A File Server That Won't Share Shares

Question

I've moved on from my first post "What Are The Basics?"

For context, my HW:

Raspberry Pi 3 B+ and a 16Gb mSD card with LITE imaged onto it

Pi-Desktop and a Kingston 480Gb mSATA

USB Keyboard/Mouse combo

10.1” TFT LCD Colour Monitor and a 20cm HDMI cable

For context, my environment::

Cat5e with RJ45 ports leading to a HP hub.

(Wi-Fi useless in my old house with thick walls. Not willing to spend a fortune with Wi-Fi extenders. Tried one - doesn't work well.)

What I've done:

used fstab to mount three partitions on the mSATA so they are there at bootup.

lines follow the format:

PARTUUID=5daf9610-09 /mnt/MYLABEL vfat defaults,auto,umask=000,users,rw 0 0

where 09 is either 01, 02 or 03 and MYLABEL are the three associated folders in /mnt that are my mountpoints.

When I issue a "mount" command I get:

/dev/sda9 on /mnt/MYLABEL type vfat (rw, nosuid,nodev,noexec,relatime,fmask=000,dmask=000,allow_utime=0022,codepage=437,iocharset=asci,shortname=mixed.errors=remount-ro)

where 9 is either 1, 2 or 3 and MYLABEL are the three associated folders in /mnt that are my mountpoints.

The options "nosuid, nodev and noexec" are unexpected, as I thought the opposite values are set by the "default" option.

I have confirmed that these mounts are owned by root.

I have updated the smb.conf with the following:

[global]

case sensitive = auto

preserve case = yes

short preserve case = yes

netbios name = Pi

server string = RaspFS01

workgroup = MYWKGRP

[MYSHARE9]

# share for the partition MYLABEL

path = /mnt/MYLABEL

comment = My sharing folders

browseable = yes

writeable = yes

only guest = no

create mask = 0777

directory mask = 0777

public=no

valid users = MYUSERS

force group = MYWKGRP

where 9 is 1, 2 or 3. MYLABEL is the same as the mountpoints above. MYUSERS is a comma seperated list of accounts I created including the user pi (See my next step). MYWKGRP is the workgroup I have on my PC.

I have set up users using "adduser" command

I have also made them members of the same groups as user pi

I have made the Pi boot with a static IP address and identified the static gateway and static_domain_name_servers as my BT Router.

Once rebooted I can ping google, so I'm still connected to the internet. I've also successfully run the update on the OS.

Now the fun!

When I try to create a mapping from my PC to the Pi, I get "Access Denied" no matter what user I use, even pi.

I ran the diagnostics from my PC and I can find the server, (although it does not show up in Networks). I even confirm the share exists. I just can't map to it.

I try to change the ownership of the mounts from root using the chmod command, but I get "Operation is not allowed". (Yes with sudo.)

I can't seem to allow any user to use these mounts remotely. I can only use them from the Pi! This is not a file server, but just a workstation. I can't find a way to associate MYWKGRP with these mounts with the right permissions.

I've seen a way to explicitly state a user and passwaord in the fstab file, but that would not syncronise with any change of password with the PC. (Not to mention the horrible hole in security!)

Can anyone tell me what I'm missing? Thanks for reading this far.

14rhb · Answer

Steven,

Useful reading material on NFS and file access - I think your anser can be found in there, especially if you set up NFS.

https://linuxconfig.org/how-to-configure-nfs-on-linux

https://raspberrypi.stackexchange.com/questions/87057/cannot-automatically-mount-nfs-share-to-raspberry-pi

https://serverfault.com/questions/212178/chown-on-a-mounted-nfs-partition-gives-operation-not-permitted

The last link perhaps contains something really useful...

"By default the root_squash export option is turned on, therefore NFS does not allow a root user from the client to perform operations as root on the server, instead mapping it to the user/group id specified by anonuid and anongid options (default=65534). This is configurable in /etc/exports together with other export options."

