Samba problem after 7.05.2018 update

samba

#1

Update went smoothly but there is an issue with samba.

I know that service names where changed so I enabled and started smb and nmb. I went to Dolphin to check if shares are visible in network and I came across an issue: it asked me for user and password… while the share was always open for guest and possible to modify (all permissions granted) so systems were never asking for anything or allowed for choosing guest and empty password. I tried to enter “guest” as user manually and leave password blank but it wasn’t accepted.
Clearly aside deamons there are some other changes that we must be aware off and change our configs accordingly…

I see smb.conf.pacnew and compared it with my old conf.

So far I see only this dfferentce:
my conf:
map to guest = bad user

conf.pacnew:
map to guest = Bad Password

However that’s nothing new.
Here is my smb.conf

[global]
   workgroup = WORKGROUP
   dns proxy = no
   log file = /var/log/samba/%m.log
   max log size = 1000
   client max protocol = NT1
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
   name resolve order = lmhosts bcast host wins
   security = user
   guest account = nobody
   usershare path = /var/lib/samba/usershare
   usershare max shares = 100
   usershare allow guests = yes
   usershare owner only = yes
   group = sambashare
   force create mode = 0070
   force directory mode = 0070
   wide links = yes
   follow symlinks = yes

I can’t even test it, because Dolphin throws “no access” constantly once I closed the creditial window. smb and nmb restart, Dolphin restart, nothing helps. I would probably have restart system to check it out again. This is ridiculous. I love Plasma but the worst samba implementation is in Plasma.

On other computers I also lost access, because “I’m not the owner”, which is weird, because I still have usershare allow guests = yes and other lines needed for easy guest access.
I’m browsing samba documentation and cannot find what has changed :frowning:

I would suspect usershare owner only = yes but it is explained as:

This parameter controls whether the pathname exported by a user defined shares must be owned by the user creating the user defined share or not. If set to True (the default) then smbd checks that the directory path being shared is owned by the user who owns the usershare file defining this share and refuses to create the share if not. If set to False then no such check is performed and any directory path may be exported regardless of who owns it.

So still, not this one. Previously shares were working ok and this update changed something and yet I cannot see anything that would create that issue. Here are release notes:

https://www.samba.org/samba/history/samba-4.8.1.html

Any idea how to make samba usable again?


Cannot mount NAS drive with CIFS
SAMBA and GUFW after updates no longer working
[SOLVED] Cannot log in with Active Directory user
Ошибка очередного обновления
#2

This was announced in our Troubleshoot guide already.

Samba units renamed

Note: In samba 4.8.0-1, the units were renamed from smbd.service and nmbd.service to smb.service and nmb.service.

To provide basic file sharing through SMB start/enable smb.service and/or nmb.service services. See the smbd(8) and nmbd(8) man pages for details, as the nmb.service service may not always be required.


Directory permissions differ

Directory permissions differ on /var/lib/samba/private/
filesystem: 755 package: 700

sudo chmod 700 /var/lib/samba/private/


Slow Shutdown KDE because of doublecmd-qt5
#3

I did:

sudo chmod 700 /var/lib/samba/private/

and it didn’t help. Still it asks me for credentials and dolphin still is unable to unlock itself once I close credentials window (until next reboot).

EDIT: in status I see:

maj 07 20:52:41 alienware-PC smbd[3155]:   Share 'Share' has wide links and unix extensions enabled. These parameters are incompatible. Wide link>
maj 07 20:52:42 alienware-PC smbd[3195]: [2018/05/07 20:52:42.733765,  0] ../source3/param/loadparm.c:4531(widelinks_warning)
maj 07 20:52:42 alienware-PC smbd[3195]:   Share 'IPC$' has wide links and unix extensions enabled. These parameters are incompatible. Wide links>
maj 07 20:52:42 alienware-PC smbd[3195]: [2018/05/07 20:52:42.767417,  0] ../source3/param/loadparm.c:4531(widelinks_warning)
maj 07 20:52:42 alienware-PC smbd[3195]:   Share 'Obejrzane' has wide links and unix extensions enabled. These parameters are incompatible. Wide >
maj 07 20:57:06 alienware-PC smbd[3135]: pam_unix(samba:session): session closed for user nobody
maj 07 20:57:06 alienware-PC smbd[3195]: pam_unix(samba:session): session closed for user nobody
maj 07 20:57:25 alienware-PC smbd[16117]: [2018/05/07 20:57:25.340215,  0] ../source3/param/loadparm.c:4531(widelinks_warning)
maj 07 20:57:25 alienware-PC smbd[16117]:   Share 'IPC$' has wide links and unix extensions enabled. These parameters are incompatible. Wide link>
maj 07 20:57:25 alienware-PC smbd[16117]: pam_unix(samba:session): session closed for user nobody

I guess I have to get rid of unix extensions parameter then.


