Unable to share a NTFS partition as read-write in samba

(It's not the first time that I write about my problems with samba sharing. Anyway, I have tried so many different solutions that now I don't remember what the exact initial situation was, and I prefer to start a new thread describing the issue as it appears now.)

I have a USB disk attached to my Lede router.
Its NTFS partition can be shared only in read-only mode, even if I specify to share it in read-write mode.
It's not a disk issue: the partition is mounted as read-write, and when I try to write/copy a file via ssh, I can do it without any problem.
So I think it's a permissions issue, even though I was not able to solve it.
Do you have any hint/suggestion?
Here below I report my settings:

How the partition is listed by the mount command:

/dev/sda1 on /mnt/sda1 type fuseblk (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096)

The user list from /etc/passwd:

root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
john:*:1000:65534:newuser:/var:/bin/false

Contents of /etc/config/samba:

config samba
        option name 'Lede'
        option description 'Lede'
        option autoshare '1'
        option homes '0'
        option workgroup 'WORKGROUP'

config sambashare
        option read_only 'no'
        option guest_ok 'yes'
        option path '/mnt/sda1'
        option name 'M'

config sambashare
        option path '/mnt/sda2'
        option read_only 'no'
        option guest_ok 'yes'
        option name 'P'
        option users 'john'

Contents of /etc/samba/smb.conf:

[global]
        netbios name = Lede
        display charset = UTF-8
        interfaces = lo br-lan
        server string = Lede
        unix charset = UTF-8
        workgroup = WORKGROUP
        bind interfaces only = yes
        deadtime = 30
        enable core files = no
        invalid users = root
        local master = no
        map to guest = Bad User
        max protocol = SMB2
        min receivefile size = 16384
        null passwords = yes
        passdb backend = smbpasswd
        security = user
        smb passwd file = /etc/samba/smbpasswd
        use sendfile = yes

[M]
        path = /mnt/sda1
        read only = no
        guest ok = yes

[P]
        path = /mnt/sda2
        valid users = john
        read only = no
        guest ok = yes

Do you have a /etc/fuse.conf set to allow users to share fuse mounts as root (or other users)? What user are you using for ntfs-3g mount? It's likely an issue with fuse refusing to allow access as a user other than mounting user.

Thank you for your reply.
I haven't any fuse.conf file in /etc. I mount the partition with a command put inside the box in LUCI System > Startup section, I think it uses root.
What have I to do?

I think @cshoredaniel is correct that it's a user problem, I'm pretty sure this line in /etc/passwd -

john:*:1000:65534:newuser:/var:/bin/false

should have "john" replace "newuser", so -

john:*:1000:65534:john:/var:/bin/false

Nothing changes: I continue to access the partition only in read-only mode.

Have you tried the mount command from the wiki? It works for my ntfs drive in 17.01.* -

ntfs-3g /dev/sda1 /mnt/usb-ntfs -o rw,async

just replace sync with async

Same result: I cannot write the partition.
By the way, mount shows the same line as before:

/dev/sda1 on /mnt/sda1 type fuseblk (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096)

What's yours?

Anyway, the NTFS disk partition was already mounted as read & write.
I think that the issue lies in samba options/user permissions.

Mine's the same. Try adding -

browseable=yes

to your mount point configs, so -

[M]
        path = /mnt/sda1
        read only = no
        guest ok = yes
        browseable=yes

[P]
        path = /mnt/sda2
        valid users = john
        read only = no
        guest ok = yes
        browseable=yes

Likely due to lacking the following in /etc/samba/smb.conf.template

  • browseable = yes
  • writeable = yes
NOTE:
  • /etc/samba/smb.conf is dynamically created from /etc/samba/smb.conf.template, so all edits should be performed on the template file.

Since SMB1 leaves any using it wide open to be exploited, minimum protocol as SMB2 must be specified.

