Samba stopped working

Hi,

Quite recently (don’t know exact date when this started but within past 2 weeks) samba stopped working. No changes were made to config which used to work fine.

Home directory is still shared fine but /opt and /data no longer. Windows reports that folder does not exist. Dolphin the same.

With Dophin if I try to browse share: smb://server.lan/ (or using IP address) I get following folders:

  • data
  • homes
  • nobody
  • opt
  • private

I have not defined such a share as “nobody”. Rest are fine.

Log does not give much help either:

With server.lan:

[2022/10/29 21:38:53.101551,  0] ../../source3/smbd/msdfs.c:180(parse_dfs_path) 
  parse_dfs_path: trying to convert server.lan to a local path

With IP-address:

[2022/10/29 21:44:55.100598,  0] ../../source3/smbd/msdfs.c:180(parse_dfs_path) 
  parse_dfs_path: trying to convert 10.1.10.10 to a local path

Apparently something has changed in Samba recently but I have no idea what. Any idea what could cause this?

The config itself (this is pretty old config I’ve been using for years):

# smb.conf is the main Samba configuration file. You find a full commented 
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the 
# samba-doc package is installed. 
[global] 
        workgroup = XXXX 
        passdb backend = tdbsam 
        printing = cups 
        printcap name = cups 
        printcap cache time = 750 
        cups options = raw 
        map to guest = Bad User 
        logon path = \\%L\profiles\.msprofile 
        logon home = \\%L\%U\.9xprofile 
        logon drive = P: 
        security = user 
        usershare max shares = 100 

        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$ 
        domain logons = No 
        domain master = No 
        netbios name = ***********
        name resolve order = bcast host lmhosts wins 

        local master = yes 
        preferred master = yes 
        interfaces = br0 
        bind interfaces only = yes 
        usershare allow guests = No 
        wins support = No 
        ldap admin dn =  
        wins server =  
[homes] 
        comment = Home Directories 
        valid users = %S, %D%w%S 
        read only = No 
        inherit acls = Yes 
        create mask = 0664 
        delete veto files = No 
        directory mask = 0775 
        hide dot files = Yes 
        hide unreadable = Yes 
        veto files = .a*/.b*/.c*/.d*/.e*/.f*/.g*/.h*/.i*/.j*/.k*/.m*/.n*/.o*/.p*/.q*/.r*/.s*/.t*/.u*/.v*/.w*/.x*/.y*/.z* 
        guest ok = No 
#       browseable = No 
# [profiles] 
#       comment = Network Profiles Service 
#       path = %H 
#       read only = No 
#       store dos attributes = Yes 
#       create mask = 0600 
#       directory mask = 0700 
# [users] 
#       comment = All users 
#       path = /home 
#       read only = No 
#       inherit acls = Yes 
#       veto files = /aquota.user/groups/shares/ 
# [groups] 
#       comment = All groups 
#       path = /home/groups 
#       read only = No 
#       inherit acls = Yes 
# [printers] 
#       comment = All Printers 
#       path = /var/tmp 
#       printable = Yes 
#       create mask = 0600 
#       browseable = No 
# [print$] 
#       comment = Printer Drivers 
#       path = /var/lib/samba/drivers 
#       write list = @ntadmin root 
#       force group = ntadmin 
#       create mask = 0664 
#       directory mask = 0775 
[data] 
        comment = Media 
        create mask = 0664 
        delete veto files = No 
        directory mask = 0775 
        force group = users 
        hide dot files = Yes 
        inherit acls = Yes 
        path = /data/ 
        browsable = Yes 
        writable = Yes 
        read only = No 
        veto files = .*/ 
        guest ok = Yes 
[private] 
        comment = private 
        create mask = 0664 
        delete veto files = No 
        directory mask = 0775 
        force group = users 
        hide dot files = Yes 
        inherit acls = Yes 
        path = /private 
        read only = No 
        veto files = .*/ 
        guest ok = No 
[opt] 
        comment = Media 
        create mask = 0664 
        delete veto files = No 
        directory mask = 0775 
        force group = users 
        hide dot files = Yes 
        inherit acls = Yes 
        path = /opt 
        read only = No 
        veto files = .*/ 
        guest ok = Yes 

This problem also showed up at other distributions. It could be related to:

If you have the line in smb.conf:
map to guest = Bad User

you need to change to

*map to guest = Bad Password

This applies to Samba versions higher than 4.10.10

https://wiki.archlinux.org/title/samba#Windows_clients_keep_asking_for_password_even_if_Samba_shares_are_created_with_guest_permissions
*

Changed according to above instructions. Restarts smb and nmb but did not help with the problem. Actually, didn’t see any change.

Can you show us some smbclient output? Eg…

smbclient -L //server.lan -d5
smbclient //server.lan/data -d5

Can you navigate a share successfully using smbclient?

From ‘man smbclient’…

-d|–debuglevel=DEBUGLEVEL level is an integer from 0 to 10. The default value if this parameter is not specified is 1 for client applications.
The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.
Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.
Note that specifying this parameter here will override the log level parameter in the ${prefix}/etc/smb.conf file.

Does not seem to work. According to above output it looks like credentials are not working.

tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/lock/gencache.tdb: Permission denied

/var/lib/samba/lock:

-rw-r--r-- 1 root root 471040 Oct 30 02:10 gencache.tdb

Doesn’t look anything special here though.

Still trying to get a better handle on this…

Anything changed with permissions?

ls -ld /data
ls -ld /opt

With Dolphin if I try to browse share: smb://server.lan/ (or using IP address) I get following folders:

  • data
  • homes
  • nobody
  • opt
  • private

I have not defined such a share as “nobody”. Rest are fine.

Do you really require this entry?

add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$

Nope, no changes for ages.

ls -ld /data

drwxr-xr-x 26 *** users 4096 Aug 12 01:17 /data/

ls -ld /opt

dr-xr-xr-x 5 root root 4096 Jun 9 2021 /opt/

Do you really require this entry?

add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$

Actually, I don’t know :slight_smile: Took it out, restarted smb but no change.

With Doplhin when I go to: smb://server.lan/ I get:

  • data (does not exist)
  • homes (does not exist)
  • nobody (access denied)
  • opt (does not exist)
  • private (does not exist)

With Windows Explorer I get:

  • data (cannot be accessed)
  • homes (works)
  • <***> (user account name) (works)
  • opt (cannot be accessed)
  • private (cannot be accessed)

With Doplhin when I go to: smb://server.lan/ I get:

  • data (does not exist)
  • homes (does not exist)
  • nobody (access denied)
  • opt (does not exist)
  • private (does not exist)

Is this when accessing from the server (localhost) itself or via another Linux host on the network? If two different machines, are they both using recent samba versions?

With Windows Explorer I get:

  • data (cannot be accessed)
  • homes (works)
  • <***> (user account name) (works)
  • opt (cannot be accessed)
  • private (cannot be accessed)

Are you attempting to access with as a particular samba user with credentials or as a guest?

Localhost.

Are you attempting to access with as a particular samba user with credentials or as a guest?

Doesn’t ask user nor password. Data and opt has been configured to be guest ok. Homes and private with user account. Dolphin asks user account and password despite being ok for quests and yet does not allow in (“does not exist”).

I’m wondering if this is related to some security changes what have been done recently. These settings are now obsoleted (recently):

client use spnego = no
client ntlmv2 auth = no

Someone had similar issues but much earlier and these settings were used to solve the problem. Anyway, this problem sounds very much a security related. Has there been limitations to the path that can be used? Opt, data and private are located in root. Homes under /home/<user>/.

No, but directory permissions are important.

FWIW, here’s a reddit thread where a user describes getting an error when browsing network shares: “The file or folder does not exist.”, and not getting prompted for credentials…
https://www.reddit.com/r/kde/comments/vkgis9/dolphin_the_file_or_folder_smbservernamelocal/

I don’t know whether this is similar to what you report with Dolphin at least, but the another user in that thread suggested…

In System Settings look for Windows Shares. It should ask for a username and password.Put anything in (I currently have user:a/pass:b).
Close Dolphin. Re-open and try your shares again.

In terms of the Windows client I know the Credential Manager can be used to manage the required samba credentials for a given host…

Saw that earlier but no help. Does not even ask credentials when I access that setting.

Is guest accounts still OK without username and password or has that changed?

I don’t understand your comment here. System Settings > Network > Settings >Windows Shares brings up a dialogue box allowing one to enter the credentials. Unfortunately, it can only be configured for one particular set of credentials. The Windows credential manager can at least be made specific to a given host.

Is guest accounts still OK without username and password or has that changed?

Not that I’m aware of. I’m still openSUSE Leap 15.4 with samba version 4.15.8, and quest access still works for me. I just tested access via a Windows 10 machine, and my share with guest access just worked. Credentials are prompted for with other shares requiring it as expected.

From a Windows 10 POV, sometimes security policies can prevent guest access to a remote file server…
https://serverfault.com/questions/1035142/how-to-create-a-working-samba-public-share-on-linux-smbd-for-latest-windows-10
…although this doesn’t explain the strange behaviour reported by the Dolphin client (with the samba server itself.)

As an experiment, rename your existing smb.conf to smb.old, and create a minimal server for guest access using the following guide
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server#Creating_a_Basic_guest_only_smb.conf_File
Adjust for the share (directory) that you want to provide for. Does that result in a working samba server with guest access as desired?

Problem solved (mainly). Access permission problem still remaining.

Turned out that parameter

veto files

has changed a bit. Previously all folders and files starting with . where also visible. It was possible to remove these from listing with “veto files” parameter (“veto files = .*/”). Now this setting eliminates folders and files. At some point the visibility of dot-files/folders have changed as well since they are no longer listed - with or without having “hide dot files = yes” parameter (could also be that Dolphin and Windows explorer is hiding them automatically nowadays). smbclient still shows dot-files despite the parameter to hide them.

Anyway, commented all “veto” parameters and things got back to normal regarding folder and file visibility.

Furthermore, there is a change is permission handling. I’ve been using the shown config for years. Read and writing files in shared folders but now it was not possible - access denied. For shares “data” and “opt” I’ve forced group to “users”. All used to be fine i.e. created files got “.users" owner definition. This is no longer working the same way. It’s not possible to e.g. create file in a folder where group does not have write access. Still, the file created has correct owner definition ".users”. Haven’t found yet how to change this. Tried “force user = ***” but did not help.

In my case it does not bring up dialogue for credentials.

I’m using Win7 on the machine I’m trying to access. But the particular problem got solved and permission problem raised instead.

You may need to take your findings to one of the samba mailing lists
https://lists.samba.org/

Not something I can add value to. Good luck!