I have Samba 4.14.5 installed on RHEL8.
If I create a few subfolders and then create say 500 files/folders there , about 350 show up. But all can be accessed if I give the complete adress in the windows
explorer.
If I create 350, then all show up. If I create the 351st
folder, then one gets ramdomly invisible but it can be accessed if I
give the complete address in the windows explorer.
If I delete the 351st dir, then the other 350 show up correctly.
If I create another subfolder, maybe 200 will show up, so this is ramdom.
The servers is an EC2 instance and the mount is an EFS.
Config in samba.conf
[global]
realm = SAMPLE.ORG
workgroup = EXAM
security = ads
kerberos method = secrets and keytab
template homedir = /home/%U
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config EXAM : backend = sss
idmap config EXAM : range = 200000-2147483647
load printers = no
machine password timeout = 0
log level = 4
[data-robo]
comment = AWS EFS share drive
browseable = Yes
read only = No
write list = #group1,#group2
public = No
path = /data/robo2
valid users = #group1,#group2
force directory mode = 777
Thanks,
Just adding I see this same behavior with a CentOS 8 Stream samba 4.16.4 server sharing NFS mounts from a VAST appliance. I do not see it when sharing an NFS mount from another CentOS 8 Stream box. I also do not see it when sharing the VAST NFS mounts on a CentOS7 samba server running 4.10.16.
So the solution for us for now is to share the VAST NFS mounts only from a CentOS7 samba server. I assume the same would be true for EFS
Related
I have a linux workstation in which I want to offer an access to a share folder using a user login and password.
All files remotely created will belong to the local workstation user named operator
in my linux workstation, I created this special account PenguinUser as user login for this share :
sudo useradd --no-create-home PenguinUser
sudo smbpasswd -a PenguinUser
I setted up the samba server as follow :
[global]
workgroup = OUTOFWORLD
server string = SHARED MACHINE
security = user
map to guest = Bad Password
passdb backend = tdbsam
obey pam restrictions = Yes
guest account = operator
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
logging = syslog#0
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
show add printer wizard = No
dns proxy = No
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
invalid users = root
usershare allow guests = No
[files]
comment = operator files
path = /home/operator/files_folder
valid users = operator,PenguinUser
read list = operator
create mask = 0777
directory mask = 0777
force user = operator
force group = automat
guest ok = No
browseable = Yes
writable = Yes
2 questions :
1/ why do we need to create a user account in the main company server ?? In this case, I would agree, if it is possible to manage the user / login password from this server and not the workstation ?
2/ Howto allow write accesses in the folders created in the remote directory ? This actual setup does not permit it.
1/ why do we need to create a user account in the main company server ??
So that the Samba users can save files to the share
1A/ In this case, I would agree, if it is possible to manage the user / login password from this server and not the workstation ?
Big problem, you can add 'unix password sync = yes' to '[global]' and this will keep the Unix & Samba passwords in sync on the server, but there is nothing standard that will keep the client password in sync with the server, why do you think they came up with domains ? (note: that wasn't the only reason)
2/ Howto allow write accesses in the folders created in the remote directory ? This actual setup does not permit it.
recreate your smb.conf like this:
[global]
workgroup = OUTOFWORLD
server string = SHARED MACHINE
security = user
obey pam restrictions = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
unix password sync = yes
logging = syslog#0
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
show add printer wizard = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
[files]
comment = operator files
path = /home/files_folder
valid users = PenguinUser
create mask = 0700
directory mask = 0700
read only = no
This will allow only the user 'PenguinUser' to connect to the 'files' share.
TL;DR: Time Machine cannot create a new backup on my shared drive, but can add to an existing backup.
I'm running macOS Catalina and my Time Machine backs up to a Debian 10 server with NetAtalk and Avahi. Since Mavericks macOS has preferred SMB, and given SMB is marginally faster I decided to switch to using SMB for the Time Machine shares. On a fresh AFP share I can start a new Time Machine backup in System Preferences and it will create a new .sparseimage without complaint.
If I use the exact same directory (/usr/local/smb), so same permissions etc, and create a samba share, when Time Machine attempts to create a new backup it give the error: "Time Machine couldn’t complete the backup to SERVER.local. The backup disk image could not be created."
If I first connect to the share with AFP and do the initial backup, I can then connect with SMB and add subsequent incremental backups without error. I thought maybe a permissions issue, but for debugging purposes I have /usr/local/smb set to 0777 and still get the error.
