unraidster
2024-Jan-11 08:53 UTC
[Samba] Share access permission errors after upgrade from 4.12.14
Hello,

Issue Description
After the upgrade of the Unraid server OS (unraid.net) from v6.9.2 to v6.12.6 (which upgrades the version of Samba from 4.12.14 to 4.17.12) access to shares stops working.

Error Summary:
[2024/01/07 21:52:43.357676, 0, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0)] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=1278739538, gid=1278738945, 7 groups: 1278739538 1278738945 1278739551 1278739543 1278739547 1278739545 1278739556

Samba is joined to an Active Directory domain as a member server. The following error is found in the log when I attempt to browse to the share using a Windows 10 client signed in as the domain's "rwuser" user account. (Note: worked with the older version of the OS.)

I have included output from logs/commands that I thought might help answer any subsequent questions that readers may have. Please let me know if there is any additional information I can provide. Thank you.

Error Detail:
=================
[2024/01/07 21:52:43.356009, 4, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=vfs] ../../source3/smbd/vfs.c:938(vfs_ChDir)
  vfs_ChDir to /mnt/user/PrivateShare
[2024/01/07 21:52:43.357676, 0, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0)] ../../source3/smbd/smb2_service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed: Permission denied. Current token: uid=1278739538, gid=1278738945, 7 groups: 1278739538 1278738945 1278739551 1278739543 1278739547 1278739545 1278739556
[2024/01/07 21:52:43.357802, 3, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:3253
[2024/01/07 21:52:43.357809, 10, pid=91942, effective(0, 0), real(0, 0)] ../../source3/smbd/notify_inotify.c:446(inotify_watch)
  inotify_add_watch for /mnt/user/PublicShare mask 210003c6 returned wd 1
[2024/01/07 21:52:43.357834, 10, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2] ../../source3/smbd/smb2_server.c:3847(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: mid [15] idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:4011
[2024/01/07 21:52:43.357843, 10, pid=91942, effective(0, 0), real(0, 0)] ../../source3/smbd/notifyd/notifyd.c:449(notifyd_apply_rec_change)
  notifyd_apply_rec_change: /mnt/user/PublicShare has 2 instances
[2024/01/07 21:52:43.357855, 10, pid=93992, effective(1278739538, 1278738945), real(1278739538, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:975(smb2_set_operation_credit)
  smb2_set_operation_credit: smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 8161/8192, total granted/max/low/range 32/8192/16/32

Directory Permissions
========================
/
drwxr-xr-x 20 root root

/mnt/
drwxr-xr-x 9 root root

/mnt/user/
drwxrwxrwx 1 ur_admin ur-lab_access

/mnt/user/PrivateShare/
drwxrwx---+ 1 ur_admin ur-lab_access

ACL
root@UR-Lab:~# getfacl /mnt/user/PrivateShare
getfacl: Removing leading '/' from absolute path names
# file: mnt/user/PrivateShare
# owner: ur_admin
# group: ur-lab_access
user::rwx
user:ur_admin:rwx
group::rwx
group:ur-lab_access:rwx
group:ur-lab-privateshare-ro:r-x
group:ur-lab-privateshare-rw:rwx
mask::rwx
other::---
default:user::rwx
default:user:ur_admin:rwx
default:group::---
default:group:ur-lab_access:rwx
default:group:ur-lab-privateshare-ro:r-x
default:group:ur-lab-privateshare-rw:rwx
default:mask::rwx
default:other::---

WB Info for Users and groups
========================
ur_admin
root@UR-Lab:~# wbinfo -n ur_admin
S-1-5-21-3759969785-1361971536-1710822149-1107 SID_USER (1)

rwuser
root@UR-Lab:~# wbinfo -n rwuser
S-1-5-21-3759969785-1361971536-1710822149-1106 SID_USER (1)
root@UR-Lab:~# id 1278739538
uid=1278739538(rwuser) gid=1278738945(domain users) groups=1278738945(domain users),1278739538(rwuser),1278739551(ur_users),1278739543(ur-lab-privateshare-rw),1278739547(b-rw),1278739545(ur-lab-privateshare-a-rw),1278739556(ubuntu_share_rw)

ur-lab-privateshare-rw
root@UR-Lab:~# wbinfo -n ur-lab-privateshare-rw
S-1-5-21-3759969785-1361971536-1710822149-1111 SID_DOM_GROUP (2)

ur-lab-privateshare-ro
root@UR-Lab:~# wbinfo -n ur-lab-privateshare-ro
S-1-5-21-3759969785-1361971536-1710822149-1110 SID_DOM_GROUP (2)

Testparm Output
==============
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        bind interfaces only = Yes
        disable spoolss = Yes
        host msdfs = No
        interfaces = 192.168.66.4 127.0.0.1
        ldap ssl = no
        load printers = No
        log file = /var/log/samba/samba.log
        logging = syslog@0
        max open files = 40960
        multicast dns register = No
        ntlm auth = ntlmv1-permitted
        null passwords = Yes
        os level = 100
        printcap name = /dev/null
        realm = TESTLAB.COM
        security = ADS
        server min protocol = NT1
        server multi channel support = No
        server string = Media server
        show add printer wizard = No
        smb1 unix extensions = No
        winbind use default domain = Yes
        workgroup = TESTLAB
        fruit:nfs_aces = No
        idmap config * : range = 10000-4000000000
        idmap config * : backend = hash
        acl allow execute always = Yes
        acl group control = Yes
        aio read size = 0
        aio write size = 0
        dos filemode = Yes
        hide dot files = No
        include = /etc/samba/smb-shares.conf
        inherit acls = Yes
        inherit permissions = Yes
        invalid users = root
        map acl inherit = Yes
        use sendfile = Yes
        wide links = Yes


[PrivateShare]
        path = /mnt/user/PrivateShare
        read only = No


[PrivateShare-A]
        path = /mnt/user/PrivateShare-A
        read only = No


[PrivateShare-B]
        path = /mnt/user/PrivateShare-B
        read only = No


[PublicShare]
        path = /mnt/user/PublicShare
        read only = No
=======================================

Not sure if it is of any use, I noticed a log entry which includes the phrase security_token_debug. This includes the IDs of the groups that the user account is a member of.

[2024/01/07 21:52:43.271094, 5, pid=93992, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (19):
    SID[  0]: S-1-5-21-3759969785-1361971536-1710822149-1106
    SID[  1]: S-1-5-21-3759969785-1361971536-1710822149-513
    SID[  2]: S-1-5-21-3759969785-1361971536-1710822149-1119
    SID[  3]: S-1-5-21-3759969785-1361971536-1710822149-1111
    SID[  4]: S-1-5-21-3759969785-1361971536-1710822149-1115
    SID[  5]: S-1-5-21-3759969785-1361971536-1710822149-1113
    SID[  6]: S-1-5-21-3759969785-1361971536-1710822149-1124
    SID[  7]: S-1-18-1
    SID[  8]: S-1-1-0
    SID[  9]: S-1-5-2
    SID[ 10]: S-1-5-11
    SID[ 11]: S-1-22-1-1278739538
    SID[ 12]: S-1-22-2-1278738945
    SID[ 13]: S-1-22-2-1278739538
    SID[ 14]: S-1-22-2-1278739551
    SID[ 15]: S-1-22-2-1278739543
    SID[ 16]: S-1-22-2-1278739547
    SID[ 17]: S-1-22-2-1278739545
    SID[ 18]: S-1-22-2-1278739556
   Privileges (0x 0):
   Rights (0x 0):
[2024/01/07 21:52:43.271202, 5, pid=93992, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 1278739538
  Primary group is 1278738945 and contains 7 supplementary groups
    Group[  0]: 1278739538
    Group[  1]: 1278738945
    Group[  2]: 1278739551
    Group[  3]: 1278739543
    Group[  4]: 1278739547
    Group[  5]: 1278739545
    Group[  6]: 1278739556
==============================================

I am planning to move to the RID IDMAP backend and have tested a RID based IDMAP config within the lab. This did not seem to make a difference in relation to the issue above and therefore I have not used it in the scenario above to keep troubleshooting as simple as possible for now.

This is my first time posting to the list and please let me know if there is anything I can do differently to make the process better.

Thank you,
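The denied operation is a chdir into the share, which needs search (x) permission on every directory along the path and, on the final directory, a POSIX ACL decision. The script below is an added example, not part of the post above and not a Samba tool: it implements the acl(5) evaluation order (owner entry, then named user entries, then owning-group and named-group entries with the mask applied, then other) and runs it over the getfacl, id and ls output quoted in the post, so the same check can be repeated offline on pasted output. The getfacl and id text is copied from the post; the mode strings for /, /mnt and /mnt/user come from the Directory Permissions section. The script looks only at the POSIX ACL itself, so anything outside it (the filesystem behind /mnt/user, the winbind/idmap layer, Samba's own share-level checks) is out of its scope.

```python
"""
Evaluate directory access the way acl(5) describes it for a POSIX ACL:
owner entry first, then named user entries, then owning-group and
named-group entries (all masked), then other. Parses getfacl(1) and
id(1) text so the check runs on pasted output, offline.
"""
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}
ENTRY_RE = re.compile(r"^(user|group|mask|other):([^:]*):([-rwx]{3})")


def perms_to_bits(perms):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def parse_getfacl(text):
    """Parse getfacl output for one file. 'default:' entries are skipped:
    they shape new children and play no part in access checks."""
    acl = {"users": {}, "groups": {}, "mask": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        m = ENTRY_RE.match(line)  # no match: comment, warning, default: entry
        if not m:
            continue
        tag, qual, bits = m.group(1), m.group(2), perms_to_bits(m.group(3))
        if tag == "user" and qual:
            acl["users"][qual] = bits
        elif tag == "user":
            acl["user_obj"] = bits
        elif tag == "group" and qual:
            acl["groups"][qual] = bits
        elif tag == "group":
            acl["group_obj"] = bits
        elif tag == "mask":
            acl["mask"] = bits
        else:
            acl["other"] = bits
    return acl


def parse_id(text):
    """id(1) output -> (user name, set of group names incl. the primary)."""
    m = re.match(r"uid=\d+\(([^)]*)\)\s+gid=\d+\(([^)]*)\)\s+groups=(.*)", text.strip())
    if not m:
        raise ValueError("unexpected id(1) output")
    groups = {m.group(2)} | set(re.findall(r"\d+\(([^)]*)\)", m.group(3)))
    return m.group(1), groups


def acl_from_ls(mode, owner, group):
    """Minimal ACL equivalent of an 'ls -ld' mode such as 'drwxr-xr-x' for a
    directory that carries no extended ACL (no mask entry)."""
    return {"owner": owner, "group": group, "users": {}, "groups": {}, "mask": None,
            "user_obj": perms_to_bits(mode[1:4]), "group_obj": perms_to_bits(mode[4:7]),
            "other": perms_to_bits(mode[7:10])}


def acl_access(acl, user, groups, want):
    """True if a process running as (user, groups) holds every bit in `want`
    ('x' for search/chdir) under this ACL, following acl(5)."""
    need = perms_to_bits(want)
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["owner"]:
        return acl["user_obj"] & need == need  # the mask never applies to the owner
    if user in acl["users"]:
        return acl["users"][user] & mask & need == need
    matching = [acl["group_obj"]] if acl["group"] in groups else []
    matching += [bits for name, bits in acl["groups"].items() if name in groups]
    if matching:
        # a single matching (masked) entry must carry all requested bits;
        # permissions from several group entries are not combined
        return any(bits & mask & need == need for bits in matching)
    return acl["other"] & need == need


def can_chdir(path_acls, user, groups):
    """Return the first path component that denies search (x), or None."""
    for path, acl in path_acls:
        if not acl_access(acl, user, groups, "x"):
            return path
    return None


# Copied from the post above (getfacl and id output for the failing share/user).
GETFACL_PRIVATESHARE = """\
getfacl: Removing leading '/' from absolute path names
# file: mnt/user/PrivateShare
# owner: ur_admin
# group: ur-lab_access
user::rwx
user:ur_admin:rwx
group::rwx
group:ur-lab_access:rwx
group:ur-lab-privateshare-ro:r-x
group:ur-lab-privateshare-rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""
ID_RWUSER = ("uid=1278739538(rwuser) gid=1278738945(domain users) groups=1278738945(domain users),"
             "1278739538(rwuser),1278739551(ur_users),1278739543(ur-lab-privateshare-rw),"
             "1278739547(b-rw),1278739545(ur-lab-privateshare-a-rw),1278739556(ubuntu_share_rw)")


def check_rwuser():
    """Walk / -> /mnt -> /mnt/user -> /mnt/user/PrivateShare as rwuser."""
    user, groups = parse_id(ID_RWUSER)
    chain = [("/", acl_from_ls("drwxr-xr-x", "root", "root")),
             ("/mnt", acl_from_ls("drwxr-xr-x", "root", "root")),
             ("/mnt/user", acl_from_ls("drwxrwxrwx", "ur_admin", "ur-lab_access")),
             ("/mnt/user/PrivateShare", parse_getfacl(GETFACL_PRIVATESHARE))]
    return can_chdir(chain, user, groups)


if __name__ == "__main__":
    denied_at = check_rwuser()
    print("ACL denies at", denied_at) if denied_at else print("ACL grants chdir")
```

On the posted data the walk completes: rwuser reaches PrivateShare through the `group:ur-lab-privateshare-rw:rwx` entry and the `mask::rwx` leaves its x bit intact. That is exactly what makes the Samba log line worth a second look, since the token it prints contains gid 1278739543, the same group. Two details the evaluator gets right that hand-reading often misses: the owner's entry is never masked, and a requested permission must come from one matching group entry, not from the union of several.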
Rowland Penny
2024-Jan-11 10:36 UTC
[Samba] Share access permission errors after upgrade from 4.12.14
On Thu, 11 Jan 2024 08:53:38 +0000
unraidster via samba <samba@lists.samba.org> wrote:

> Hello,
>
> Issue Description
> After the upgrade of the Unraid server OS (unraid.net) from v6.9.2 to
> v6.12.6 (which upgrades the version of Samba from 4.12.14 to 4.17.12)
> access to shares stops working.
>
> Error Summary:
> [2024/01/07 21:52:43.357676, 0, pid=93992, effective(1278739538,
> 1278738945), real(1278739538, 0)]
> ../../source3/smbd/smb2_service.c:168(chdir_current_service)
> chdir_current_service: vfs_ChDir(/mnt/user/PrivateShare) failed:
> Permission denied. Current token: uid=1278739538, gid=1278738945, 7
> groups: 1278739538 1278738945 1278739551 1278739543 1278739547
> 1278739545 1278739556
>
> [...]

Is winbind running ?
Are you using sssd ?
To be honest, your 'idmap config' block isn't correct, you have:

idmap config * : range = 10000-4000000000
idmap config * : backend = hash

Let's start with the idmap backend. If you run 'man idmap_hash', the very top of that file has this:

IDMAP_HASH(8)          System Administration tools          IDMAP_HASH(8)

NAME
       idmap_hash - DO NOT USE THIS BACKEND

Never mind that you should really only use the 'tdb' backend with the default (*) domain, the manpage itself tells you not to use this backend.

You also do not seem to have any 'idmap config' lines for the TESTLAB domain. I would expect to see 'idmap config' lines similar to these:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TESTLAB : backend = rid
idmap config TESTLAB : range = 10000-4000000000

Do you have any computers that must use SMBv1 ? (Windows XP or earlier)
If not, you can probably remove these lines:

ntlm auth = ntlmv1-permitted
server min protocol = NT1

For various reasons, I would also remove these lines:

host msdfs = No
ldap ssl = no
max open files = 40960
multicast dns register = No
os level = 100
server multi channel support = No
acl allow execute always = Yes
acl group control = Yes
aio read size = 0
aio write size = 0
dos filemode = Yes
inherit acls = Yes
inherit permissions = Yes
invalid users = root
fruit:nfs_aces = No

I would definitely remove this line:

null passwords = Yes

All accounts should have a password, if only for security.

I would also add this line:

vfs objects = acl_xattr

If your users are going to connect to the Samba server and have a home directory, you might like to add:

template homedir = /home/%U

Otherwise they will get the default path of '/home/TESTLAB/%U'

If they are going to actually log into the server, you should also set:

template shell = /bin/bash

Or the default '/bin/false' will be used and they will not be able to log in.

Finally, what is in '/etc/samba/smb-shares.conf' ?

Rowland
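The reply above boils down to a handful of checks on the [global] section: the '*' idmap domain should use tdb (the hash backend's own manpage says not to use it), the member server's own domain (TESTLAB) needs its own idmap block whose range does not collide with the '*' range, and 'null passwords', 'server min protocol = NT1' and 'ntlm auth = ntlmv1-permitted' should go unless SMBv1 clients really exist. The script below is an added example that encodes those checks as a lint over 'testparm -s' text; it is not a Samba tool, the finding names are its own, and the two embedded configs are a trimmed copy of the posted [global] section and a constructed version with the reply's changes applied.

```python
"""
Lint the [global] section of 'testparm -s' output for the idmap and
legacy-authentication settings discussed in the reply above. Added
example, not a Samba tool; finding identifiers are this script's own.
"""
import re

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)


def parse_global(text):
    """Return (params, idmap): params maps lower-cased option names to values,
    idmap[domain][option] = value. Share sections after [global] are skipped."""
    params, idmap, in_global = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if not in_global or not line or line.startswith("#"):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = "*" if m.group(1) == "*" else m.group(1).upper()
            idmap.setdefault(dom, {})[m.group(2).lower()] = m.group(3).strip()
        elif "=" in line:
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params, idmap


def ranges_overlap(a, b):
    """'3000-7999' vs '10000-4000000000' -> False (distinct id spaces)."""
    (a_lo, a_hi), (b_lo, b_hi) = (map(int, r.split("-")) for r in (a, b))
    return a_lo <= b_hi and b_lo <= a_hi


def is_true(val):
    return val.strip().lower() in ("yes", "true", "1")


def lint(text):
    """Return the list of finding identifiers for one testparm dump."""
    params, idmap = parse_global(text)
    findings = []
    star = idmap.get("*", {})
    domain = params.get("workgroup", "").upper()
    dom_cfg = idmap.get(domain) if domain else None

    # '*' covers BUILTIN and any domain without its own block; the reply
    # wants tdb there, and idmap_hash's manpage says not to use hash at all.
    if star.get("backend", "").lower() != "tdb":
        findings.append("idmap_star_backend")
    if domain and dom_cfg is None:
        findings.append("idmap_domain_missing")
    elif (dom_cfg and "range" in star and "range" in dom_cfg
          and ranges_overlap(star["range"], dom_cfg["range"])):
        findings.append("idmap_ranges_overlap")  # two SIDs could share one uid
    if is_true(params.get("null passwords", "no")):
        findings.append("null_passwords")
    if params.get("server min protocol", "").upper() == "NT1":
        findings.append("smb1_enabled")
    if params.get("ntlm auth", "").lower() in ("yes", "ntlmv1-permitted"):
        findings.append("ntlmv1_permitted")
    if "acl_xattr" not in params.get("vfs objects", "").split():
        findings.append("no_acl_xattr")
    return findings


# Trimmed copy of the [global] section posted above, plus one share section
# to show that only [global] is linted.
POSTED = """\
[global]
        ntlm auth = ntlmv1-permitted
        null passwords = Yes
        realm = TESTLAB.COM
        security = ADS
        server min protocol = NT1
        winbind use default domain = Yes
        workgroup = TESTLAB
        idmap config * : range = 10000-4000000000
        idmap config * : backend = hash
        include = /etc/samba/smb-shares.conf
        invalid users = root

[PrivateShare]
        path = /mnt/user/PrivateShare
        read only = No
"""

# The same section with the changes suggested in the reply applied (constructed).
FIXED = """\
[global]
        realm = TESTLAB.COM
        security = ADS
        winbind use default domain = Yes
        workgroup = TESTLAB
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config TESTLAB : backend = rid
        idmap config TESTLAB : range = 10000-4000000000
        vfs objects = acl_xattr
        include = /etc/samba/smb-shares.conf
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(name + ":", ", ".join(lint(conf)) or "clean")
```

Feed it real output with `testparm -s 2>/dev/null | python3 lint_smb.py` style plumbing (the file name is this example's own) after replacing the embedded strings with `sys.stdin.read()`. The range-overlap check is there because the posted '*' range starts at 10000, exactly where the suggested TESTLAB rid range starts; if both blocks were added without shrinking the '*' range, the two backends could hand the same uid to different SIDs.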