SOLVED CIFS: all but one shares stopped working out of nothing

weingeist

Dabbler
Joined
Feb 6, 2017
Messages
30
Hi all

I am really frustrated, I don't know how to proceed with my home server. When trying to mount my shares on my Linux Mint notebook, all but one suddenly fail due to permission error:

Code:
mount -t cifs //192.168.*.*/user0 /media/user0/ -o username=dl,password="***",iocharset=utf8,noauto,uid=1001,gid=5001
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


My data structure in my volume is as follows:
Code:
root@hostname:/mnt/vol1 # ll
total 34
drwxrwx---  8 dl    home   8 Aug 17  2019 Media/
drwxrwx---  8 root  wheel  8 Aug  2 20:29 userdata/


and an exemplary user dataset:
Code:
root@hostname:/mnt/vol1 # ll userdata/
drwxrwx---  12 dl     home  12 Jun 29 09:31 user0/


All users are part of the home group, therefore the 770 permissions. ACLs are not set and therefore (probably) by default:
Code:
# file: Media/
# owner: dl
# group: home
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

# file: userdata/user0/
# owner: dl
# group: home
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow


Media is the only share that is correctly mounting. But permissions and owner are identical, share settings as well. So why is one working and the other (all others for that matter) aren't?


All user datasets get the permission denied error on the Linux notebook. Similar errors are found on a Windows machine and on my AndSMB app on my phone, so the client shouldn't be the problem. And the really weird part is, that this problem started out of nothing (2 weeks ago). I upgraded from 11.3-RELEASE to 11.3-U3.1 end of May, and after the permission problem started to U4.1, which didn't change anything.

I have created new shares on existing datasets, new datasets, setting ACLs on the test datasets but no luck.

Any ideas from you guys? Would appreciate any help, since I can't properly access my data except through nextcloud.
Cheers
weingeist
 


Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
This sounds like a problem with the client level. 11.3 by default disables SMB1 and NTLMv1 authentication. Please show testparm -s from both the client and the FreeNAS server.
 

weingeist

Hi Samuel

Thank you for your quick answer! I saw the two checkmarks in Services > SMB settings to enable v1 of SMB and NTLM, but no change. Hope the testparm output helps:

Here you go:
client:
Code:
~# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
    dns proxy = No
    log file = /var/log/samba/log.%m
    map to guest = Bad User
    max log size = 1000
    obey pam restrictions = Yes
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    server role = standalone server
    server string = %h server (Samba, Ubuntu)
    syslog = 0
    unix password sync = Yes
    usershare allow guests = Yes
    idmap config * : backend = tdb


[printers]
    browseable = No
    comment = All Printers
    create mask = 0700
    path = /var/spool/samba
    printable = Yes


[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

and server:
Code:
root@hostname:~ # testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
    aio max threads = 2
    bind interfaces only = Yes
    disable spoolss = Yes
    dns proxy = No
    enable web service discovery = Yes
    kernel change notify = No
    load printers = No
    logging = file
    max log size = 51200
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    restrict anonymous = 2
    server min protocol = SMB2_02
    server role = standalone server
    server string = FreeNAS Server
    unix extensions = No
    idmap config *: range = 90000001-100000000
    idmap config * : backend = tdb
    allocation roundup size = 0
    create mask = 0770
    directory mask = 0770
    directory name cache size = 0
    dos filemode = Yes
    include = /usr/local/etc/smb4_share.conf


[user0]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/vol1/userdata/user0
    read only = No
    veto files = /.windows/.mac/
    vfs objects = streams_xattr shadow_copy_zfs zfs_space zfsacl
    zfsacl:expose_snapdir = True
    nfs4:acedup = merge
    nfs4:chown = true


[user1]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/vol1/userdata/user1
    read only = No
    vfs objects = streams_xattr shadow_copy_zfs zfs_space zfsacl
    nfs4:acedup = merge
    nfs4:chown = true


[Media]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/vol1/Media
    read only = No
    veto files = /.windows/.mac/
    vfs objects = streams_xattr shadow_copy_zfs zfs_space zfsacl
    zfsacl:expose_snapdir = True
    nfs4:acedup = merge
    nfs4:chown = true


[user2]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/vol1/userdata/user2
    read only = No
    veto files = /.windows/.mac/
    vfs objects = streams_xattr shadow_copy_zfs zfs_space zfsacl
    zfsacl:expose_snapdir = True
    nfs4:acedup = merge
    nfs4:chown = true


[user3]
    aio write size = 0
    ea support = No
    mangled names = illegal
    path = /mnt/vol1/userdata/user3
    read only = No
    vfs objects = streams_xattr shadow_copy_zfs ixnas
    nfs4:acedup = merge
    nfs4:chown = true
 

Samuel Tai

Those checkboxes won't take effect until after a restart of the SMB service. I don't see anything obviously wrong. What version of Mint, and what do the log.smbd logs in /var/log/samba4 indicate when you get the deny?
 

weingeist

"Those checkboxes won't take effect until after a restart of the SMB service."
Ok, good to know. I always did that, just because I wasn't sure it was necessary.

Mint version:
Code:
~$ cat /etc/issue
Linux Mint 19.3 Tricia \n \l


The samba log output (on the server, that is) when trying to mount user0 share is this:
Code:
[2020/08/05 23:18:19.838768,  2] ../../source3/param/loadparm.c:2812(lp_do_section)
  Processing section "[user0]"
[2020/08/05 23:18:19.838980,  2] ../../source3/param/loadparm.c:2812(lp_do_section)
  Processing section "[user1]"
[2020/08/05 23:18:19.839121,  2] ../../source3/param/loadparm.c:2812(lp_do_section)
  Processing section "[Media]"
[2020/08/05 23:18:19.839284,  2] ../../source3/param/loadparm.c:2812(lp_do_section)
  Processing section "[user2]"
[2020/08/05 23:18:19.839775,  2] ../../source3/param/loadparm.c:2812(lp_do_section)
  Processing section "[user3]"
[2020/08/05 23:18:19.845787,  2] ../../source3/auth/auth.c:316(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [dl] -> [dl] -> [dl] succeeded
[2020/08/05 23:18:19.875453,  2] ../../source3/smbd/service.c:851(make_connection_snum)
   (ipv4:192.168.*.*client*:53310) connect to service user0 initially as user dl (uid=1001, gid=5001) (pid 24121)
[2020/08/05 23:18:19.878685,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/08/05 23:18:19.885191,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/08/05 23:18:19.888626,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/08/05 23:18:19.891666,  2] ../../source3/smbd/service.c:1131(close_cnum)
   (ipv4:192.168.*.*client*:53310) closed connection to service user0

Weird. Authentication seems OK, but there is some change directory failure?
 

Samuel Tai

OK, that's because
Code:
root@hostname:/mnt/vol1 # ll
total 34
drwxrwx---  8 dl    home   8 Aug 17  2019 Media/
drwxrwx---  8 root  wheel  8 Aug  2 20:29 userdata/


the userdata directory doesn't allow any other accounts/groups to traverse through it. It's restricted to only root and wheel. Try setting this to chmod 777 /mnt/vol1/userdata. You may also need to do the same for chmod 777 /mnt/vol1.
 

weingeist

Ok, now I feel stupid. I even seem to remember now that I wanted to reset the user permissions and probably did a chmod -R 770 userdata. Unfortunately I didn't access it for quite some time locally and didn't think about that anymore.

What I was not aware of was the traverse aspect. I didn't know that the entire path (?) of a share needs to have r-x permissions, am I correct? /mnt and /mnt/vol1 both have 755, so that's what I'm assuming.

Anyways, this was a very quick fix, thank you very much Samuel!

Cheers
weingeist
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
"What I was not aware of was the traverse aspect. I didn't know that the entire path (?) of a share needs to have r-x permissions, am I correct?"

Users need "Execute / Traverse" (x) for every path component that they need to traverse. This is the same as in Windows, except bypassing the traverse check is enabled by default in Windows (but this can vary depending on organization / IT staff).
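
Added example (not part of any post in this thread): a small Python check that walks each path component of a share and reports the first directory the connecting user cannot traverse, which is what chdir_current_service() ran into above. The ownership of /mnt and /mnt/vol1 (root:wheel) and the mapping of gid 5001 to the home group are assumptions; only mode bits are evaluated, not NFSv4 ACLs.

```python
import os
import stat
from pathlib import Path

def can_traverse(mode, owner_uid, owner_gid, uid, gids):
    """POSIX mode-bit check for search (x) on one directory.
    Only the first matching class (owner, then group, then other) is consulted."""
    if uid == 0:
        return True                       # root bypasses the check
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def first_blocked(chain, uid, gids):
    """chain: (path, mode, owner_uid, owner_gid) tuples ordered from the top down.
    Returns the first directory the user cannot traverse, or None."""
    for path, mode, owner_uid, owner_gid in chain:
        if not can_traverse(mode, owner_uid, owner_gid, uid, gids):
            return path
    return None

def stat_chain(path):
    """Build the chain for a real path with os.stat (run as root on the server)."""
    p = Path(path).resolve()
    chain = []
    for d in [*reversed(p.parents), p]:
        st = os.stat(d)
        chain.append((str(d), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return chain

# Constructed from the listings in the thread: uid/gid of dl come from the smbd
# log line; root:wheel is 0:0; owners of /mnt and /mnt/vol1 are assumed.
DL_UID, HOME_GID = 1001, 5001
PARENTS = [("/mnt", 0o755, 0, 0), ("/mnt/vol1", 0o755, 0, 0)]
USER0 = PARENTS + [("/mnt/vol1/userdata", 0o770, 0, 0),
                   ("/mnt/vol1/userdata/user0", 0o770, DL_UID, HOME_GID)]
MEDIA = PARENTS + [("/mnt/vol1/Media", 0o770, DL_UID, HOME_GID)]

if __name__ == "__main__":
    print("user0 blocked at:", first_blocked(USER0, DL_UID, {HOME_GID}))
    print("Media blocked at:", first_blocked(MEDIA, DL_UID, {HOME_GID}))
    # On the server itself: first_blocked(stat_chain("/mnt/vol1/userdata/user0"), 1001, {5001})
```

Traversal only needs the x bit for the class the user falls into, so a mode such as 771 on userdata passes the same check without letting other accounts list the directory.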
 