Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Samba, Symlinks and unix extensions

  1. #1

    Default Samba, Symlinks and unix extensions

    Hi all,

    I have a directory shared with Samba. I am connecting to it with my Mac. In this directory I created a symbolic link to another directory. When I try with the command line, it follows the symlink fine.
    I added the following to my /etc/samba/smb.conf
    Code:
    [global]
    unix extensions = no
    [someshare]
    follow symlinks = yes
    wide links = yes
    However, the log says
    Share 'someshare' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
    And when I try to click on the symlink, the Finder thinks it's an alias pointing to a local dir that I can't find on my Mac.

    Why does samba chose to ignore the unix extensions = no line in the smb.conf file?

    Code:
    smbd -V
    Version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
    
    fdisk -l
    
    
    Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
    255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x000dd094
    
    
       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1            2048     4208639     2103296   82  Linux swap / Solaris
    /dev/sda2   *     4208640    46153727    20972544   83  Linux
    /dev/sda3        46153728  1953523711   953684992   83  Linux
    
    df
    Filesystem     1K-blocks      Used Available Use% Mounted on
    rootfs          20641788   7062368  12530796  37% /
    devtmpfs         1016868        36   1016832   1% /dev
    tmpfs            1023692         0   1023692   0% /dev/shm
    tmpfs            1023692       352   1023340   1% /run
    /dev/sda2       20641788   7062368  12530796  37% /
    tmpfs            1023692         0   1023692   0% /sys/fs/cgroup
    tmpfs            1023692       352   1023340   1% /var/run
    tmpfs            1023692       352   1023340   1% /var/lock
    tmpfs            1023692         0   1023692   0% /media
    /dev/sda3      938719072 894150340  26448724  98% /home
    
    cat /etc/fstab
    /dev/disk/by-id/ata-WDC_WD10EACS-00D6B1_WD-WCAU44133510-part1 swap                 swap       defaults              0 0
    /dev/disk/by-id/ata-WDC_WD10EACS-00D6B1_WD-WCAU44133510-part2 /                    ext4       acl,user_xattr        1 1
    /dev/disk/by-id/ata-WDC_WD10EACS-00D6B1_WD-WCAU44133510-part3 /home                ext4       acl,user_xattr        1 2
    proc                 /proc                proc       defaults              0 0
    sysfs                /sys                 sysfs      noauto                0 0
    debugfs              /sys/kernel/debug    debugfs    noauto                0 0
    devpts               /dev/pts             devpts     mode=0620,gid=5       0 0
    running openSUSE 12.2 (Mantis) x86_64
    P4 3.2 Ghz | 2 GB RAM | 1000 GB HDD
    Serves as Usenet downloader (couchpotato, headphones, sickbeard and sabnzbd) and SMB Media server.

  2. #2
    Join Date
    Nov 2009
    Location
    ND, USA
    Posts
    1,131

    Default Re: Samba, Symlinks and unix extensions

    On 1/18/2013 8:06 AM, ShaolinSatellite wrote:
    >
    > Hi all,
    >
    > I have a directory shared with Samba. I am connecting to it with my
    > Mac. In this directory I created a symbolic link to another directory.
    > When I try with the command line, it follows the symlink fine.
    > I added the following to my /etc/samba/smb.conf
    >
    > Code:
    > --------------------
    >
    > [global]
    > unix extensions = no
    > [someshare]
    > follow symlinks = yes
    > wide links = yes
    > --------------------
    >
    >
    > However, the log says
    >> Share 'someshare' has wide links and unix extensions enabled. These
    >> parameters are incompatible. Wide links will be disabled for this share.

    >

    <snip>
    >
    > --------------------
    >
    >

    ShaolinSatellite;

    Have you restarted smbd since editing /etc/samba/smb.conf? The [Global] section
    of smb.conf is only read when smbd starts.

    Could there be a typo? What does the following command give?
    Code:
    testparm -vs | grep unix
    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  3. #3
    Join Date
    Mar 2010
    Location
    Austin - Texas
    Posts
    10,140
    Blog Entries
    48

    Smile Re: Samba, Symlinks and unix extensions

    Quote Originally Posted by ShaolinSatellite View Post
    Hi all,

    I have a directory shared with Samba. I am connecting to it with my Mac. In this directory I created a symbolic link to another directory. When I try with the command line, it follows the symlink fine.
    I added the following to my /etc/samba/smb.conf
    Code:
    [global]
    unix extensions = no
    [someshare]
    follow symlinks = yes
    wide links = yes
    However, the log says


    And when I try to click on the symlink, the Finder thinks it's an alias pointing to a local dir that I can't find on my Mac.