  • Add: min protocol = SMB2

  • I believe in sane configs, even if sporadically managing the router via SSH, as it makes editing them, and/or identifying issues, much easier.
    • Since Samba, and most other, config files aren't processed in a hierarchical order, alphabetizing them causes less headaches for the user over the long term.

      For example, this is my Samba config template:

      #
      
           ##::[[---  OpenWrt Samba Template  ---]]::##
      
      #===================================================
                   ##----- Databases -----##
      #===================================================
      
              # Disabled:
                # hosts allow       = 
                # interfaces        = |INTERFACES|
                # log file          = /var/log/log_%m-%I.log
      
          # Global Settings #
      #---------------------------------------------------
      
      [global]
          bind interfaces only      = yes
          browseable                = yes
          deadtime                  = 30
          display charset           = |CHARSET|
          domain master             = yes
          encrypt passwords         = true
          enable core files         = no
          guest account             = nobody
          guest ok                  = yes
          interfaces                = lo br-lan
          invalid users             = root
          local master              = yes
          load printers             = no
          map to guest              = Bad User
          max log size              = 50
          max protocol              = SMB2
          min protocol              = SMB2
          min receivefile size      = 16384
          netbios name              = |NAME|
          null passwords            = no
          obey pam restrictions     = yes
          os level                  = 20
          passdb backend            = smbpasswd
          preferred master          = yes
          printable                 = no
          security                  = user
          server string             = |DESCRIPTION|
          smb encrypt               = disabled
          smb passwd file           = /etc/samba/smbpasswd
          socket options            = TCP_NODELAY IPTOS_LOWDELAY
          syslog                    = 2
          unix charset              = |CHARSET|
          use sendfile              = yes
          workgroup                 = |WORKGROUP|
          writeable                 = yes
      

If you access the router via SSH as a user other than root can you read/write the NTFS partition? If not (assuming you're not using SMB as root) then it could be a fuse issue. If not (or you are logging in on SMB as root) then your problem is (as you suspect) somewhere in the Samba config.

No change. :frowning:

Please advise me if I say a stupid thing (I am only a newbie), but I have no other (system) user apart from root. john is only a samba user.
Anyway, I use it only to access the second partition of the disk when windows prompts me to input my credentials. On the other hand, the second partition has ext4 file system and I can access it without any problem in read/write mode. If you want, I can eliminate it at all from my configuration.

I think you mean you have a 'john' system user that isn't allowed to login to a shell (i.e. no console, no SSH) but does exist in /etc/passwd and /etc/shadow? (If not that could be part of your problem).

Also did you do ''smbpasswd -a john'' on the router? (I haven't used the LuCI app for Samba so I don't know if it handles user creation and password management, I'm talking about what happens on the command line).

For the second partition what perms do you have on it? (i.e. is it possible you're doing anonymous access and don't realize it?). If it's assigned to john and no world write then what I mention above shouldn't be the issue and it's probably the fuse stuff I was talking about.

In any case Samba is obviously trying to access the drives as 'john' or 'nobody' (depending on if smbpasswd was run, either from cli or through UI if it does that), not root, which for the NTFS drive is probably your problem.

Anyway I have to reread the thread to see what exactly your config is to see if I can figure out where the problem is. Later though...

That I think is your problem: NTFS is mounted root, and ro to non-root users. Samba, if it's not asking your credentials, is probably doing an anonymous access (as user 'nobody').

Have you got 'root' allowed to login via Samba (i.e. ''smbpasswd -a root'' or equivalent in UI)? If not you won't be able to r/w the NTFS as it's only r/w for root.

Forget user john. It is not involved in accessing partition one. If necessary, I will delete it. But I think it is not an issue.

Forget second partition. I haven't any issue in accessing it in read/write mode. If necessary, I will delete its share. But I think it is not an issue.

If it is so, how can I solve my issue?

