Cannot access Samba shares

NethServer Version: NS7rc
Module: Samba

Hi, this is starting to drive me a little nuts: clean fresh install of NS, added samba and file sharing. Set up everything and it appears to be working. I have connected to the same workgroup with a client PC.

I can access shares which allow guest access (for testing) but anything using permissions does not allow me access with any username. I can connect to the AD and my credentials work ok, what am I missing?

Did it join the domain?

What do you mean exactly? Could you provide some example?

I’d expect the user name has the form

DOMAIN\username

This is one area that is not working as I would have expected. If I try to connect to the domain lacloue.local I cannot access the shares. If I connect to workgroup lacloue, I can see the shares, but only access those I’ve set to guest access.

If I try connecting as user@lacloue.local still no joy

Here’s the domain accounts page grab, which to me reads as everything should be running ok

NetBIOS domain name: LACLOUE
LDAP server: 192.168.2.3
LDAP server name: nsdc-server.lacloue.local
Realm: LACLOUE.LOCAL
Bind Path: dc=LACLOUE,dc=LOCAL
LDAP port: 389
Server time: Mon, 30 Jan 2017 15:08:58 CET
KDC server: 192.168.2.3
Server time offset: 0
Last machine account password change: Fri, 27 Jan 2017 18:41:57 CET

Join is OK
name: SERVER
objectSid: S-1-5-21-853824779-2190824322-2453242918-1103
accountExpires: 9223372036854775807
sAMAccountName: SERVER$
pwdLastSet: 131300125160000000
dNSHostName: server.lacloue.local
servicePrincipalName: HOST/SERVER
servicePrincipalName: HOST/server.lacloue.local
whenChanged: 20170127174158.0Z
lastLogon: 131302589482527770
distinguishedName: CN=SERVER,CN=Computers,DC=lacloue,DC=local

I’d expect the following to work (substitute user/SHARENAME):

smbclient -U 'LACLOUE\user' -W LACLOUE //server.lacloue.local/SHARENAME

If the smbclient command is missing:

yum install samba-client

Error NT_STATUS_CONNECTION_REFUSED

was the result


If I do:

smbclient //lacloue.local/netlogon -Uuser -c 'ls'
Enter user’s password:
Domain=[LACLOUE] OS=[Windows 6.1] Server=[Samba 4.4.5]
. D 0 Fri Jan 27 18:41:33 2017
.. D 0 Fri Jan 27 18:41:37 2017

            52403200 blocks of size 1024. 47397872 blocks available

So I know the password is correct, but I cannot access the shares, it seems.

Let’s see filesystem permissions:

getfacl  /var/lib/nethserver/ibay/*

This help is much appreciated!

As requested:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/documents
# owner: administrator@lacloue.local
# group: domain\040users@lacloue.local
# flags: -s-
user::rwx
user:ryan@lacloue.local:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:ryan@lacloue.local:rwx
default:group::rwx
default:mask::rwx
default:other::---

# file: var/lib/nethserver/ibay/downloads
# owner: administrator@lacloue.local
# group: domain\040admins@lacloue.local
# flags: -s-
user::rwx
group::rwx
other::r-x

# file: var/lib/nethserver/ibay/movies
# owner: administrator@lacloue.local
# group: domain\040users@lacloue.local
# flags: -s-
user::rwx
group::rwx
other::---

# file: var/lib/nethserver/ibay/pics
# owner: administrator@lacloue.local
# group: family@lacloue.local
# flags: -s-
user::rwx
user:ryan@lacloue.local:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:ryan@lacloue.local:rwx
default:group::rwx
default:mask::rwx
default:other::---

# file: var/lib/nethserver/ibay/spare
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: var/lib/nethserver/ibay/Spare
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: var/lib/nethserver/ibay/test
# owner: administrator@lacloue.local
# group: family@lacloue.local
# flags: -s-
user::rwx
user:ryan@lacloue.local:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:ryan@lacloue.local:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

# file: var/lib/nethserver/ibay/test2
# owner: root
# group: 46
user::rwx
group::rwx
other::rwx

Please note that lacloue.local is not the same as server.lacloue.local.

getent hosts lacloue.local
getent hosts server.lacloue.local

…should return the IP addresses you’ve chosen for NSDC and NethServer itself.

There are many shares with different permissions. Those owned by “root” seem to require a “Reset permissions” from the “Shared folders” page: did you create them before installing nethserver-dc (Samba Active Directory local account provider)?

BTW “pics” and “test” seem good.

Yes, I was looking at some samba debugging pages. The hosts respectively return 192.168.2.3 and 192.168.2.4, as I would expect.

The shares were set up after installing all features; the messy permissions are due to experimentation.

Sadly neither pics nor test work as per example:

smbclient -U 'LACLOUE\ryan' -W LACLOUE //server.lacloue.local/test

returns: Connection to server.lacloue.local failed (Error NT_STATUS_CONNECTION_REFUSED)

Does there need to be specific permission on the ibay folder itself that I have perhaps messed up with my “experimenting”?

Currently:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay
# owner: root
# group: root
user::rwx
group::rwx
other::r-x

Are you sure that this name is correctly resolved?

Please execute this on your Windows machine:
nslookup server.lacloue.local

[root@server ~]# nslookup server.lacloue.local
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   server.lacloue.local
Address: 192.168.2.4

Seems fine in that respect.

Edit: I think I misread earlier. I ran it from a Windows client and it resolved fine too.

It wouldn’t be anything on the smb.conf side of things would it?

I know this is templated and updates automatically, so I have not altered anything. But it gives the impression to me that it’s not resolving security properly, so it is falling back to ACL permissions.

I may try a wipe and re-install tomorrow in case it’s a random glitch. Any thoughts in the meantime are welcome.

Thanks for the assistance!

Is this a regression of the samba share problems we saw earlier?

Could you add the optional -d 3 to increase debug messages?

 smbclient -d 3 ...

Both with “test” (auth) and “spare” (guest)… Thanks!

Result of tests:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[global]"
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
interpret_interface: using netmask value 16 from config file on interface enp4s0
added interface enp4s0 ip=192.168.1.18 bcast=192.168.1.255 netmask=255.255.0.0
Client started (version 4.4.4).
Enter LACLOUE\ryan's password:
resolve_hosts: Attempting host lookup for name server.lacloue.local<0x20>
Connecting to 192.168.2.4 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SERVER.LACLOUE.LOCAL'
Connecting to 192.168.2.4 at port 139
Connection to server.lacloue.local failed (Error NT_STATUS_CONNECTION_REFUSED)

I’m not 100% sure of the syntax to use with smbclient as guest, so correct me if I’m wrong:

[root@server ~]# smbclient -d 3 -U 'LACLOUE\guest%' -W LACLOUE //server.lacloue.local/spare
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[global]"
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
interpret_interface: using netmask value 16 from config file on interface enp4s0
added interface enp4s0 ip=192.168.1.18 bcast=192.168.1.255 netmask=255.255.0.0
Client started (version 4.4.4).
Connecting to 192.168.2.4 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SERVER.LACLOUE.LOCAL'
Connecting to 192.168.2.4 at port 139
Connection to server.lacloue.local failed (Error NT_STATUS_CONNECTION_REFUSED)

3 posts were split to a new topic: SFTP access to everything

Looks like you’re connecting from a different network and finding port 139 closed.

By default, smb is accessible from the green network only. Could you paste the output of

 db networks show
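Added example, not part of any post in this thread: a small shell function that reads `smbclient -d 3` output and reports which layer failed, so a refused TCP connection (firewall zone or service not listening) is not mistaken for a credential or ACL problem. The function name, the layer labels and the sample log (trimmed from the debug output quoted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a failed "smbclient -d 3" run by the layer that failed.
# classify_smb_failure and the layer names are hypothetical, not NethServer tooling.

# Constructed sample, trimmed from the debug output quoted in the thread.
SAMPLE_LOG='Client started (version 4.4.4).
resolve_hosts: Attempting host lookup for name server.lacloue.local<0x20>
Connecting to 192.168.2.4 at port 445
Connecting to 192.168.2.4 at port 139
Connection to server.lacloue.local failed (Error NT_STATUS_CONNECTION_REFUSED)'

# Reads a debug log on stdin, prints: <layer> <last NT_STATUS> <ports tried>
classify_smb_failure() {
  awk '
    # Every TCP attempt smbclient makes is logged with its destination port.
    /^Connecting to [0-9.]+ at port [0-9]+/ {
      ports = ports (ports ? "," : "") $NF
    }
    # Remember the last NT_STATUS code seen anywhere in the log.
    match($0, /NT_STATUS_[A-Z_]+/) { status = substr($0, RSTART, RLENGTH) }
    END {
      if (status == "")
        layer = "unknown"
      else if (status ~ /CONNECTION_REFUSED|HOST_UNREACHABLE|NETWORK_UNREACHABLE|IO_TIMEOUT/)
        layer = "transport"        # never reached smbd: firewall, zone, service down
      else if (status ~ /LOGON_FAILURE|WRONG_PASSWORD|ACCOUNT_|PASSWORD_/)
        layer = "authentication"   # reached smbd, credentials rejected
      else if (status ~ /ACCESS_DENIED|BAD_NETWORK_NAME/)
        layer = "share"            # authenticated, share ACL or share name is the issue
      else
        layer = "other"
      print layer, (status ? status : "-"), (ports ? ports : "-")
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | classify_smb_failure
```

A "transport" result means the filesystem ACLs were never consulted, so the next things to check are the firewall zone and whether smbd is listening on the address being contacted.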

I decided to do a wipe and re-install. I will let you know how it goes, especially if certain aspects are ongoing, i.e. the security issue over SFTP.

I’m sorry to report that I gave up on NethServer and installed a different Linux server, which after a slight hiccup worked out of the box for samba shares and does not have the SFTP security vulnerability (as I see it).

I liked the CentOS distro but I don’t mean any of the following in a harsh way, as your product is aimed at people who want a gui to allow simple management and setup. Of the two based on CentOS I tested yours was better. But both failed at samba, maybe it’s something you should look into closer and re-evaluate the security aspects.