Samba Share - 2 users with 2 shares - Issue: 1 user works perfectly, the other is denied [Solved]

I set up OpenWRT with an old MyBookLive. What I am trying to set up is 2 SMB shares with 2 users: one for me and one for the kids.

  • 1 user (me) allows for access to both shares

  • 1 user (kids) allows for access to only the kids share

Both Samba shares are set to user access only. The challenge I am facing is that the Parents user works flawlessly and allows for full access to both the shares. But the kids user is getting access denied on both shares.

The error I am getting on the kidsuser is:

Fri Feb 26 16:45:30 2021 daemon.err smbd[2055]: [2021/02/26 16:45:30.188841,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
Fri Feb 26 16:45:30 2021 daemon.err smbd[2055]:   change_to_user_internal: chdir_current_service() failed!

In researching this, most people tend to talk about lack of appropriate access to the shared drives or using forceuser in the config. I am asking here because I can clearly access the drives with parentuser account, just not the other one. I have checked:

  • Verified and reset the passwords
  • Validated that the users are in the same group and set up accordingly

Below is my samba4 config file.

Any help or thoughts are appreciated. If more logs are required, I am happy to provide them, but I am not 100% certain how to turn on the appropriate level of logging!

config samba
        option workgroup 'WORKGROUP'
        option charset 'UTF-8'
        option description 'Samba on OpenWRT'

config sambashare
        option path '/mnt/sda3/KidsData'
        option create_mask '0774'
        option dir_mask '0774'
        option guest_ok 'no'
        option read_only 'no'
        option name 'DriveKids'
        option users 'kidsuser,parentsuser'

config sambashare
        option path 'mnt/sda3/ParentData'
        option users 'parentuser'
        option create_mask '0774'
        option dir_mask '0774'
        option guest_ok 'no'
        option read_only 'no'
        option name 'DriveParents'

It really seems to be a permission problem.

I don't know who is the owner of the higher directories in the hierarchy (/mnt and /mnt/sda3), but check that they both have the right permission 774.

Also, in the parent share of the posted config a slash is missing. Maybe it works that way, but it would be good to fix it.

Can you also get this info:
cat /etc/passwd
cat /etc/samba/smbpasswd
ls -al /mnt/sda3/ParentData
ls -al /mnt/sda3/KidsData

Thank you! I had a look and noticed the owner of the folders is actually my parent user, and group 1000.

Can I ask a clarifying question then, who should the owner of the folders be? Should it be root? or should it be someone else?

Thanks Andy, here's all the info:

(note that I have changed the parentusername and kidsusername but it is consistent across).

As Pavelgl said, it is a permission issue. It looks like the parentuser is the owner of the share folders. Question: Should the correct user be root? I do certainly want write access.

/etc/passwd

root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
parentuser:*:1000:65534:alike:/var:/bin/false
kidsuser:*:1001:65534:pandj:/var:/bin/false

/etc/samba/smbpasswd

parentuser:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:**Hash**:[U          ]:LCT-60386CBA:
kidsuser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:**Hash**:[U          ]:LCT-60391CF2:

ls -la /mnt/sda3

drwx------    6 parentuser    1000          4096 Feb 25 18:19 .
drwxr-xr-x    3 root     root          4096 Feb 26 03:05 ..
drwx------    2 parentuser    1000          4096 Aug  3  2013 .AppleDouble
drwxrwxr-x   19 parentuser    1000          4096 Feb 25 18:18 FolksData
drwxrwxr-x    4 parentuser    1000          4096 Feb 25 18:18 KidsData
drwx------    2 root     root         16384 Feb 24 05:46 lost+found

ls -la /mnt/sda3/KidsData

root@OpenWrt:/mnt/sda3/KidsData# ls -la
drwxrwxr-x    4 parentuser    1000          4096 Feb 25 18:18 .
drwx------    6 parentuser    1000          4096 Feb 25 18:19 ..
drwxrwxr-x   27 parentuser    1000          4096 Feb 25 18:19 KidsMovies
drwx------   20 parentuser    1000          4096 Feb 24 17:37 KidsTV

If alike is in the same group with the other accounts, leave it as owner.
Type from the cli:
chmod 774 /mnt/ -R
and check the result.

I tried chmod 774 /mnt/ -R and service samba4 restart and now neither user account can access either share. Weird? What else can I try?

Fri Feb 26 19:54:55 2021 daemon.err smbd[1910]: [2021/02/26 19:54:55.888921,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
Fri Feb 26 19:54:55 2021 daemon.err smbd[1910]:   change_to_user_internal: chdir_current_service() failed!

Let's do it with chmod 777 /mnt/ -R

By the way, in the Kids directory, the kids have no access to the KidsTv directory at all.
Parents is the owner with full rights and that seems to be the problem.

Alright, I have enabled chmod 777 for the drive and now they work exactly as I desire. A few questions

  • Should the create mask and dir mask also reflect the 777?
  • Is this not a security risk with the public having rwx access? I appreciate that it works (and thank you!) but is that not a risk?

You don't have Samba guest access activated.
Whoever accesses the Samba share will need to have a valid Samba account.
Those permissions are at the Linux level.
The first is for the owner, the second for the group and the third for everyone else (also with a valid OpenWrt account).
Anyway, if you are worried, check chmod 775 /mnt/ -R.
In this case everyone else will have only read and execute rights, and I believe that the problem is the missing execute permission.

Thank you! I set chmod to 775 and it still works, so I'm going to leave that for now and if I really need to switch to 777 I appreciate knowing that it's still secure :slight_smile:

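An added example, not part of the original thread: the listings above show /mnt/sda3 as drwx------ owned by parentuser, so kidsuser cannot chdir through it, and chmod 774 on the root-owned /mnt removes the execute bit for every non-root account. The sketch below reports which directories on a share path an account cannot enter, as a narrower check than a recursive chmod. The helper names can_traverse and blocked_dirs are hypothetical, and only the classic mode bits are evaluated.

```shell
#!/bin/sh
# Added example. Evaluates only the classic owner/group/other mode bits;
# ACLs and supplementary groups are ignored (assumption).

# can_traverse UID GID DIR: exit 0 if that account holds the execute
# (search) bit on DIR, which smbd needs in order to chdir into a share.
can_traverse() {
    uid=$1; gid=$2; dir=$3
    [ "$uid" -eq 0 ] && return 0              # root bypasses mode bits
    info=$(ls -ldn "$dir" 2>/dev/null) || return 1   # missing = unreachable
    set -- $info                              # mode links uid gid ...
    mode=$1; owner=$3; group=$4
    if   [ "$uid" -eq "$owner" ]; then col=4  # owner class: rwX......
    elif [ "$gid" -eq "$group" ]; then col=7  # group class: ...rwX...
    else                               col=10 # other class: ......rwX
    fi
    case $(printf %s "$mode" | cut -c"$col") in
        x|s|t) return 0 ;;                    # s/t = setuid/sticky with x
        *)     return 1 ;;
    esac
}

# blocked_dirs UID GID /ABS/PATH: print every directory from / down to the
# path that the account cannot enter, one per line. No output = reachable.
blocked_dirs() {
    b_uid=$1; b_gid=$2; rest=${3#/}; cur=
    can_traverse "$b_uid" "$b_gid" / || echo /
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        can_traverse "$b_uid" "$b_gid" "$cur" || echo "$cur"
    done
}

# Usage with the thread's kidsuser (uid 1001, gid 65534 in /etc/passwd):
#   blocked_dirs 1001 65534 /mnt/sda3/KidsData
```

Any directory it prints needs the execute bit for that account's class, which can be granted on that directory alone (for example with chmod o+x) instead of opening the whole tree.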