Gentoo Forums
samba permissions problem after upgrade to 4.1
ryszardzonk
Apprentice
Joined: 18 Dec 2003
Posts: 225
Location: Rzeszów, POLAND

Posted: Wed Mar 11, 2015 4:38 pm    Post subject: samba permissions problem after upgrade to 4.1

Recently the upgrade to samba 4.1 became possible in the unstable tree. As the upgrade involved a few blocks, the easiest way to upgrade was to "emerge -C mit-krb5 samba", after which the update was possible and installed the following:

Tue Mar 10 14:04:36 2015 >>> dev-db/lmdb-0.9.14
Tue Mar 10 14:05:00 2015 >>> dev-util/cppunit-1.13.2-r2
Tue Mar 10 14:05:31 2015 >>> dev-libs/check-0.9.13-r1
Tue Mar 10 14:07:56 2015 >>> net-nds/openldap-2.4.40-r3
Tue Mar 10 14:08:57 2015 >>> sys-libs/tevent-0.9.24
Tue Mar 10 14:15:36 2015 >>> app-crypt/heimdal-1.5.3-r2
Tue Mar 10 14:15:41 2015 >>> dev-python/mimeparse-0.1.4-r1
Tue Mar 10 14:15:47 2015 >>> dev-python/extras-0.0.3
Tue Mar 10 14:15:52 2015 >>> dev-python/unittest2-0.8.0
Tue Mar 10 14:15:58 2015 >>> dev-python/testtools-1.5.0
Tue Mar 10 14:16:16 2015 >>> dev-python/subunit-0.0.21-r1
Tue Mar 10 14:18:27 2015 >>> sys-libs/tdb-1.3.4
Tue Mar 10 14:19:21 2015 >>> sys-libs/ntdb-1.0-r1
Tue Mar 10 14:19:56 2015 >>> sys-libs/ldb-1.1.20
Tue Mar 10 14:26:46 2015 >>> net-fs/samba-4.1.17
Wed Mar 11 12:37:54 2015 >>> net-fs/cifs-utils-6.4

Calculating dependencies... done!
[ebuild R ] net-fs/samba-4.1.17::gentoo USE="aio winbind -acl -addns -ads -avahi -client -cluster -cups -dmapi -fam -gnutls -iprint -ldap -quota (-selinux) -syslog -systemd {-test}" PYTHON_TARGETS="python2_7" 0 KiB

Now, as a result, I am not able to log in from my boxes to the server, as it apparently removed some files while unmerging.

[2015/03/11 04:35:44.472013, 0] auth/user_util.c:357(map_username)
can't open username map /etc/samba/smbusers. Error No file or directory
[2015/03/11 04:35:44.559258, 0] auth/pampass.c:797(smb_pam_accountcheck)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User foobar!

The question is what steps I should take to resolve this situation, as I am running out of ideas :(

Could it be a problem with PAM, not Samba itself?
_________________
Sky is not the limit...
ryszardzonk
Apprentice
Joined: 18 Dec 2003
Posts: 225
Location: Rzeszów, POLAND

Posted: Fri Mar 13, 2015 12:00 pm

[WORKAROUND]

I found samba4 to have all kinds of bugs open including
- https://bugs.gentoo.org/show_bug.cgi?id=542462 [app-crypt/heimdal and app-crypt/mit-krb5 need to be parallel-installable for gnome + samba]
- https://bugs.gentoo.org/show_bug.cgi?id=489770 [>=net-fs/samba-4.0 automagically depends on sys-libs/pam (libpam.so)]
- https://bugs.gentoo.org/show_bug.cgi?id=490872 [net-fs/samba-4.x: app-crypt/heimdal and app-crypt/mit-krb5 blocking by other package like openssl]

Therefore I have downgraded to the previous version of samba, for which I did the following:

Masked the new samba in /etc/portage/package.mask:
>=net-fs/samba-3.99

emerge -C samba heimdal && emerge mit-krb5 samba cifs-utils

Be warned that prior to emerging samba3 after samba4 has been installed in the system you must remove /var/lib/samba, otherwise your server will not start
https://bugzilla.redhat.com/show_bug.cgi?id=829694#c8

Access to the samba shares got restored...
_________________
Sky is not the limit...
Fitzcarraldo
Veteran
Joined: 30 Aug 2008
Posts: 1631
Location: United Kingdom

Posted: Fri Mar 13, 2015 3:35 pm

I have had better luck. I have a tower PC running Windows 8.1 for family use (multiple user accounts), and several laptops running Linux (main laptop runs Gentoo; the others Sabayon), and other family members have laptops running Windows 7. I performed the various package upgrades on my main laptop after uninstalling samba-3.* and mit-krb5 (and following some of the advice in the Gentoo Wiki Samba4 Migration HowTo, such as 'equery d mit-krb5' and remerging those packages with USE="-kerberos", 'revdep-rebuild -i', and 'emerge @preserved-rebuild').

My laptop running Gentoo and Samba4 can browse (R/W) the tower PC's folders and files in C:\Users\, and the tower PC can browse (R/W) the laptop's folders and files in /home/fitzcarraldo/ (both ends prompt for the username and password of the user account on the respective remote computer being accessed). It looks like the configuration for Samba3 on my laptop -- I used a good Samba HowTo PDF guide on the Web -- withstood the migration to Samba4.

After installing samba-4.1.17 I ran the testparm command:

Code:
# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[fitzcarraldo-share]"
Processing section "[PUBLIC]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        interfaces = eth0, wlan0
        map to guest = Bad User
        smb passwd file = /etc/samba/private/smbpasswd
        log file = /var/log/samba3/log.%m
        max log size = 50
        smb ports = 139, 445
        name resolve order = bcast
        printcap name = cups
        os level = 110
        preferred master = Yes
        domain master = No
        dns proxy = No
        wins support = Yes
        idmap config * : backend = tdb

[homes]
        comment = Home Directories
        read only = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        guest ok = Yes
        printable = Yes
        print ok = Yes
        browseable = No

[print$]
        path = /var/lib/samba/printers
        write list = @adm, root
        guest ok = Yes

[fitzcarraldo-share]
        path = /home/fitzcarraldo/fitzcarraldo-share/
        valid users = fitzcarraldo
        read only = No
        guest ok = Yes

[PUBLIC]
        path = /home/fitzcarraldo/Public/
        valid users = fitzcarraldo
        read only = No
        guest ok = Yes

To get rid of the above-mentioned message "rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)" I followed the advice on the Web site http://linuxadmin.melberi.com/2013/06/rlimitmax-increasing-rlimitmax-1024-to.html and edited the file /etc/security/limits.conf to add the following line:

Code:
*                -       nofile          16384

I also edited the file /etc/samba/smb.conf and changed the line:

Code:
log file = /var/log/samba3/log.%m

to:

Code:
log file = /var/log/samba4/log.%m

I created the directory /var/log/samba4/ as it had not been created automatically when I installed the package net-fs/samba-4.1.17 or when the Samba4 samba service started.

The currently-installed packages and their USE flags are as follows:

Code:
# eix -I samba
[I] net-fs/samba
     Available versions:  [M]3.5.21^t [M]3.5.22^t 3.6.24^t 3.6.25^t (~)4.0.25^m (~)4.1.17^m [M](~)4.2.0^m {acl addns ads (+)aio avahi caps (+)client cluster cups debug dmapi doc examples fam gnutls iprint ldap ldb +netapi pam quota +readline selinux +server +smbclient smbsharemodes smbtav2 swat syslog systemd test (+)winbind ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32" PYTHON_TARGETS="python2_7"}
     Installed versions:  4.1.17^m(01:21:59 13/03/15)(acl avahi client cups fam gnutls ldap winbind -addns -ads -aio -cluster -dmapi -iprint -quota -selinux -syslog -systemd -test PYTHON_TARGETS="python2_7")
     Homepage:            http://www.samba.org/
     Description:         Samba Suite Version 4

# eix -I cifs
[I] net-fs/cifs-utils
     Available versions:  5.9-r1 6.1-r1 (~)6.3 (~)6.4 {+acl (+)ads +caps (+)caps-ng creds}
     Installed versions:  6.4(03:00:34 13/03/15)(acl ads caps caps-ng -creds)
     Homepage:            http://wiki.samba.org/index.php/LinuxCIFS_utils
     Description:         Tools for Managing Linux CIFS Client Filesystems

# eix -I heimdal
[I] app-crypt/heimdal
     Available versions:  1.5.3-r2 {X afs +berkdb caps hdb-ldap ipv6 otp +pkinit selinux ssl static-libs test threads ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
     Installed versions:  1.5.3-r2(02:30:26 13/03/15)(X berkdb ipv6 pkinit -afs -caps -hdb-ldap -otp -selinux -ssl -static-libs -test -threads ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32")
     Homepage:            http://www.h5l.org/
     Description:         Kerberos 5 implementation from KTH

# eix -I mit-krb5
No matches found.

The Uncomplicated Firewall configuration remains the same as it was for Samba3 (the CIFS entry is for Samba; the other entries are for KDE Connect):

Code:
# ufw status
Status: active

To                         Action      From
--                         ------      ----
CIFS                       ALLOW       192.168.1.0/24
1714:1764/tcp              ALLOW       Anywhere
1714:1764/udp              ALLOW       Anywhere
1714:1764/tcp              ALLOW       Anywhere (v6)
1714:1764/udp              ALLOW       Anywhere (v6)

And the file /etc/samba/smb.conf currently contains the following (the only thing I changed when migrating to Samba4 was the directory path for the log file):

Code:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

workgroup = WORKGROUP
netbios name = meshedgedx

printcap name = cups
printing = cups

log file = /var/log/samba4/log.%m
max log size = 50
; log level = 3


security = user
map to guest = bad user

encrypt passwords = yes
smb passwd file = /etc/samba/private/smbpasswd

local master = yes
os level = 110
domain master = no
preferred master = yes
name resolve order = bcast
wins support = yes
dns proxy = no
smb ports = 139 445
interfaces = eth0 wlan0


#============================ Share Definitions ==============================
[homes]
comment = Home Directories
read only = no

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes

[printers]
comment = All Printers
path = /var/spool/samba
# to allow user 'guest account' to print.
guest ok = yes
printable = yes
create mask = 0700

[print$]
path = /var/lib/samba/printers
write list = @adm root
guest ok = yes

[fitzcarraldo-share]
path = /home/fitzcarraldo/fitzcarraldo-share/
guest ok = yes
read only = no
browseable = yes
valid users = fitzcarraldo

[PUBLIC]
path = /home/fitzcarraldo/Public/
guest ok = yes
read only = no
browseable = yes
valid users = fitzcarraldo

I left the file /etc/conf.d/samba as it was for Samba3.

So it's not looking bad at the moment and I don't need to consider downgrading from Samba4 to Samba3.

Recommended reading: http://wiki.gentoo.org/wiki/Samba4_Migrating/HOWTO (thanks to the hard work of user Dcmwai). I didn't do everything in it, as a lot of it is way above my head and probably not applicable in my case anyway.
_________________
Clevo W230SS: amd64 OpenRC elogind nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 OpenRC elogind xf86-video-ati. Dual boot Win 7 Pro 64-bit.
KDE on both.

Fitzcarraldo's blog
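
An added example (not part of the post above and not Samba's own tooling): a short Python check over share definitions like those in the posted smb.conf, listing every share that sets guest ok and whether it is writable or also carries valid users. The sample input is constructed from the posted file; the share name scratch, its path and the finding strings are assumptions.

```python
import configparser

# Constructed sample: condensed from the smb.conf posted above, plus one
# hypothetical share ("scratch") that the posted file does not contain.
SAMPLE = """\
[global]
map to guest = bad user
log file = /var/log/samba4/log.%m

[netlogon]
path = /var/lib/samba/netlogon
guest ok = yes

[PUBLIC]
path = /home/fitzcarraldo/Public/
guest ok = yes
read only = no
valid users = fitzcarraldo

[scratch]
path = /srv/scratch
public = yes
writeable = yes
"""

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(text):
    """Return (map-to-guest value, {share: finding}) for guest-enabled shares."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # smb.conf ignores case and whitespace in parameter names.
    cp.optionxform = lambda key: "".join(key.lower().split())
    cp.read_string(text)
    mapping, shares = "never", {}
    for name in cp.sections():
        s = cp[name]
        if name.strip().lower() == "global":
            mapping = s.get("maptoguest", "never").strip().lower()
            continue
        # "public" is a synonym for "guest ok".
        if not _yes(s.get("guestok", s.get("public", "no"))):
            continue
        # "read only" defaults to yes; "writeable"/"writable"/"write ok" invert it.
        writable = (not _yes(s.get("readonly", "yes"))
                    or any(_yes(s.get(k, "no")) for k in ("writeable", "writable", "writeok")))
        if s.get("validusers", "").strip():
            shares[name] = "guest ok conflicts with valid users"
        elif writable:
            shares[name] = "guest can write"
        else:
            shares[name] = "guest can read"
    return mapping, shares

print(audit(SAMPLE))
```

Shares reported as conflicting set both guest ok and valid users, as [fitzcarraldo-share] and [PUBLIC] do in the posted file; decide which of the two is intended and drop the other.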
ryszardzonk
Apprentice
Joined: 18 Dec 2003
Posts: 225
Location: Rzeszów, POLAND

Posted: Sat Mar 14, 2015 7:51 am

Thanks for all the tips. I shall give it another try in some time, but I would say some stuff, like requiring packages to be mit-krb5 free ("-kerberos") and the need to create the directory /var/log/samba4, should be taken care of by an ebuild. That would certainly make the migration less painful ;)
_________________
Sky is not the limit...
Fitzcarraldo
Veteran
Joined: 30 Aug 2008
Posts: 1631
Location: United Kingdom

Posted: Sun Mar 15, 2015 11:24 am

One of my printers is connected via USB to the aforementioned tower PC running Windows 8.1 on my home network. When I was using Samba3 I could print from my main laptop running Gentoo Linux to that remote printer using SMB. However, after installing Samba4 on the laptop the printer's status displayed on the CUPS Printer Manager browser page was as follows:

Code:
Paused - "Backend /usr/libexec/cups/backend/smb does not exist!"


I deleted that printer in CUPS Printer Manager and tried to re-add it but the option 'Windows Printer via SAMBA' was missing on the Add Printer page of CUPS Printer Manager.

I looked at the CUPS backends in /usr/libexec/cups/backend/ and there was indeed no longer a /usr/libexec/cups/backend/smb entry (as pointed out by the CUPS Printer Manager!). So I created a symlink to /usr/bin/smbspool and restarted the CUPS daemon. The 'Windows Printer via SAMBA' entry is now back in the list of selectable items on the Add Printer page, and I was able to re-add the printer and then print again via SMB.

Code:
# ls -la /usr/libexec/cups/backend
total 728
drwxr-xr-x 2 root root   4096 Mar 15 01:12 .
drwxr-xr-x 9 root root   4096 Aug  2  2006 ..
-rwxr-xr-x 1 root root  43728 Sep 18 00:52 bjnp
-rwxr-xr-x 1 root root 141760 Feb 13 19:01 bluetooth
-rwxr-xr-x 1 root root  13860 Apr 22  2014 cnijusb
-rwx------ 1 root root 133952 Feb  1  2014 cups-pdf
-rwx------ 1 root root  18784 Mar 13 03:20 dnssd
-rwx------ 1 root root  79896 Jun  7  2014 gutenprint52+usb
-rwxr-xr-x 1 root root  18776 Mar  4 09:20 hp
-rwx------ 1 root root   9162 Mar  4 09:20 hpfax
lrwxrwxrwx 1 root root      3 Mar 13 03:21 http -> ipp
lrwxrwxrwx 1 root root      3 Mar 13 03:21 https -> ipp
-rwx------ 1 root root  77080 Mar 13 03:20 ipp
lrwxrwxrwx 1 root root      3 Mar 13 03:21 ipps -> ipp
-rwx------ 1 root root  43680 Mar 13 03:20 lpd
-rwxr-xr-x 1 root root  18688 Mar 15 01:12 parallel
-rwxr-xr-x 1 root root  14528 Mar 15 01:12 serial
-rwxr-xr-x 1 root root  27144 Mar 13 03:20 snmp
-rwxr-xr-x 1 root root  35344 Mar 13 03:20 socket
-rwxr-xr-x 1 root root  35448 Mar 13 03:20 usb
# ln -v -s /usr/bin/smbspool /usr/libexec/cups/backend/smb
‘/usr/libexec/cups/backend/smb’ -> ‘/usr/bin/smbspool’
# ls -la /usr/libexec/cups/backend
total 728
drwxr-xr-x 2 root root   4096 Mar 15 01:34 .
drwxr-xr-x 9 root root   4096 Aug  2  2006 ..
-rwxr-xr-x 1 root root  43728 Sep 18 00:52 bjnp
-rwxr-xr-x 1 root root 141760 Feb 13 19:01 bluetooth
-rwxr-xr-x 1 root root  13860 Apr 22  2014 cnijusb
-rwx------ 1 root root 133952 Feb  1  2014 cups-pdf
-rwx------ 1 root root  18784 Mar 13 03:20 dnssd
-rwx------ 1 root root  79896 Jun  7  2014 gutenprint52+usb
-rwxr-xr-x 1 root root  18776 Mar  4 09:20 hp
-rwx------ 1 root root   9162 Mar  4 09:20 hpfax
lrwxrwxrwx 1 root root      3 Mar 13 03:21 http -> ipp
lrwxrwxrwx 1 root root      3 Mar 13 03:21 https -> ipp
-rwx------ 1 root root  77080 Mar 13 03:20 ipp
lrwxrwxrwx 1 root root      3 Mar 13 03:21 ipps -> ipp
-rwx------ 1 root root  43680 Mar 13 03:20 lpd
-rwxr-xr-x 1 root root  18688 Mar 15 01:12 parallel
-rwxr-xr-x 1 root root  14528 Mar 15 01:12 serial
lrwxrwxrwx 1 root root     17 Mar 15 01:34 smb -> /usr/bin/smbspool
-rwxr-xr-x 1 root root  27144 Mar 13 03:20 snmp
-rwxr-xr-x 1 root root  35344 Mar 13 03:20 socket
-rwxr-xr-x 1 root root  35448 Mar 13 03:20 usb
# /etc/init.d/cupsd restart
 * Stopping cups-browsed ...     [ ok ]
 * Stopping cupsd ...            [ ok ]
 * Starting cupsd ...            [ ok ]
 * Starting cups-browsed ...     [ ok ]
#

I wonder why that specific backend was removed when I migrated from Samba3 to Samba4? Bug, perhaps? Anyway, printing via SMB now works fine again after adding the symlink.
_________________
Clevo W230SS: amd64 OpenRC elogind nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 OpenRC elogind xf86-video-ati. Dual boot Win 7 Pro 64-bit.
KDE on both.

Fitzcarraldo's blog