Rod

oghma · Answer

14rhb,

Thanks for the imput, but I only have one Linux machine - the Pi. Not going to migrate my entire collection of computers over-night, especially since I'm having these issues.

shabaz,

This was useful. I went back to my notes on what I did and realised that I did not modify the permissions on the /mnt/MYLABELS mount points. So...

umount the three /MYLABELS

ls -l gives:

drwxr-xr-x 2 root root 4096 Jul 24 15:34 MYLABEL

where MYLABEL is one of my three mount point folders. They are all the same.

sudo chmod 777 /mnt/MYLABEL

Did this for all three.

sudo chgrp users *

(I only have the three mount point folders in /mnt, so I changed all of them at once.)

ls -l now gives:

drwxrwxrwx 2 root users 4096 Jul 24 15:34 MYLABEL

where MYLABEL is as above.

Now I try to map from Windows 10.

Network still doesn't show the Pi. However, I can ping either the IP or the HostName from my PC.

When I use \\HostName\SHARENAME

where SHARENAME is the section name in smb.conf, I can 'browse' and see all the shares.

However, providing the credentials of my new user I get the same Access Denied message.

Providing the credentials of the user pi I get the message 'The user name or password is incorrect'.

Obviously I rechecked the passwords by logging in and out with both the user pi and my new user. Both worked.

I seem to be creeping forward, but as you can imagine, this is very frustrating. There seems to be no central admin tool like there was in Novel. I'm sure I'm at the point where this behaviour is so unlikely that a solution is far from obvious. As I'm exhibiting more experience than the average newbie, I don't know if the assumption will be that I've done everything right, so the response will be, "Well, that's a poser!". I'm willing to check every step, again. But I'm currently out of ideas on where to look. Everything seems fine to me, except that it doesn't work. Thanks for reading this far.

shabaz · Answer

Hi Steven,

Great that things have progressed. Regarding the current issue, I'm not sure of the answer, but there were some comments here that could be useful:

https://www.raspberrypi.org/forums/viewtopic.php?t=40130

One of the comments mentions changing the permissions and ownership (chmod and chgrp or chown) of the folders and content prior to doing the mount.

Snippet from there:

You have to create the folder with the user used to mount the partition. The mount will not overwrite this ownership and rights. Only the content of the mounted partition will use this rights
Also on most modern linux distributions, the chown is for the root user so that's why you have the permission denied message
So first unmount the partition, do the chown with sudo, do the chmod with sudo and do again the mount

14rhb · Answer

Steven, Adding to shabaz useful link; they initially mention Samba - which is used for file sharing with Windows OS. On Linux-Linix you have the Network File System (NFS) which should help. Rod

colporteur · Answer

The last time i setup SAMBA was using the configuration from the following site.

https://github.com/thinkst/opencanary

It is a wide open share but it did work.

My thoughts are once you can see and interact with the share (i.e. working), you can make the access control changes.

I have limited MS windows knowledge so I am of little help when it comes to active directory tweaks in SAMBA.

Sean

jack.chaney56 · Answer

I'd like to suggest checking out http://www.linuxfromscratch.org and checking out the Beyond Linux From Scratch section. In there (Section IV. Networking) it covers software and configuration for setting up SAMBA as well as several other server host options. Jack

oghma · Answer

Sean, As I stated on my 6-Aug-2018 reply I can ping using both HOSTNAME and IPaddress. I have rechecked this and both still work. The default Windows workgroup is indeed WORKGROUP. However, I have changed it on both the Pi and my Windows 10 PC to the same thing, (even in the same case). As I can authenticate to this misterious "User share" that is not mentioned in any of my configuration files, I am assuming that the server and authentication parts work. When I map to the "User share", I don't even have to provide a password, as I have already syncronised the passwords on the Pi and the PC. When I try to map to the Shares, I get the error message above. (9-Aug-2018 reply) In order to keep my network simple, I have everything on the same subnet as my BT hub. This means that I do not need another router, nore do I need a DNS table. I feel that this would add yet another complication, and I appear to have enough of those to keep me occupied! Continued below...