    Why does samba chose to ignore the unix extensions = no line in the smb.conf file?

    Code:
    smbd -V
    Version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
    
    fdisk -l
    
    
    Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
    255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x000dd094
    
    
       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1            2048     4208639     2103296   82  Linux swap / Solaris
    /dev/sda2   *     4208640    46153727    20972544   83  Linux
    /dev/sda3        46153728  1953523711   953684992   83  Linux
    
    df
    Filesystem     1K-blocks      Used Available Use% Mounted on
    rootfs          20641788   7062368  12530796  37% /
    devtmpfs         1016868        36   1016832   1% /dev
    tmpfs            1023692         0   1023692   0% /dev/shm
    tmpfs            1023692       352   1023340   1% /run
    /dev/sda2       20641788   7062368  12530796  37% /
    tmpfs            1023692         0   1023692   0% /sys/fs/cgroup
    tmpfs            1023692       352   1023340   1% /var/run
    tmpfs            1023692       352   1023340   1% /var/lock
    tmpfs            1023692         0   1023692   0% /media
    /dev/sda3      938719072 894150340  26448724  98% /home
    
    cat /etc/fstab
    /dev/disk/by-id/ata-WDC_WD10EACS-00D6B1_WD-WCAU44133510-part1 swap                 swap       defaults              0 0
    /dev/disk/by-id/ata-WDC_WD10EACS-00D6B1_WD-WCAU44133510-part2 /                    ext4       acl,user_xattr        1 1
    /dev/disk/by-id/ata-WDC_WD10EACS-00D6B1_WD-WCAU44133510-part3 /home                ext4       acl,user_xattr        1 2
    proc                 /proc                proc       defaults              0 0
    sysfs                /sys                 sysfs      noauto                0 0
    debugfs              /sys/kernel/debug    debugfs    noauto                0 0
    devpts               /dev/pts             devpts     mode=0620,gid=5       0 0
    Please read this. It looks like both should be yes for symlinks to work.

    unix extensions (G)


    This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.Note if this parameter is turned on, the wide links parameter will automatically be disabled. See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.

    Default: unix extensions = yes

    follow symlinks (S)

    This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory for instance. However it will slow filename lookups down slightly.This option is enabled (i.e. smbd will follow symbolic links) by default.

    Default: follow symlinks = yes

    Further the default is such that for Yes, they both may be omitted.

    I have a couple of blogs on Samba you can read here:

    Samba S.W.A.T. - Samba Web Administration Tool Setup for openSUSE: https://forums.opensuse.org/blogs/jd...p-opensuse-76/

    AND

    SWAT - Samba Web Administration Tool - Setup & Creation Script - 1.04: https://forums.opensuse.org/blogs/jd...ript-1-03-105/

    And to Edit that smb.conf file directly, have a look here:

    SYSEdit - System File Editor - Version 1.50: https://forums.opensuse.org/blogs/jd...rsion-1-00-60/

    Thank You,
    My Blog: https://forums.opensuse.org/blogs/jdmcdaniel3/

    Software efficiency halves every 18 months, thus compensating for Moore's Law

    Its James again from Austin, Texas

  4. #4
    Join Date
    Nov 2009
    Location
    ND, USA
    Posts
    1,131

    Default Re: Samba, Symlinks and unix extensions

    On 1/18/2013 10:06 PM, jdmcdaniel3 wrote:
    >
    > ShaolinSatellite;2519514 Wrote:
    >> Hi all,
    >>
    >> I have a directory shared with Samba. I am connecting to it with my
    >> Mac. In this directory I created a symbolic link to another directory.
    >> When I try with the command line, it follows the symlink fine.
    >> I added the following to my /etc/samba/smb.conf
    >>>

    > Code:
    > --------------------
    > > >

    > > [global]
    > > unix extensions = no
    > > [someshare]
    > > follow symlinks = yes
    > > wide links = yes

    > --------------------
    >>>

    >>
    >> However, the log says
    >>
    >>
    >> And when I try to click on the symlink, the Finder thinks it's an
    >> alias pointing to a local dir that I can't find on my Mac.
    >>
    >> Why does samba chose to ignore the unix extensions = no line in the
    >> smb.conf file?
    >>

