# Samba permission issues

## Akaihiryuu

I just set up a new server...I installed samba on it, and I literally copied /etc/samba/smb.conf from the old server to the new one.  The new server has the exact same configuration...same IP address, everything.  But now I cannot connect to the Samba shares from a Windows machine, it comes up asking for a password.

I specifically set up a share browseable from any computer that's on my internal network.  Any computer I have authorized to be on my network I have specifically set up in DHCP and DNS so that the IP address reverse resolves to something on my domain, and I use this to determine whether Samba should allow someone to browse the public share (\\triforce\share).

I also have the user home directories accessible...in my case my username on my Windows machine matches the Linux machine, so I should be able to get in that way as well, but nothing works...either my specific stuff or the public share.  Even if I type in what I know to be my Linux login/password, it does not work.  I specifically went into smbpasswd and set my password to be the same as my login on my Windows machine.

I am assuming that I didn't set up something properly with Samba itself, as opposed to being a config file issue.

Here is my smb.conf:

```
[global]
   workgroup = INTERNAL
   netbios name = TRIFORCE
   server string = ""
   log file = /var/log/samba/log.%m
   max log size = 50
   hosts allow = localhost .internal.lan
   interfaces = lo br0
   bind interfaces only = yes
   map to guest = bad user
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/private/smbpasswd
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
   os level = 100
   domain master = yes
   preferred master = yes
   wins support = yes
   dns proxy = no
   printing = none
#   printing = cups
#   printcap name = cups
#   load printers = yes
#   print command = lpr-cups -P %p %s

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[share]
   comment = Share
   path = /home/akai/share
   public = yes
   writable = no

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = yes
   writable = no
   printable = yes
   create mode = 0700
```

Last edited by Akaihiryuu on Sun Feb 12, 2012 3:28 am; edited 2 times in total

----------

## Hu

What is the output of emerge --info net-fs/samba?

----------

## Akaihiryuu

Here you go:

```
triforce samba # emerge --info net-fs/samba
Portage 2.1.10.44 (default/linux/amd64/10.0, gcc-4.5.3, glibc-2.13-r4, 3.2.1-gentoo-r2 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.2.1-gentoo-r2-x86_64-AMD_A4-3300_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.0.3
Timestamp of tree: Thu, 09 Feb 2012 10:30:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="ftp://lug.mtu.edu/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="acl amd64 apache2 berkdb bzip2 cli cracklib crypt cups cxx dri fortran gd gdbm gpm iconv ipv6 logrotate mmx modules mudflap multilib multiuser mysql ncurses nls nptl nptlonly openmp pam pcre pppd readline session smbsharemodes sse sse2 ssl sysfs tcpd unicode vhosts xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
=================================================================
                        Package Settings
=================================================================
net-fs/samba-3.5.11 was built with the following:
USE="acl aio client cups (multilib) netapi pam readline server smbclient smbsharemodes -addns -ads -avahi -caps -cluster -debug -doc -examples -fam -ldap -ldb -quota -smbtav2 -swat -syslog -winbind"
```

Also, I found out something additional.  It has something to do with using reverse DNS as authorization.  It worked on my old one, but it's not working on this one.  If I add 192.168.0. to hosts allow, it works.  This must have something to do with DNS.  But the odd thing is it worked on my old server.

----------

## Akaihiryuu

It looks like this isn't a Samba problem after all, but a DNS problem.  I'm using BIND, I actually copied my zone files over from my old server unchanged.  Reverse DNS appears to work with host and nslookup, but dig isn't returning correct information.

EDIT: Nevermind...I just wasn't using dig properly.  Reverse DNS is fine...so I'm still stumped.

```
triforce pri # host 192.168.0.1
1.0.168.192.in-addr.arpa domain name pointer triforce.internal.lan.
```

```
triforce ~ # dig -x 192.168.0.1

; <<>> DiG 9.8.1 <<>> -x 192.168.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28498
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 604800 IN     PTR     triforce.internal.lan.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 604800  IN      NS      triforce.internal.lan.

;; ADDITIONAL SECTION:
triforce.internal.lan.  604800  IN      A       192.168.0.1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 11 22:28:19 2012
;; MSG SIZE  rcvd: 107
```

----------

## dE_logics

In [share] have you tried with guest ok = yes?

----------

## Akaihiryuu

*dE_logics wrote:*

> In [share] have you tried with guest ok = yes?

Yes, I have.  Makes no difference.  Even the parts that are password protected (the home directory share), I cannot get in even if I put my login information in.

But if I add 192.168.0. (or individual IP addresses for the machines I want to let in), everything works fine.  It only doesn't work if I try to use DNS names in the hosts allow section.  I did use them on the old server.  But on this one I have to use IP addresses for some strange reason.

----------

## dE_logics

The syntax of hosts allow is not clear in the man page, or in that case anywhere.

Maybe the behaviour changed....

How about removing that '.' before your domain? Or wildcards?

As for user level security, last time I checked I concluded (after rigorous experimentation):

*Quote:*

> In user level security, Windows will ask for username/password when opening the share (thus you can't browse without a valid username/password)

*Quote:*

> In user level security, if you want passwordless access to shares from a Windows client without the user seeing Windows errors, put 'bad user =' option inside the resource.

----------

## Akaihiryuu

*dE_logics wrote:*

> The syntax of hosts allow is not clear in the man page, or in that case anywhere.
> 
> Maybe the behaviour changed....
> 
> How about removing that '.' before your domain? Or wildcards?
> ...

Tried that.  I even put the full DNS name of the computer I'm on and it won't accept it...IP address only.

----------

## dE_logics

Is /etc/hosts empty?

Have you added PTR records to the DNS server? That's because I'm not sure if Samba does a reverse lookup of the IP of the incoming connection or does normal resolution of the given DNS name.

Maybe you should try host deny with EXCEPT (just for testing purposes).

Lastly, in case this doesn't work, you always have iptables.

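An added illustration (editor's example, not code from any post in this thread) of how Samba 3.x answers the question just raised. It is modelled on the access check in Samba's lib/access.c (tcp_wrappers-style list matching) and on get_peer_name()/matchname() in lib/util_sock.c: when the hosts allow/deny lists contain anything other than plain addresses, smbd reverse-resolves the client address, forward-resolves the resulting name, and requires the original address to appear among the forward answers; on a mismatch it logs a `Matchname failed` line and matches against the literal name UNKNOWN, so `.internal.lan` can no longer match while `192.168.0.` and exact addresses still do. The PTR/A tables are constructed stand-ins for the BIND zones (zelda, link and 192.168.0.50 are made-up hosts), and the function names are mine:

```python
"""Model of Samba 3.x 'hosts allow'/'hosts deny' evaluation. Editor-added
example after lib/access.c and get_peer_name()/matchname() in
lib/util_sock.c; not Samba's code. DNS data is constructed (offline)."""
import ipaddress

# Constructed stand-ins for the BIND reverse and forward zones.
PTR_RECORDS = {
    "192.168.0.1": "triforce.internal.lan",
    "192.168.0.10": "zelda.internal.lan",  # forward record agrees
    "192.168.0.11": "link.internal.lan",   # forward record disagrees (see A_RECORDS)
    # 192.168.0.50 has no PTR: a DHCP client never entered in DNS
}
A_RECORDS = {
    "triforce.internal.lan": ["192.168.0.1"],
    "zelda.internal.lan": ["192.168.0.10"],
    "link.internal.lan": ["192.168.0.12"],  # stale: reverse/forward mismatch
}

def peer_name(addr, ptr=PTR_RECORDS, a=A_RECORDS):
    """get_peer_name(sock, force_lookup=True): reverse lookup, then a forward
    lookup of the result that must contain the original address. On a mismatch
    smbd logs "Matchname failed on <name> <addr>" and uses the name UNKNOWN."""
    name = ptr.get(addr)
    if name is None:
        return addr  # no PTR: the "name" is just the address text
    return name if addr in a.get(name, []) else "UNKNOWN"

def split_list(value):
    """smb.conf lists are separated by spaces and/or commas."""
    return value.replace(",", " ").split()

def string_match(tok, s):
    """One token against one string (address or host name)."""
    tok, s = tok.lower(), s.lower()
    if tok == "all":
        return True
    if tok.startswith("."):  # '.internal.lan': host-name suffix
        return s.endswith(tok)
    if tok.endswith("."):    # '192.168.0.': address prefix
        return s.startswith(tok)
    if "/" in tok:           # 'net/mask' or 'net/bits': addresses only
        try:
            return ipaddress.ip_address(s) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return tok == s

def client_match(tok, addr, name):
    """Address first, then the resolved name if there is one."""
    return string_match(tok, addr) or (bool(name) and string_match(tok, name))

def list_match(tokens, addr, name):
    """A match before EXCEPT wins unless a token after EXCEPT also matches."""
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    head, tail = tokens[:cut], tokens[cut + 1:]
    if not any(client_match(t, addr, name) for t in head):
        return False
    return not any(client_match(t, addr, name) for t in tail)

def allow_access(deny, allow, addr, name):
    """Decision table of allow_access() in lib/access.c."""
    if addr == "127.0.0.1":  # loopback: allowed unless denied and not also allowed
        denied = bool(deny) and list_match(deny, addr, name)
        return not denied or (bool(allow) and list_match(allow, addr, name))
    if not deny and not allow:
        return True
    if not deny:
        return list_match(allow, addr, name)
    if not allow:
        return not list_match(deny, addr, name)
    if list_match(allow, addr, name):
        return True
    return not list_match(deny, addr, name)

def only_ipaddrs_in_list(tokens):
    """True when no token would need a name lookup to match."""
    for t in tokens:
        if t.upper() in ("ALL", "FAIL", "EXCEPT") or "/" in t:
            continue
        try:
            ipaddress.ip_address(t)
        except ValueError:
            return False
    return True

def check_access(hosts_allow, hosts_deny, client_addr):
    """check_access(): returns (allowed, name smbd matched against)."""
    allow, deny = split_list(hosts_allow), split_list(hosts_deny)
    if not allow and not deny:
        return True, ""
    if only_ipaddrs_in_list(allow) and only_ipaddrs_in_list(deny):
        name = ""  # address-only lists: smbd skips DNS entirely
    else:
        name = peer_name(client_addr)
    return allow_access(deny, allow, client_addr, name), name

if __name__ == "__main__":
    for ip in ("192.168.0.10", "192.168.0.11", "192.168.0.50"):
        ok, name = check_access("localhost .internal.lan", "", ip)
        print(f"{ip:13} seen as {name:22} -> {'Allowed' if ok else 'Denied'}")
```

With the thread's `hosts allow = localhost .internal.lan`, the host whose forward record disagrees is seen as UNKNOWN and denied, the host with no PTR is seen by its bare address and denied, and both pass as soon as `192.168.0.` or their exact addresses are added, which is the behaviour reported above. On the real server, smbd writes `Allowed connection from <name> (<addr>)` or `Denied connection from ...` to the per-client log at `log level = 3`, and the `Matchname failed` line appears at the default level; `testparm /etc/samba/smb.conf <name> <addr>` evaluates the same lists but takes the name you give it, so it cannot reproduce a reverse/forward mismatch.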
----------

## Akaihiryuu

*dE_logics wrote:*

> Is /etc/hosts empty?
> 
> Have you added PTR records to the DNS server? That's because I'm not sure if Samba does a reverse lookup of the IP of the incoming connection or does normal resolution of the given DNS name.
> 
> Maybe you should try host deny with EXCEPT (just for testing purposes).
> ...

/etc/hosts is empty except for localhost yes...but it was on the old one too.  I literally copied everything...DNS configuration, Samba configuration, everything from the old server to the new one.  So everything should be identical...that's what's confusing.  But yes, I do have PTR records set up in my DNS server (I made a complete zone for my home network).

I'll try the hosts file thing and see what happens though, even though I never had to do that before.

EDIT: No go with the hosts thing.  I have to either put 192.168.0. in, which allows anything on my network in (including those I don't have set up in DNS/DHCP), or specific IP's of computers I want to let in.  Right now I'm going with the latter...there are only two computers on the network that use it so I just put their full IP's in.

----------

## dE_logics

This should be reported to the samba developers.

----------

## Akaihiryuu

I thought of that too, but I'm still thinking it has something to do with my setup, because it worked fine on my old one.  When I get a chance I'm going to check and see what options I compiled Samba with on my old one, maybe they're different.

----------