ebalem · Answer

I've just seen your posts and the suggestions about share problems, and I wonder if the problem is with windows 10 not your pi server. In recent builds of win10 they have removed the homegroup support and do not by default include support for older versions of smb sharing. Simple workgroup sharing is now much more tricky even between windows pc's. It may be worth you searching on these issues to find more info.

shabaz · Answer

I'm wondering if the errors you're getting could be specific to the Windows versions. What is the precise text of the error messages?

There are some error messages on XP described here:

https://ask.fedoraproject.org/en/question/109910/samba-and-windows-xp-unknown-user-name-or-bad-password/

However with Windows 10 which you mention you tried, it refers to a slightly different error that doesn't mention the username:

https://superuser.com/questions/1125438/windows-10-password-error-with-samba-share

Anyway it could be worth making the changes suggested in these links too, in case it helps.

Unfortunately I've not tried this, so I can only suggest some vague ideas : (

Sometimes I'll also try to do a packet capture to see how far the protocol got, but I don't know this protocol well enough to be sure if this is a good idea, or a useless idea.

There could also possibly be error messages somewhere in /var/log on the pi (type ls -altr to see the latest modified files there as the last ones in the list).

oghma · Answer

The story so far: From the second link sueested by shabaz I've added the following lines to my smb.conf. (some where already there, but I include them for completeness.): #### Dubugging/Accounting #### log file = /var/log/samba/log.%m max log size = 100 syslog = 0 ###### Authentication ###### server role = standalone server passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes password program = /usr/bin/passwd %u password chat = *Enter\snew\spassword:* *Retype\snew\spassword:* %n
 *password\supdated\ssuccessfully* pam password change = yes map to guest = bad user ntlm auth = yes encrypt passwords = yes smb passwd file = /etc/samba/smbpasswd security = user dns proxy = no [homes] read only = no create mask = 0775 directory mask = 0775 valid users = %S Each share section still looks like this: [shMYSHARE] # share for the partition MYSHARE path = /mnt/MYSHARE comment = Primary sharing folders browseable = yes writeable = yes only guest = no guest ok = no create mask = 0777 directory mask = 0777 public=no valid users = MYUSERS # user list separated by commas force group = MYWORKGROUP There are three MYSHARE sections. Now to what happens: I've managed to create a share called MYUSER which maps to the home directory of the user I log in as. Don't ask me how! I've chmod the permissions on the home directory to be rwxrwxrwx. As you can see above in the [homes] section , I've also changed the masks to 0775. This allows me to map to my 16Gb mSD card home directory. However, I still can't map to my shares. I get a different error message now. : I'm still thinking this is a permissions issue, but I've given all the permissions I can think of. The opencanary app suggested by sean looks terrifying. I'm on the Internet all the time, and having a completely open Pi is not what I want to do. I know Unix viruses are far less common, but hackers do things for 'fun'. Of course, they are never 'fun' for the poor victim. I just don't want to line myself up to be one. Is there a permissions editor to manage the whole set from O/S through samba to files and directories? This sure would make my life a lot easier! So, limiting the advise to the permission issues on the Pi, what do you suggest? What's my checklist? Thank you for reading this far.

colporteur · Answer

The configuration provided for use in opencanary I would not recommended for public use. I suggested it as as starting point since it was a known good configuration that last time I used SAMBA. If it worked (i.e. you saw the share and files) than you at least have a working install. By the sound of it, you are not at working. Can you ping the Pi from the windows desktop PC? i.e. ping <IP Address> I noticed you workgroup listing is MYWORKGROUP. Confirm that is what your windows desktop is using. I thought windows default was workgroup but I have limited experience with windows and try to keep it that way. Sean