LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   Samba conf, samba4 (http://www.linuxquestions.org/questions/linux-server-73/samba-conf-samba4-4175441591/)

florian_mrt 12-15-2012 04:02 PM

Samba conf, samba4
 
It's rare for me to post on LQ, but in these rare occasions when I am completely running out of ideas for a particular problem, I try to go and seek some advice. This case, I have a problem with Samba conf that I am banging my head against a wall for several days now.

I have a wireless (encrypted) LAN for a small group of people, and all users (using Win7, winXP, Win8, Mac, Android, and god-knows-what-else-we-have), share an internet connection from a tethered mobile phone via USB to a Fedora 18 x64 box that we all share access to. That's working fine.

The problem is getting samba on the Fedora box to work; we want to use it for file sharing, web testing/hosting, viewing very legal movies and other Jazz. I want the folder /home/shares shared, without any authentication requests whatsoever. Not very secure, but then again, all users on the LAN are considered trustworthy, and will be in the future. I want all users to have full read/write access on this share, and that's where the problem starts.

I have created a smbpasswd -an nobody user, but I prefer if all files created/modified/added were managed at the filesystem level using the registered user seib, whose shared login password all people know about anyway.

For the record, The box has i5, 4GB ram, eth 1000Gb to the wifi router. Os is Fedora 18 beta x64, using ip 10.42.0.1, and acts as a dhcp server. I am aware that Fedora 18 is beta, but I don't think that's the problem, because samba was installed using sudo yum install samba, and I had similar unsolved problems before fedora 18. I am testing from Win7, and it either asks for a user/pass, doesn't show the contents of /home/shares/, and has never allowed creating a new folder/file from Win7 over the network.

I plainly think it is a smb.conf problem that I am nog capturing. I have read a lot of posts and tried many things from google, removed and restarted many smb.conf files, but after six days, here I am. Please do help. What am I missing?


/etc/samba/smb.conf:
[global]
#...
workgroup = WORKGROUP
server string = Samba Server Version %v
guest account = nobody
# guest account = seib
map to guest = bad user
force user = seib

# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50


load printers = yes
cups options = raw
netbios name = Seib-PC
hosts allow = 127. 192.168. 192.168. 10.42.
#create mode = 664
security = SHARE
usershare allow guests = yes

[public]
comment = Public Shares
browsable = yes
path = /home/shares/
public = yes
writable = yes
write list = seib
guest ok = yes
#create mask = 0644
#directory mask = 2777




I am posting this in the server forum, because I noticed the new samba 4 server. Is this better? Is this what I need, especially considering the Win8 that we recently bought? I am sorry if someone already posted perhaps the solution in another thread, but then again, I have tried a lot of other posts already...

jschiwal 12-16-2012 10:05 AM

For share level security, all users are mapped to the guest account. Since you want all users mapped to "seib", make seib the guest account in your share definition:
Guest Account = seib
-----
Quote:

Originally Posted by samba reference guide
There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.

You could use user level security instead.

----
Samba 4 is better if you want to run a network with Active Directory.

florian_mrt 12-16-2012 12:36 PM

I have already tried 'Guest Account = seib' before, with no luck or difference... I am now using security = user, which, on the Win7, at least gives me a list of all the available shares. But when I view one of the shares, it doesnt let me view the folder contents, nor does it let me edit or create something in them (error pops up), nor does it ask for my user/pass though. In dos, it does give me a list of the available shares too with 'net view //seib-pc'
Actually, per coincidence, I didn't realize, but trying out smbstatus reveals that I have Samba version 4.0.0 running. It does give me the error:
Failed to initialize session_global: NT_STATUS_ACCESS_DENIED

I am using the following conf for all this so far:

Code:

[global]
        workgroup = WORKGROUP
        guest account = smbguest
#        guest account = nobody
        map to guest = Bad User
        netbios name = SEIB-PC
        security = user
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        hosts allow = 127., 192.168., 192.168., 10.42.
        usershare allow guests = Yes

[public]
        path = /home/shares
        read only = No
        guest only = yes
        guest ok = yes

[cdrom]
        fake oplocks = yes
        guest ok = yes
        guest only = yes
        path = /mnt/cdrom
        read only = yes

I would be so glad if I got this to work..!

florian_mrt 12-16-2012 08:48 PM

An update, current shares folder is:
Code:

drwxrwxrwx.  2 root    root    4096 Dec 14 21:28 shares
Current smb.conf:
Code:

[global]
        workgroup = WORKGROUP
        netbios name = SEIB
        map to guest = Bad User
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65535 SO_SNDBUF=65535 SO_KEEPALIVE
        load printers = No
        printcap name = /etc/printcap
        dns proxy = No
        log file = /var/log/samba/log.%m
        max log size = 50
        os level = 99
        idmap config * : backend = tdb

[Shares]
        path = /home/shares
        force user = root
        read only = No
        guest ok = Yes

I can see the shares, but I can't see the files in Shares, nor can I edit anything. I am still at where I started. I also found from SWAT Server Status, that under section Open Files, my Win7 reports as 'DENY_DOS'. And I found that all user permissions inside Win7, when looking at the security tab of the properties window of the Shares folder, have no permissions at all.