#4

Then you might read this:

Changes made to PAM

pam 1.3.0-2 no longer ships pam_unix2 module and pam_unix_*.so compatibility symlinks. Before upgrading, review PAM configuration files in the /etc/pam.d directory and replace removed modules with pam_unix.so. Users of pam_unix2 should also reset their passwords after such change. Defaults provided by pambase package do not need any modifications.

Check grep -rn 'pam_unix[2_]' /etc/pam.d, if no output, you need to do nothing.

Also check if the right samba services got enabled, as they got renamed. More about Samba in general you may find here.


#5

Yes, I got that name difference. If I hadn’t, I wouldn’t see my shares at all. The issue is I cannot access them.

I did:

grep -rn 'pam_unix[2_]' /etc/pam.d

and had no output so I guess I’m good.

Honestly, I have no idea what this PAM is, so I don’t understand fully what happened and what needs to be done. Am I right if this grep output is empty I don’t need to do anything?

If so, where is this “unix extensions enabled” part in my smb.conf? I cannot see it :frowning:


#6

For wide links see here and unix extensions here. Follow the Arch-Wiki for troubleshooting.


#7

i think it’s enabled by default
and if wide links is enabled with unix extension it will be disabled (wide links) automatically. the reason of the warnings in logs


#8

Thanks, I added:

unix extensions = no

This got rid of messages about incompatibility but it din’t help with “this folder doesn’t belong to you”

So far there is no solution and samba simply doesn’t work properly :frowning:


#9

I have no pam_unix2 module and pam_unix_*.so, but I also don't have pam_unix.so. If that's ok? If I understand correctly pam_unix.so is needed only if I had pam_unix2 module and pam_unix_*.so, but since I didn't, then all is good?

If so, then what about samba. Or maybe since now I do need pam_unix.so? Or maybe samba has nothing to do with it?

I think I’m spinning…


#10

i don’t think it’s pam related… it’s the usual pam logs when a session is open/closed by it… nothing to worry about


#11

See also here:


#12

I’m not sure if we package samba aurselves or not, but upstream Arch changed their pkgbuild to build and install smb.service, and nmb.service files directly from upstream samba:

+              --with-systemd \
+              --systemd-install-services \

So as of today, the commands are now:

sudo systemctl start smb nmb
sudo systemctl enable smb nmb

As per samba’s smb.service.in and nmb.service.in files:

https://github.com/samba-team/samba/tree/master/packaging/systemd

PS. This also effects winbindd.service --> winbind.service.in = winbind.service


#13

We use upstream samba. Only manjaro-settings-samba we maintain ourselves …


#14

It looks so far as since this version of samba some another default (hidden, not showed in conf) setting was changed and to allow true guest sharing we must add/change something, at least that’s my working theory at the moment…


#15

So it works for privileged users but not for guests?


#16

Did you read any of the post that that told you that the service names have changed?
smbd.service --> smb.service
nmbd.service --> nmb.service

Also, did you set your home directory to be accessed by others or “nobody” so things past it can be seen/shared?

sudo chmod o+x /home/{username}”

or better yet:

sudo setfacl -m user:nobody:x /home/{username}

Dolphin will not share, if this is not done.


#17

If it is so, should this be added to the Announcement wiki?


#18

No, this is a no brainer, it’s basic file and folder permissions 101…
By default no one except you, and/or root, have access to your home directory.

This is discussed in the Arch wiki for samba, as well as sddm, acl, etc.
https://wiki.archlinux.org/index.php/samba#Verify_folder_access_by_guest
https://wiki.archlinux.org/index.php/SDDM#User_Icon_.28Avatar.29

And from here:
https://wiki.archlinux.org/index.php/Access_Control_Lists#Granting_execution_permissions_for_private_files_to_a_Web_Server

I quote:

Remember: Execution permissions to a directory are necessary for a process to list the directory’s content.

In other words, how can /home/{user_name}/{your_share} be visible to the smb process, if /home/{user_Name} is not set as executable. You might be able to access it, but it will appear empty.

This applies even on personal folders. Try turning the exec bit off for yourself, group, and others on any folder in your home directory. Now try to open that folder and see what happens, not even you will be able to read it’s contents.


SAMBA: net usershare add: cannot convert name "Everyone" to a SID
SMB4K Epmty workgroup
#19

The share belongs to me and yet when I tried to use my user’s credentials, samba didn’t accept it. So there was only one thing to try: root and… it came through. So what gives?
Shared folders belong to me. /var/lib/samba/usershare/ belongs to root, but the share files in it belong to me as well. smb.conf belongs to root.


#20

This doesn’t mean it would work now, since they may have improved a wrong security policy/behavior, so maybe a configuration change maybe needed, IMHO.
I suggest you try some things to see what makes it to work as you want.

  • delete and re-create your samba shares
  • guest account = guest if a guest user exists. The nobody account is blocked I think.
  • map to guest = bad password as it was introduced with pacnew
  • usershare owner only = no or another option. Check manpage