd/sec_ctx.c:206(push_sec_ctx)
20:17:09 smbd[37419]: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215191, 4] ../../source3/smbd/uid.c:566(push_conn_ctx)
20:17:09 smbd[37419]: push_conn_ctx(0) : conn_ctx_stack_ndx = 1
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215208, 4] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
20:17:09 smbd[37419]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215226, 5] ../../libcli/security/security_token.c:49(security_token_debug)
20:17:09 smbd[37419]: Security token: (NULL)
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215243, 5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
20:17:09 smbd[37419]: UNIX token of user 0
20:17:09 smbd[37419]: Primary group is 0 and contains 0 supplementary groups
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215278, 4] ../../source3/smbd/sec_ctx.c:443(pop_sec_ctx)
20:17:09 smbd[37419]: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215301, 3] ../../source3/passdb/lookup_sid.c:1720(get_primary_group_sid)
20:17:09 smbd[37419]: Forcing Primary Group to 'Domain Users' for smb_leaky
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215319, 4] ../../source3/smbd/sec_ctx.c:206(push_sec_ctx)
20:17:09 smbd[37419]: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215337, 4] ../../source3/smbd/uid.c:566(push_conn_ctx)
20:17:09 smbd[37419]: push_conn_ctx(0) : conn_ctx_stack_ndx = 1
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215355, 4] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
20:17:09 smbd[37419]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215374, 5] ../../libcli/security/security_token.c:49(security_token_debug)
20:17:09 smbd[37419]: Security token: (NULL)
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215390, 5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
20:17:09 smbd[37419]: UNIX token of user 0
20:17:09 smbd[37419]: Primary group is 0 and contains 0 supplementary groups
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215424, 4] ../../source3/smbd/sec_ctx.c:443(pop_sec_ctx)
20:17:09 smbd[37419]: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215455, 4] ../../source3/smbd/sec_ctx.c:206(push_sec_ctx)
20:17:09 smbd[37419]: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215476, 4] ../../source3/smbd/uid.c:566(push_conn_ctx)
20:17:09 smbd[37419]: push_conn_ctx(0) : conn_ctx_stack_ndx = 1
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215500, 4] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
20:17:09 smbd[37419]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215517, 5] ../../libcli/security/security_token.c:49(security_token_debug)
20:17:09 smbd[37419]: Security token: (NULL)
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215535, 5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
20:17:09 smbd[37419]: UNIX token of user 0
20:17:09 smbd[37419]: Primary group is 0 and contains 0 supplementary groups
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215568, 4] ../../source3/smbd/sec_ctx.c:443(pop_sec_ctx)
20:17:09 smbd[37419]: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215594, 4] ../../source3/smbd/sec_ctx.c:443(pop_sec_ctx)
20:17:09 smbd[37419]: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215636, 4] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
20:17:09 smbd[37419]: setting sec ctx (1001, 1001) - sec_ctx_stack_ndx = 0
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215658, 5] ../../libcli/security/security_token.c:53(security_token_debug)
20:17:09 smbd[37419]: Security token SIDs (8):
20:17:09 smbd[37419]: SID[ 0]: S-1-5-21-1939806183-2778731130-2165616960-1000
20:17:09 smbd[37419]: SID[ 1]: S-1-5-21-1939806183-2778731130-2165616960-513
20:17:09 smbd[37419]: SID[ 2]: S-1-22-2-1001
20:17:09 smbd[37419]: SID[ 3]: S-1-22-2-1000
20:17:09 smbd[37419]: SID[ 4]: S-1-1-0
20:17:09 smbd[37419]: SID[ 5]: S-1-5-2
20:17:09 smbd[37419]: SID[ 6]: S-1-5-11
20:17:09 smbd[37419]: SID[ 7]: S-1-22-1-1001
20:17:09 smbd[37419]: Privileges (0x 0):
20:17:09 smbd[37419]: Rights (0x 0):
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215751, 5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
20:17:09 smbd[37419]: UNIX token of user 1001
20:17:09 smbd[37419]: Primary group is 1001 and contains 2 supplementary groups
20:17:09 smbd[37419]: Group[ 0]: 1001
20:17:09 smbd[37419]: Group[ 1]: 1000
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215804, 5] ../../source3/smbd/uid.c:294(print_impersonation_info)
20:17:09 smbd[37419]: print_impersonation_info: Impersonated user: uid=(1001,1001), gid=(0,1001), cwd=[/]
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215825, 4] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
20:17:09 smbd[37419]: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215844, 5] ../../libcli/security/security_token.c:49(security_token_debug)
20:17:09 smbd[37419]: Security token: (NULL)
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215862, 5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
20:17:09 smbd[37419]: UNIX token of user 0
20:17:09 smbd[37419]: Primary group is 0 and contains 0 supplementary groups
20:17:09 smbd[37419]: [2024/01/02 20:17:09.215893, 5] ../../source3/smbd/uid.c:494(smbd_change_to_root_user)
20:17:09 smbd[37419]: change_to_root_user: now uid=(0,0) gid=(0,0)
20:17:09 smbd[37419]: [2024/01/02 20:17:09.216077, 3] ../../source3/smbd/smb2_service.c:814(make_connection_snum)
20:17:09 smbd[37419]: v(ipv4:127.0.0.1:40150) signed connect to service test initially as user smb_leaky (uid=1001, gid=1001) (pid 37419)
20:17:09 smbd[37419]: [2024/01/02 20:17:09.216108, 5] ../../libcli/smb/smb2_signing.c:574(smb2_signing_sign_pdu)
20:17:09 smbd[37419]: signed SMB2 message (sign_algo_id=2)
20:17:12 smbd[37419]: [2024/01/02 20:17:12.671655, 4] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
20:17:12 smbd[37419]: setting sec ctx (1001, 1001) - sec_ctx_stack_ndx = 0
20:17:12 smbd[37419]: [2024/01/02 20:17:12.671762, 5] ../../libcli/security/security_token.c:53(security_token_debug)
20:17:12 smbd[37419]: Security token SIDs (8):
20:17:12 smbd[37419]: SID[ 0]: S-1-5-21-1939806183-2778731130-2165616960-1000
20:17:12 smbd[37419]: SID[ 1]: S-1-5-21-1939806183-2778731130-2165616960-513
20:17:12 smbd[37419]: SID[ 2]: S-1-22-2-1001
20:17:12 smbd[37419]: SID[ 3]: S-1-22-2-1000
20:17:12 smbd[37419]: SID[ 4]: S-1-1-0
20:17:12 smbd[37419]: SID[ 5]: S-1-5-2
20:17:12 smbd[37419]: SID[ 6]: S-1-5-11
20:17:12 smbd[37419]: SID[ 7]: S-1-22-1-1001
20:17:12 smbd[37419]: Privileges (0x 0):
20:17:12 smbd[37419]: Rights (0x 0):
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672005, 5] ../../source3/auth/token_util.c:873(debug_unix_user_token)
20:17:12 smbd[37419]: UNIX token of user 1001
20:17:12 smbd[37419]: Primary group is 1001 and contains 2 supplementary groups
20:17:12 smbd[37419]: Group[ 0]: 1001
20:17:12 smbd[37419]: Group[ 1]: 1000
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672127, 4] ../../source3/smbd/vfs.c:937(vfs_ChDir)
20:17:12 smbd[37419]: vfs_ChDir to /run/media/Xpartition/SteamLibrary
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672384, 5] ../../source3/smbd/vfs.c:999(vfs_ChDir)
20:17:12 smbd[37419]: vfs_ChDir: vfs_ChDir got /run/media/Xpartition/SteamLibrary
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672556, 5] ../../source3/smbd/uid.c:294(print_impersonation_info)
20:17:12 smbd[37419]: print_impersonation_info: Impersonated user: uid=(1001,1001), gid=(0,1001), cwd=[/run/media/Xpartition/SteamLibrary]
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672611, 5] ../../lib/dbwrap/dbwrap.c:172(dbwrap_lock_order_lock)
20:17:12 smbd[37419]: dbwrap_lock_order_lock: check lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672685, 5] ../../lib/dbwrap/dbwrap.c:204(dbwrap_lock_order_unlock)
20:17:12 smbd[37419]: dbwrap_lock_order_unlock: release lock order 1 for /var/cache/samba/smbXsrv_tcon_global.tdb
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672758, 5] ../../source3/smbd/files.c:77(fsp_new)
20:17:12 smbd[37419]: fsp_new: allocated files structure (1 used)
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672886, 5] ../../source3/smbd/files.c:77(fsp_new)
20:17:12 smbd[37419]: fsp_new: allocated files structure (2 used)
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673008, 5] ../../lib/dbwrap/dbwrap.c:172(dbwrap_lock_order_lock)
20:17:12 smbd[37419]: dbwrap_lock_order_lock: check lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673251, 5] ../../lib/dbwrap/dbwrap.c:204(dbwrap_lock_order_unlock)
20:17:12 smbd[37419]: dbwrap_lock_order_unlock: release lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673310, 5] ../../source3/smbd/open.c:4731(open_directory)
20:17:12 smbd[37419]: open_directory: opening directory ., access_mask = 0x81, share_access = 0x3 create_options = 0x1, create_disposition = 0x1, file_attributes = 0x10
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673437, 5] ../../source3/smbd/open.c:4931(open_directory)
20:17:12 smbd[37419]: open_directory: Could not open fd for [.]: NT_STATUS_ACCESS_DENIED
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673491, 5] ../../lib/dbwrap/dbwrap.c:172(dbwrap_lock_order_lock)
20:17:12 smbd[37419]: dbwrap_lock_order_lock: check lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673538, 5] ../../lib/dbwrap/dbwrap.c:204(dbwrap_lock_order_unlock)
20:17:12 smbd[37419]: dbwrap_lock_order_unlock: release lock order 1 for /var/cache/samba/smbXsrv_open_global.tdb
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673580, 5] ../../source3/smbd/files.c:1977(file_free)
20:17:12 smbd[37419]: file_free: freed files structure 225076796 (1 used)
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673628, 3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
20:17:12 smbd[37419]: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:360
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673715, 5] ../../source3/smbd/files.c:1977(file_free)
20:17:12 smbd[37419]: file_free: freed files structure 0 (0 used)
Notably:
20:17:12 smbd[37419]: vfs_ChDir: vfs_ChDir got /run/media/Xpartition/SteamLibrary
20:17:12 smbd[37419]: [2024/01/02 20:17:12.672556, 5] ../../source3/smbd/uid.c:294(print_impersonation_info)
20:17:12 smbd[37419]: print_impersonation_info: Impersonated user: uid=(1001,1001), gid=(0,1001), cwd=[/run/media/Xpartition/SteamLibrary]
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673310, 5] ../../source3/smbd/open.c:4731(open_directory)
20:17:12 smbd[37419]: open_directory: opening directory ., access_mask = 0x81, share_access = 0x3 create_options = 0x1, create_disposition = 0x1, file_attributes = 0x10
20:17:12 smbd[37419]: [2024/01/02 20:17:12.673437, 5] ../../source3/smbd/open.c:4931(open_directory)
20:17:12 smbd[37419]: open_directory: Could not open fd for [.]: NT_STATUS_ACCESS_DENIED
My Manjaro user is uid/gid 1000 and the new Samba share user is uid/gid 1001, plus supplementary group 1000. From my understanding, there’s nothing on the path that’d block the smb user’s ability to list the directory. For a sanity check:
su -s /bin/bash smb_leaky
and then cd’ing into /home/leaky/shared works, and /run/media/Xpartition/SteamLibrary works too. Touching and rm’ing files works too. So it’s not a pure Unix permission issue.
But the /run/media mounts don’t work with Samba.
Config file /etc/samba/smb.conf, cleaned of comments:
[global]
workgroup = WORKGROUP
server string = myHost PC
netbios name = myhostname
server role = standalone server
security = user
logging = systemd
log level = 5
max log size = 50
interfaces = 127.0.0.1/8
bind interfaces only = yes
load printers = no
# Windows 8.1+
server min protocol = SMB2
server max protocol = SMB3
dns proxy = no
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browsable = no
writable = no
[printers]
comment = All Printers
path = /usr/spool/samba
browsable = no
# Change 'guest ok' from 'no' to 'yes' to allow the 'guest account' user to print
guest ok = no
writable = no
printable = no
[game2archive]
comment = Game Archive
path = /run/media/Xpartition/Game-Versions
valid users = smb_leaky
public = no
writable = yes
inherit acls = yes
[steamonx]
comment = Steam Library on X
path = /run/media/Xpartition/SteamLibrary
valid users = smb_leaky
public = no
writable = no
guest ok = yes
inherit acls = yes
[leakygit]
comment = Leaky Git Folder
path = /home/leaky/git/
valid users = smb_leaky
public = no
writable = yes
inherit acls = yes
[test]
comment = Test Share
path = /run/media/Xpartition/SteamLibrary
valid users = smb_leaky
public = no
writable = yes
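Since cd, touch and rm as smb_leaky succeed while smbd still gets NT_STATUS_ACCESS_DENIED in open_directory, a closer sanity check is to replay the syscalls smbd needs as that user and see which one the ntfs-3g mount refuses. The following C probe is an added example, not code from the post or from Samba; it assumes the share user and paths from the post, and it approximates smbd's open_directory (read-only open of the directory, fstat, xattr listing, readdir) rather than reproducing it exactly.

```c
// Added diagnostic probe (not from the post or Samba): replays roughly what smbd's
// open_directory needs on a share root and reports the first failing step and errno.
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

static int fail(const char *step, int fd) {
    int e = errno;
    fprintf(stderr, "%s failed: %s (errno %d)\n", step, strerror(e), e);
    if (fd >= 0) close(fd);
    return e;
}

/* Returns 0 when every step succeeds, otherwise the errno of the first failure. */
int probe_dir(const char *path) {
    /* access_mask 0x81 in the log is a read-only open of the directory itself */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return fail("open", -1);
    struct stat st;
    if (fstat(fd, &st) < 0) return fail("fstat", fd);
    fprintf(stderr, "owner uid=%u gid=%u mode=%04o\n", st.st_uid, st.st_gid, st.st_mode & 07777);
    /* smbd also reads xattrs (DOS attributes, ACLs); a FUSE mount may refuse
       them even when the mode bits look fine, so this step is reported separately */
    char names[1024];
    ssize_t n = flistxattr(fd, names, sizeof names);
    if (n < 0 && errno != ENOTSUP && errno != ERANGE) return fail("flistxattr", fd);
    fprintf(stderr, "flistxattr: %s\n", n < 0 ? strerror(errno) : "ok");
    DIR *d = fdopendir(fd);             /* takes ownership of fd */
    if (!d) return fail("fdopendir", fd);
    int count = 0;
    errno = 0;                          /* readdir signals errors via errno only */
    while (readdir(d) != NULL) count++;
    int e = errno;
    closedir(d);
    if (e) { fprintf(stderr, "readdir failed: %s\n", strerror(e)); return e; }
    fprintf(stderr, "readdir: %d entries\n", count);
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s DIR\n", argv[0]); return 2; }
    fprintf(stderr, "running as uid=%u gid=%u\n", getuid(), getgid());
    return probe_dir(argv[1]) ? 1 : 0;
}
```

Build with `cc -Wall -o dirprobe dirprobe.c` and run it as the share user against both /home/leaky/shared and /run/media/Xpartition/SteamLibrary (e.g. `sudo -u smb_leaky ./dirprobe /run/media/Xpartition/SteamLibrary`); a step that fails only on the NTFS path points at the FUSE mount rather than at the Unix mode bits.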