No permission to access Samba share from windows

Hello,
I’ve been trying to solve this issue with accessing a Samba share from a Windows 7 box.
Samba is on an openSUSE 13.1 computer and /mnt/media is shared.
From Windows 7 I enter the IP of the SUSE server and enter my Samba user name and password. It then shows me the share media. But when I double-click it, it says I don’t have permission to access \\192.268.xxx.xxx\media.

Here is my smb.conf file

[global]

    passdb backend = tdbsam
    add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
    domain logons = No
    domain master = No
    security = user
    usershare allow guests =No
    map to guest = bad use

[Media]
comment = mnt media
path = /mnt/media
valid users = bstent
force group = users
writable = yes

Here are the permissions on the /mnt/media

drwxrwxrwx 13 bstent media 4096 Mar 9 16:49 .
drwxr-xr-x 4 root root 4096 Mar 9 14:27 ..
drwxrwxrwx 4 bstent media 4096 Feb 10 17:13 .Trash-1000
drwxrwxrwx 6 bstent media 4096 Mar 9 19:50 Files and Software
drwxrwxrwx 19 bstent media 4096 Mar 12 17:04 Movies
drwxrwxrwx 297 bstent media 20480 Mar 3 08:29 Music
drwxrwxrwx 67 bstent media 12288 Jan 23 14:35 Pictures

I have no idea what I’m doing wrong but I’m sure it’s a simple oversight or misunderstanding of permissions.
Please help me if you can. It is much appreciated.

Regards
Brian

Hi bstent and welcome to the openSUSE forums,

I don’t see any particular problem in your smb.conf file and in your share permissions. Did you add bstent to the Samba user database using smbpasswd as root?

Thanks for your reply.
I have added bstent to the smbpasswd. When I enter \\192.168.0.2 in Windows Explorer, it asks for a username/password. I enter the one I used for bstent and then it presents me with the media share. When I go to click on that, it says I don’t have permission to access the folder.

I’m not sure how this can be so difficult. I’m sure I’m missing something simple…

Thanks for your help.
Brian

You are welcome,

As you added bstent to the Samba user database, I read the contents of your smb.conf again, and I found two possible issues:


[global]

        passdb backend = tdbsam
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = No
        domain master = No
        security = user
        usershare allow guests =No
        **map to guest = bad use**


[Media]
        comment = mnt media
        path = /mnt/media
        valid users = bstent
        
        writable = yes

The first issue is a typo I think, the correct value for map to guest is bad user. The second isn’t really an issue, but the permissions on /mnt/media show the group media as its group class. Maybe you should force group to media in the share definition?

If you still can’t access the Media share from your Windows 7 computer, you should increase Samba verbosity by setting the parameter log level to 2 in the global section of your smb.conf file. Then:

  1. check your smb.conf file with testparm (just in case)
  2. restart the smbd daemon
  3. wait for a minute
  4. attempt a connection to the Media share with your Windows 7 computer
  5. check the Samba smbd daemon log in /var/log/samba (if I remember correctly; otherwise check the log files’ location with smbd -b | grep LOGFILEBASE)

Of course, we will be happy to help you if you share with us the content of the log file. In that case, please copy its content between CODE tags (tag usage: [TAG]text[/TAG]).

Hi thanks again for your time!

I tried your edits, thanks, but I am still getting blocked. I did create the logs and here is what they look like after I attempt to connect to the media share.
Before you view the logs, I thought I should post my mount settings from /etc/fstab just to be sure there isn’t an option there that is causing the problem. I am a newb after all :)

suseserv:/home/bstent/log # cat /etc/fstab
/dev/disk/by-id/ata-WDC_WD1600AAJS-60B4A0_WD-WMAT20700566-part1 swap swap defaults 0 0
/dev/disk/by-id/ata-WDC_WD1600AAJS-60B4A0_WD-WMAT20700566-part2 / ext4 acl,user_xattr 1 1
/dev/disk/by-id/ata-WDC_WD1600AAJS-60B4A0_WD-WMAT20700566-part3 /home ext4 acl,user_xattr 1 2
/dev/sdb1 /mnt/media ext4 auto,rw,users,exec 0 1
/dev/sdc1 /mnt/backup ext4 auto,users,exec 0 1


suseserv:/home/bstent/log # cat samba.log.smbd
[2014/03/14 15:33:57.183297, 2] ../source3/smbd/server.c:437(remove_child_pid)
Could not find child 5842 -- ignoring
[2014/03/14 15:34:57.244352, 2] ../source3/smbd/server.c:437(remove_child_pid)
Could not find child 5870 -- ignoring
[2014/03/14 15:35:57.296604, 2] ../source3/smbd/server.c:437(remove_child_pid)
Could not find child 5901 -- ignoring
[2014/03/14 15:36:57.348729, 2] ../source3/smbd/server.c:437(remove_child_pid)
Could not find child 5925 -- ignoring
[2014/03/14 15:37:57.410528, 2] ../source3/smbd/server.c:437(remove_child_pid)
Could not find child 5941 -- ignoring
[2014/03/14 15:38:57.444208, 2] ../source3/smbd/server.c:437(remove_child_pid)
Could not find child 5957 -- ignoring
[2014/03/14 15:39:57.505701, 2] ../source3/smbd/server.c:437(remove_child_pid)
Could not find child 5973 -- ignoring
[2014/03/14 15:40:57.557906, 2] ../source3/smbd/server.c:437(remove_child_pid)
Could not find child 5991 -- ignoring


This looks like the log from my Windows client PC

suseserv:/home/bstent/log # cat samba.log.192.168.222.55
[2014/03/14 15:33:37.394149, 2] ../source3/param/loadparm.c:3581(do_section)
Processing section "[Media]"
[2014/03/14 15:33:37.395098, 2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
check_ntlm_password: authentication for user [bstent] -> [bstent] -> [bstent] succeeded


This looks like the user log.

suseserv:/home/bstent/log # cat samba.log.bstent
[2014/03/14 15:33:37.726651, 2] ../source3/smbd/service.c:848(make_connection_snum)
bstent (ipv4:192.168.222.55:27926) connect to service Media initially as user bstent (uid=1000, gid=1000) (pid 5827)


Thanks
Brian

Good idea! That could explain a lot. The Samba Wiki recommends mounting ext4 filesystems with the acl and user_xattr options [1]. Furthermore, as the users option automatically disables some features, my recommendation is to change the /dev/sdb1 line in /etc/fstab to:


/dev/sdb1 /mnt/media ext4 acl,user_xattr 0 2

Note that the sixth field should have a value of 2 for filesystems other than the root filesystem (such as /dev/sdb1 and /dev/sdc1). See man fstab for details.

Don’t forget to make a copy of your /etc/fstab before any modification. I wouldn’t like to be responsible for an unbootable system!

So authentication works. From your previous post we know that permissions on the share are OK. I hope changing the mount options will fix the problem, otherwise we will start to run in circles!

[1] “Setup and configure file shares - SambaWiki.” [Online]. Available: https://wiki.samba.org/index.php/Setup_and_configure_file_shares. [Accessed: 16-Mar-2014].

Hi!

I think I’m having a similar issue, and no solutions as of yet as well:
My goal is sharing a r/w directory of my htpc for everyone

my smb.conf:

[global]
workgroup = WORKGROUP
netbios name = HTPC
passdb backend = tdbsam
map to guest = Bad User
log file = /var/log/samba/log.%m


[shared1]
path = /srv/samba/
read only = No
guest ok = Yes
guest only = Yes


[shared2]
path = /home/balint
read only = No
guest ok = Yes
guest only = Yes

This allows me to see the 2 shares, but I’m only able to enter 1 of them, the one in my home directory:
http://i58.tinypic.com/149sj0j.png

http://i58.tinypic.com/25a3dsg.png

http://i60.tinypic.com/29y1dsn.png

The permissions are:

htpc:/srv # ls -la
total 32
drwxr-xr-x  8 root root 4096 Mar 17 12:27 .
drwxr-xr-x 23 root root 4096 Mar 17 14:20 ..
drwxr-xr-x  3 root ftp  4096 Mar 15 12:06 ftp
drwxr-xr-x  3 root root 4096 Jan 21 10:59 git
drwxr-xr-x  2 root root 4096 Mar 17 14:32 samba
drwxr-xr-x  3 svn  svn  4096 Feb 22 09:26 svn
drwxr-x---  2 tftp tftp 4096 Sep 28 05:13 tftpboot
drwxr-xr-x  5 root root 4096 Dec 15 19:47 www
htpc:/srv #

What could be the problem???

Thanks:
Balint

To the poster above me, set the shares to public = yes.

And for the security conscious, it’s not a good idea.

Did that, no change, and FYI:
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#GUESTACCOUNT


public
This parameter is a synonym for [guest ok](http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#GUESTOK).


In the end, I changed the permission of /srv/samba to 777, changed user to balint, group to users, added log level = 100 to smb.conf, and I’m seeing:

[2014/03/17 14:57:26.856598, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/passdb/lookup_sid.c:1075(legacy_gid_to_sid)
  LEGACY: gid 100 -> sid S-1-22-2-100
[2014/03/17 14:57:26.856636, 10, pid=3516, effective(65534, 65533), real(65534, 0), class=acls] ../source3/smbd/posix_acls.c:2732(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2014/03/17 14:57:26.856670, 10, pid=3516, effective(65534, 65533), real(65534, 0), class=acls] ../source3/smbd/posix_acls.c:2745(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
[2014/03/17 14:57:26.856709, 10, pid=3516, effective(65534, 65533), real(65534, 0), class=acls] ../source3/smbd/posix_acls.c:2745(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2014/03/17 14:57:26.856749, 10, pid=3516, effective(65534, 65533), real(65534, 0), class=acls] ../source3/smbd/posix_acls.c:2745(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-22-1-1000 uid 1000 (balint) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2014/03/17 14:57:26.856792, 10, pid=3516, effective(65534, 65533), real(65534, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-22-1-1000 uid 1000 (balint) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
[2014/03/17 14:57:26.856879, 10, pid=3516, effective(65534, 65533), real(65534, 0), class=acls] ../source3/smbd/posix_acls.c:1110(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2014/03/17 14:57:26.856913, 10, pid=3516, effective(65534, 65533), real(65534, 0), class=acls] ../source3/smbd/posix_acls.c:1110(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2014/03/17 14:57:26.856955, 10, pid=3516, effective(65534, 65533), real(65534, 0), class=acls] ../source3/smbd/posix_acls.c:1110(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2014/03/17 14:57:26.856996, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/open.c:172(smbd_check_access_rights)
**  smbd_check_access_rights: file . requesting 0x80 returning 0x0 (NT_STATUS_OK)**

...

[2014/03/17 14:57:26.857791,  5, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/files.c:125(file_new)
  allocated file structure fnum 835890537 (1 used)
[2014/03/17 14:57:26.857811, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/files.c:713(file_name_hash)
**  file_name_hash: /srv/samba/. hash 0xf8ee8ccc**
[2014/03/17 14:57:26.857840, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/open.c:406(fd_open)
**  fd_open: name ., flags = 0200000 mode = 00, fd = -1. Permission denied**
[2014/03/17 14:57:26.857862,  5, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/open.c:3187(open_directory)
**  open_directory: Could not open fd for . (NT_STATUS_ACCESS_DENIED)**
[2014/03/17 14:57:26.857880,  5, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
  check lock order 1 for /var/lib/samba/smbXsrv_open_global.tdb
[2014/03/17 14:57:26.857897, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order)
  lock order:  1:/var/lib/samba/smbXsrv_open_global.tdb 2:<none> 3:<none>
[2014/03/17 14:57:26.857915, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
  Locking key 31CA3802
[2014/03/17 14:57:26.857935, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/dbwrap/dbwrap_tdb.c:143(db_tdb_fetch_locked_internal)
  Allocated locked data 0x0x7f4d0bdfa720
[2014/03/17 14:57:26.857958, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/dbwrap/dbwrap_tdb.c:59(db_tdb_log_key)
  Unlocking key 31CA3802
[2014/03/17 14:57:26.857976,  5, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/lib/samba/smbXsrv_open_global.tdb
[2014/03/17 14:57:26.857997, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/dbwrap/dbwrap.c:133(debug_lock_order)
  lock order:  1:<none> 2:<none> 3:<none>
[2014/03/17 14:57:26.858017,  5, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/files.c:525(file_free)
  freed files structure 835890537 (0 used)
[2014/03/17 14:57:26.858034, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/open.c:4063(create_file_unixpath)
  create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2014/03/17 14:57:26.858051, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/open.c:4336(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED
[2014/03/17 14:57:26.858069, 50, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
  s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f4d0be021e0
[2014/03/17 14:57:26.858098, 50, pid=3516, effective(65534, 65533), real(65534, 0)] ../lib/util/tevent_debug.c:63(samba_tevent_debug)
  s3_tevent: Run immediate event "tevent_req_trigger": 0x7f4d0be021e0
[2014/03/17 14:57:26.858118, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/smb2_server.c:2643(smbd_smb2_request_error_ex)
**  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:302**
[2014/03/17 14:57:26.858136, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/smb2_server.c:2544(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2682
[2014/03/17 14:57:26.858197, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/smb2_server.c:873(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 482/512, total granted/max/low/range 31/8192/10/31
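
Added example, not part of the post above: a small Python triage of the records in this log. It flags an open that the kernel refused with Permission denied after smbd's own access check on the same name returned NT_STATUS_OK, which points at something outside Samba's ACL evaluation (directory traversal rights, mount options, or a mandatory access control layer such as AppArmor). The sample records are copied from the log above; the function names parse and triage are made up for this sketch.

```python
import re

# Records copied from the log above (forum bold markers removed, other records omitted).
SAMPLE_LOG = """\
[2014/03/17 14:57:26.856996, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/open.c:172(smbd_check_access_rights)
  smbd_check_access_rights: file . requesting 0x80 returning 0x0 (NT_STATUS_OK)
[2014/03/17 14:57:26.857811, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/files.c:713(file_name_hash)
  file_name_hash: /srv/samba/. hash 0xf8ee8ccc
[2014/03/17 14:57:26.857840, 10, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/open.c:406(fd_open)
  fd_open: name ., flags = 0200000 mode = 00, fd = -1. Permission denied
[2014/03/17 14:57:26.857862,  5, pid=3516, effective(65534, 65533), real(65534, 0)] ../source3/smbd/open.c:3187(open_directory)
  open_directory: Could not open fd for . (NT_STATUS_ACCESS_DENIED)
"""

# Header of a record: [timestamp, level, pid=, effective(uid, gid), ...] file:line(function)
HEADER = re.compile(
    r"\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), (?P<egid>\d+)\).*?\]\s+\S+\((?P<func>\w+)\)")

def parse(log):
    """Yield one dict per record: header fields plus the indented message lines."""
    rec = None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            if rec:
                yield rec
            rec = dict(m.groupdict(), msg="")
        elif rec is not None and line.startswith(" "):
            rec["msg"] += line.strip() + "\n"
    if rec:
        yield rec

def triage(log):
    """Report opens the kernel refused, and whether smbd's own check had passed."""
    acl_ok, findings = set(), []
    for r in parse(log):
        if r["func"] == "smbd_check_access_rights" and "NT_STATUS_OK" in r["msg"]:
            name = re.search(r"file (\S+) requesting", r["msg"])
            if name:
                acl_ok.add((r["pid"], name.group(1)))
        elif r["func"] == "fd_open" and "Permission denied" in r["msg"]:
            name = re.search(r"name ([^,]+),", r["msg"]).group(1)
            findings.append({"pid": r["pid"], "name": name,
                             "euid": int(r["euid"]), "egid": int(r["egid"]),
                             "acl_check_passed": (r["pid"], name) in acl_ok})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```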




Hello again,

I tried your recommendations to no avail. Before I re-post my current configs, I do want to mention that, like the other poster, I can access shares that are within my home folder /home/bstent/. It’s just anything outside of that I can’t access.

Here is the permission of the share.
drwxrwxrwx 13 bstent users 4096 Mar 9 16:49 media

Here is my Fstab of the drive I’m trying to access.
/dev/sdb1 /mnt/media ext4 acl,user_xattr 0 2

Here is my smb.conf (note I added the home share to test and it allows me access)
[global]

    passdb backend = tdbsam
    add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
    domain logons = No
    domain master = No
    security = domain
    usershare allow guests = Yes
    map to guest = bad user

    # Debug logging information

    log level = 2
    log file = /home/bstent/log/samba.log.%m
    max log size = 50
    debug timestamp = yes
    usershare max shares = 100
    workgroup =

[Media]
comment = mnt media
path = /mnt/media
valid users = bstent
force group = users
writable = yes
force group = users
guest ok = Yes
read only = No
public = yes
[bstent]
comment = bstent
inherit acls = Yes
path = /home/bstent
read only = No
guest ok = Yes

I’m not sure if openSUSE 13.1 has some override that disables access to anything from outside the user’s /home folder? My firewall is also disabled, if that helps.
Thanks again for troubleshooting.
It seems I’m not alone with this issue. Let me know if you find a solution, Balint, and I will do the same.

As a test, you could also try disabling apparmor temporarily and retry;

systemctl stop apparmor
or
rcapparmor stop

I had the same issue, here’s my solution:

  • open the Samba Server from Yast;
  • choose to open firewall ports and start the service at boot;
  • Identity Tab, ensure you have “WORKGROUP” and “Not a DC”;
  • **mount your data or documents partition in your home (e.g. create a “Data” folder) instead of /mnt/media/**
    I have this in fstab:
/dev/disk/by-id/ata-SAMSUNG_HD502HJ_S20BJ90B209770-part1 /home/ezio/Dati      ext4       noatime,acl,user_xattr              0 2
  • in the Shares tab leave all options unchecked (no guest access and no user directory sharing), add your folder with these options:
read only NO
inherit acls YES
comment WHATYOUWANT
path YOURMOUNTPATH
  • in the terminal add your user to smb:
su
smbpasswd -a YOURUSERNAME
  • done :)

I can access my folders with r/w permission from Windows, Android ES File Manager and other devices.

This points towards our current assumption, that only directories under /home/ are shareable… :(

Ah!

Surprise, surprise!
Apparmor blocks samba from sharing stuff outside the home dir.

Disable it like this, and you should be set!

http://i57.tinypic.com/358x7r4.png

Of course, you could also add the shared paths to the apparmor config:

The home folders could be shared because /etc/apparmor/profiles/extras/usr.sbin.smbd contains:


...
  /etc/samba/smb.conf r,
  /etc/samba/smbpasswd rw,


  @{HOME}/**  rwl,
  @{HOMEDIRS} rwl,
...
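
Added example, not code from the thread or from the AppArmor project: a Python check that lists which smb.conf share paths the smbd profile rules quoted above do not cover. It assumes the usual variable values @{HOMEDIRS}=/home/ and @{HOME}=@{HOMEDIRS}/*/ /root/, uses a simplified model of AppArmor globbing, and runs on a constructed smb.conf holding the share paths from both posters.

```python
import configparser
import re

# Assumed values of the AppArmor variables (typical defaults, not shown in the thread).
TUNABLES = {"HOMEDIRS": ["/home/"], "HOME": ["@{HOMEDIRS}/*/", "/root/"]}
# Path rules quoted in the thread from the smbd profile.
PROFILE = """
  /etc/samba/smb.conf r,
  /etc/samba/smbpasswd rw,
  @{HOME}/** rwl,
  @{HOMEDIRS} rwl,
"""
# Constructed smb.conf holding the share paths both posters used.
SMB_CONF = """
[Media]
path = /mnt/media
[bstent]
path = /home/bstent
[shared1]
path = /srv/samba/
[shared2]
path = /home/balint
"""

def expand(pattern):
    """Replace @{VAR} with each of its values, recursively; collapse '//'."""
    m = re.search(r"@\{(\w+)\}", pattern)
    if not m:
        return [re.sub(r"/{2,}", "/", pattern)]
    return [g for v in TUNABLES[m.group(1)]
            for g in expand(pattern[:m.start()] + v + pattern[m.end():])]

def to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def parse_profile(text):
    rules = []  # (compiled path pattern, set of permission letters)
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+([a-z]+),\s*$", line)
        if m:
            rules += [(to_regex(g), set(m.group(2))) for g in expand(m.group(1))]
    return rules

def uncovered_shares(conf_text, profile_text, need="rw"):
    """Map share name -> path for shares whose contents the profile does not allow."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    rules, missing = parse_profile(profile_text), {}
    for share in (s for s in cp.sections() if cp.has_option(s, "path")):
        path = cp[share]["path"].rstrip("/")
        # Probe a hypothetical file just below the share root.
        granted = set().union(*(p for rx, p in rules if rx.match(path + "/probe")))
        if not set(need) <= granted:
            missing[share] = path
    return missing
```

With the quoted rules, only the two shares under /home pass; Media (/mnt/media) and shared1 (/srv/samba) are reported, matching what both posters saw. A reported share needs its own path rule in the profile, written like the @{HOME} line, which keeps smbd confined instead of stopping AppArmor.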

SUCCESS!!! Thank you so much to everyone who helped me out with this!
I didn’t know about apparmor… I created a profile for my share using yast and then I was able to access my samba share from outside my home directory at /mnt/media with read and write access.

I know this thread will help a lot of other people out. Hopefully they will find it first before they search every samba thread on the internet like I did.

Thanks again for all your time and knowledge!

Brian:)

Thank you very much for the tip!!!

On Thu, 13 Mar 2014 20:16:01 GMT, bstent
<bstent@no-mx.forums.opensuse.org> wrote:

Just in case no one else sees it soon, doesn’t the local class C address
space start with 192.168.X.X instead of 192.268.X.X?

>
>Hello,
>I’ve been trying to solve this issue with accessing a samba share from a
>windows 7 box.
>Samba is on a openSuse 13.1 computer and /mnt/media is shared.
>From windows 7 I enter the IP of the suse server and enter my samba user
>name and password. It then shows me the share media. But when I double
>click it it says I don’t have permission to access
>\192.268.xxx.xxx\media.
>
>Here is my smb.conf file
>
>[global]
>
>passdb backend = tdbsam
>add machine script = /usr/sbin/useradd -c Machine -d
>/var/lib/nobody -s /bin/false %m$
>domain logons = No
>domain master = No
>security = user
>usershare allow guests =No
>map to guest = bad use
>
>
>[Media]
>comment = mnt media
>path = /mnt/media
>valid users = bstent
>force group = users
>writable = yes
>
>Here are the permissions on the /mnt/media
>
>drwxrwxrwx 13 bstent media 4096 Mar 9 16:49 .
>drwxr-xr-x 4 root root 4096 Mar 9 14:27 …
>drwxrwxrwx 4 bstent media 4096 Feb 10 17:13 .Trash-1000
>drwxrwxrwx 6 bstent media 4096 Mar 9 19:50 Files and Software
>drwxrwxrwx 19 bstent media 4096 Mar 12 17:04 Movies
>drwxrwxrwx 297 bstent media 20480 Mar 3 08:29 Music
>drwxrwxrwx 67 bstent media 12288 Jan 23 14:35 Pictures
>
>I have no idea what I’m doing wrong but I’m sure it’s a simple over
>sight or misunderstanding of permissions.
>Please help me if you can. it is much appreciated.
>
>Regards
>Brian

I’m on openSUSE 12.3, and there isn’t an “AppArmor Configuration” icon in Yast. What should I be looking for, instead?

I guess the spaces in the smb.conf file are creating the problem. Try replacing spaces with tabs.