Samba login/user permisssion problems with fresh install.

Seventh · 09-07-2008, 03:11 PM

Hello all,

I'm trying to configure a new server running Debian Etch - it's a fileserver that I'm having a bit of a hard time configuring.

Here's my smb.conf:

Quote:

[global]
workgroup = LAB
security = user
server string = %h server
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = tdbsam
encrypt passwords = yes
#passwd program = /usr/bin/passwd %u
#passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\sp\
assword:* %n\n *password\supdated\ssuccessfully* .
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
wins server = eth2:129.83.25.3, eth2:129.83.25.1, eth2:128.29.155.50, e\
th2:128.29.239.2
panic action = /usr/share/samba/panic-action %d
invalid users = root
#include = /etc/samba/dhcp.conf

[homes]
comment = Home Directories
path = /knox/bitbucket/profiles/%u
valid users = %S
#valid users = %u
create mask = 0700
directory mask = 0700
browseable = No
read only = No

[vault]
comment = Vault
path = /knox/vault
read only = No
create mask = 0770
directory mask = 0770
guest ok = No

[Maps]
comment = Map Depot
path = /knox/vault/Maps
read only = Yes
create mask = 0770
directory mask = 0775
Read only = Yes
guest ok = Yes

[share]
comment = Share
path = /knox/bitbucket/share
read only = No
create mask = 0774
directory mask = 0775
#guest only = Yes
guest ok = Yes
#admin users = @samba

[public]
comment = Public Storage
path = /knox/bitbucket/public
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes
guest ok = Yes

I have a few shares, and here's what I'm trying to accomplish:

\share - no auth required
\public - same
\vault - requires auth
\maps - no auth, read only

The problem I'm running into right now is that if I create a fresh user, add them to the samba group and db, I'm getting prompted for a login if I just hit the root \\server.domain.com. In previous setups, hitting just the root of the server would always show me the available shares, and only prompt me to login if I tried to access any of the password protected areas.

If anyone could take a peek and perhaps tell me why I'm being prompted for a login when trying to get at anything, I'd really appreciate it.

Thanks!

Woodypecker · 09-07-2008, 05:46 PM

obey pam restrictions (G)
When Samba 3.0 is configured to enable PAM support (i.e. --with-
pam), this parameter will control whether or not Samba should
obey PAM's account and session management directives. The default
behavior is to use PAM for clear text authentication only and to
ignore any account or session management. Note that Samba always
ignores PAM for authentication in the case of encrypt passwords =
yes. The reason is that PAM modules cannot support the chal‐
lenge/response authentication mechanism needed in the presence of
SMB password encryption.

This snippet from man smb.conf should make clear why "obey pam restrictions" is not a good idea here.

Seventh · 09-09-2008, 09:37 AM

Thanks for the reply.

I turned pam restrictions off, but it didn't seem to really do anything. I also removed "invalid users = root" which made my public share work. The biggest problem (of my many, hah) that I have right now is that this share:

Quote:

[Maps]
comment = Map Depot
path = /knox/vault/Maps
read only = Yes
create mask = 0770
directory mask = 0775
guest ok = Yes

Still doesn't let anyone in - neither guests, or authenticated users. I just want to make it a simple share that's available read-only to everyone. I tried 777ing the folder and chown/grping it to both root and samba, and still no dice.

Seventh · 09-09-2008, 10:35 AM

Here's the log error that I get when trying to access the maps share.

Quote:

[2008/09/09 10:33:17, 0] auth/auth_util.c:create_builtin_administrators(785)
create_builtin_administrators: Failed to create Administrators
[2008/09/09 10:33:17, 2] auth/auth_util.c:create_local_nt_token(899)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2008/09/09 10:33:17, 0] auth/auth_util.c:create_builtin_users(751)
create_builtin_users: Failed to create Users
[2008/09/09 10:33:17, 2] auth/auth_util.c:create_local_nt_token(926)
create_local_nt_token: Failed to create BUILTIN\Users group!
[2008/09/09 10:33:17, 0] smbd/service.c:make_connection_snum(920)
'/knox/vault/maps' does not exist or permission denied when connecting t
o [Falconview] Error was Permission denied
kursk:/var/log/samba#

The path is correct so it's definitely not the "does not exist" part of it. It pops up a login box and regardless of credentials doesn't let me in. Directory is 777 and owned by root.

Woodypecker · 09-10-2008, 06:29 AM

1. you did do the "smbpasswd -a $USER" for your users wanting to connect?
2. you may need to do the same for "nobody" with a empty password
3. what are the filesystem permissions for the /knox/vault/maps directory, in particular
does the group it belongs to, match one of the groups the users are in? (you may simply change group to nogroup for "nobody" access ...)
4. "read only = yes" and "create mask" won't stick together, but that shouldn't matter ...
5. from the log, and the multiple wins servers you specified, I wonder is the samba server (trying to be) member of a domain?
6. even when the smb.conf looks perfectly valid, do run testparm.
In particular, is "Server role" standalone or anything else?