    <snip>
    >>>

    >
    > Please read this. It looks like both should be yes for symlinks to
    > work.
    >
    > UNIX EXTENSIONS (G)
    > This boolean parameter controls whether Samba implements the CIFS
    > UNIX extensions, as defined by HP. These extensions enable Samba to
    > better serve UNIX CIFS clients by supporting features such as
    > symbolic links, hard links, etc... These extensions require a
    > similarly enabled client, and are of no current use to Windows
    > clients.Note if this parameter is turned on, the 'wide links'
    > (http://localhost:901/swat/help/manpa...html#WIDELINKS)
    > parameter will automatically be disabled. See the parameter 'allow
    > insecure wide links' (http://tinyurl.com/b3rbgb4) if you wish to
    > change this coupling between the two parameters.
    >
    > Default: --unix extensions- = yes -
    >
    > FOLLOW SYMLINKS (S)
    > This parameter allows the Samba administrator to stop 'smbd(8)'
    > (http://localhost:901/swat/help/manpages/smbd.8.html) from following
    > symbolic links in a particular share. Setting this parameter to no
    > prevents any file or directory that is a symbolic link from being
    > followed (the user will get an error). This option is very useful to
    > stop users from adding a symbolic link to /etc/passwd in their home
    > directory for instance. However it will slow filename lookups down
    > slightly.This option is enabled (i.e. smbd will follow symbolic links)
    > by default.
    >
    > Default: --follow symlinks- = yes -
    >
    > Further the default is such that for Yes, they both may be omitted.

    <snip>
    >
    > Thank You,
    >
    >


    You need the parameter, wide links, turned on to follow links outside the shared
    file system. For security reason, this has defaulted to off since Samba version
    3.5.0. For a discussion of the security problem with wide links on see:

    http://www.samba.org/samba/news/symlink_attack.html

    Notice that in the above article, Unix clients resolve symbolic links locally.
    Since the MAC is Unix based, that may be why the MAC is resolving the links
    locally. ( I had not thought about that in my first post.)



    From the manual for smb.conf:
    http://www.samba.org/samba/docs/man/...mb.conf.5.html

    wide links (S)
    This parameter controls whether or links in the UNIX file system may be followed
    by the server. Links that point to areas within the directory tree exported by
    the server are always allowed; this parameter controls access only to areas that
    are outside the directory tree being exported.

    Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX
    clients to create symbolic links on the share that can point to files or
    directories outside restricted path exported by the share definition. This can
    cause access to areas outside of the share. Due to this problem, this parameter
    will be automatically disabled (with a message in the log file) if the unix
    extensions option is on.

    Default: wide links = no
    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  5. #5

    Default Re: Samba, Symlinks and unix extensions

    Alright, thanks for your help.
    I will share the directory separately rather than using symlinks.
    running openSUSE 12.2 (Mantis) x86_64
    P4 3.2 Ghz | 2 GB RAM | 1000 GB HDD
    Serves as Usenet downloader (couchpotato, headphones, sickbeard and sabnzbd) and SMB Media server.

  6. #6
    Join Date
    Mar 2010
    Location
    Austin - Texas
    Posts
    10,140
    Blog Entries
    48

    Smile Re: Samba, Symlinks and unix extensions

    Quote Originally Posted by ShaolinSatellite View Post
    Alright, thanks for your help.
    I will share the directory separately rather than using symlinks.
    You are very welcome for the help and let us know if we can be of further service to you.

    Thank You,
    My Blog: https://forums.opensuse.org/blogs/jdmcdaniel3/

    Software efficiency halves every 18 months, thus compensating for Moore's Law

    Its James again from Austin, Texas

  7. #7
    Join Date
    Nov 2009
    Location
    ND, USA
    Posts
    1,131

    Default Re: Samba, Symlinks and unix extensions

    On 1/20/2013 2:36 PM, ShaolinSatellite wrote:
    >
    > Alright, thanks for your help.
    > I will share the directory separately rather than using symlinks.
    >
    >

    ShaolinSatellite;

    Did you run "testparm" as in my first post? What did it return? The error
    message sounds to me like you have (had?) unix extensions enabled for some
    reason. All I can think of are:

    1. You edited the wrong copy of smb.conf.
    (The correct file is: /etc/samba/smb.conf)

    2. You have a typographical error in your entry for unix extensions.

    3. You have the parameter unix extensions entered twice. Once off and a second
    time on.

    Anyway, IMHO you are better off using separate shares rather than relying on links.

