ryszardzonk Apprentice


Joined: 18 Dec 2003 Posts: 225 Location: Rzeszów, POLAND
|
Posted: Wed Mar 11, 2015 4:38 pm Post subject: samba permissions problem after upgrade to 4.1 |
Recently the upgrade to samba 4.1 became possible in the unstable tree. As the upgrade involved a few blocks, the easiest way to upgrade was to "emerge -C mit-krb5 samba", after which the update was possible and installed the following:
Tue Mar 10 14:04:36 2015 >>> dev-db/lmdb-0.9.14
Tue Mar 10 14:05:00 2015 >>> dev-util/cppunit-1.13.2-r2
Tue Mar 10 14:05:31 2015 >>> dev-libs/check-0.9.13-r1
Tue Mar 10 14:07:56 2015 >>> net-nds/openldap-2.4.40-r3
Tue Mar 10 14:08:57 2015 >>> sys-libs/tevent-0.9.24
Tue Mar 10 14:15:36 2015 >>> app-crypt/heimdal-1.5.3-r2
Tue Mar 10 14:15:41 2015 >>> dev-python/mimeparse-0.1.4-r1
Tue Mar 10 14:15:47 2015 >>> dev-python/extras-0.0.3
Tue Mar 10 14:15:52 2015 >>> dev-python/unittest2-0.8.0
Tue Mar 10 14:15:58 2015 >>> dev-python/testtools-1.5.0
Tue Mar 10 14:16:16 2015 >>> dev-python/subunit-0.0.21-r1
Tue Mar 10 14:18:27 2015 >>> sys-libs/tdb-1.3.4
Tue Mar 10 14:19:21 2015 >>> sys-libs/ntdb-1.0-r1
Tue Mar 10 14:19:56 2015 >>> sys-libs/ldb-1.1.20
Tue Mar 10 14:26:46 2015 >>> net-fs/samba-4.1.17
Wed Mar 11 12:37:54 2015 >>> net-fs/cifs-utils-6.4
Calculating dependencies... done!
[ebuild R ] net-fs/samba-4.1.17::gentoo USE="aio winbind -acl -addns -ads -avahi -client -cluster -cups -dmapi -fam -gnutls -iprint -ldap -quota (-selinux) -syslog -systemd {-test}" PYTHON_TARGETS="python2_7" 0 KiB
Now, as a result, I am not able to log in from my boxes to the server, as it apparently removed some files while unmerging.
[2015/03/11 04:35:44.472013, 0] auth/user_util.c:357(map_username)
can't open username map /etc/samba/smbusers. Error No file or directory
[2015/03/11 04:35:44.559258, 0] auth/pampass.c:797(smb_pam_accountcheck)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User foobar!
The question is what steps I should take to resolve this situation, as I am running out of ideas.
Could it be a problem with PAM and not Samba itself? _________________ Sky is not the limit... |
ryszardzonk Apprentice


Joined: 18 Dec 2003 Posts: 225 Location: Rzeszów, POLAND
|
Posted: Fri Mar 13, 2015 12:00 pm Post subject: |
[WORKAROUND]
I found samba4 to have all kinds of bugs open, including:
- https://bugs.gentoo.org/show_bug.cgi?id=542462 [app-crypt/heimdal and app-crypt/mit-krb5 need to be parallel-installable for gnome + samba]
- https://bugs.gentoo.org/show_bug.cgi?id=489770 [>=net-fs/samba-4.0 automagically depends on sys-libs/pam (libpam.so)]
- https://bugs.gentoo.org/show_bug.cgi?id=490872 [net-fs/samba-4.x: app-crypt/heimdal and app-crypt/mit-krb5 blocking by other package like openssl]
Therefore I have downgraded to the previous version of samba, for which I did the following:
masking the new samba in /etc/portage/package.mask:
>=net-fs/samba-3.99
emerge -C samba heimdal && emerge mit-krb5 samba cifs-utils
Be warned that prior to emerging samba3 after samba4 has been installed in the system, you must remove /var/lib/samba; otherwise your server would not start.
https://bugzilla.redhat.com/show_bug.cgi?id=829694#c8
Access to the samba shares got restored... _________________ Sky is not the limit... |
Fitzcarraldo Veteran


Joined: 30 Aug 2008 Posts: 1885 Location: United Kingdom
|
Posted: Fri Mar 13, 2015 3:35 pm Post subject: |
I have had better luck. I have a tower PC running Windows 8.1 for family use (multiple user accounts), and several laptops running Linux (main laptop runs Gentoo; the others Sabayon), and other family members have laptops running Windows 7. I performed the various package upgrades on my main laptop after uninstalling samba-3.* and mit-krb5 (and following some of the advice in the Gentoo Wiki Samba4 Migration HowTo, such as 'equery d mit-krb5' and remerging those packages with USE="-kerberos", 'revdep-rebuild -i', and 'emerge @preserved-rebuild').
My laptop running Gentoo and Samba4 can browse (R/W) the tower PC's folders and files in C:\Users\, and the tower PC can browse (R/W) the laptop's folders and files in /home/fitzcarraldo/ (both ends prompt for the username and password of the user account on the respective remote computer being accessed). It looks like the configuration for Samba3 on my laptop -- I used a good Samba HowTo PDF guide on the Web -- withstood the migration to Samba4.
After installing samba-4.1.17 I ran the testparm command:
Code: | # testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[fitzcarraldo-share]"
Processing section "[PUBLIC]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
interfaces = eth0, wlan0
map to guest = Bad User
smb passwd file = /etc/samba/private/smbpasswd
log file = /var/log/samba3/log.%m
max log size = 50
smb ports = 139, 445
name resolve order = bcast
printcap name = cups
os level = 110
preferred master = Yes
domain master = No
dns proxy = No
wins support = Yes
idmap config * : backend = tdb
[homes]
comment = Home Directories
read only = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
print ok = Yes
browseable = No
[print$]
path = /var/lib/samba/printers
write list = @adm, root
guest ok = Yes
[fitzcarraldo-share]
path = /home/fitzcarraldo/fitzcarraldo-share/
valid users = fitzcarraldo
read only = No
guest ok = Yes
[PUBLIC]
path = /home/fitzcarraldo/Public/
valid users = fitzcarraldo
read only = No
guest ok = Yes |
To get rid of the above-mentioned message "rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)" I followed the advice on the Web site http://linuxadmin.melberi.com/2013/06/rlimitmax-increasing-rlimitmax-1024-to.html and edited the file /etc/security/limits.conf to add the following line:
I also edited the file /etc/samba/smb.conf and changed the line:
Code: | log file = /var/log/samba3/log.%m |
to:
Code: | log file = /var/log/samba4/log.%m |
I created the directory /var/log/samba4/ as it had not been created automatically when I installed the package net-fs/samba-4.1.17 or when the Samba4 samba service started.
The currently-installed packages and their USE flags are as follows:
Code: | # eix -I samba
[I] net-fs/samba
Available versions: [M]3.5.21^t [M]3.5.22^t 3.6.24^t 3.6.25^t (~)4.0.25^m (~)4.1.17^m [M](~)4.2.0^m {acl addns ads (+)aio avahi caps (+)client cluster cups debug dmapi doc examples fam gnutls iprint ldap ldb +netapi pam quota +readline selinux +server +smbclient smbsharemodes smbtav2 swat syslog systemd test (+)winbind ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32" PYTHON_TARGETS="python2_7"}
Installed versions: 4.1.17^m(01:21:59 13/03/15)(acl avahi client cups fam gnutls ldap winbind -addns -ads -aio -cluster -dmapi -iprint -quota -selinux -syslog -systemd -test PYTHON_TARGETS="python2_7")
Homepage: http://www.samba.org/
Description: Samba Suite Version 4
# eix -I cifs
[I] net-fs/cifs-utils
Available versions: 5.9-r1 6.1-r1 (~)6.3 (~)6.4 {+acl (+)ads +caps (+)caps-ng creds}
Installed versions: 6.4(03:00:34 13/03/15)(acl ads caps caps-ng -creds)
Homepage: http://wiki.samba.org/index.php/LinuxCIFS_utils
Description: Tools for Managing Linux CIFS Client Filesystems
# eix -I heimdal
[I] app-crypt/heimdal
Available versions: 1.5.3-r2 {X afs +berkdb caps hdb-ldap ipv6 otp +pkinit selinux ssl static-libs test threads ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
Installed versions: 1.5.3-r2(02:30:26 13/03/15)(X berkdb ipv6 pkinit -afs -caps -hdb-ldap -otp -selinux -ssl -static-libs -test -threads ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32")
Homepage: http://www.h5l.org/
Description: Kerberos 5 implementation from KTH
# eix -I mit-krb5
No matches found. |
The Uncomplicated Firewall configuration remains the same as it was for Samba3 (the CIFS entry is for Samba; the other entries are for KDE Connect):
Code: | # ufw status
Status: active
To Action From
-- ------ ----
CIFS ALLOW 192.168.1.0/24
1714:1764/tcp ALLOW Anywhere
1714:1764/udp ALLOW Anywhere
1714:1764/tcp ALLOW Anywhere (v6)
1714:1764/udp ALLOW Anywhere (v6) |
And the file /etc/samba/smb.conf currently contains the following (the only thing I changed when migrating to Samba4 was the directory path for the log file):
Code: | # This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
workgroup = WORKGROUP
netbios name = meshedgedx
printcap name = cups
printing = cups
log file = /var/log/samba4/log.%m
max log size = 50
; log level = 3
security = user
map to guest = bad user
encrypt passwords = yes
smb passwd file = /etc/samba/private/smbpasswd
local master = yes
os level = 110
domain master = no
preferred master = yes
name resolve order = bcast
wins support = yes
dns proxy = no
smb ports = 139 445
interfaces = eth0 wlan0
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
read only = no
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
[printers]
comment = All Printers
path = /var/spool/samba
# to allow user 'guest account' to print.
guest ok = yes
printable = yes
create mask = 0700
[print$]
path = /var/lib/samba/printers
write list = @adm root
guest ok = yes
[fitzcarraldo-share]
path = /home/fitzcarraldo/fitzcarraldo-share/
guest ok = yes
read only = no
browseable = yes
valid users = fitzcarraldo
[PUBLIC]
path = /home/fitzcarraldo/Public/
guest ok = yes
read only = no
browseable = yes
valid users = fitzcarraldo |
I left the file /etc/conf.d/samba as it was for Samba3.
So it's not looking bad at the moment and I don't need to consider downgrading from Samba4 to Samba3.
Recommended reading: http://wiki.gentoo.org/wiki/Samba4_Migrating/HOWTO (thanks to the hard work of user Dcmwai). I didn't do everything in it, as a lot of it is way above my head and probably not applicable in my case anyway. _________________ Clevo W230SS: amd64 nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC eudev elogind & KDE on both.
Fitzcarraldo's blog |
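An added example, not part of the original post: a small audit of the share definitions in the smb.conf above that lists every share with guest access enabled and how that interacts with `read only`, `printable` and `valid users`. The function names and finding labels are hypothetical, and the sample is a constructed excerpt of the posted file.

```python
import configparser
YES = {"yes", "true", "1"}
WRITE_KEYS = [("read only", True), ("writeable", False), ("writable", False)]

# Constructed excerpt of the smb.conf posted above, indented as smb.conf usually is.
SAMPLE = """
[global]
    log file = /var/log/samba4/log.%m
[homes]
    read only = no
[netlogon]
    guest ok = yes
[printers]
    guest ok = yes
    printable = yes
[PUBLIC]
    guest ok = yes
    read only = no
    valid users = fitzcarraldo
"""

def _flag(share, names, default):
    """Read a boolean parameter; names is a list of (synonym, inverted)."""
    for name, inverted in names:
        if name in share:
            return (share[name].strip().lower() in YES) != inverted
    return default

def audit_shares(conf_text):
    """Return {share: finding} for each share with guest access enabled."""
    # interpolation=None: Samba macros such as %m or %U are not configparser syntax.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip indentation, which configparser would read as continuation lines.
    parser.read_string("\n".join(l.strip() for l in conf_text.splitlines()))
    findings = {}
    for name in parser.sections():
        share = parser[name]
        guest = _flag(share, [("guest ok", False), ("public", False)], False)
        if name.lower() == "global" or not guest:
            continue
        if share.get("valid users", "").strip():
            findings[name] = "guest ok set, but valid users restricts logins"
        elif _flag(share, [("printable", False), ("print ok", False)], False):
            findings[name] = "guests can submit print jobs"
        elif _flag(share, WRITE_KEYS, False):
            findings[name] = "guest-writable"
        else:
            findings[name] = "guest-readable"
    return findings
```

Calling `audit_shares(open("/etc/samba/smb.conf").read())` runs the same check on a live file; feeding it the output of `testparm -s` also works, since that is printed in the same section/parameter layout.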
ryszardzonk Apprentice


Joined: 18 Dec 2003 Posts: 225 Location: Rzeszów, POLAND
|
Posted: Sat Mar 14, 2015 7:51 am Post subject: |
Thanks for all the tips. I shall give it another try in some time, but I would say some stuff, like requiring packages to be mit-krb5 free ("-kerberos") and the need to create the directory /var/log/samba4, should be taken care of by an ebuild. That would certainly make the migration less painful. _________________ Sky is not the limit... |
Fitzcarraldo Veteran


Joined: 30 Aug 2008 Posts: 1885 Location: United Kingdom
|
Posted: Sun Mar 15, 2015 11:24 am Post subject: |
One of my printers is connected via USB to the aforementioned tower PC running Windows 8.1 on my home network. When I was using Samba3 I could print from my main laptop running Gentoo Linux to that remote printer using SMB. However, after installing Samba4 on the laptop the printer's status displayed on the CUPS Printer Manager browser page was as follows:
Code: | Paused - "Backend /usr/libexec/cups/backend/smb does not exist!" |
I deleted that printer in CUPS Printer Manager and tried to re-add it but the option 'Windows Printer via SAMBA' was missing on the Add Printer page of CUPS Printer Manager.
I looked at the CUPS backends in /usr/libexec/cups/backend/ and there was indeed no longer a /usr/libexec/cups/backend/smb entry (as pointed out by the CUPS Printer Manager!). So I created a symlink to /usr/bin/smbspool and restarted the CUPS daemon. The 'Windows Printer via SAMBA' entry is now back in the list of selectable items on the Add Printer page, and I was able to re-add the printer and then print again via SMB.
Code: | # ls -la /usr/libexec/cups/backend
total 728
drwxr-xr-x 2 root root 4096 Mar 15 01:12 .
drwxr-xr-x 9 root root 4096 Aug 2 2006 ..
-rwxr-xr-x 1 root root 43728 Sep 18 00:52 bjnp
-rwxr-xr-x 1 root root 141760 Feb 13 19:01 bluetooth
-rwxr-xr-x 1 root root 13860 Apr 22 2014 cnijusb
-rwx------ 1 root root 133952 Feb 1 2014 cups-pdf
-rwx------ 1 root root 18784 Mar 13 03:20 dnssd
-rwx------ 1 root root 79896 Jun 7 2014 gutenprint52+usb
-rwxr-xr-x 1 root root 18776 Mar 4 09:20 hp
-rwx------ 1 root root 9162 Mar 4 09:20 hpfax
lrwxrwxrwx 1 root root 3 Mar 13 03:21 http -> ipp
lrwxrwxrwx 1 root root 3 Mar 13 03:21 https -> ipp
-rwx------ 1 root root 77080 Mar 13 03:20 ipp
lrwxrwxrwx 1 root root 3 Mar 13 03:21 ipps -> ipp
-rwx------ 1 root root 43680 Mar 13 03:20 lpd
-rwxr-xr-x 1 root root 18688 Mar 15 01:12 parallel
-rwxr-xr-x 1 root root 14528 Mar 15 01:12 serial
-rwxr-xr-x 1 root root 27144 Mar 13 03:20 snmp
-rwxr-xr-x 1 root root 35344 Mar 13 03:20 socket
-rwxr-xr-x 1 root root 35448 Mar 13 03:20 usb
# ln -v -s /usr/bin/smbspool /usr/libexec/cups/backend/smb
‘/usr/libexec/cups/backend/smb’ -> ‘/usr/bin/smbspool’
# ls -la /usr/libexec/cups/backend
total 728
drwxr-xr-x 2 root root 4096 Mar 15 01:34 .
drwxr-xr-x 9 root root 4096 Aug 2 2006 ..
-rwxr-xr-x 1 root root 43728 Sep 18 00:52 bjnp
-rwxr-xr-x 1 root root 141760 Feb 13 19:01 bluetooth
-rwxr-xr-x 1 root root 13860 Apr 22 2014 cnijusb
-rwx------ 1 root root 133952 Feb 1 2014 cups-pdf
-rwx------ 1 root root 18784 Mar 13 03:20 dnssd
-rwx------ 1 root root 79896 Jun 7 2014 gutenprint52+usb
-rwxr-xr-x 1 root root 18776 Mar 4 09:20 hp
-rwx------ 1 root root 9162 Mar 4 09:20 hpfax
lrwxrwxrwx 1 root root 3 Mar 13 03:21 http -> ipp
lrwxrwxrwx 1 root root 3 Mar 13 03:21 https -> ipp
-rwx------ 1 root root 77080 Mar 13 03:20 ipp
lrwxrwxrwx 1 root root 3 Mar 13 03:21 ipps -> ipp
-rwx------ 1 root root 43680 Mar 13 03:20 lpd
-rwxr-xr-x 1 root root 18688 Mar 15 01:12 parallel
-rwxr-xr-x 1 root root 14528 Mar 15 01:12 serial
lrwxrwxrwx 1 root root 17 Mar 15 01:34 smb -> /usr/bin/smbspool
-rwxr-xr-x 1 root root 27144 Mar 13 03:20 snmp
-rwxr-xr-x 1 root root 35344 Mar 13 03:20 socket
-rwxr-xr-x 1 root root 35448 Mar 13 03:20 usb
# /etc/init.d/cupsd restart
* Stopping cups-browsed ... [ ok ]
* Stopping cupsd ... [ ok ]
* Starting cupsd ... [ ok ]
* Starting cups-browsed ... [ ok ]
# |
I wonder why that specific backend was removed when I migrated from Samba3 to Samba4? Bug, perhaps? Anyway, printing via SMB now works fine again after adding the symlink. _________________ Clevo W230SS: amd64 nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC eudev elogind & KDE on both.
Fitzcarraldo's blog |
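An added example, not part of the original post: a check of a CUPS backend directory like the one listed above. It follows each symlink to its target and reports the account the backend would run under, using the rule in the CUPS backend(7) man page that backends without world read and execute permission run as root and all others run as an unprivileged user such as lp. The function names and labels are hypothetical, and the 0755 mode given to the stand-in for /usr/bin/smbspool is an assumption, since the post does not show that file's mode.

```python
import os
import stat
import tempfile

def backend_run_context(path):
    """Classify one backend by the mode of the file it resolves to."""
    try:
        st = os.stat(path)  # follows symlinks, so 'smb' is judged by its target
    except FileNotFoundError:
        return "missing-or-dangling"
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "insecure-writable"  # other accounts could replace the program
    if mode & stat.S_IROTH and mode & stat.S_IXOTH:
        return "unprivileged"       # world read + execute: not run as root
    return "root"                   # e.g. 0700 entries such as ipp and lpd

def audit_backend_dir(directory):
    """Return {backend: (run context, symlink target or None)}."""
    result = {}
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        target = os.path.realpath(full) if os.path.islink(full) else None
        result[entry] = (backend_run_context(full), target)
    return result

def demo():
    """Rebuild three entries of the listing above in a temp dir (constructed)."""
    root = tempfile.mkdtemp()
    backend, bindir = os.path.join(root, "backend"), os.path.join(root, "bin")
    os.mkdir(backend)
    os.mkdir(bindir)
    for path, mode in ((os.path.join(backend, "ipp"), 0o700),
                       (os.path.join(backend, "usb"), 0o755),
                       # assumed mode for the smbspool stand-in
                       (os.path.join(bindir, "smbspool"), 0o755)):
        open(path, "w").close()
        os.chmod(path, mode)
    os.symlink(os.path.join(bindir, "smbspool"), os.path.join(backend, "smb"))
    return audit_backend_dir(backend)

if __name__ == "__main__":
    for name, (context, target) in demo().items():
        print(name, context, target or "")
```

Pointing `audit_backend_dir` at /usr/libexec/cups/backend shows the same information for the real directory, including whether the manually created `smb` link still resolves after a later Samba upgrade.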