ls -la showing permissions of the share point:
drwxrwxrwx 5 root smbusers 4096 Apr 3 12:35 smb
I find the following possibly helpful error in the log:
Failed to create '/Volumes/.timemachine/SERVER._smb._tcp.local/DDE06691-7411-41DD-8419-24FEFC21CE29/TimeMachine Set A - SMB/8E394711-7E3F-520B-800C-192D4F680177.sparsebundle', results: {
}, error: 13 Permission denied
afp.conf:
[Global]
; Global server settings
vol preset = default_for_all
log file = /var/log/netatalk.log
uam list = uams_dhx2.so,uams_clrtxt.so
save password = no
[default_for_all]
file perm = 0664
directory perm = 0774
cnid scheme = dbd
[Time Machine Set A - AFP]
path = /usr/local/smb
time machine = yes
vol size limit = 4000000
I'm using some smb.conf options suggested in this GitHub: https://gist.github.com/ChloeTigre/4c2022c0d1a281deedba6f7539a2e3ae
smb.conf:
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
wins support = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog#1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
###MacOS compatability stuff
guest account = smbguest
min protocol = SMB2
map acl inherit = yes
vfs objects = catia fruit streams_xattr
fruit:metadata = netatalk
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = yes
durable handles = yes
kernel oplocks = no
kernel share modes =no
posix locking = no
smb2 leases = yes
#Turned off for testing compatability
#fruit:wipe_intentionally_left_blank_rfork = yes
#fruit:delete_empty_adfiles = yes
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan#informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
######Security#######
security = user
valid users = #smbusers
username map = /etc/samba/users.map
guest ok = no
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
[TimeMachine Set A - SMB]
path = /usr/local/smb
comment = SMB Time Machine Destination Set A
browsable = yes
writeable = yes
create mode = 0664 #tried turning this off, no fix
directory mode = 0777 #tried turning this off, no fix
vfs objects = catia fruit streams_xattr
fruit:aapl = yes
fruit:time machine = yes
#guest ok = yes
fruit:time machine max size = 3.9T #tried turning this off, no fix
inherit acls = yes
As I was so helpfully informed here the issue boiled down to one variable. I needed to change fruit:metadata = netatalk to fruit:metadata = stream.
Thought I'd post some additional info for people. My currently working smb.conf is as follows. Note this is on Debian 10 (Buster) so things like password change command will be different on other distributions. Also note that the order of modules in the setting vfs objects = catia fruit streams_xattr is significant and important.
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
[global]
workgroup = WORKGROUP
min protocol = SMB2
log file = /var/log/samba/log.%m
max log size = 5000
logging = file
security = USER
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
username map = /etc/samba/users.map
map to guest = bad user
guest account = XXXYOURGUESTACCOUNT
# Time Machine settings
vfs objects = catia fruit streams_xattr
fruit:model = MacSamba
fruit:advertise_fullsync = true
fruit:metadata = stream
fruit:veto_appledouble = no
#default is yes, not necessary to specify fruit:posix_rename = no
#default is yes, not necessary to specify fruit:zero_file_id = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
ea support = yes
#default is yes, not necessary to specify fruit:aapl = yes
# Make share visible to Windows
#Disabled for a Mac-Only network
# lanman auth = no
# ntlm auth = yes
# wins support = yes
# local master = yes
# preferred master = yes
# Allow symlinks
# follow symlinks = yes
# wide links = yes
# unix extensions = no
#======================= Share Definitions =======================
[SHARED DRIVE]
path = /PATH/TO/YOUR/SHARED/FOLDER
valid users = #YOURGUESTUSERGROUP
writable = yes
durable handles = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
vfs objects = catia fruit streams_xattr
#default is yes, not necessary to specify ea support = yes
#default is yes, not necessary to specify browseable = yes
read only = no
inherit acls = yes
fruit:time machine = yes
fruit:metadata = stream
fruit:locking = netatalk
guest ok = yes
[Time Machine]
path = /PATH/TO/YOUR/SHARED/FOLDER
valid users = #YOURGUESTUSERGROUP
writable = yes
durable handles = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
vfs objects = catia fruit streams_xattr
#default is yes, not necessary to specify ea support = yes
browseable = no
read only = no
inherit acls = yes
fruit:time machine = yes
fruit:metadata = stream
fruit:locking = netatalk
fruit:time machine max size = 1.9T
Also note that The Samba build with Debian 10 currently does not have built-in support for advertising Time Machine shares. Normally specifying fruit:time machine = yes will trigger Samba to advertise a Time Machine destination via Avahi, but this specific support is not built with the Samba included in Debian 10. You'll need to configure a .service definition in /etc/avahi/services/. I created time_machine_advert.service in that folder. You'll need to restart avahi to be sure it gets applied with sudo systemctl restart avahi. I have two Time Machine destinations. Multiples can be advertised within a single file by simply duplicating the txt record and incrementing dkX, i.e. dk1, dk2 etc.
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_adisk._tcp</type>
<txt-record>sys=waMa=0,adVF=0x100</txt-record>
<txt-record>dk0=adVN=SAMBA SHARE NAME EXACTLY,adVF=0x82</txt-record>
<txt-record>dk1=adVN=SAMBA SHARE NAME #2 EXACTLY,adVF=0x82</txt-record>
</service>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
</service-group>
There are some additional useful sites for Samba configuration with regards to Time Machine here:
Samba team's official guide to Time Machine configuration, although this alone didn't get a working config for me: https://wiki.samba.org/index.php/Configure_Samba_to_Work_Better_with_Mac_OS_X
smb.conf reference: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
vfs_fruit (the Apple compatibility module for Samba) reference https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html
Ken Murphy's smb.conf on GitHub that finally pushed me over the edge and got my setup working: https://github.com/KenMurphy/SambaConfigs/blob/master/smb.conf
A general Samba on Debian guide: https://www.antoneliasson.se/journal/time-machine-compatible-samba-on-debian-buster/
How to deploy the hashicorp vault in openshift with out using persistent volumes(PV)?