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  8. #8
    Join Date
    May 2009
    Location
    Liège Walifornia
    Posts
    366

    Default Re: Samba, Symlinks and unix extensions

    First, apologizes to bother you, long time after the last post. I did read the different books I have concerning Samba and strangely all the books are saying that wide links and follow symlinks are "share scope". But technically I had only good results with symbolic links only if I put unix extensions = No follow symlinks = Yes wide links = Yes In the GLOBAL section. My question is the following: what the setting of "unix extensions" to "no" have as consequences ? If this "option" is set to "yes" by default there must be a reason, I did not yet find any answer. When setting wide links to "Yes" and unix extension to "Yes" leads to a conflict and the Samba server throws a warning. What "unix extensions" does ?

  9. #9
    Join Date
    Mar 2010
    Location
    Austin - Texas
    Posts
    10,140
    Blog Entries
    48

    Smile Re: Samba, Symlinks and unix extensions

    Quote Originally Posted by soundlord View Post
    First, apologizes to bother you, long time after the last post. I did read the different books I have concerning Samba and strangely all the books are saying that wide links and follow symlinks are "share scope". But technically I had only good results with symbolic links only if I put unix extensions = No follow symlinks = Yes wide links = Yes In the GLOBAL section. My question is the following: what the setting of "unix extensions" to "no" have as consequences ? If this "option" is set to "yes" by default there must be a reason, I did not yet find any answer. When setting wide links to "Yes" and unix extension to "Yes" leads to a conflict and the Samba server throws a warning. What "unix extensions" does ?
    These are the descriptions found for each:

    UNIX extensions (G)

    This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.

    Note if this parameter is turned on, the wide links parameter will automatically be disabled.

    See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.

    Code:
        Default: unix extensions = yes
    allow insecure wide links (G)

    In normal operation the option wide links which allows the server to follow symlinks outside of a share path is automatically disabled when unix extensions are enabled on a Samba server. This is done for security purposes to prevent UNIX clients creating symlinks to areas of the server file system that the administrator does not wish to export.

    Setting allow insecure wide links to true disables the link between these two parameters, removing this protection and allowing a site to configure the server to follow symlinks (by setting wide links to "true") even when unix extensions is turned on.

    If is not recommended to enable this option unless you fully understand the implications of allowing the server to follow symbolic links created by UNIX clients. For most normal Samba configurations this would be considered a security hole and setting this parameter is not recommended.

    This option was added at the request of sites who had deliberately set Samba up in this way and needed to continue supporting this functionality without having to patch the Samba code.

    Code:
        Default: allow insecure wide links = no
    smb encrypt (S)

    This is a new feature introduced with Samba 3.2 and above. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys. Currently this is only supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS and MacOS/X clients. Windows clients do not support this feature.

    This controls whether the remote client is allowed or required to use SMB encryption. Possible values are auto, mandatory and disabled. This may be set on a per-share basis, but clients may chose to encrypt the entire session, not just traffic to a specific share. If this is set to mandatory then all traffic to a share must must be encrypted once the connection has been made to the share. The server would return "access denied" to all non-encrypted requests on such a share. Selecting encrypted traffic reduces throughput as smaller packet sizes must be used (no huge UNIX style read/writes allowed) as well as the overhead of encrypting and signing all the data.

    If SMB encryption is selected, Windows style SMB signing (see the server signing option) is no longer necessary, as the GSSAPI flags use select both signing and sealing of the data.

    When set to auto, SMB encryption is offered, but not enforced. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated.

    Code:
        Default: smb encrypt = auto
    wide links (S)

    This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported.

    Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.

    See the parameter allow insecure wide links if you wish to change this coupling between the two parameters.

    Code:
        Default: wide links = no
    Thank You,
    My Blog: https://forums.opensuse.org/blogs/jdmcdaniel3/

    Software efficiency halves every 18 months, thus compensating for Moore's Law

    Its James again from Austin, Texas

  10. #10

    Default Re: Samba, Symlinks and unix extensions

    I've encountered a problem with wide symlinks in Samba 4.1 under Open Suse 13.2, migrating from a Samba 3.0 installation set up in 2006. On that system, "insecure" wide links were later needed because of unbalanced partitioning that meant that the home partition became too small.

    Although there is scope in the new system to avoid the need to copy the same arrangement from the old server, it seemed wise to start with that arrangement, and tidy it up later, so that the migration would be as seamless as possible. However, even with the most relaxed settings (follow symlinks=yes, wide links=yes, allow insecure wide links=yes) symlinks are not working as expected in the new environment.

    The result is that rsync-ing with symbolic links being followed instead of preserved causes the home directories to be copied to two locations. This may not be a problem but, because some of the home folders have group access, I cannot be sure that the link targets can safely be removed from the migrated system.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •