Samba Group shares, unable to connect from Mac

samba
fileshares
macos

#1

I’ve created a share on a member server and created a share “Installers” and assigned the owner as “root” and the group “Computer Admins” to it as base directory owner and group. It is impossible to connect to this group despite making myself a member of the “Computer Admins” group. I am connecting from a Mac OS X 10.12.6 client computer bound to the UCS AD DC. My default group for the user is “Domain Users” and then I belong to a number of other groups that I have created which includes the aforementioned “Computer Admins”. I have reviewed all posts here about it as well as the documentation.

I have tried force user and force group (both together and separately)
I have tried making myself the directory owner
I have tried setting and removing ACLs from the base directory

Nothing is working and I always get a “You don’t have enough permissions” error on the client computer. I don’t understand why something like a simple share should be so difficult to mount.


#2

We need some more details. Please log in on the member server via SSH and post the output of the file /etc/samba/shares.conf.d/<your-share-name>.conf (replace <your-share-name> appropriately, of course).

Please also post the output of getfacl /path/to/the/shared/directory

Thanks.


#3

/etc/samba/shares.conf.d/Installers

[Installers]
path = /groups/Installers
vfs objects = acl_xattr
msdfs root = no
writeable = yes
browseable = yes
public = no
dos filemode = yes
hide unreadable = no
create mode = 0774
directory mode = 0775
force create mode = 00
force directory mode = 00
locking = 1
blocking locks = 0
strict locking = 0
oplocks = 1
level2 oplocks = 1
fake oplocks = 1
csc policy = manual
nt acl support = 1
inherit acls = 1
inherit owner = yes
inherit permissions = yes

getfacl /groups/Installers

# file: groups/Installers/
# owner: myusername
# group: Computer\040Admins
user::rwx
group::rwx
other::r-x

#4

Alright, thanks. Please try the following next on the very same server the share is offered from & post the output:

smbclient -NL $(hostname)
smbclient -U administrator //$(hostname)/Installers

The second command will ask for a password. Use the same password you’re using for logging in at the Univention Management Console (the domain administrator’s password). The second command should also give you a shell-like file transfer tool; its prompt will be smb: \>. You can get out of that with quit or pressing Ctrl+d.


#5

smbclient -NL $(hostname)

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
IPC$            IPC       IPC Service (groups univention corporate server)
Advancement     Disk      
Installers      Disk      

Server               Comment
---------            -------

Workgroup            Master
---------            -------
SKAGGSCATHOLICC      AD

smbclient -U administrator //$(hostname)/Installers

Enter SKAGGSCATHOLICC\administrator's password: 
smb: \> ^C

#6

This means that the share is present and that you may access it with the domain admin’s credentials. Now try accessing the same share from a client, e.g. a Mac or a Windows machine, and use the same credentials: SKAGGSCATHOLICC\administrator as the user name and the password you’ve typed when connecting with smbclient.


#7

The Mac isn’t giving me the option because it is bound. It tries to use the username of the currently logged-in user.

mount -v -t smbfs //groups.skaggscatholiccenter.org/Installers ~/Installers
Password for groups.skaggscatholiccenter.org: 
mount_smbfs: server rejected the connection: Authentication error

When I try through the “Connect to Server” dialog:
[screenshot not preserved]
And when I connect…
[screenshot not preserved]

To which I tried without the “smb:” and used //groups.sk…, and that turned into smb:////groups.sk… when it tried to connect. So I tried backslashes \\groups.sk… and it was a different error about the server not existing, but still an error. I tried with no slashes or smb: and it was the same error as before. I have also tried cifs:// with no luck either.


#8

The error message “URLs with the type ‘smb:’ are not supported” seems to hint that the file sharing support is not installed. See e.g. this article on how to install it. As I don’t have a Mac myself I cannot verify if that’s the actual problem, but the linked article talks about using smb: URLs after installing that software component, so…

Can you connect to other shares from your Mac? Do you have any non-Mac machine that you can test connecting to the newly-created Installers share with?


#9

Nope. That is not the answer. Sharing obviously works because all of our Macs can connect to UCS servers for samba home shares just fine. I can connect to an old mac server running samba shares so it seems by process of elimination that the fault is with the UCS server. When it was installed I joined this groups server as a “Member Server” and with “File and print” services.


#10

I’m trying to piece together your setup from your answers. You seem to be saying that the server with the “installers” share is a new server? That you’ve never had a successful connection with from a Mac? What about that “Advancement” share; can you connect to that one?

And again my question, can you try connecting to the “installers” share from a non-Mac client, please?


#11

Yes, the setup is a new UCS server that is just serving group share points. And correct, I’ve never had a successful connection on that new server. Our old Mac server, which was also using Samba, was able to successfully share to hundreds of clients. I’ve tried from several of my clients and none of them can connect, even with the UCS domain admin user “administrator”.

As for the smb: error, I traced that back to the manual section 3.2.4 where it talks about altering the Mac /etc/auto_master file and adding /etc/auto_custom. Once I reset those files to the pre-UCS settings I only got the “permission denied” error. Those alterations also prohibited me from mounting any other hard drives, even when directly connected via USB or Thunderbolt connections.

I was going to look for a way to maybe specify an earlier version of the SMB protocol like SMB1 to test but all the clients connect to the home share servers just fine. Just not this group server.


#12

Oh and yes I can connect to the Installers share from a windows computer but only with the UCS AD Administrator login, I cannot connect with my credentials. When using mine I get an access denied error.


#13

Alright, all the behavior you’re describing is rather unusual. At this point I recommend you re-join the affected server again (which won’t destroy data, but it will copy LDAP content, certificates, re-create the server’s account in the LDAP etc.). First remove the machine account from the LDAP in the UMC. Next execute univention-join on the affected server and use administrator with the corresponding password as the credentials. After the (hopefully) successful join reboot the server.

Next you may have to re-create the share in the UMC as you did remove the server’s machine account earlier. Or at least check if the share definition is still present in LDAP and that the server it is set to appear on is correct.

Now check the output of smbclient -NL $(hostname) on the affected server. If the output contains the share, then try connecting.


#14

No change. I’m about to reformat this box and start over. It is driving me nuts.


#15

No change? Dang.

Before you reinstall it, please post the output of the following command from both the problematic server and from the server providing the home share that works fine:

ucr search --brief samba

Thanks.


#16

From the homes server that’s working

# ucr search --brief samba
appcenter/apps/samba-memberserver/status: installed
appcenter/apps/samba-memberserver/ucs: 4.2
appcenter/apps/samba-memberserver/version: 4.6
directory/manager/samba3/legacy: <empty>
samba/acl/allow/execute/always: yes
samba/adminusers: administrator join-backup
samba/auth/methods: <empty>
samba/autostart: yes
samba/charset/display: <empty>
samba/charset/dos: <empty>
samba/charset/unix: <empty>
samba/client/max/protocol: <empty>
samba/client/min/protocol: <empty>
samba/client_use_spnego: yes
samba/cups/encrypt: <empty>
samba/deadtime: 15
samba/debug/level: 0
samba/domain/logons: auto
samba/domain/security: ads
samba/domainmaster: <empty>
samba/enable-msdfs: <empty>
samba/enable-privileges: <empty>
samba/encrypt_passwords: yes
samba/generate_smbpasswd: false
samba/getwd_cache: yes
samba/guest_account: nobody
samba/homedirletter: <empty>
samba/homedirpath: <empty>
samba/homedirserver: <empty>
samba/idmap/range: <empty>
samba/interfaces/bindonly: <empty>
samba/interfaces: <empty>
samba/invalid_users: <empty>
samba/kernel_oplocks: yes
samba/large_readwrite: yes
samba/ldap/replication/sleep: <empty>
samba/logonscript: <empty>
samba/machine_password_timeout: <empty>
samba/map_to_guest: Bad User
samba/max/protocol: <empty>
samba/max_log_size: <empty>
samba/max_open_files: 32808
samba/max_xmit: 65535
samba/memberserver/passdb/ldap: <empty>
samba/min/protocol: <empty>
samba/netbios/aliases: <empty>
samba/netlogon/sync: sync
samba/ntlm/auth: <empty>
samba/oplocks: yes
samba/os/level: 65
samba/passdb/expand/explicit: <empty>
samba/password/checkscript: /usr/share/univention-samba/password_check %u
samba/preserve_case: yes
samba/profilepath: <empty>
samba/profileserver: <empty>
samba/quota/command: /usr/sbin/univention-setquota
samba/read_raw: yes
samba/register/exclude/interfaces: docker0
samba/role: memberserver
samba/script/addgroup: true
samba/script/addmachine: true
samba/script/adduser: true
samba/script/addusertogroup: true
samba/script/deletegroup: true
samba/script/deleteuser: true
samba/script/deleteuserfromgroup: true
samba/script/postusermodify: false
samba/script/setprimarygroup: true
samba/serverstring: <empty>
samba/share/groups: no
samba/share/home: yes
samba/share/netlogon/path: <empty>
samba/share/netlogon: no
samba/short_preserve_case: yes
samba/socket_options: <empty>
samba/spoolss/architecture: <empty>
samba/store_dos_attributes: yes
samba/time_server: yes
samba/use_spnego: yes
samba/user/pwdfile: /etc/machine.secret
samba/user: cn=staff,cn=memberserver,cn=computers,dc=skaggscatholiccenter,dc=org
samba/usershare/allow_guests: <empty>
samba/usershare/max_shares: <empty>
samba/usershare/owner_only: <empty>
samba/usershare/path: <empty>
samba/usershare/prefix_allow_list: <empty>
samba/usershare/prefix_deny_list: <empty>
samba/usershare/template_share: <empty>
samba/vfs/acl_xattr/ignore_system_acls: <empty>
samba/wide_links: <empty>
samba/winbind/max/clients: <empty>
samba/winbind/nested/groups: no
samba/winbind/rpc/only: <empty>
samba/winbind/trusted/domains/only: <empty>
samba/write_raw: yes
samba4/ntacl/backend: native
security/packetfilter/package/univention-samba/tcp/137:139/all/en: netbios (Samba)
security/packetfilter/package/univention-samba/tcp/137:139/all: ACCEPT
security/packetfilter/package/univention-samba/tcp/445/all/en: microsoft-ds (Samba)
security/packetfilter/package/univention-samba/tcp/445/all: ACCEPT
security/packetfilter/package/univention-samba/udp/137/all: ACCEPT
security/packetfilter/package/univention-samba/udp/137:139/all/en: netbios (Samba)
security/packetfilter/package/univention-samba/udp/137:139/all: ACCEPT
security/packetfilter/package/univention-samba/udp/445/all/en: microsoft-ds (Samba)
security/packetfilter/package/univention-samba/udp/445/all: ACCEPT

From the Groups server that’s not working:

# ucr search --brief samba
appcenter/apps/samba-memberserver/status: installed
appcenter/apps/samba-memberserver/ucs: 4.2
appcenter/apps/samba-memberserver/version: 4.6
directory/manager/samba3/legacy: <empty>
samba/acl/allow/execute/always: yes
samba/adminusers: administrator join-backup
samba/auth/methods: <empty>
samba/autostart: yes
samba/charset/display: <empty>
samba/charset/dos: <empty>
samba/charset/unix: <empty>
samba/client/max/protocol: <empty>
samba/client/min/protocol: <empty>
samba/client_use_spnego: yes
samba/cups/encrypt: <empty>
samba/deadtime: 15
samba/debug/level: 0
samba/domain/logons: auto
samba/domain/security: ads
samba/domainmaster: <empty>
samba/enable-msdfs: <empty>
samba/enable-privileges: <empty>
samba/encrypt_passwords: yes
samba/generate_smbpasswd: false
samba/getwd_cache: yes
samba/guest_account: nobody
samba/homedirletter: <empty>
samba/homedirpath: <empty>
samba/homedirserver: <empty>
samba/idmap/range: <empty>
samba/interfaces/bindonly: <empty>
samba/interfaces: <empty>
samba/invalid_users: <empty>
samba/kernel_oplocks: yes
samba/large_readwrite: yes
samba/ldap/replication/sleep: <empty>
samba/logonscript: <empty>
samba/machine_password_timeout: <empty>
samba/map_to_guest: Bad User
samba/max/protocol: <empty>
samba/max_log_size: <empty>
samba/max_open_files: 32808
samba/max_xmit: 65535
samba/memberserver/passdb/ldap: <empty>
samba/min/protocol: <empty>
samba/netbios/aliases: <empty>
samba/netlogon/sync: sync
samba/ntlm/auth: <empty>
samba/oplocks: yes
samba/os/level: 65
samba/passdb/expand/explicit: <empty>
samba/password/checkscript: /usr/share/univention-samba/password_check %u
samba/preserve_case: yes
samba/profilepath: <empty>
samba/profileserver: <empty>
samba/quota/command: /usr/sbin/univention-setquota
samba/read_raw: yes
samba/register/exclude/interfaces: docker0
samba/role: memberserver
samba/script/addgroup: true
samba/script/addmachine: true
samba/script/adduser: true
samba/script/addusertogroup: true
samba/script/deletegroup: true
samba/script/deleteuser: true
samba/script/deleteuserfromgroup: true
samba/script/postusermodify: false
samba/script/setprimarygroup: true
samba/serverstring: <empty>
samba/share/groups: no
samba/share/home: yes
samba/share/netlogon/path: <empty>
samba/share/netlogon: no
samba/short_preserve_case: yes
samba/socket_options: <empty>
samba/spoolss/architecture: <empty>
samba/store_dos_attributes: yes
samba/time_server: yes
samba/use_spnego: yes
samba/user/pwdfile: /etc/machine.secret
samba/user: cn=groups,cn=memberserver,cn=computers,dc=skaggscatholiccenter,dc=org
samba/usershare/allow_guests: <empty>
samba/usershare/max_shares: <empty>
samba/usershare/owner_only: <empty>
samba/usershare/path: <empty>
samba/usershare/prefix_allow_list: <empty>
samba/usershare/prefix_deny_list: <empty>
samba/usershare/template_share: <empty>
samba/vfs/acl_xattr/ignore_system_acls: <empty>
samba/wide_links: <empty>
samba/winbind/max/clients: <empty>
samba/winbind/nested/groups: no
samba/winbind/rpc/only: <empty>
samba/winbind/trusted/domains/only: <empty>
samba/write_raw: yes
samba4/ntacl/backend: native
security/packetfilter/package/univention-samba/tcp/137:139/all/en: netbios (Samba)
security/packetfilter/package/univention-samba/tcp/137:139/all: ACCEPT
security/packetfilter/package/univention-samba/tcp/445/all/en: microsoft-ds (Samba)
security/packetfilter/package/univention-samba/tcp/445/all: ACCEPT
security/packetfilter/package/univention-samba/udp/137/all: ACCEPT
security/packetfilter/package/univention-samba/udp/137:139/all/en: netbios (Samba)
security/packetfilter/package/univention-samba/udp/137:139/all: ACCEPT
security/packetfilter/package/univention-samba/udp/445/all/en: microsoft-ds (Samba)
security/packetfilter/package/univention-samba/udp/445/all: ACCEPT
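Reading two ucr dumps of this length side by side by eye is error-prone. The following Python helper is an added example (not code from the thread or from Univention): it parses both dumps into dictionaries and reports only the keys whose values differ. The two inputs are constructed excerpts of the dumps above, reduced to a few keys, with the machine-account DNs taken from the posts.

```python
"""Diff two `ucr search --brief samba` dumps and list only the settings that differ.

Added example (not from the thread or from Univention). The two inputs below are
constructed excerpts of the dumps posted above; only samba/user differs, which is
expected since it is each server's own machine account.
"""

HOMES_SERVER = """\
# ucr search --brief samba
samba/acl/allow/execute/always: yes
samba/client/min/protocol: <empty>
samba/domain/security: ads
samba/role: memberserver
samba/user: cn=staff,cn=memberserver,cn=computers,dc=skaggscatholiccenter,dc=org
samba/winbind/nested/groups: no
security/packetfilter/package/univention-samba/tcp/137:139/all: ACCEPT
"""

GROUPS_SERVER = """\
# ucr search --brief samba
samba/acl/allow/execute/always: yes
samba/client/min/protocol: <empty>
samba/domain/security: ads
samba/role: memberserver
samba/user: cn=groups,cn=memberserver,cn=computers,dc=skaggscatholiccenter,dc=org
samba/winbind/nested/groups: no
security/packetfilter/package/univention-samba/tcp/137:139/all: ACCEPT
"""


def parse_ucr_brief(text):
    """Turn 'key: value' lines into a dict. '<empty>' (unset variable) becomes ''.

    The separator is the first ': ' (colon followed by a space), not the first
    ':', because keys such as .../tcp/137:139/all contain a colon of their own.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and the echoed prompt
            continue
        key, sep, value = line.partition(": ")
        if not sep:                            # 'key:' with nothing after it
            key, value = line.rstrip(":"), ""
        value = value.strip()
        settings[key] = "" if value == "<empty>" else value
    return settings


def diff_ucr(text_a, text_b):
    """Return {key: (value_in_a, value_in_b)} for keys whose values differ.

    A key present on only one side shows up as None on the other side.
    """
    a, b = parse_ucr_brief(text_a), parse_ucr_brief(text_b)
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(a.keys() | b.keys())
        if a.get(key) != b.get(key)
    }


if __name__ == "__main__":
    # Run on the two constructed excerpts: only samba/user should be reported.
    for key, (homes, groups) in diff_ucr(HOMES_SERVER, GROUPS_SERVER).items():
        print(f"{key}\n  homes : {homes!r}\n  groups: {groups!r}")
```

On the full dumps posted above the same function reports just samba/user, which is the per-server machine account and therefore expected to differ; that is the mechanical form of the conclusion in the next reply that the ucr settings are not where the problem lies.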

#17

Thanks, but unfortunately that’s not really enlightening either. I’d say go ahead with the reinstallation.


#18

OK, the reinstall didn’t work either. Is there something funny about fstab and group shares? My RAID volumes on my other servers for network homes work fine with defaults,user_xattr. I’ve tried those options and variations on others as well, but when the group share is on the RAID volume it fails to mount. If I move it to a local folder on the boot drive it works fine. Currently using defaults,acl,user_xattr, to no avail either.

Output of ls -l /:

drwxr-xr-x   3 root nogroup  4096 Aug 30 08:04 groups
drwx------  15 root root     4096 Aug 19 11:39 grpshares

“groups” is the local folder on the boot drive
“grpshares” is the raid volume I’m trying to use for group shares.

I was able to mount one of my shares by chgrp to “nogroup” on the “grpshares” directory and setting permissions to 755 like the “groups” directory.


#19

Yeah well, that’s Unix 101. If a parent directory is inaccessible to a user, then permissions on the sub-directory don’t even come into play. The user needs at least directory traversal permission (the x bit on a directory) on all parent directories.
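As an added illustration of the point in this reply (not code from the thread or from Univention), here is a small Python checker that walks every directory component on the way to a share path and evaluates the search (x) bit the way the kernel's mode-bit check does for a given uid and set of gids, without calling os.access, so it can answer for a user other than the one running it. The layout it builds is a constructed temp-dir copy of the situation in the previous post: a 0700 parent like /grpshares above a 0775 share directory. The uid and gids it tests with are hypothetical, and the `top` argument lets it start below a temp directory instead of at /.

```python
"""Find the directory that blocks traversal to a share path for a given user.

Added example, not from the thread. It evaluates the POSIX mode bits itself
(owner / group / other, root bypasses) so that it can report for a hypothetical
uid and group set, which is exactly what you want when debugging "access denied"
on a share whose own directory looks fine: a parent without the x bit for that
user makes everything below it unreachable, whatever the share's ACL says.
"""
import os
import stat
import tempfile
from pathlib import Path


def can_search(st, uid, gids):
    """POSIX search (execute) check on one directory for uid / group set gids."""
    if uid == 0:                          # root bypasses discretionary mode bits
        return True
    mode = st.st_mode
    if uid == st.st_uid:
        return bool(mode & stat.S_IXUSR)  # owner class
    if st.st_gid in gids:
        return bool(mode & stat.S_IXGRP)  # group class
    return bool(mode & stat.S_IXOTH)      # other class


def traversal_report(path, uid, gids, top="/"):
    """Return [(component, octal_mode, searchable)] for each directory from just
    below `top` down to and including `path`. `top` itself is assumed reachable."""
    path = Path(path).resolve()
    top = Path(top).resolve()
    gids = set(gids)
    report = []
    current = top
    for part in path.relative_to(top).parts:
        current = current / part
        st = os.stat(current)
        report.append((str(current), oct(stat.S_IMODE(st.st_mode)), can_search(st, uid, gids)))
    return report


def first_blocker(path, uid, gids, top="/"):
    """Full path of the first directory that denies search permission, or None."""
    for component, _mode, ok in traversal_report(path, uid, gids, top):
        if not ok:
            return component
    return None


def demo():
    """Rebuild the thread's layout in a temp dir (constructed sample, not the
    poster's server): grpshares is 0700, Installers below it is 0775, and a
    hypothetical user who is not the owner but is in the group tries to reach it.
    Returns (blocking directory name before the chmod, blocker after chmod 755)."""
    base = Path(tempfile.mkdtemp())
    grpshares = base / "grpshares"
    share = grpshares / "Installers"
    share.mkdir(parents=True)
    os.chmod(grpshares, 0o700)             # the "drwx------ root root grpshares" case
    os.chmod(share, 0o775)                 # the share directory itself is fine
    st = os.stat(share)
    other_uid = st.st_uid + 1              # hypothetical: some user who is not the owner
    gids = {st.st_gid}                     # ... but is a member of the directory's group
    before = first_blocker(share, other_uid, gids, top=base)
    os.chmod(grpshares, 0o755)             # the fix applied in the previous post
    after = first_blocker(share, other_uid, gids, top=base)
    return (Path(before).name if before else None, after)


if __name__ == "__main__":
    blocked_by, after_fix = demo()
    print(f"before chmod: blocked at {blocked_by!r}; after chmod 755: blocker={after_fix!r}")
```

On a real server you would call first_blocker("/grpshares/Installers", uid, gids) with the uid and gid list that `id <user>` prints for the affected account; the same walk is what `namei -m /grpshares/Installers` shows interactively, minus the per-user evaluation.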