09-02-2014, 05:23 PM
|
#1
|
Member
Registered: Sep 2003
Location: Florida
Distribution: Debian
Posts: 94
Rep:
|
Yet more cifs mount issues...
Like many others, I am overcome with samba/cifs woes, and I can't make a lot of sense out of the symptoms. The net seems to be filled with people who can't make cifs work. In the past with me, though, it's always been Win mounting Linux or vice-versa, and I've not had too many problems; this is my first foray into linux-on-linux.
The environment:
Home network w/ four computers: a Debian Linux server on high-end hardware (I built it) used as a server & a workstation (macu-the most awesome computer in the universe), a Win 7 computer used as a workstation on similar H/W (BigDaddy, powerful but really klunky), a Win 7 laptop in my "lab" (aka, the garage), and a Raspberry Pi running Raspbian that I use to build and control circuits (DevPi). The first three I've had for a couple or three years and the RPi for six months or so, and all was well. I think all this centers around the Linux machines, though.
Note in particular that security is not much of an issue here, particularly with respect to the RPi. The other computers are locked down pretty well, and everything is behind my ISP, Brighthouse, and a router/firewall connected to the cable modem. The Pi, in this environment, is pretty open, and that's the way I want it.
The Pi is headless, and its root filesystem is exported (via the feared samba/cifs, which is my problem). There are four user IDs on the Pi: root, dev (an account I just put there to try to diagnose and fix this), anw (my user account) and the out-of-the-box pi account or something like that (unused). On the Debian machine I also have anw & dev accounts. On the Pi and Debian machines, anw & dev are set up and configured identically, and, of course, root is root.
There is no smbpasswd file, or any sophisticated authentication involved (I hope). I want it simple, within my home LAN (which I'll otherwise protect), and it should be.
I have been mounting the RPi filesystem on both the Win 7 machines since I've had it and built a couple of cards & wrote the software. It is sooo slow, though, in an environment with Eclipse accessing it over its share from my shop laptop that I decided to set up a cross-compiler tool chain on my super-duper high-end Debian machine.
Every Win computer maps the drive just fine, at boot up, without asking for an ID, password, no problem (if the Pi is powered, of course). But the Debian machine will ONLY mount the RPi's file system with MY anw user credentials. I can't make it automount in fstab w/o asking for my credentials w/o a "-o credentials=cred-file" option, and it ONLY accepts my anw credentials, not root or dev, which always give a permissions error 13.
According to the man page, mount.cifs doesn't use the smb.conf at all. Setting smbd debug level to 3+ on the Pi does not give any indication of the Debian box even attempting to connect to it, so I don't think it has anything to do with that side. I'm including the smb.conf files, but, as detailed above, I don't think they have anything to do with it.
I've tried quite a few combinations and permutations of mount commands, of which this is an example, except sometimes with a credentials file, sometimes with a "sec=" in the options, etc. The user anw works with "credentials=cred-file", "user=anw" (prompts for the password), and "user=anw,password=mypass", and no other user works in any of the above. I want it to mount at boot, if the Pi is found (i.e., powered up), with no password, no hassle, and no unencrypted text file containing any password.
Code:
mount -t cifs //DevPi-WiFi/root /RPi -o username=anw
So, without further ado, here are the smb.conf files, with comments stripped out (I left in lines starting with ";"; I think that's a comment, isn't it? They're only on the Debian machine, which the man page says isn't used by cifs anyway).
Debian:
Code:
macu:/etc/samba# uname -a
Linux macu 3.14-1-amd64 #1 SMP Debian 3.14.9-1 (2014-06-30) x86_64 GNU/Linux
macu:/etc/samba# smbd -V
Version 4.1.11-Debian
Code:
[global]
workgroup = CSUNV-EXECUTIVE
; wins server = w.x.y.z
dns proxy = no
; interfaces = 127.0.0.0/8 eth0
; bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
security = user
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
map to guest = bad user
; logon path = \\%N\profiles\%U
; logon drive = H:
; logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
; include = /home/samba/etc/smb.conf.%m
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
usershare max shares = 100
usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0775
directory mask = 0775
valid users = %S
[public]
comment = Guest access Share
path = /home/public
writeable = yes
valid users = @sambashare
guest ok = no
browseable = yes
[dev]
comment = Development Shares
path = /usr/local
writeable = yes
valid users = @dev
guest ok = no
browseable = yes
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
; write list = root, @lpadmin
RPi:
Code:
root@DevPi:/etc/samba# uname -a
Linux DevPi 3.10.25+ #622 PREEMPT Fri Jan 3 18:41:00 GMT 2014 armv6l GNU/Linux
root@DevPi:/etc/samba# smbd -V
Version 3.6.6
Code:
[global]
workgroup = CSUNV_EXECUTIVE
server string = %h server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
log level= 3 passdb:5 auth:5
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[root]
comment= root file system access
path=/
browseable=yes
writeable=yes
only guest=no
create mask=0777
directory mask=0777
public=no
[piHome]
comment= pi Home
path=/home/pi
browseable=yes
writeable=yes
only guest=no
create mask=0777
directory mask=0777
public=no
[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No
;[printers]
; comment = All Printers
; path = /var/spool/samba
; create mask = 0700
; printable = Yes
; print ok = Yes
; browseable = No
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
Any ideas? I just noticed the difference in the smbd versions. Surely not that...
Last edited by anw; 09-03-2014 at 07:34 AM.
Reason: Dropped .conf line
|
|
|
09-02-2014, 06:26 PM
|
#2
|
MX Linux
Registered: Dec 2013
Posts: 402
Rep: 
|
Out of curiosity, is the user name you use on the Windows machines also "anw"?
My first thought is that anw is the only user with both a Samba account and a Linux account on the Pi system. My second thought is that if you don't care about the user name, you could enable guest access, which I don't think you have here.
guest ok = yes
|
|
|
09-02-2014, 07:37 PM
|
#3
|
Member
Registered: Sep 2003
Location: Florida
Distribution: Debian
Posts: 94
Original Poster
Rep:
|
Yes, anw on all machines, which is the pw I don't want floating around. Maybe use the dev account, just for the pi (I only just set that up) and enable guest access, just for the pi. I just figured that if Win could do it, SURELY Linux could. Not too many things I find Win can do that Linux can't.
Just to solve my problem and move on, though, I'm thinkin' that's a good idea.
Thanks!
Last edited by anw; 09-03-2014 at 06:50 AM.
|
|
|
09-03-2014, 06:39 AM
|
#4
|
Member
Registered: Sep 2003
Location: USA
Distribution: Fedora 35
Posts: 79
Rep:
|
I have not messed with Samba in a very long time, but I noticed that the RPi does not have any "security" setting, which means it defaults to auto. It then looks at the "server role", which is also not set, which defaults the "security" to "user".
My Samba man page states:
"You should use server role = standalone and map to guest if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server."
At times I've found that being in the same WORKGROUP is also a good thing. May not matter as much though.
Just some thoughts.
Dan
|
|
|
09-03-2014, 07:23 AM
|
#5
|
Member
Registered: Sep 2003
Location: Florida
Distribution: Debian
Posts: 94
Original Poster
Rep:
|
Hey, thanks Dan. I wondered about your comment about the workgroup, checked everything, and I must have cut it out when I was stripping out the comments. There is a workgroup line in macu's .conf identical to the one in DevPi's. I'll edit the OP as soon as I write this.
Also, I've got to run off to work right now, but I'll check and make sure I didn't cut out anything else; in fact, since I'm starting this again, I'll start with a cleaner macu .conf.
So, what you're laying out is a guest share setup, right? Which, after reading dolphin_oracle's post is what I think I'm going to do. I wanted it to follow the Win 7 paradigm: you map the drive, Win prompts you for the credentials, but there is a box you can check that says "Reconnect at logon", that, if you check it, you never have to do the user/password thing again. I suppose it's only marginally more secure, if at all, and doesn't matter at all in my environment, since the Pi is essentially wide open anyway.
I guess I just got pretty frustrated. I've been using Samba for years, probably since the mid-90s. Open source is a beautiful thing and, IMHO, with few exceptions equal to or better than its "competitors". Samba has always seemed one of the exceptions. Seems like (memory being what it is) that when I very first set it up for the very first time, it was really, really hard (most things were back then) and, since my systems have only "evolved" since then, I've only tweaked it here and there. When you run into something like this, that Windows makes so easy and it's so hard on Linux, then you start poking around the internet and find so many others having so much trouble with it, and referencing undocumented things like a post that said you can give the mount.cifs command a --verbose option, upon which MY mount.cifs command barfed, I mean, it just goes on and on.
Samba has gone on to do an effective job of addressing security at the enterprise level (I suppose, and, given its intimacy with Windows, that's probably pretty hard), but done so at the expense of the simple, isolated-lab or home environment that are externally protected and should be brick simple. I would consider NFS, but I hear mixed things about it and don't have a lot of personal experience with it (actually, "...don't have a lot of..." really means "none").
Anyway, enough pontificating. I'll post at least one more time when I get something set up, probably this afternoon.
I think it boils down to:
Quote:
There is no greater impediment to personal productivity than computer security.
|
Last edited by anw; 09-03-2014 at 07:25 AM.
|
|
|
09-03-2014, 07:27 AM
|
#6
|
Member
Registered: Sep 2003
Location: Florida
Distribution: Debian
Posts: 94
Original Poster
Rep:
|
Quote:
There is no greater impediment to personal productivity than computer security.
|
Just became my sig.
|
|
|
09-03-2014, 04:19 PM
|
#7
|
Member
Registered: Sep 2003
Location: Florida
Distribution: Debian
Posts: 94
Original Poster
Rep:
|
Ha! Found it, and I was wrong on many counts. I couldn't let it go, because nothing explained why I could do the mount with one user and not with another set up (I thought) identically.
First, I DID find a verbose option to mount, -v (and the link said it must come before options, and you can use -vvvv, etc. for more output, which works), and got all kinds of stuff about the macu end trying to connect and failing.
So, the client is trying to connect...
Over on the pi end, turned debugging up to level 3 (I had done that before, so I don't know why I didn't see something like this), and found all sorts of authentication stuff failing TDB something or other (I HATE computer security).
Back to Google...
unix password sync is on, but when you first add the user in the Linux system, you have to also add it with smbpasswd. From there on (supposedly), the Linux user and samba user will be sync'd. I've not tested that part, and, since it's working, don't intend to!
I don't remember doing that for anw when I first got the pi, but oh, well...now, even though I still have to have a credentials file, I can set up a dummy user for that and put the mount in fstab (though I've about decided not to so boot won't hang when the pi is powered off).
If I get around to it, I may see if I can set a password to null and get rid of the creds file altogether, but I'm close to satisfied now.
Can I tag this in some way for search engines in case someone else is spending their days fretting over this?
Last edited by anw; 09-03-2014 at 04:25 PM.
|
|
|
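An added example, not part of the posts above: a small audit of the two things post #7 leaves open, the credentials file and an fstab entry that should not stall boot when the Pi is off. The fstab lines, the password and the path /etc/cifs-devpi.cred are constructed; `password=`/`pass=`, `credentials=`, `noauto`, `nofail` and `_netdev` are standard mount options.

```python
import os
import stat
import tempfile

# Constructed fstab lines. Host, share and mount point come from the thread;
# the password and the path /etc/cifs-devpi.cred are made up for the example.
SAMPLE_FSTAB = """\
//DevPi-WiFi/root /RPi cifs username=dev,password=example-pw 0 0
//DevPi-WiFi/root /RPi cifs credentials=/etc/cifs-devpi.cred,noauto,nofail,_netdev 0 0
"""

def audit_fstab(text):
    """Return (line_no, finding) pairs for the cifs entries in fstab text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if line.lstrip().startswith("#") or len(fields) < 4 or fields[2] != "cifs":
            continue
        # "noauto" -> ("noauto", ""), "user=dev" -> ("user", "dev")
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if "password" in opts or "pass" in opts:
            findings.append((no, "password inline in fstab, which is usually world-readable"))
        if "noauto" not in opts and "nofail" not in opts:
            findings.append((no, "no noauto/nofail: an unreachable server is a boot-time mount failure"))
    return findings

def audit_cred_file(path):
    """Flag a credentials file that anyone other than its owner can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["mode %04o lets group/other reach the password; use chmod 600" % mode]
    return []

def demo():
    """Write a throwaway credentials file and audit it before and after chmod."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"username=dev\npassword=example-pw\n")
        os.close(fd)
        os.chmod(path, 0o644)
        before = audit_cred_file(path)
        os.chmod(path, 0o600)
        after = audit_cred_file(path)
    finally:
        os.remove(path)
    return before, after

if __name__ == "__main__":
    print(audit_fstab(SAMPLE_FSTAB))
    print(demo())
```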
09-03-2014, 07:44 PM
|
#8
|
Member
Registered: Sep 2003
Location: Florida
Distribution: Debian
Posts: 94
Original Poster
Rep:
|
Well, I sounded the victory trumpet too soon. Got it mounted but more really odd problems.
To test, I cd'd to /RPi/usr/local/src (which is empty) and it won't let me create a file, sort of. If I touch a file, it says permission denied; if I nano a new file and try to save it, it says permission denied. But,
When I do a listing both files are there, zero length. However, they have permissions 744, and the owner is "1002", (it doesn't list the name) and the group is "staff":
Code:
-rw-r--r-- 1 1002 staff 0 Sep 3 20:13 test
The 1002 is my dummy dev user, which is in the passwd file, but is not being listed. Further, in smb.conf, I have the create mask set to 0777; so why isn't it dev for the user, and how'd the group get set to staff??
Now, further, if I change the permissions via ssh, I can edit the files and save them with no problem!
I did get rid of all valid users in the .conf file, which means it should default to all of them.
Any MORE ideas?? This just makes no sense.
|
|
|
09-03-2014, 08:01 PM
|
#9
|
Member
Registered: Sep 2003
Location: Florida
Distribution: Debian
Posts: 94
Original Poster
Rep:
|
S**t!!! look what I did to make it work:
Code:
[root]
comment= root file system access
path=/
# valid users = anw
# valid users = anw,dev
# valid users = %S
force user = anw
force group = dev
force create mode = 0777
force directory mode= 0777
browseable=yes
writeable=yes
create mask=0777
directory mask=0777
public=yes
And it still lists the group as staff.
What.A.F'ing.Kludge!
|
|
|
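An added example, not part of the posts above: a check that reads share definitions like the one in post #9 and lists what each setting exposes. The [root] sample holds the key settings from post #9; the [src] share is a constructed narrower alternative, and the findings text is this example's own wording.

```python
import configparser

TRUE = {"yes", "true", "1"}
FORCE_MODES = ("force create mode", "force directory mode")

# [root]: key settings from post #9. [src]: constructed, narrower alternative.
SAMPLE = """
[root]
path=/
force user = anw
force group = dev
force create mode = 0777
force directory mode= 0777
writeable=yes
create mask=0777
directory mask=0777
public=yes

[src]
path = /usr/local/src
valid users = dev
writeable = yes
create mask = 0664
public = no
"""

def audit_shares(text):
    """Map each share name to a list of findings about its exposure."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # smb.conf lines may be indented; strip them so configparser does not
    # treat them as continuations of the previous value.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    report = {}
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        # "public" is a synonym of "guest ok"; "writeable"/"writable" invert "read only".
        guest = (s.get("guest ok") or s.get("public") or "no").lower() in TRUE
        writable = ((s.get("writeable") or s.get("writable") or "no").lower() in TRUE
                    or s.get("read only", "yes").lower() not in TRUE)
        found = []
        if s.get("path") == "/":
            found.append("exports the entire root filesystem")
        if guest:
            found.append("guest access: no authentication required")
        if "force user" in s:
            found.append("force user=%s: every client acts as this account" % s["force user"])
        if writable and any(int(s.get(k, "0"), 8) & 0o002 for k in FORCE_MODES):
            found.append("forced modes make everything created world-writable")
        if guest and writable and s.get("path") == "/":
            found.append("CRITICAL: unauthenticated clients can write wherever the share's account can")
        report[name] = found
    return report
```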
09-05-2014, 08:41 PM
|
#10
|
Member
Registered: Sep 2003
Location: USA
Distribution: Fedora 35
Posts: 79
Rep:
|
User names map to numbers
I totally understand your frustration. Been there. Fought with that. We have a NAS running Samba and the whole user name/ID mapping keeps messing up and I have to tell the NAS to reset permissions.
Just a comment, which you may already understand. The user/group names always get mapped back to ID numbers on the Samba server. So there needs to be a "synchronized mapping" back and forth so that the files created on the server have the "proper" user/group IDs and then the names should show properly and permissions should work from the client side. I would think that making the "anw" user ID numbers on both machines the same should help. I wish there was a better way to make this just work.
PS I also like the security/productivity quote.
|
|
|
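An added example, not part of the posts above: comparing the account tables of server and client shows why a file can list as owner "1002" or under the wrong name. Both passwd excerpts are constructed (only dev = 1002 on the Pi comes from the thread), and it assumes the client displays the server's numeric IDs, as the listing in post #8 suggests.

```python
# Constructed /etc/passwd excerpts. Only "dev is UID 1002 on the Pi" is taken
# from the thread; every other UID here is an assumption for illustration.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000::/home/pi:/bin/bash
anw:x:1001:1001::/home/anw:/bin/bash
dev:x:1002:1002::/home/dev:/bin/bash
"""
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
anw:x:1000:1000::/home/anw:/bin/bash
dev:x:1001:1001::/home/dev:/bin/bash
"""

def parse_passwd(text):
    """Return {username: uid} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and not line.startswith("#"):
            users[parts[0]] = int(parts[2])
    return users

def compare_ids(server_text, client_text):
    """Report how server-side UIDs will look when listed on the client."""
    server, client = parse_passwd(server_text), parse_passwd(client_text)
    client_by_uid = {uid: name for name, uid in client.items()}
    return {
        # Same account name, different number on each machine.
        "mismatched": {n: (server[n], client[n]) for n in server
                       if n in client and server[n] != client[n]},
        # Server UIDs with no client account: ls prints the bare number.
        "unnamed_on_client": sorted(u for u in server.values()
                                    if u not in client_by_uid),
        # Server UIDs the client resolves to a different person's name.
        "aliased": {u: (n, client_by_uid[u]) for n, u in server.items()
                    if u in client_by_uid and client_by_uid[u] != n},
    }

if __name__ == "__main__":
    for key, value in compare_ids(SERVER_PASSWD, CLIENT_PASSWD).items():
        print(key, value)
```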
09-06-2014, 06:47 PM
|
#11
|
Member
Registered: Sep 2003
Location: Florida
Distribution: Debian
Posts: 94
Original Poster
Rep:
|
Heh, heh! Yeah, love that quote, particularly in a corporate environment. At my job our information is so secure that no one can read it, not even the author.
I figured out the uid/gid number thing, and may do that, make 'em the same, but if it continues to work, I'll follow another fundamental rule of engineering: if it works, don't fix it.
Thanks!
Last edited by anw; 09-06-2014 at 06:49 PM.
|
|
|