# samba permissions problem after upgrade to 4.1

## ryszardzonk

Recently the upgrade to samba 4.1 was possible in the unstable tree. As the upgrade involved a few blocks, the easiest way to upgrade was to "emerge -C mit-krb5 samba", after which the update was possible, which installed the following:

```
     Tue Mar 10 14:04:36 2015 >>> dev-db/lmdb-0.9.14
     Tue Mar 10 14:05:00 2015 >>> dev-util/cppunit-1.13.2-r2
     Tue Mar 10 14:05:31 2015 >>> dev-libs/check-0.9.13-r1
     Tue Mar 10 14:07:56 2015 >>> net-nds/openldap-2.4.40-r3
     Tue Mar 10 14:08:57 2015 >>> sys-libs/tevent-0.9.24
     Tue Mar 10 14:15:36 2015 >>> app-crypt/heimdal-1.5.3-r2
     Tue Mar 10 14:15:41 2015 >>> dev-python/mimeparse-0.1.4-r1
     Tue Mar 10 14:15:47 2015 >>> dev-python/extras-0.0.3
     Tue Mar 10 14:15:52 2015 >>> dev-python/unittest2-0.8.0
     Tue Mar 10 14:15:58 2015 >>> dev-python/testtools-1.5.0
     Tue Mar 10 14:16:16 2015 >>> dev-python/subunit-0.0.21-r1
     Tue Mar 10 14:18:27 2015 >>> sys-libs/tdb-1.3.4
     Tue Mar 10 14:19:21 2015 >>> sys-libs/ntdb-1.0-r1
     Tue Mar 10 14:19:56 2015 >>> sys-libs/ldb-1.1.20
     Tue Mar 10 14:26:46 2015 >>> net-fs/samba-4.1.17
     Wed Mar 11 12:37:54 2015 >>> net-fs/cifs-utils-6.4
```

```
Calculating dependencies... done!
[ebuild   R    ] net-fs/samba-4.1.17::gentoo  USE="aio winbind -acl -addns -ads -avahi -client -cluster -cups -dmapi -fam -gnutls -iprint -ldap -quota (-selinux) -syslog -systemd {-test}" PYTHON_TARGETS="python2_7" 0 KiB
```

Now, as a result, I am not able to log in from my boxes to the server, as it apparently removed some files while unmerging.

```
[2015/03/11 04:35:44.472013,  0] auth/user_util.c:357(map_username)
  can't open username map /etc/samba/smbusers. Error No file or directory
[2015/03/11 04:35:44.559258,  0] auth/pampass.c:797(smb_pam_accountcheck)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User foobar!
```

The question is what steps I should take to resolve this situation, as I am running out of ideas :Sad:

Could it be a problem with PAM, not Samba itself?

----------

## ryszardzonk

[WORKAROUND]

I found samba4 to have all kinds of bugs open including

- https://bugs.gentoo.org/show_bug.cgi?id=542462 [app-crypt/heimdal and app-crypt/mit-krb5 need to be parallel-installable for gnome + samba]

- https://bugs.gentoo.org/show_bug.cgi?id=489770 [>=net-fs/samba-4.0 automagically depends on sys-libs/pam (libpam.so)]

- https://bugs.gentoo.org/show_bug.cgi?id=490872 [net-fs/samba-4.x: app-crypt/heimdal and app-crypt/mit-krb5 blocking by other package like openssl]

Therefore I have downgraded to the previous version of samba, for which I did the following:

Masking the new samba in /etc/portage/package.mask:

```
>=net-fs/samba-3.99
```

```
emerge -C samba heimdal && emerge mit-krb5 samba cifs-utils
```

Be warned that prior to emerging samba3 after samba4 has been installed in the system you must remove /var/lib/samba, otherwise your server would not start:

https://bugzilla.redhat.com/show_bug.cgi?id=829694#c8

Access to the samba shares got restored...

----------

## Fitzcarraldo

I have had better luck. I have a tower PC running Windows 8.1 for family use (multiple user accounts), and several laptops running Linux (main laptop runs Gentoo; the others Sabayon), and other family members have laptops running Windows 7. I performed the various package upgrades on my main laptop after uninstalling samba-3.* and mit-krb5 (and following some of the advice in the Gentoo Wiki Samba4 Migration HowTo, such as 'equery d mit-krb5' and remerging those packages with USE="-kerberos", 'revdep-rebuild -i', and 'emerge @preserved-rebuild').

My laptop running Gentoo and Samba4 can browse (R/W) the tower PC's folders and files in C:\Users\, and the tower PC can browse (R/W) the laptop's folders and files in /home/fitzcarraldo/ (both ends prompt for the username and password of the user account on the respective remote computer being accessed). It looks like the configuration for Samba3 on my laptop -- I used a good Samba HowTo PDF guide on the Web -- withstood the migration to Samba4.

After installing samba-4.1.17 I ran the testparm command:

```
# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[fitzcarraldo-share]"
Processing section "[PUBLIC]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        interfaces = eth0, wlan0
        map to guest = Bad User
        smb passwd file = /etc/samba/private/smbpasswd
        log file = /var/log/samba3/log.%m
        max log size = 50
        smb ports = 139, 445
        name resolve order = bcast
        printcap name = cups
        os level = 110
        preferred master = Yes
        domain master = No
        dns proxy = No
        wins support = Yes
        idmap config * : backend = tdb

[homes]
        comment = Home Directories
        read only = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        guest ok = Yes
        printable = Yes
        print ok = Yes
        browseable = No

[print$]
        path = /var/lib/samba/printers
        write list = @adm, root
        guest ok = Yes

[fitzcarraldo-share]
        path = /home/fitzcarraldo/fitzcarraldo-share/
        valid users = fitzcarraldo
        read only = No
        guest ok = Yes

[PUBLIC]
        path = /home/fitzcarraldo/Public/
        valid users = fitzcarraldo
        read only = No
        guest ok = Yes
```

To get rid of the above-mentioned message "rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)" I followed the advice on the Web site http://linuxadmin.melberi.com/2013/06/rlimitmax-increasing-rlimitmax-1024-to.html and edited the file /etc/security/limits.conf to add the following line:

```
*                -       nofile          16384
```

I also edited the file /etc/samba/smb.conf and changed the line:

```
log file = /var/log/samba3/log.%m
```

to:

```
log file = /var/log/samba4/log.%m
```

I created the directory /var/log/samba4/ as it had not been created automatically when I installed the package net-fs/samba-4.1.17 or when the Samba4 samba service started.

The currently-installed packages and their USE flags are as follows:

```
# eix -I samba
[I] net-fs/samba
     Available versions:  [M]3.5.21^t [M]3.5.22^t 3.6.24^t 3.6.25^t (~)4.0.25^m (~)4.1.17^m [M](~)4.2.0^m {acl addns ads (+)aio avahi caps (+)client cluster cups debug dmapi doc examples fam gnutls iprint ldap ldb +netapi pam quota +readline selinux +server +smbclient smbsharemodes smbtav2 swat syslog systemd test (+)winbind ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32" PYTHON_TARGETS="python2_7"}
     Installed versions:  4.1.17^m(01:21:59 13/03/15)(acl avahi client cups fam gnutls ldap winbind -addns -ads -aio -cluster -dmapi -iprint -quota -selinux -syslog -systemd -test PYTHON_TARGETS="python2_7")
     Homepage:            http://www.samba.org/
     Description:         Samba Suite Version 4

# eix -I cifs
[I] net-fs/cifs-utils
     Available versions:  5.9-r1 6.1-r1 (~)6.3 (~)6.4 {+acl (+)ads +caps (+)caps-ng creds}
     Installed versions:  6.4(03:00:34 13/03/15)(acl ads caps caps-ng -creds)
     Homepage:            http://wiki.samba.org/index.php/LinuxCIFS_utils
     Description:         Tools for Managing Linux CIFS Client Filesystems

# eix -I heimdal
[I] app-crypt/heimdal
     Available versions:  1.5.3-r2 {X afs +berkdb caps hdb-ldap ipv6 otp +pkinit selinux ssl static-libs test threads ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
     Installed versions:  1.5.3-r2(02:30:26 13/03/15)(X berkdb ipv6 pkinit -afs -caps -hdb-ldap -otp -selinux -ssl -static-libs -test -threads ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32")
     Homepage:            http://www.h5l.org/
     Description:         Kerberos 5 implementation from KTH

# eix -I mit-krb5
No matches found.
```

The Uncomplicated Firewall configuration remains the same as it was for Samba3 (the CIFS entry is for Samba; the other entries are for KDE Connect):

```
# ufw status
Status: active

To                         Action      From
--                         ------      ----
CIFS                       ALLOW       192.168.1.0/24
1714:1764/tcp              ALLOW       Anywhere
1714:1764/udp              ALLOW       Anywhere
1714:1764/tcp              ALLOW       Anywhere (v6)
1714:1764/udp              ALLOW       Anywhere (v6)
```

And the file /etc/samba/smb.conf currently contains the following (the only thing I changed when migrating to Samba4 was the directory path for the log file):

```
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
workgroup = WORKGROUP
netbios name = meshedgedx
printcap name = cups
printing = cups
log file = /var/log/samba4/log.%m
max log size = 50
; log level = 3
security = user
map to guest = bad user
encrypt passwords = yes
smb passwd file = /etc/samba/private/smbpasswd
local master = yes
os level = 110
domain master = no
preferred master = yes
name resolve order = bcast
wins support = yes
dns proxy = no
smb ports = 139 445
interfaces = eth0 wlan0

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
read only = no

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes

[printers]
comment = All Printers
path = /var/spool/samba
# to allow user 'guest account' to print.
guest ok = yes
printable = yes
create mask = 0700

[print$]
path = /var/lib/samba/printers
write list = @adm root
guest ok = yes

[fitzcarraldo-share]
path = /home/fitzcarraldo/fitzcarraldo-share/
guest ok = yes
read only = no
browseable = yes
valid users = fitzcarraldo

[PUBLIC]
path = /home/fitzcarraldo/Public/
guest ok = yes
read only = no
browseable = yes
valid users = fitzcarraldo
```

I left the file /etc/conf.d/samba as it was for Samba3.

So it's not looking bad at the moment and I don't need to consider downgrading from Samba4 to Samba3.

Recommended reading: http://wiki.gentoo.org/wiki/Samba4_Migrating/HOWTO (thanks to the hard work of user Dcmwai). I didn't do everything in it, as a lot of it is way above my head and probably not applicable in my case anyway.

----------

## ryszardzonk

Thanks for all the tips. I shall give it another try in some time, but I would say some stuff, like requiring packages to be mit-krb5 free ("-kerberos") and the need for creation of the directory /var/log/samba4, should be taken care of by an ebuild. That would certainly make the migration less painful :Wink:

----------

## Fitzcarraldo

One of my printers is connected via USB to the aforementioned tower PC running Windows 8.1 on my home network. When I was using Samba3 I could print from my main laptop running Gentoo Linux to that remote printer using SMB. However, after installing Samba4 on the laptop the printer's status displayed on the CUPS Printer Manager browser page was as follows:

```
Paused - "Backend /usr/libexec/cups/backend/smb does not exist!"
```

I deleted that printer in CUPS Printer Manager and tried to re-add it but the option 'Windows Printer via SAMBA' was missing on the Add Printer page of CUPS Printer Manager.

I looked at the CUPS backends in /usr/libexec/cups/backend/ and there was indeed no longer a /usr/libexec/cups/backend/smb entry (as pointed out by the CUPS Printer Manager!). So I created a symlink to /usr/bin/smbspool and restarted the CUPS daemon. The 'Windows Printer via SAMBA' entry is now back in the list of selectable items on the Add Printer page, and I was able to re-add the printer and then print again via SMB.

```
# ls -la /usr/libexec/cups/backend
total 728
drwxr-xr-x 2 root root   4096 Mar 15 01:12 .
drwxr-xr-x 9 root root   4096 Aug  2  2006 ..
-rwxr-xr-x 1 root root  43728 Sep 18 00:52 bjnp
-rwxr-xr-x 1 root root 141760 Feb 13 19:01 bluetooth
-rwxr-xr-x 1 root root  13860 Apr 22  2014 cnijusb
-rwx------ 1 root root 133952 Feb  1  2014 cups-pdf
-rwx------ 1 root root  18784 Mar 13 03:20 dnssd
-rwx------ 1 root root  79896 Jun  7  2014 gutenprint52+usb
-rwxr-xr-x 1 root root  18776 Mar  4 09:20 hp
-rwx------ 1 root root   9162 Mar  4 09:20 hpfax
lrwxrwxrwx 1 root root      3 Mar 13 03:21 http -> ipp
lrwxrwxrwx 1 root root      3 Mar 13 03:21 https -> ipp
-rwx------ 1 root root  77080 Mar 13 03:20 ipp
lrwxrwxrwx 1 root root      3 Mar 13 03:21 ipps -> ipp
-rwx------ 1 root root  43680 Mar 13 03:20 lpd
-rwxr-xr-x 1 root root  18688 Mar 15 01:12 parallel
-rwxr-xr-x 1 root root  14528 Mar 15 01:12 serial
-rwxr-xr-x 1 root root  27144 Mar 13 03:20 snmp
-rwxr-xr-x 1 root root  35344 Mar 13 03:20 socket
-rwxr-xr-x 1 root root  35448 Mar 13 03:20 usb
# ln -v -s /usr/bin/smbspool /usr/libexec/cups/backend/smb
‘/usr/libexec/cups/backend/smb’ -> ‘/usr/bin/smbspool’
# ls -la /usr/libexec/cups/backend
total 728
drwxr-xr-x 2 root root   4096 Mar 15 01:34 .
drwxr-xr-x 9 root root   4096 Aug  2  2006 ..
-rwxr-xr-x 1 root root  43728 Sep 18 00:52 bjnp
-rwxr-xr-x 1 root root 141760 Feb 13 19:01 bluetooth
-rwxr-xr-x 1 root root  13860 Apr 22  2014 cnijusb
-rwx------ 1 root root 133952 Feb  1  2014 cups-pdf
-rwx------ 1 root root  18784 Mar 13 03:20 dnssd
-rwx------ 1 root root  79896 Jun  7  2014 gutenprint52+usb
-rwxr-xr-x 1 root root  18776 Mar  4 09:20 hp
-rwx------ 1 root root   9162 Mar  4 09:20 hpfax
lrwxrwxrwx 1 root root      3 Mar 13 03:21 http -> ipp
lrwxrwxrwx 1 root root      3 Mar 13 03:21 https -> ipp
-rwx------ 1 root root  77080 Mar 13 03:20 ipp
lrwxrwxrwx 1 root root      3 Mar 13 03:21 ipps -> ipp
-rwx------ 1 root root  43680 Mar 13 03:20 lpd
-rwxr-xr-x 1 root root  18688 Mar 15 01:12 parallel
-rwxr-xr-x 1 root root  14528 Mar 15 01:12 serial
lrwxrwxrwx 1 root root     17 Mar 15 01:34 smb -> /usr/bin/smbspool
-rwxr-xr-x 1 root root  27144 Mar 13 03:20 snmp
-rwxr-xr-x 1 root root  35344 Mar 13 03:20 socket
-rwxr-xr-x 1 root root  35448 Mar 13 03:20 usb
# /etc/init.d/cupsd restart
 * Stopping cups-browsed ...     [ ok ]
 * Stopping cupsd ...            [ ok ]
 * Starting cupsd ...            [ ok ]
 * Starting cups-browsed ...     [ ok ]
#
```

I wonder why that specific backend was removed when I migrated from Samba3 to Samba4? Bug, perhaps? Anyway, printing via SMB now works fine again after adding the symlink.

----------
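The three breakages reported in this thread (a configured username map file that no longer exists, the missing log directory, and the missing CUPS smb backend) can be checked in one pass after a Samba upgrade. The script below is an added example, not code from any poster in the thread; the function names and the ROOT prefix argument are assumptions made here, while the file paths are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is a hypothetical prefix argument so
# the checks can run against a copy of the filesystem; pass / for the live system.

# Print the value of the first "name = value" line for parameter $2 in file $1.
# Simplification: the name must be spelled as given (smb.conf itself ignores
# case and inner whitespace); lines starting with ; or # never match.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Returns the number of problems found (0 = clean), or 9 if smb.conf is unreadable.
check_samba_migration() {
    root=${1%/}
    conf="$root/etc/samba/smb.conf"
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 9; }

    # 1. A configured "username map" file must exist (smbd logged
    #    "can't open username map /etc/samba/smbusers" in the first post).
    map=$(conf_value "$conf" "username map")
    if [ -n "$map" ] && [ ! -r "$root$map" ]; then
        echo "username map $map is configured but missing"
        problems=$((problems + 1))
    fi

    # 2. The directory holding "log file" was not created automatically in the
    #    thread (/var/log/samba4), so verify it exists.
    log=$(conf_value "$conf" "log file")
    if [ -n "$log" ] && [ ! -d "$root$(dirname "$log")" ]; then
        echo "log directory $(dirname "$log") does not exist"
        problems=$((problems + 1))
    fi

    # 3. CUPS needs backend/smb; -e is false both for a missing entry and for
    #    a symlink whose target (normally /usr/bin/smbspool) is gone.
    backend="$root/usr/libexec/cups/backend/smb"
    if [ ! -e "$backend" ]; then
        echo "CUPS smb backend missing or dangling: $backend"
        problems=$((problems + 1))
    fi
    return "$problems"
}

if [ "$#" -gt 0 ]; then check_samba_migration "$1"; fi
```

Run it as root with `/` as the argument after the upgrade; a non-zero exit status is the count of checks that failed.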

