Re: [Samba] ARGH... once again samba causes permission errors.

2010-06-01 Thread Moray Henderson
Jeff Wiegley wrote:
I've been doing unix sys. admin for nearly 20 years and yet EVERY single
time I have to setup samba I have configuration problems.

Before we start let's clear up some common misunderstandings: I have
googled for the answer. I have spent the last six hours doing so and trying
various suggestions. Most of these suggestions point to solutions
involving chown or chmod.  These are not the problems (or I will be
very surprised).

# cat /etc/samba/smb.conf
[global]
 workgroup = CYTE.COM
 server string = CyteNAS
 netbios name = NAS
 hosts allow = 127., 10.0.10.

[nas]
 comment = NAS
 path = /mnt/nas
 force user = nas
 force group = nas
 read only = No

# cat /etc/samba/smbpasswd
nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U          ]:LCT-4C00625E:

# grep nas /etc/passwd
nas:x:500:500::/mnt/nas:/bin/bash

# grep nas /etc/group
nas:x:500:

# ls -al /mnt/nas
total 16
drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
drwxrwxrwx 3 root root 4096 May 28 15:04 ..

So before you tell me about permission problems please note the following
   1) The permissions on all the files is 777... EVERYBODY can do anything.
   2) samba IS configured to force the user and group to the owner of the
      share path anyways.
   3) The group and user exist and they have their passwords configured
      correctly.

I can map the share on my Windows 7 workstation. But any attempt to
create anything yields a pop-up window that says:

You need permission to perform this action
   nas(\\NAS)
   Space free: 89.7 GB
   Total size: 97.0 GB

Why am I getting ANY permission problems??? Frankly. I don't think it is
a permission problem. (I set log level to 10; the output is long so I won't
include it because I looked through it and didn't see any errors reported
or any mention of permission denied.)

GRRR!

It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually
a 6TB Raid5 array with an XFS filesystem. But if I actually mount it

# /etc/init.d/smb stop
# mount /mnt/nas
# ls -al /mnt/nas
total 8
drwxrwxrwx 2 nas  nas 6 May 28 18:11 .
drwxrwxrwx 3 root root 4096 May 28 15:04 ..

see... no difference in permissions or ownership but now it is a mount
point.

Now I can't even map the samba share at all. All I get is a window
that says:

Attemping to connect to \\NAS\nas
   (Cancel)

And it never seems to go away.

and yes, under both cases I can simply login as the user nas via
ssh and touch/mkdir or do anything I want and the files get created
just fine. Frankly I think this is another case of Windows presenting
the user with a misleading diagnostic Permission problem when
something much more fundamental is going wrong with Samba.

Please help.

- Jeff


Is this NAS thing running SELinux, by any chance?  SELinux can give you
a whole set of extra permissions problems even when the standard
permissions look wide open.  Try ls -Z /mnt/nas.



Moray.
To err is human.  To purr, feline




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] ARGH... once again samba causes permission errors.

2010-06-01 Thread David Whitney
Jeff,

I'm no expert, but my understanding is that the FORCE USER and FORCE GROUP
configuration statements only define the *ownership* of created files,  not
who is allowed to create them. My inference from your post suggests that
might be what you're expecting - apologies if that's not correct.

May be a naive suggestion, but I'd try the following:

To the share definition, add

guest ok = no
write list = nas

Also, when browsing the server (not the share) from your Windows client, see
if the share appears in the list of server-shared resources. If it does,
right-click and check the properties of the share and let it tell you who
*it* thinks owns the share/has permissions to it. That might be some helpful
info. If not, my apologies.

-David



On Sat, May 29, 2010 at 3:21 AM, Jeff Wiegley je...@csun.edu wrote:

 I've been doing unix sys. admin for nearly 20 years and yet EVERY single
 time I have to setup samba I have configuration problems.

 Before we start let's clear up some common misunderstandings: I have
 googled for the answer. I have spent the last six hours doing so and trying
 various suggestions. Most of these suggestions point to solutions
 involving chown or chmod.  These are not the problems (or I will be
 very surprised).

 # cat /etc/samba/smb.conf
 [global]
  workgroup = CYTE.COM
  server string = CyteNAS
  netbios name = NAS
  hosts allow = 127., 10.0.10.

 [nas]
  comment = NAS
  path = /mnt/nas
  force user = nas
  force group = nas
  read only = No

 # cat /etc/samba/smbpasswd
 nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U          ]:LCT-4C00625E:

 # grep nas /etc/passwd
 nas:x:500:500::/mnt/nas:/bin/bash

 # grep nas /etc/group
 nas:x:500:

 # ls -al /mnt/nas
 total 16
 drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
 drwxrwxrwx 3 root root 4096 May 28 15:04 ..

 So before you tell me about permission problems please note the following
  1) The permissions on all the files is 777... EVERYBODY can do anything.
  2) samba IS configured to force the user and group to the owner of the
     share path anyways.
  3) The group and user exist and they have their passwords configured
     correctly.

 I can map the share on my Windows 7 workstation. But any attempt to
 create anything yields a pop-up window that says:

 You need permission to perform this action
  nas(\\NAS)
  Space free: 89.7 GB
  Total size: 97.0 GB

 Why am I getting ANY permission problems??? Frankly. I don't think it is
 a permission problem. (I set log level to 10; the output is long so I won't
 include it because I looked through it and didn't see any errors reported
 or any mention of permission denied.)

 GRRR!

 It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually
 a 6TB Raid5 array with an XFS filesystem. But if I actually mount it

 # /etc/init.d/smb stop
 # mount /mnt/nas
 # ls -al /mnt/nas
 total 8
 drwxrwxrwx 2 nas  nas 6 May 28 18:11 .
 drwxrwxrwx 3 root root 4096 May 28 15:04 ..

 see... no difference in permissions or ownership but now it is a mount
 point.

 Now I can't even map the samba share at all. All I get is a window
 that says:

   Attemping to connect to \\NAS\nas
  (Cancel)

 And it never seems to go away.

 and yes, under both cases I can simply login as the user nas via
 ssh and touch/mkdir or do anything I want and the files get created
 just fine. Frankly I think this is another case of Windows presenting
 the user with a misleading diagnostic Permission problem when
 something much more fundamental is going wrong with Samba.

 Please help.

 - Jeff




Re: [Samba] ARGH... once again samba causes permission errors.

2010-06-01 Thread John H Terpstra
On 05/29/2010 03:21 AM, Jeff Wiegley wrote:
 I've been doing unix sys. admin for nearly 20 years and yet EVERY single
 time I have to setup samba I have configuration problems.

Jeff,

With all respect, please note that Samba is not your usual UNIX
networking toolset - it implements SMB/CIFS, a technology that is
overloaded with its own specific requirements that need to be understood
and correctly handled.

Have you read the books:
Samba3-ByExample  (http://www.samba.org/samba/docs/Samba3-ByExample.pdf)
Samba3-HOWTO  (http://www.samba.org/samba/docs/Samba3-HOWTO.pdf)

These may help to alleviate some of your discomfort with Samba.  There
are other Samba books, unfortunately all (even the two above) are quite
out of date. Notwithstanding that they are out of date, the above can
still be of value (particularly Samba3-ByExample) because it provides
worked example network deployment configurations.

Additionally, you may find some useful pointers on the Samba Wiki at:
http://wiki.samba.org

 Before we start let's clear up some common misunderstandings: I have
 googled for the answer. I have spent the last six hours doing so and trying
 various suggestions. Most of these suggestions point to solutions
 involving chown or chmod.  These are not the problems (or I will be
 very surprised).

Googling is a good thing (most of the time), but when it comes to Samba
issues this will usually turn up a lot of complaints about problems and
very few reports that explain how each was solved - if it was solved in
the first place.

 # cat /etc/samba/smb.conf
 [global]
 workgroup = CYTE.COM

Do NOT use a '.' character in a workgroup/domain name. In MS Windows NT4
(the protocols Samba3 implements) this is not a supported character. It
would be better to just declare the workgroup name as CYTE or 'CYTE-COM'.

 server string = CyteNAS
 netbios name = NAS
 hosts allow = 127., 10.0.10.

Is this device multi-homed? If it is then hosts allow is probably a
good thing - if not, it is best to start without it and add it later
when you know the configuration is working.

For diagnostic purposes add the following to the [global] stanza:

log file = %L-%m.log
max log size = 0
log level = 3
map to guest = bad user

When the network is finally stable, and diagnostics are no longer
needed, reduce the log level to either 0 or 1.

 [nas]
 comment = NAS
 path = /mnt/nas
 force user = nas
 force group = nas
 read only = No
 
 # cat /etc/samba/smbpasswd
 nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U          ]:LCT-4C00625E:

What version of Samba are you using?  If it is later than 3.0.x (in
other words 3.2.x, 3.3.x, 3.4.x, 3.5.x) the default is to use tdbsam,
not smbpasswd.  If you particularly want to use smbpasswd to store the
SMB/CIFS credentials, specify the following in [global]
passdb backend = smbpasswd:/etc/samba/smbpasswd

 # grep nas /etc/passwd
 nas:x:500:500::/mnt/nas:/bin/bash
 
 # grep nas /etc/group
 nas:x:500:
 
 # ls -al /mnt/nas
 total 16
 drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
 drwxrwxrwx 3 root root 4096 May 28 15:04 ..
 
 So before you tell me about permission problems please note the following
   1) The permissions on all the files is 777... EVERYBODY can do anything.
   2) samba IS configured to force the user and group to the owner of the
      share path anyways.
   3) The group and user exist and they have their passwords configured
      correctly.
 
 I can map the share on my Windows 7 workstation. But any attempt to
 create anything yields a pop-up window that says:
 
 You need permission to perform this action
   nas(\\NAS)
   Space free: 89.7 GB
   Total size: 97.0 GB
 
 Why am I getting ANY permission problems??? Frankly. I don't think it is
 a permission problem. (I set log level to 10; the output is long so I won't
 include it because I looked through it and didn't see any errors reported
 or any mention of permission denied.)
 
 GRRR!

As much as you may not like scanning samba log files, this is the only
way to diagnose what is going wrong.

 It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually
 a 6TB Raid5 array with an XFS filesystem. But if I actually mount it
 
 # /etc/init.d/smb stop
 # mount /mnt/nas
 # ls -al /mnt/nas
 total 8
 drwxrwxrwx 2 nas  nas 6 May 28 18:11 .
 drwxrwxrwx 3 root root 4096 May 28 15:04 ..
 
 see... no difference in permissions or ownership but now it is a mount
 point.

OK, we feel your pain, but instead of complaining to this list you are
better served asking how to diagnose the problem so you can find a solution.

 Now I can't even map the samba share at all. All I get is a window
 that says:
 
Attemping to connect to \\NAS\nas
   (Cancel)
 
 And it never seems to go away.
 
 and yes, under both 

Re: [Samba] ARGH... once again samba causes permission errors.

2010-06-01 Thread Mike Leone

On 6/1/2010 12:03 PM, John H Terpstra had this to say:


# cat /etc/samba/smb.conf
[global]
 workgroup = CYTE.COM


Do NOT use a '.' character in a workgroup/domain name. In MS Windows NT4
(the protocols Samba3 implements) this is not a supported character. It
would be better to just declare the workgroup name as CYTE or 'CYTE-COM'.


Hmmm ... my Win2003 AD NetBIOS (or short name) has a . in it. Does 
that mean I should replace the . with - in the WORKGROUP name? (I 
presume that using a . in the REALM is OK).


In my case, I would be using SECURITY=ADS and IDMAP=AD.



--
Michael J. Leone, mailto:tur...@mike-leone.com

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos

Mister, can you tell me who I am?
Do you think I stand out?
Or am I just a face in the crowd?
A Face in the Crowd, The Kinks



Re: [Samba] ARGH... once again samba causes permission errors.

2010-06-01 Thread Chris Smith
On Tue, Jun 1, 2010 at 1:36 PM, Mike Leone tur...@mike-leone.com wrote:
 Hmmm ... my Win2003 AD NetBIOS (or short name) has a . in it. Does that
 mean I should replace the . with - in the WORKGROUP name? (I presume
 that using a . in the REALM is OK).

See:
http://support.microsoft.com/kb/909264

The period is apparently supported for non-DNS names in NT4, but
should not be used in later (AD) versions. As NetBIOS names are flat,
not tiered or hierarchical like DNS names, the period would not mean
the same regardless.

Best bet is to take John's advice and not use them in NetBIOS names.

For a domain like example.com I would generally use EXAMPLE as the
workgroup or domain NetBIOS name when possible - other
considerations, length etc. need to be taken into account.

In general I avoid the _ character as it is not valid in DNS names.

Chris


Re: [Samba] ARGH... once again samba causes permission errors. SOLVED

2010-05-31 Thread Adam Przybyla
On Sun, May 30, 2010 at 06:24:49PM -0700, Jeff Wiegley wrote:
 Ok, I was able to fix both of my problems and they are both related
 to SELinux problems
 
 First: I am assuming that you are like me and that you have an excellent
 background in systems administration (I teach it at a university for a
 living.) So you've configured chmod permissions and chown user and
 group ownerships on directories and files to correctly allow the desired
 access. You have configured samba to force a reasonable user or group
 or you have logged in with reasonable user credentials.
 
 But you're still not able to create file/folder or maybe you can't map
 certain paths. You've probably been frustrated by the endless
 posts and suggestions telling you to fix the fundamental things described
 in the previous paragraph.
 
 If you have taken care of the fundamental permission items but
 you are seeing either of the following:
A) You can map a share but whenever you try to create a new
 folder or file windows pops up an error dialog (Try again).
B) You can map certain paths but now others (particularly a path
 equivalent to a mount point (XFS/Raid5 filesystem in my case.
 
 Well, I'm running CentOS 5.5 and it has SELinux enabled by default
 but the context on the share path is probably not allowing samba.
 
 you can check the context of the path with the -Z switch ls:
 
 [r...@nas samba]# ls -ldZ /mnt
 drwxr-xr-x  root root system_u:object_r:mnt_t  /mnt
 
 In this case the context is mnt_t, you need to change the
 context to samba_share_t
 
 [r...@nas samba]# chcon -t samba_share_t /mnt/nas
 [r...@nas samba]# ls -adZ /mnt/nas
 drwxr-x---  nas nas system_u:object_r:samba_share_t  /mnt/nas
 
 Now your share should both mount and allow the creation/deletion
 of folders/files.
 
 Warning: I am old, I learned system administration and practiced
 it for a decade in industry before SELinux was even invented. I do
 not pretend to begin to understand this [possibly overly] complicated
 security system.
... make this permanent:
semanage fcontext -a -t samba_share_t /mnt/nas
Regards
Adam Przybyla


Re: [Samba] ARGH... once again samba causes permission errors. SOLVED

2010-05-30 Thread Jeff Wiegley

Ok, I was able to fix both of my problems and they are both related
to SELinux problems

First: I am assuming that you are like me and that you have an excellent
background in systems administration (I teach it at a university for a
living.) So you've configured chmod permissions and chown user and
group ownerships on directories and files to correctly allow the desired
access. You have configured samba to force a reasonable user or group
or you have logged in with reasonable user credentials.

But you're still not able to create file/folder or maybe you can't map
certain paths. You've probably been frustrated by the endless
posts and suggestions telling you to fix the fundamental things described
in the previous paragraph.

If you have taken care of the fundamental permission items but
you are seeing either of the following:
   A) You can map a share but whenever you try to create a new
folder or file windows pops up an error dialog (Try again).
   B) You can map certain paths but now others (particularly a path
equivalent to a mount point (XFS/Raid5 filesystem in my case.

Well, I'm running CentOS 5.5 and it has SELinux enabled by default
but the context on the share path is probably not allowing samba.

you can check the context of the path with the -Z switch ls:

[r...@nas samba]# ls -ldZ /mnt
drwxr-xr-x  root root system_u:object_r:mnt_t  /mnt

In this case the context is mnt_t, you need to change the
context to samba_share_t

[r...@nas samba]# chcon -t samba_share_t /mnt/nas
[r...@nas samba]# ls -adZ /mnt/nas
drwxr-x---  nas nas system_u:object_r:samba_share_t  /mnt/nas

Now your share should both mount and allow the creation/deletion
of folders/files.

Warning: I am old, I learned system administration and practiced
it for a decade in industry before SELinux was even invented. I do
not pretend to begin to understand this [possibly overly] complicated
security system.


- Jeff
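
The context check in this post and the persistent relabel from Adam Przybyla's reply, combined into one script, as an added example that is not part of the original posts: it reads the share paths out of an smb.conf and reports any whose SELinux type is not samba_share_t. The function names, the `(/.*)?` file-context pattern and the `restorecon` step are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the thread: audit smb.conf share paths for the
# SELinux type Samba needs (samba_share_t, as in the posts above).

# Print "share|path" for every section except [global] that sets "path =".
list_share_paths() {
    awk '
        /^[ \t]*[#;]/ { next }    # skip comment lines
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); next }
        /^[ \t]*path[ \t]*=/ {
            p = $0; sub(/^[^=]*=[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
            if (s != "" && tolower(s) != "global") print s "|" p
        }' "$1"
}

# Type is the third colon-separated field of user:role:type[:level].
context_type() { printf '%s\n' "$1" | cut -s -d: -f3; }

# Context of a live path via GNU stat. Check with the filesystem mounted:
# the label is read from whatever is currently visible at that path.
get_context() { stat -c %C "$1" 2>/dev/null; }

# Commands that record the label in policy and apply it (printed, not run).
fix_commands() {
    printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# One line per share, "OK ..." or "RELABEL ..."; returns 1 if any need work.
audit_shares() {
    rc=0
    shares=$(list_share_paths "$1")
    while IFS='|' read -r share path; do
        [ -n "$share" ] || continue
        ctype=$(context_type "$(get_context "$path")")
        if [ "$ctype" = "samba_share_t" ]; then
            echo "OK $share $path $ctype"
        else
            echo "RELABEL $share $path ${ctype:-unlabeled}"
            rc=1
        fi
    done <<EOF
$shares
EOF
    return $rc
}

# Usage: sh audit.sh /etc/samba/smb.conf
if [ $# -gt 0 ]; then audit_shares "$1"; fi
```

Run it again after mounting the array on /mnt/nas, since the context reported is that of the mounted filesystem's root rather than the directory underneath it.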




Re: [Samba] ARGH... once again samba causes permission errors.

2010-05-29 Thread Christian PERRIER
Quoting Jeff Wiegley (je...@csun.edu):

 Before we start let's clear up some common misunderstandings: I have
 googled for the answer. I have spent the last six hours doing so and trying
 various suggestions. Most of these suggestions point to solutions
 involving chown or chmod.  These are not the problems (or I will be
 very surprised).

Some more info (and less ranting) would help:

- samba version
- logs on the samba server side when you experience these problems


