Set up ksmbd for read and write access as named user

manywrt · August 27, 2021, 2:19am

How can I set up a ksmbd server on my router so that I can have read and write access as a named user (not guest)?

I have managed to give myself read and write access as guest. For that I did the following:

Install packages ksmbd-server, ksmbd-utils, and luci-app-ksmbd to my router TP-Link C7 v5 running on the latest sysupgrade bin (release 19.07.8).
In C7, create directory /mnt/dump (and not mount anything there, e.g. not mount a USB storage)
# chmod 777 /mnt/dump (I know 777 is incontinent. Just trying to make it work for now.)
Use LuCI's setup page (Services > Network Shares) so that the config (/etc/config/ksmbd) ends up looking this way:

config globals
	option description 'Ksmbd on OpenWrt'
	option workgroup 'WORKGROUP'

config share
	option read_only 'no'
	option path '/mnt/dump'
	option name 'dump'
	option create_mask '0666'
	option dir_mask '0777'
	option guest_ok 'yes'

That gave me read and write access to /mnt/dump even from a Windows machine. (Actually I don't know how to get to it from Linux yet.)

To get read and write access as a name user, I thought all I had to do would be to enter 'root' for 'allowed users' and uncheck 'allow guests' (in LuCI) so that the config looks like (in relevant portions):

	option guest_ok 'no'
	option users 'root'

But that did not work (login was refused, never mind read or write). I even created a non-root user (on the thought that root may be subject to a special prohibition), but that made no difference.

Questions: What do I need to modify (in LuCI or the config file) so as to have read and write access as a named user (whether root or non-root)?

Or maybe I have to do something different on the Windows side? One thing that bothered me was that the Windows prompt for credentials would insist on the user being e.g. Windows-Machine-Name\root (or equivalently the 'domain' being Windows-Machine-Name). Maybe the username I am sending to ksmbd is not 'root' but some complex thing including the 'Windows-Machine-Name'?

Andy2244 · August 27, 2021, 2:27pm

What you are missing is that a linux user is not automatically a smb user. You need to first create a linux user.

opkg update
opkg install shadow-useradd
adduser smbuser
passwd smbuser

alternative via uci: https://openwrt.org/docs/guide-user/base-system/users

Now add that user as a valid smb (ksmb) user (same for samba4 via smbpasswd tool):

opkg install ksmbd-utils
ksmbd.adduser -a smbuser

Now add the smbuser to the allowed ksmb users list via luci or uci config for your share.

Under windows you can check/manage/add smb logins via the credential manager.

Reminder: Use the password from the ksmbd.adduser process not the linux user password, to connect to your share.

PS: Now you also need to ensure that the linux smbuser has valid access to the shared dir/files.
Also a trick i often use, is to use my windows Login/PW for the Linux smb user, this way it gets automatic login, since the name/pw match.

manywrt · August 27, 2021, 3:19pm

Thank you. Your instructions totally worked!

Some hiccups I encountered along the road.

ksmbd.adduser did not accept a single letter password. It didn't tell me that the password had to be at least two letter, just repeated the prompt.
I had to reboot the Windows machine (to clear some cache I suppose).

For future managing of access, could you kindly advise:

Where the config files for ksmbd users and their passwords are.
If a direct config modification is not feasible, the commands for (a) removing a ksmbd user and (b) changing its ksmbd password. Thanks.

Andy2244 · August 27, 2021, 3:36pm

/etc/ksmbd but its encrypted so we cant directly edit it.

ksmbd.adduser
Adds, updates or removes (-a/-u/-d) a user from ksmbd pwd file.

manywrt · August 27, 2021, 3:55pm

Thank you again.

How does one enter multiple users for a particular mount (e.g. my /mnt/dump)?

I have tried:

Entering in LuCI's 'allowed users': alice bob. This resulted in a config line of:

	option users 'alice bob'

Entering in LuCI: alice,bob. It gave me:

	option users 'alice,bob'

Adding the following to config. It wiped out the LuCI page.

	option users 'alice' 'bob'

Adding the following to config. LuCI lists only one of them.

	option users 'alice'
	option users 'bob'

Andy2244 · August 27, 2021, 5:07pm

I think space or comma should work.

manywrt · August 28, 2021, 1:09am

Yes. Space worked. I just had to reboot the Windows machine after trying each allowed user. None of the commands to clear the cache on Windows worked (e.g. net use * /DELETE did not work). Thank you. Also leaving this remark for anyone landing on this page.

Also for anyone landing on this page, adduser smbuser in one of Andy2244's comments should be useradd smbuser.

system · September 7, 2021, 1:09am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.