ephjo
Posts: 5
Joined: Mon Oct 03, 2022 10:38 am

Samba share invalid user not working

Mon Oct 03, 2022 11:14 am

Hi everybody!

I am new to Linux and Samba shares and have one issue left, which I still cannot solve after weeks of searching and testing. Hopefully someone can help.

I run a RasPi NAS with Samba and have smb shares in Windows. There is share1 and the subdirectories share2 and share3. I have user1 and user2 as users in linux and smb.

I want user1 (admin) to have total access to and control over share 1, 2 and 3 and user2 to have (read and write access to share 2 but) no access to share3.

For user1 all works as desired.

To have user 2 limited, I set valid users = user1 and invalid users = user2 for share 3 but when user2 mounts share3 and logs in as user2/pw2 he CAN still access the share and read/write all. I want the access to the share to be denied.

So it seems to me, that the user restriction does not work. What am I missing?

This is my smb.conf:

Code:

[share1]
force user=root
force group=root
path=/path/share1
writeable=Yes
create mask=0777
directory mask=0777
public=no

[share2]
valid users=user1 user2
path=/path/share1/share2
writeable=Yes
create mask=0777
directory mask=0777
public=no

[share3]
path=/path/share1/share3
valid users=user1
invalid users=user2
writeable=Yes
create mask=0777
directory mask=0777
public=no

danjperron
Posts: 4212
Joined: Thu Dec 27, 2012 4:05 am
Location: Québec, Canada

Re: Samba share invalid user not working

Mon Oct 03, 2022 5:21 pm

share3 is a subfolder of share1. Yeap! It won't work.

share3 shouldn't be on share1.

B.T.W. Just a thought:
I don't like that you are forcing root for share 1. Use nobody or set a group for all users.

ephjo
Posts: 5
Joined: Mon Oct 03, 2022 10:38 am

Re: Samba share invalid user not working

Mon Oct 03, 2022 5:34 pm

Thanks for the quick reply.
danjperron wrote:
Mon Oct 03, 2022 5:21 pm
share3 is a subfolder of share1. Yeap! It won't work.

share3 shouldn't be on share1.
Does that mean, you cannot set valid or invalid users individually for subdirectories?

Since share1 is mandatory for shares in my system I need to set share 2 and 3 in that way. The force of root is by default since installed apps also run in this share1.

Is there no way to exclude user2 from share3?

thagrol
Posts: 8194
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Samba share invalid user not working

Mon Oct 03, 2022 7:32 pm

ephjo wrote:
Mon Oct 03, 2022 5:34 pm
Since share1 is mandatory for shares in my system I need to set share 2 and 3 in that way. The force of root is by default since installed apps also run in this share1.
This is potentially a client side issue not a samba one.

User names are at the server level not the share level. Windows only lets a single client login to a server as a single user at a time. Even if to different shares.

If you first log in as user1, you'll access all shares as user1 unless you either log out first (including unmapping any mapped drives) or reboot (again after unmapping any drives). And haven't saved the login credentials.

As for forcing the user and group to root, that's a really, really bad idea and likely unnecessary. You say "The force of root is by default since installed apps also run in this share1.". Do you mean apps that run on the server or apps that run on the clients?

Client side apps don't care what the Linux server side user is nor do they even know what it is - they only know what the Samba user name is. This applies even when forcing user and group in the share definition. Further, force user and force group only apply at the Linux level and not to clients.

If you need to force root so that clients can write to a share, you're doing it wrong. You need to set user, group, and permissions correctly in the underlying Linux file system. For some file systems (e.g. FAT, exFAT, NTFS) you do that in the mount options.

Some probably useful reading:
https://wiki.samba.org/index.php/Main_Page
https://www.samba.org/samba/docs/curren ... onf.5.html
Building A Pi Based NAS
Knowledge, skills, & experience have value. If you expect to profit from someone's you should expect to pay for them.

All advice given is based on my experience. it worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

hortimech
Posts: 689
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba share invalid user not working

Mon Oct 03, 2022 8:16 pm

Do you actually have a directory off root '/' called 'path'? Or is it really your home directory?
If '/path' exists, then I suggest you create '/path/share1', '/path/share2' and '/path/share3'. To get your setup to stand any chance of working, you would need much more complicated settings involving 'vfs_acl_xattr' and setting the permissions from Windows.

Whilst a user can only connect as one user to a share, multiple users should be able to connect to a share, but it would also have to be from multiple machines.

ephjo
Posts: 5
Joined: Mon Oct 03, 2022 10:38 am

Re: Samba share invalid user not working

Wed Oct 05, 2022 4:34 am

Hi,
Thanks for your efforts and answers. So far I used your input and kept on learning and trying. In general it should be possible to set permissions on sub-shares and to access / mount them in Win and/or MacOS by different users from different devices at the same time?

The setup is, by default (the device-producer of my setup) adjusted so that share1 is stored on the attachable ssd instead of the local eMMC of the pi. So to have my other stuff stored on that SSD too, I was told to create subfolders and -shares. The main path is situated in root.

To circumvent the force of root in the shares, I now altered the ownership of the shares by:

Code:

sudo chown user1:users -R /path/share1
sudo chown user1:users -R /path/share1/share2
sudo chown user1:users -R /path/share1/share3

In the group 'users' we only have user1 and user2.

As a following step, I then adjusted the smb.conf like that:

Code:

[share1]
path=/path/share1
group=users
valid users=user1 user2
writeable=Yes
create mask=0777
directory mask=0777
public=no

[share2]
path=/path/share1/share2
group=users
valid users=user1 user2
writeable=Yes
create mask=0777
directory mask=0777
public=no

[share3]
path=/path/share1/share3
group=users
valid users=user1
invalid user=user2
writeable=Yes
create mask=0777
directory mask=0777
public=no

Now, for user1 still everything works fine but user2 has no access to any share. Actually, only share3 should not be accessible by user2. When trying to login as user2 to share3 (and others)

"STATUS_ACCESS_DENIED (0xc0000022): Create failed for \"

appears.

I also tried:

Code:

sudo chown user2:users -R /path/share1/share2

but no difference. user1 may access all and user2 nothing.

Any ideas?

hortimech
Posts: 689
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba share invalid user not working

Wed Oct 05, 2022 10:03 am

By default a normal user cannot create a directory off root '/', you usually have to use 'sudo'
e.g. sudo mkdir /path

This will lead to these permissions:

Code:

drwxr-xr-x 2 root root 4096 Oct  5 09:13 /path

You then (presumably) created the directories of /path with something like these:

Code:

sudo mkdir -p /path/share1/share2
sudo mkdir -p /path/share1/share3

Then changed the ownership with:

Code:

sudo chown user1:users -R /path/share1

Note that the other two chown commands are not needed, the '-R' does them for you.

This will lead to these permissions:

Code:

drwxr-xr-x 4 user1 users 4096 Oct  5 09:14 /path/share1
drwxr-xr-x 2 user1 users 4096 Oct  5 09:14 /path/share1/share2
drwxr-xr-x 2 user1 users 4096 Oct  5 09:14 /path/share1/share3

You then changed the ownership of /path/share1/share2 to user2:users which should then give you these permissions on /path/share1/share2:

Code:

drwxr-xr-x 2 user2 users 4096 Oct  5 09:14 /path/share1/share2

Linux uses 'ugo' permissions:

u: user
g: group
o: others

So from your permissions:

user1 can read, write and enter all directories except 'share2', where the user will only have read and enter (this could be via the group 'users', provided it is a member, or 'others')
user2 can read and enter all directories except 'share2', where the user will also have write permissions
user3 can read and enter all directories via the 'g' permissions or the 'o' permissions. This user does not have 'write' permissions anywhere.

'create mask' only has effect when files are created.
'directory mask' only has effect when creating directories.

I hope this helps you understand your problem.
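
Added example, not part of hortimech's post: the same reasoning as a shell function. It reads 'ls -ld' lines like the ones above and answers whether a user may create files in a directory, applying only one of the u/g/o triads (owner first, then group, then others) and requiring search permission on every listed parent. The name can_write is made up, and the group memberships used in the loop (user1 and user2 in 'users', user3 in a group of its own) are assumptions based on the thread.

```shell
#!/bin/sh
# Constructed sample: the directory listings quoted in the post above.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x 2 root  root  4096 Oct  5 09:13 /path
drwxr-xr-x 4 user1 users 4096 Oct  5 09:14 /path/share1
drwxr-xr-x 2 user2 users 4096 Oct  5 09:14 /path/share1/share2
drwxr-xr-x 2 user1 users 4096 Oct  5 09:14 /path/share1/share3
EOF
}

# can_write USER "GROUP ..." DIR   (reads `ls -ld` lines on stdin)
# Exit status 0 if USER may create files in DIR: search (x) permission on
# every listed parent directory plus write and search permission on DIR.
# Not modelled: root bypassing these checks, ACLs, paths containing spaces.
can_write() {
    awk -v u="$1" -v gs="$2" -v dir="$3" '
    # Exactly one class applies: owner, else member of the group, else other.
    function triad(mode, owner, group,    i, n, g) {
        if (u == owner) return substr(mode, 2, 3)
        n = split(gs, g, " ")
        for (i = 1; i <= n; i++) if (g[i] == group) return substr(mode, 5, 3)
        return substr(mode, 8, 3)
    }
    {
        t = triad($1, $3, $4)
        if ($NF == dir) {
            found = 1
            if (t !~ /w/ || t !~ /[xst]/) deny = 1
        } else if (index(dir, $NF "/") == 1 && t !~ /[xst]/) {
            deny = 1        # a parent directory that cannot be entered
        }
    }
    END { exit ((found && !deny) ? 0 : 1) }'
}

# Demo: each entry is "user group".
for who in "user1 users" "user2 users" "user3 user3"; do
    set -- $who
    for d in share2 share3; do
        if sample_listing | can_write "$1" "$2" "/path/share1/$d"; then
            echo "$1 can write to $d"
        else
            echo "$1 cannot write to $d"
        fi
    done
done
```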

thagrol
Posts: 8194
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Samba share invalid user not working

Wed Oct 05, 2022 12:58 pm

hortimech's Samba knowledge is deeper than mine though it appears mine, and my Linux knowledge, is deeper than "the device-producer of my setup".

  • "/path" is a non-standard place to mount anything.
  • Including "create mask=0777" and "directory mask=0777" in your share definition breaks all security at the file system level as it grants all permissions to everyone at the file system level on newly created files and directories.

I'd set up the server something like this:
  1. As it seems the SSD is only being used for shared storage it's better to follow the Filesystem Hierarchy Standard and mount it under /srv e.g. as /srv/shared
  2. Create 3 subdirectories of /srv/shared, one for each share: /srv/shared/share1, /srv/shared/share2, /srv/shared/share3
  3. Setup the linux users and group(s), and the Samba users. It is not enough to set up just one of those.
  4. Using chmod and/or chown set linux file system permissions on those three directories as needed.
  5. For share definitions:

    Code:

    [share1]
    path=/srv/shared/share1
    group=users
    valid users=user1 user2
    writeable=Yes
    create mask=0660
    directory mask=0771
    public=no
    
    [share2]
    path=/srv/shared/share2
    group=users
    valid users=user1 user2
    writeable=Yes
    create mask=0660
    directory mask=0771
    public=no
    
    [share3]
    path=/srv/shared/share3
    group=users
    valid users=user1
    invalid users=user2
    writeable=Yes
    create mask=0660
    directory mask=0771
    public=no
    
    Those masks are more restrictive than the default in one way (no execute permission) and less in another (group members have write permissions).
  6. If you really need share2 and share 3 to appear under share1 (I'm guessing that you probably don't) add the following to the share definition for share1 and symlink the directories for share 2 and share3 into the directory for share1.

    Code:

    wide links = yes

    To create the symlinks:

    Code:

    sudo ln -s /srv/shared/share2 /srv/shared/share1/share2
    sudo ln -s /srv/shared/share3 /srv/shared/share1/share3

    There is a security issue here in that "wide links" will allow remote access to any part of your file system, not just those inside the share's path, should a link to them exist.

@hortimech:
If I've missed anything or you know of a better way please feel free to let me know.

[edit]
Corrected suggested directory masks above. Original ones didn't have execute which would be a serious problem.
[/edit]
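
Added example, not written by anyone in the thread: a shell/awk check that reads an smb.conf and reports the four things the replies above object to, namely a share path nested inside another share's path, force user / force group set to root, 0777 masks, and wide links. The function name audit_smb_conf is made up, and the sample is a shortened copy of the first post's config.

```shell
#!/bin/sh
# Added example. audit_smb_conf is a made-up name, not a Samba tool.
# Reads smb.conf text (file argument or stdin), prints one finding per line.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                       # [section] header
        sec = trim($0); sec = substr(sec, 2, length(sec) - 2)
        order[++n] = sec
        next
    }
    {
        eq = index($0, "=")
        if (!eq) next
        name = trim(substr($0, 1, eq - 1))
        # Samba ignores case and whitespace inside parameter names.
        key = tolower(name); gsub(/[ \t]+/, "", key)
        val = trim(substr($0, eq + 1)); lval = tolower(val)
        if (key == "path") path[sec] = val
        if ((key == "forceuser" || key == "forcegroup") && lval == "root")
            print sec ": " name " is root"
        if ((key == "createmask" || key == "directorymask") && val ~ /^0?777$/)
            print sec ": " name " " val " gives everyone full access to new entries"
        if (key == "widelinks" && (lval == "yes" || lval == "true" || lval == "1"))
            print sec ": wide links lets symlinks lead outside the share path"
    }
    END {
        # A share whose path lies below the path of another share is also
        # reachable through that outer share and its user list.
        for (i = 1; i <= n; i++)
            for (j = 1; j <= n; j++) {
                a = order[i]; b = order[j]
                if (i == j || !(a in path) || !(b in path)) continue
                outer = path[a]; sub(/\/+$/, "", outer)
                if (index(path[b], outer "/") == 1)
                    print b ": path is inside share " a " (" path[a] ")"
            }
    }' "$@"
}

# Constructed sample: the first smb.conf from the thread, shortened.
sample_conf() {
    cat <<'EOF'
[share1]
force user=root
force group=root
path=/path/share1
create mask=0777
public=no

[share3]
path=/path/share1/share3
valid users=user1
invalid users=user2
EOF
}

sample_conf | audit_smb_conf
```

Run against the separate /srv/shared/share1, /srv/shared/share2 and /srv/shared/share3 layout with 0660/0771 masks, it prints nothing.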

hortimech
Posts: 689
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba share invalid user not working

Wed Oct 05, 2022 6:08 pm

thagrol wrote:
Wed Oct 05, 2022 12:58 pm

@hortimech:
If I've missed anything or you know of a better way please feel free to let me know.
@thagrol
You seem to have got everything, I did ask if '/path' was a correct directory and I also suggested he would be better off using three totally separate share paths rather than ones directly under each other. If he must use Samba in the way he is doing, he might be better off using vfs_acl_xattr instead of 'valid/invalid users' and setting the permissions with 'setfacl'

As for 'wide links', I wouldn't get used to using them, Jeremy hates them and will remove them at some point, probably when the SMB3 Unix extensions are finished and SMBv1 is totally removed.

ephjo
Posts: 5
Joined: Mon Oct 03, 2022 10:38 am

Re: Samba share invalid user not working

Fri Oct 07, 2022 4:35 pm

Hello again,
thanks to everybody for the profound knowledge and comprehensible tips.

The producer of the device I use, based on a Raspberry Pi, confirmed, that the shared directory is to the mounted ssd / NTFS to have Data of the installed apps is also stored here (see below - directories, nextcloud-files). Therefore, I would rather not adjust the background programming and work with what was supplied.

What I understood is, to have stuff I want to share being stored on the SSD as well, I need to have subdirectories in the main share. Both subdirectories shall be accessible and readable/writeable by the admin=User1 and only subdirectory2 shall be in addition accessible and readable/writeable by user2. Both Users are in the group users.

To visualize the idea a little bit: I would like to have a structure like

.../share/share1 and
.../share/share2

As correctly assumed before, I created directories share1 and share2 using mkdir with full rights. The idea was to then limit the access in the smb.conf.

Latest updates:

I first checked on the directory permissions of .../share:

Code:

drwxrwxrwx 10 User1 users 4096 Oct  3 21:07 Share2
drwxrwxrwx  8 User1 users 4096 Oct  2 22:50 Share1
drwxrwxrwx  2 User1 users 4096 Sep 23 00:15 pvc-137db242-912b-4cd4-950d-7237c7c03f43_default_photos
drwxrwxrwx 15 User1 users 4096 Sep 22 23:58 pvc-2a7a25ce-ae85-4bf7-9351-eeb041b9e69b_default_nextcloud-files

It seems everybody has full access by default.

Then, I adjusted the config as proposed by thagrol to:
(here you can also see the actual full path without encryption in root, k3s is a directory of the kubernetes system, that is utilized)

Code:

[Share]
path=/var/lib/rancher/k3s/Share
group=users
valid users=User1 User2
writeable=Yes
create mask=0660
directory mask=0771
public=no

[Share1]
path=/var/lib/rancher/k3s/storage/Share1
group=users
valid users=User1
invalid users=User2
writeable=Yes
create mask=0660
directory mask=0771
public=no

[Share2]
path=/var/lib/rancher/k3s/storage/Share2
group=users
valid users=User1 User2
writeable=Yes
create mask=0660
directory mask=0771
public=no

Though, using the upper setup, User2 still has NO access to any Share at all, User1 has full access and rights.

"Connection error! Reported error:
STATUS_ACCESS_DENIED (0xc0000022):
Create failed for \\192.168.178.47\Share"

From what I understood, the create mask and directory mask now limit the full access by everybody from the directory creation? Is this limitation by the config becoming active while mounting?

That completely puzzles me, since even if the restrictions from smb.conf would not apply, everybody should have full access, as well as User2, since User2 is in the users group, as extracted from the directory permissions? Where is my mistake?

I first refrained from using wide links since hortimech seemed to reject wide links.

I now want to try to find tutorials on how to use "vfs_acl_xattr" and apply "setfacl" as suggested by hortimech, since I have no experience and don't want to mess something up.

I will send updates once I achieve anything. If you have further input or corrections, I would be very grateful.

hortimech
Posts: 689
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba share invalid user not working

Fri Oct 07, 2022 5:32 pm

ephjo wrote:
Fri Oct 07, 2022 4:35 pm
Hello again,
thanks to everybody for the profound knowledge and comprehensible tips.

The producer of the device I use, based on a Raspberry Pi, confirmed, that the shared directory is to the mounted ssd / NTFS to have Data of the installed apps is also stored here (see below - directories, nextcloud-files). Therefore, I would rather not adjust the background programming and work with what was supplied.
I would go back to your device's producer and ask them why they took the decision to use a Windows filesystem on a Linux device. That decision, in my opinion, wasn't a good idea and is bound to lead to problems, oh wait, it already has.

thagrol
Posts: 8194
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Samba share invalid user not working

Fri Oct 07, 2022 7:37 pm

hortimech wrote:
Fri Oct 07, 2022 5:32 pm
ephjo wrote:
Fri Oct 07, 2022 4:35 pm
Hello again,
thanks to everybody for the profound knowledge and comprehensible tips.

The producer of the device I use, based on a Raspberry Pi, confirmed, that the shared directory is to the mounted ssd / NTFS to have Data of the installed apps is also stored here (see below - directories, nextcloud-files). Therefore, I would rather not adjust the background programming and work with what was supplied.
I would go back to your device's producer and ask them why they took the decision to use a Windows filesystem on a Linux device. That decision, in my opinion, wasn't a good idea and is bound to lead to problems, oh wait, it already has.
Seconded. You're not going to be able to fix this just by changing samba settings and given the choice of NTFS you cannot change owner, group, and permissions on anything as NTFS doesn't support them. For NTFS (and other windows file systems) they're a fiction created by the driver at mount time, they're the same for every file and directory and cannot be changed without unmounting and remounting the partition.

If you paid them to build it ask for a refund as they clearly don't know what they're doing. Or rather they know just enough to be dangerous and nowhere near enough to understand why and how to fix things.
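
Added example, not part of the thread: a check for the situation described in the post above, where chown and chmod on a share directory change nothing because the filesystem takes owner, group and mode from its mount options. It finds the mount that holds a path in a /proc/mounts-format table and tests the filesystem type. The function names, the device names and the SSD mount point in the sample are assumptions; only the share paths come from the thread.

```shell
#!/bin/sh
# Added example; share_fs and perms_from_mount_options are made-up names.
# Both read a mount table in /proc/mounts format on stdin.

# share_fs PATH -> prints "<fstype> <mountpoint>" for the mount that holds PATH.
share_fs() {
    awk -v p="$1" '
    {
        mp = $2
        prefix = (mp == "/") ? "/" : mp "/"
        # Longest matching mount point wins; on a tie the later line does,
        # because a later mount covers an earlier one at the same place.
        if ((p == mp || index(p, prefix) == 1) && length(mp) >= best) {
            best = length(mp); fs = $3; at = mp
        }
    }
    END { if (at != "") print fs, at }'
}

# Exit status 0 when PATH sits on a filesystem type where owner, group and
# mode normally come from mount options (uid=, gid=, umask= ...) instead of
# being stored per file. fuseblk is how ntfs-3g mounts appear in the table.
perms_from_mount_options() {
    case "$(share_fs "$1" | cut -d" " -f1)" in
        ntfs|fuseblk|vfat|exfat|msdos) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mount table (device names and SSD mount point assumed).
sample_mounts() {
    cat <<'EOF'
/dev/mmcblk0p2 / ext4 rw,noatime 0 0
/dev/sda1 /var/lib/rancher/k3s/storage fuseblk rw,relatime,user_id=0,group_id=0,allow_other 0 0
EOF
}

for d in /var/lib/rancher/k3s/storage/Share1 /home/user1; do
    if sample_mounts | perms_from_mount_options "$d"; then
        echo "$d: owner and mode are set at mount time ($(sample_mounts | share_fs "$d"))"
    else
        echo "$d: owner and mode are stored per file ($(sample_mounts | share_fs "$d"))"
    fi
done
```

On the server itself, feed it the live table: perms_from_mount_options /your/share/path < /proc/mounts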

ephjo
Posts: 5
Joined: Mon Oct 03, 2022 10:38 am

Re: Samba share invalid user not working

Sun Oct 09, 2022 8:03 pm

Thanks to everyone. I will try what you suggested and post any news in case I found a proper solution, though.

hortimech
Posts: 689
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba share invalid user not working

Mon Oct 10, 2022 7:30 am

If you must stick with the NTFS filesystem, then you need to use vfs_acl_xattr. Open your smb.conf file in your favourite editor and add these lines to the 'global' portion:

Code:

  username map = /etc/samba/user.map
  vfs objects = acl_xattr
  map acl inherit = Yes
  inherit acls = yes

Create /etc/samba/user.map to contain this line:

Code:

!root = YOUR_WORKGROUP_NAME\Administrator

Then change your shares to be just this:

Code:

[SHARENAME]
  path = /path/to/share
  read only = no

Now reload the config with:

Code:

smbcontrol all reload-config

Now go to a Windows computer and set your required permissions from there.

This is the only way to change the permission on NTFS.

ejolson
Posts: 10225
Joined: Tue Mar 18, 2014 11:47 am

Re: Samba share invalid user not working

Mon Oct 10, 2022 10:39 am

hortimech wrote:
Wed Oct 05, 2022 6:08 pm
as for 'wide links', I wouldn't get used to using them, Jeremy hates them and will remove them at some point, probably when the SMB3 Unix extensions are finished and SMBv1 is totally removed.
Though I don't want to take this thread too far off topic, is there any estimate or timeline for when SMB3 Unix extensions might be finished or at least usable?

hortimech
Posts: 689
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba share invalid user not working

Mon Oct 10, 2022 11:08 am

ejolson wrote:
Mon Oct 10, 2022 10:39 am
hortimech wrote:
Wed Oct 05, 2022 6:08 pm
as for 'wide links', I wouldn't get used to using them, Jeremy hates them and will remove them at some point, probably when the SMB3 Unix extensions are finished and SMBv1 is totally removed.
Though I don't want to take this thread too far off topic, is there any estimate or timeline for when SMB3 Unix extensions might be finished or at least usable?
No, I know that they are being worked on extensively, but no timeline has been set yet, I doubt it will make it into Samba 4.18.0, possibly 4.19.0, but who knows, not even the people writing the code are sure. :(
