Can't Connect to Samba share but I can SSH and I can connect to other shares

Hi. On my local network I have Windows PCs, Macs, and my main Manjaro workstation. I just built a second Manjaro machine (computer name is BEELINK2) and I cannot connect to any Samba share on that machine.

  • I followed [root tip] [How To] Samba Server From Scratch
  • I CAN SSH to BEELINK2 from any other machine on my network
  • On the BEELINK2, I CAN connect to my Macbook and my Windows shares.
  • On other machines, I DO see the shared folders, “public” and “office” but login is always denied, whether I try anonymous, or my username and password.
  • I DID add my username and password to Samba using smbpasswd

Maybe I missed something obvious but everything else works and I can’t figure out why it won’t accept my credentials. I’ve been frustrated with this for the whole weekend. Any help is appreciated.

Here’s my smb.conf:


[global]
   workgroup = WORKGROUP
   server string = Samba File Server
   server role = standalone server   
   log file = /var/log/samba/%m.log
   max log size = 1000
   guest account = nobody
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   pam password change = yes

[public]
  path = /srv/samba/public
  public = yes
  writable = yes
  printable = no

[data]
  path = /srv/samba/data
  public = no
  writable = yes
  printable = no
  guest ok = no

Most of the other threads I found on the internet were solved because people forgot to do: sudo smbpasswd -a username but as I described above, I did that from the start. I even did it again just to be sure.

I’m still trying things and searching for answers. I feel like setting up a Samba share shouldn’t be this difficult.

Why?

System administration has never been easy - there is a reason why good system admins do not come cheap.

When I wrote the above mentioned guide it was not written from memory - it was hands on … using a Pi with a minimal Manjaro system.

I will retrace the guide - see if I forgot something - in fact I already spotted one thing - I forgot to mention you need to enable and start the smb service - but I reckon you figured that out yourself :grin:

EDIT

As I used CLI to set all this up - one thing to bear in mind - the first user created on a Manjaro system does not belong to the group users which in the context also will block that user from writing to the public share.

Public share is writable by users so - even though your username can login into the service - you will need to add your username to users to be able to write to the public share

I really appreciate your guides! I’m currently on Samba - ArchWiki trying to figure out if I missed anything. Btw, this is a brand new Manjaro installation. I downloaded the latest XFCE image just a couple of days ago.

I feel like I’m missing something simple because everything else works.

EDIT

Public share is writable by users so - even though your username can login into the service - you will need to add your username to users to be able to write to the public share

Yes! I figured that part out earlier! So now I CAN write to the public share on the local machine.

The problem is, I cannot connect to ANY share (/public or /office, anonymous or username/password) from any other machine. It just goes right back to the password prompt again. I have a Macbook, a Windows 11 box, and my main Manjaro machine that I built in 2019. None will connect.

EDIT2
Not sure if this helps any but this is what I get from my older machine…

$ nmblookup -A 192.168.1.203
Looking up status of 192.168.1.203
	BEELINK2        <00> -         B <ACTIVE> 
	BEELINK2        <03> -         B <ACTIVE> 
	BEELINK2        <20> -         B <ACTIVE> 
	WORKGROUP       <00> - <GROUP> B <ACTIVE> 
	WORKGROUP       <1e> - <GROUP> B <ACTIVE> 

	MAC Address = 00-00-00-00-00-00

$ smbclient -L \\BEELINK2
Password for [WORKGROUP\design215]:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	public          Disk      
	data            Disk      
	IPC$            IPC       IPC Service (Samba File Server)
SMB1 disabled -- no workgroup available

It looks ok apart from the anonymous login which you shouldn’t have if the user design215 is authenticated

Yeah, I’m not sure why my machine (design215) asked for a password first. When I try to do the Anonymous login from the File Manager, I get this…

[Image: Screenshot_2024-03-12_03-57-59]

But it shows that it’s mounted.

My public folder on BEELINK2 is:
drwxrwxr-x 2 root users 4096 Mar 11 19:42 public

What should the /data folder have for permissions? I didn’t see that in your guide.

The guide is advancing - and the initial values are changed during configuration - as you tag along.

Initially everything is root owned - see the [root tip] [How To] Samba Server From Scratch section

At the end - after creating the users - the tree has changes related to the admin user created as part of the exercise.

EDIT

I think there is a difference between local mode and root.

The guide is written using root and it is quite possible that using sudo to add a user is different from the user changing their own password.

Ok yes, I remember that part. Instead of “admin” I used my regular username on that machine, since it already had a home directory and is a member of the office and users groups.

So, on the BEELINK2 machine, I just noticed something…

$ smbclient -L BEELINK2 -U rob215x
Password for [WORKGROUP\rob215x]:
session setup failed: NT_STATUS_LOGON_FAILURE

$ smbclient -L BEELINK2
Password for [WORKGROUP\rob215x]:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	public          Disk      
	data            Disk      
	IPC$            IPC       IPC Service (Samba File Server)
SMB1 disabled -- no workgroup available

Does that make any sense?

I may not answer right away because it’s 5am here and I need some sleep but I appreciate all of your help!

I should have ended with “shouldn’t be this difficult… on THIS machine.” But I do agree with you.

As I said earlier, the BEELINK2 is a brand new XFCE Manjaro install. It’s a 4 inch SBC using a Celeron 5105 processor, 16GB RAM, and a 512GB SSD. I’m tempted to just run the installer all over again, but I also want to figure out what’s going on here. Besides Samba and its associated programs, I’ve only installed Chrome and Thunar Shares.

I can SSH in and out, I can connect OUT to all of my other SMB shares on the network (Mac and Windows), I just cannot connect IN. It feels like something is conflicting with the authentication or there’s a permissions issue somewhere, but I haven’t found it yet.

UPDATE

My samba logs are filled with these…

[2024/03/12 06:01:22.811201,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: rob215x
[2024/03/12 06:01:22.811243,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User rob215x!
[2024/03/12 06:01:23.613335,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: rob215x
[2024/03/12 06:01:23.613376,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User rob215x!
[2024/03/12 06:01:23.631346,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: rob215x
[2024/03/12 06:01:23.631389,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User rob215x!

UPDATE 2

I tried connecting with user “hans” as described in @linux-aarhus tutorial, and I get this in /var/log/samba/192.168.1.71.log:

[2024/03/13 00:06:25.153180,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: hans
[2024/03/13 00:06:25.153247,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User hans!
[2024/03/13 00:06:46.737296,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: hans
[2024/03/13 00:06:46.737360,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User hans!

At this point, I wonder if there is no problem with my Samba configuration but something else is broken?

Could my problem be related to this post?? …
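
Added example (not part of any post in this thread): a small Python parser for the two-line smbd log entries quoted above that tallies PAM account-phase rejections per user and decodes the numeric code. In Linux-PAM, code 9 is PAM_AUTHINFO_UNAVAIL, and smbd performs this account check only when obey pam restrictions = yes is set; the function names are this example's own.

```python
import re
from collections import defaultdict

# Linux-PAM return codes (numeric values as defined in Linux-PAM's _pam_types.h).
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*\d+\]\s+\S+\((\w+)\)")
ACCT_ERR = re.compile(r"PAM ERROR \((\d+)\) during Account Management for User: (\S+)")
REJECT = re.compile(r"Account Validation Failed - Rejecting User (\S+?)!")

def parse_entries(text):
    """Yield (timestamp, function, message) per smbd entry (header + indented body)."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m[1], m[2], ""]
        elif current and line.strip():
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def summarize(text):
    """Per user: number of rejections and the decoded account-phase PAM codes."""
    out = defaultdict(lambda: {"rejected": 0, "codes": set()})
    for _ts, _func, msg in parse_entries(text):
        if m := ACCT_ERR.search(msg):
            out[m[2]]["codes"].add(PAM_CODES.get(int(m[1]), f"PAM code {m[1]}"))
        elif m := REJECT.search(msg):
            out[m[1]]["rejected"] += 1
    return dict(out)

# Entries copied from the smbd logs quoted in the thread.
SAMPLE = """\
[2024/03/12 06:01:22.811201,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: rob215x
[2024/03/12 06:01:22.811243,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User rob215x!
[2024/03/13 00:06:25.153180,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: hans
[2024/03/13 00:06:25.153247,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User hans!
"""

if __name__ == "__main__":
    for user, info in sorted(summarize(SAMPLE).items()):
        print(user, info["rejected"], sorted(info["codes"]))
```
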

I have been retracing the guide you followed - apart from some phrasing and clarifications - the guide works as expected on a pristine Manjaro ARM system.

It is important to understand the guide to fully take advantage of it.

Doing some thinking - of course I cannot be sure - it could relate to apparmor.

Yesterday I tested on a pristine Plasma edition - but that edition is my custom ISO which does not include apparmor.

Either disable apparmor or see the AppArmor troubleshooting in the [root tip] [How To] Basic Samba Setup and Troubleshooting topic

Thanks! I am currently reinstalling the Manjaro OS and I’m going to start from scratch. I’m going to follow your guide before I install anything else.

EDIT 1
Okay I have a fresh Manjaro install on my BEELINK2 machine. I have done all the updates and I’ve enabled SSH. I am now logged into BEELINK2 from my main Manjaro workstation. I will try your suggested link as a test: [root tip] [How To] Share and Access NTFS devices using Samba

EDIT 2
I don’t have an NTFS formatted device so I just set the permissions for the ntfs folder to 777 so it’s the same as the picture in your guide. Here are the results:

  • My workstation mounts the share but CANNOT connect because it says “Permission Denied”
  • My Macbook mounts the share but when I try to copy a file, it says, “Items can’t be copied to “ntfs” because you don’t have permission to read them.”

# ls -l /srv/samba
total 8
drwxrwxrwx 2 root root 4096 Mar 13 02:10 ntfs
drwxr-xr-x 2 root root 4096 Mar 13 02:10 public

EDIT 3
I’m on this guide now: [root tip] [How To] Basic Samba Setup and Troubleshooting

EDIT 4
Okay, I have SOMETHING working!! I have the following set up:

My smb.conf:

[global]
   workgroup = WORKGROUP
   server string = Manjaro Samba Server
   server role = standalone server
   log file = /var/log/samba/log.%m
   max log size = 1000
   guest account = nobody
   map to guest = Bad Password

   min protocol = SMB2
   max protocol = SMB3

  usershare path = /var/lib/samba/usershares
  usershare max shares = 100
  usershare allow guests = yes
  usershare owner only = yes
  
[public]
   path = /srv/samba/public
   public = yes
   writable = yes
   printable = no

Then I also did:

$ sudo aa-complain /etc/apparmor.d/usr.sbin.smbd
Setting /etc/apparmor.d/usr.sbin.smbd to complain mode.

$ sudo aa-complain /usr/bin/smbd
Setting /usr/bin/smbd to complain mode.
Warning: profile smbd represents multiple programs
Warning: profile smbd represents multiple programs

$ sudo aa-complain samba-dcerpcd samba-bgqd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss
Setting /etc/apparmor.d/samba-dcerpcd to complain mode.
Setting /etc/apparmor.d/samba-bgqd to complain mode.
Setting /etc/apparmor.d/samba-rpcd to complain mode.
Setting /etc/apparmor.d/samba-rpcd-classic to complain mode.
Setting /etc/apparmor.d/samba-rpcd-spoolss to complain mode.

On my Macbook, I was able to mount the /public folder using my username and password, then I was able to drag a file to the /public folder.

Now, I’m going to edit some of the settings to make it more secure (I’m only using this within my home network, but I still want to enable the firewall and remove the guest account)

EDIT 5 (final one for tonight)
In smb.conf, I changed “public = yes” to “guest ok = no” then restarted all 3 machines. I was still able to access the share with my username and password. So, that’s GREAT!! However, I want to start tightening up the security, one part at a time, and see if there is a specific line in smb.conf or some other action that makes it fail. I’ll report what I find and hopefully it can help someone else.

Have a great night (or morning)

The guide you are looking at is intended for a more advanced sharing scenario and perhaps it is what you want.

The basics are the same including the subtle differences between system users and samba users but the security setup, the user and group filesystem permission schemes, that is what makes the guide more complicated.

But if a more simple sharing is what you are trying to achieve - there are other shorter guides which don’t go into deep considerations on server security and user permissions.

The Basic Samba Setup and Troubleshooting section #manjaro-samba-server is one example.

Another example is the ultra simple [root tip] [How To] Share and Access NTFS devices using Samba

Also an example [root tip] [How To] Troubleshoot samba share write protection when accessed from Windows

Okay, I think I have everything working. Unfortunately I was not able to figure out why it wasn’t working the first time. But here’s what I have now…

I enabled the firewall as per your instructions:

$ sudo systemctl enable --now firewalld
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

$ sudo firewall-cmd --permanent --zone="home" --list-services
dhcpv6-client mdns samba-client ssh

$ sudo firewall-cmd --permanent --zone="public" --list-services
dhcpv6-client ssh

$ sudo firewall-cmd --permanent --zone="home" --add-source="192.168.1.0/24"
success

$ sudo firewall-cmd --permanent --zone="home" --add-service="samba"
success

Rebooted all 3 machines and I was still able to connect to my shares!

Next, I added the PAM stuff back into smb.conf along with the 2 folders I actually want to share, I removed the public folder, and I set usershare allow guests = no:

[global]
  workgroup = WORKGROUP
  server string = Manjaro Samba Server
  server role = standalone server
  log file = /var/log/samba/log.%m
  max log size = 1000
  guest account = nobody
  map to guest = Bad Password

  min protocol = SMB2
  max protocol = SMB3

  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  pam password change = yes
  
  usershare path = /var/lib/samba/usershares
  usershare max shares = 100
  usershare allow guests = no
  usershare owner only = yes
  
[documents]
  path = /home/rob215x/Documents
  guest ok = no
  writable = yes
  printable = no
  force user = rob215x

[video]
  path = /home/rob215x/Videos
  guest ok = no
  writable = yes
  printable = no
  force user = rob215x

Rebooted all 3 machines AGAIN and I was still able to connect to my shares!

  • I tried the anonymous login and I was denied (this is what I want!)
  • I tried a different username and I was denied (good!)

So, in conclusion, I don’t know why it wasn’t working before. Besides some typo or mistake I’m not aware of, there are 3 main differences in this install:

  • I did NOT install Thunar-shares-plugin this time.
  • I ran all of the apparmor commands listed in your guide.
  • I did NOT add the PAM stuff to my smb.conf until AFTER I had the shares working.

@linux-aarhus let me know if you have any thoughts and if I should mark this as solved. Thanks!!
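
Added example (not from the thread or the guides it references): a Python check that reads an smb.conf and lists the settings that admit guest sessions, run over trimmed copies of the EDIT 4 and final configurations above. It assumes guest access is set per share (guest ok / public) rather than as a [global] default; the function names are this example's own.

```python
TRUE = {"yes", "true", "on", "1"}
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}; a later setting wins."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf[section][SYNONYMS.get(key, key)] = value.strip().lower()
    return conf

def audit_guest_access(text):
    """Return sorted (finding, detail) pairs for settings that admit guests."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    for name, opts in conf.items():
        if name != "global" and opts.get("guest ok", "no") in TRUE:
            mode = "read-write" if opts.get("writable", "no") in TRUE else "read-only"
            findings.append(("guest-share", f"{name} ({mode})"))
    if glob.get("map to guest", "never") != "never":
        findings.append(("map-to-guest", glob["map to guest"]))
    if glob.get("usershare allow guests", "no") in TRUE:
        findings.append(("usershare-guests", "yes"))
    return sorted(findings)

# Trimmed from the two smb.conf versions posted in the thread.
EDIT4_CONF = """[global]
   map to guest = Bad Password
   usershare allow guests = yes
[public]
   public = yes
   writable = yes
"""
FINAL_CONF = """[global]
   map to guest = Bad Password
   usershare allow guests = no
[documents]
   guest ok = no
   writable = yes
"""
if __name__ == "__main__":
    print(audit_guest_access(EDIT4_CONF), audit_guest_access(FINAL_CONF))
```

Run as-is, it reports three findings for the EDIT 4 file and only the map to guest = Bad Password mapping for the final one. On the server itself, `testparm -s` prints the configuration as Samba parses it, which is the better input for a check like this.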