- What does 'DENY_DOS' in samba mean?

- How does Samba give permissions to Win users?

jschiwal 12-19-2012 02:26 AM

Don't use force user root. Go back to seib or nobody.

Do the files show up in Win XP? I had a problems at work with Win7 shares not showing up on a Win 2008 server. (I had to turn off the "home group" stuff and change the number of bits used for encryption to fix it) Test on the XP, Win7 will present too many variables. Then you will know if it's Samba or Windows.

What do the samba logs say when you try to open a samba share? Try to access one, then check the log. I once discovered an apparmor access problem from the smbd log.

Make sure seib is a samba user. Use the smbpasswd program to add the user.
The seib user needs access to the directories. Check the directory permissions, the firewall ports (including UDP).

If a user might be authenticated as themselves, then they need permissions as well, either via global permissions (o=rwx), or using Linux file acls.

Look at the "Samba 3 by Example" book. You can download it from the samba.org site. Many Linux distros have a samba-docs package that supplies it as well. If you start with a close model, such as the library example, and get that to work, you may discover if there is a Windows problem.

I looked up DENY_DOS. It is a file locking mode.
http://oreilly.com/openbook/samba/bo...tml#ch05-55885

florian_mrt 12-19-2012 10:21 AM

Hello all, I solved it!

And guess what the error was? I couldn't think of it for all these days. SELinux.
Stupidly, it was just right there in my face, the description for SELinux in fedora was all over the original config, which I too quickly moved for a trial config, without checking/reading the contents. Why would one..

Now everything works, no passwords, logins, very basic. I'll leave the info so hopefully someone in the future will find this very useful!

My current smb.conf:
Code:

[global]
        workgroup = SEIBGROUP
        netbios name = SEIB-PC
        security = user
        null passwords = yes
        map to guest = Bad User
        dns proxy = No
        guest account = seib
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65535 SO_SNDBUF=65535 SO_KEEPALIVE
        log file = /var/log/samba/log.%m
        max log size = 50
        os level = 99
        idmap config * : backend = tdb

[Shares]
        path = /home/shares/
        read only = No
        public = yes
        force user = seib
        guest ok = Yes
        writeable = yes

Make sure you enable start/restart Samba
Code:

sudo systemctl restart nmb.service
sudo systemctl restart smb.service
sudo systemctl enable nmb.service
sudo systemctl enable smb.service

Enable b****y f******g SELinux, without disabling it out of hatred or wrath. Bit of security doesn't harm, apart from catastrophically and world-desastrously traumatising my time.
Code:

su
setsebool -P allow_smbd_anon_write=1
semanage fcontext -d -t public_content_t "/home/shares(/.*)?"
semanage fcontext -a -t public_content_rw_t "/home/shares(/.*)?"
setsebool -P samba_enable_home_dirs on
setsebool -P samba_export_all_rw on
restorecon -R /home/shares

Restarting at this point could be a good idea.


A few further tips that have helped me a tremendous lot. It is worth reading about these basic SELinux tools, 'man semanage', 'man setsebool'. Also, for non-SELinux OS, you learn a lot about low-level tools using the following PDF, to troubleshoot Samba if it goes wrong. It was VERY informative (In my case, I read all the way to level 5, where looking up the logs, which were flabbergastingly empty, and then it just daunted on me smbd never was accessed because of something low-level security. Boom. SELinux.):
http://www.samba.org/samba/docs/Samba24Hc13.pdf
Also, for SELinux specifically, 'sudo yum install policycoreutils-gui' will install the tool system-config-selinux, which gives a very nice oversight of what SELinux is doing.

May time be on your side.

rccharles 02-16-2014 01:16 PM

Thanks for your post.

I needed to define a Samba user. pdbedit lists out the Samba users. If you do not get any users listed, you have not defined any Samba users.
  1. sudo smbpasswd -D 3 -a me
    Option -D 3 is debug level 3, -a is add user named 'me'.
  2. sudo pdbedit -L -v

I made up this convenient alias.
alias rs='sudo systemctl restart nmb.service;sudo systemctl restart smb.service;sleep 8;sudo systemctl enable nmb.service;sudo systemctl enable smb.service;'


All times are GMT -5. The time now is 12:53 AM.