In the openshift cluster as a normal user(not a cluster admin),need to deploy the vault server. I followed the URL but it has persistent volumes (/vault/file) in vault.yaml file in it, which requires permission for my account to create persistent container but I do not have enough permission for my account. so i removed the pv mount paths in the vault-config.json like below, but I am seeing the below error.
{"backend":
{"file":
{"path": "/tmp/file"}
},
...
...
}
Is it possible to create the vault server without PV, like using the local file path (/tmp/file) as backend storage as a normal user?
What is the alternative way to deploy vault in openshift without PV to deploy hashicorp vault?
Below is the error when run with pv,
--> Scaling vault-1 to 1
--> FailedCreate: vault-1 Error creating: pods "vault-1-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
error: update acceptor rejected vault-1: pods for rc 'dev-poc-environment/vault-1' took longer than 600 seconds to become available
How to deploy the hashicorp vault in openshift with out using
persistent volumes(PV)?
You can use In-Memory storage backend as mentioned here. So your vault config looks something like this:
$cat config.hcl
disable_mlock = true
storage "inmem" {}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 0
tls_cert_file = "/etc/service/vault-server/vault-server.crt"
tls_key_file = "/etc/service/vault-server/vault-server.key"
}
ui = true
max_lease_ttl = "7200h"
default_lease_ttl = "7200h"
api_addr = "http://127.0.0.1:8200"
But with this data/secrets are not persistent.
Another way is to add a file path to the storage, so that all the secrets which are encrypted stored at the mentioned path.
so now your config changes to
storage "file" {
path = "ANY-PATH"
}
POINTS TO BE NOTED HERE:
Path defined should have permissions to write/read data/secrets
This could be any path that is inside the container, just to avoid dependency on persistence volume.
But what is the problem with this model? When the container restarts, all the data will be lost as the container doesn't store data.
No High Availability – the Filesystem backend does not support high
availability.
So what should be the ideal solution? Anything that makes our data highly available, which is achieved by using dedicated backend storage using a database.
For simplicity, let us take PostgreSQL as backend storage.
storage "postgresql" {
connection_url = "postgres://user123:secret123!#localhost:5432/vault"
}
so now config looks something like this:
$ cat config.hcl
disable_mlock = true
storage "postgresql" {
connection_url = "postgres://vault:vault#vault-postgresql:5432/postgres?sslmode=disable"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 0
tls_cert_file = "/etc/service/vault-server/vault-server.crt"
tls_key_file = "/etc/service/vault-server/vault-server.key"
}
ui = true
max_lease_ttl = "7200h"
default_lease_ttl = "7200h"
api_addr = "http://127.0.0.1:8200"
So choosing backend storage helps you to persist your data even if the container restarts.
As you are specifically looking for a solution in openshift, create a postgresSQL container using template provided and make vault point it to it using the service name as explanied in the above config.hcl
Hope this helps!
We are installing samba on Ubuntu18.04 and samba has default version 4.7.4-ubuntu
Configured samba for a share and set create_mode as 0664 and directory_mode as 0700:
[Sharemike]
path = /opt/shareonly
create mask = 0664
directory mask = 0700
browseable = yes
writeable = yes
comment = sharing /opt/sharepublic folder
read only = no
valid users = mike
Mounted share locally. Able to create file and directory using smbclient and also with mike user account.
But when checked the directory_mode and creare_mode, they are showing 755 and 755
Also tried below combinations in smb.conf but did nto work:
inherit permissions = yes
unix extensions = no
obey pam restrictions = no
force create mode = 0664
force directory mode = 2700
force user = mike
In Ubuntu16 it is working as configured in samba.
Can anyone explain why this behaviour in Ubuntu18?
I have added this in my /etc/samba/smb.conf
[srv]
comment = another share
path = /srv
browseable = yes
create mask = 0777
directory mask = 0777
[slash]
comment = another sharedsad
path = /
browseable = yes
writable = yes
create mask = 0777
directory mask = 0777
I can easily access sub-directory inside \\IP\srv\ but I cannot do so with \\IP\slash\.
SMB server is installed in a Linux Mint 17.3 VM and I am trying to access it from a windows host.
smbclient on guest is giving error too NT_STATUS_ACCESS_DENIED listing \bin
Logs say:
[2016/02/01 03:42:52.256236, 0] ../source3/param/loadparm.c:4365(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/vk failed. No such file or directory
This turned out to be a bug introduced in Samba 4.1+
https://www.turnkeylinux.org/forum/support/20160104/samba-updated-and-broke-root-share-any-ideas
There are two workarounds for this:
A) Enable symlinks. Add this to your smb.conf
[global]
wide links = yes
unix extensions = no
B) https://bugzilla.samba.org/show_bug.cgi?id=11647#c7
mkdir /mnt/root
mount -o rbind / /mnt/root
and use "path = /mnt/root" instead of "path = /"