I don't remember, but even after executing ''smbpasswd -a root'' I continue to have read only access. :frowning:

I tried to mount the partition via command:
ntfs-3g -o rw,uid=65534,user_id=65534 /dev/sda1 /mnt/sda1
and the problem disappeared.
Maybe one option among user_id and uid is superfluous, but I haven't touched anything yet, since now I have read/write access to my partition. :slightly_smiling_face:

Then your issue is either /etc/config/samba or it's not Samba, but file system access permissions.

  • /mnt/sda1
    • Issue: chown -R john:john /mnt/sda1 && chmod -R 660 /mnt/sda1
    • Issue: find /mnt/sda1 -type d -print0 | xargs -0 chmod 755
      • This fixes directory permissions, which should be 755, after the recurse

  • /mnt/sda2
    • Issue: chown -R john:john /mnt/sda2 && chmod -R 660 /mnt/sda2
    • Issue: find /mnt/sda2 -type d -print0 | xargs -0 chmod 755
      • This fixes directory permissions, which should be 755, after the recurse

  • Note:
    • john must also be a Samba user:
      • Issue: smbpasswd -a john

Known Working Config
  • /etc/config/samba
    #
    
         ##::[[---  OpenWrt Samba Config  ---]]::##
    
    #===================================================
                   ##----- Shares -----##
    #===================================================
    
        # Global Settings #
    #---------------------------------------------------
    config samba
        option  description   'PNY USB 3'
        option  homes         '1'
        option  name          'LEDE'
        option  workgroup     'WRT'
    
        # Samba Shares #
    #---------------------------------------------------
    config sambashare
        option  browseable    'yes'
        option  create_mask   '0755'
        option  dir_mask      '0755'
        option  guest_ok      'no'
        option  name          'sda1'
        option  path          '/mnt/sda1'
        option  read_only     'no'
        option  users         'root'
    
    config sambashare
        option  browseable    'yes'
        option  create_mask   '0755'
        option  dir_mask      '0755'
        option  guest_ok      'no'
        option  name          'sda3'
        option  path          '/mnt/sda3'
        option  read_only     'no'
        option  users         'root'
    
    config sambashare
        option  browseable    'yes'
        option  create_mask   '0660'
        option  dir_mask      '0750'
        option  guest_ok      'no'
        option  name          'LEDE'
        option  path          '/mnt/sda3/JW0914'
        option  public        'no'
        option  read_only     'no'
        option  users         'JW0914'
    

  • /etc/samba.conf.template
    #
    
         ##::[[---  OpenWrt Samba Template  ---]]::##
    
    #===================================================
                 ##----- Databases -----##
    #===================================================
    
            # Disabled:
              # hosts allow       = 
              # interfaces        = |INTERFACES|
              # log file          = /var/log/log_%m-%I.log
    
        # Global Settings #
    #---------------------------------------------------
    
    [global]
        bind interfaces only      = yes
        browseable                = yes
        deadtime                  = 30
        display charset           = |CHARSET|
        domain master             = yes
        encrypt passwords         = true
        enable core files         = no
        guest account             = nobody
        guest ok                  = yes
        interfaces                = lo br-lan
        invalid users             = root
        local master              = yes
        load printers             = no
        map to guest              = Bad User
        max log size              = 50
        max protocol              = SMB2
        min protocol              = SMB2
        min receivefile size      = 16384
        netbios name              = |NAME|
        null passwords            = no
        obey pam restrictions     = yes
        os level                  = 20
        passdb backend            = smbpasswd
        preferred master          = yes
        printable                 = no
        security                  = user
        server string             = |DESCRIPTION|
        smb encrypt               = disabled
        smb passwd file           = /etc/samba/smbpasswd
        socket options            = TCP_NODELAY IPTOS_LOWDELAY
        syslog                    = 2
        unix charset              = |CHARSET|
        use sendfile              = yes
        workgroup                 = |WORKGROUP|
        writeable                 = yes
    

Yeah you've ended up doing anonymous mounts (i.e. passwordless = anyone with net access can access that share).

I'd add

guest ok = no

to your share, or remove

guest ok = yes

from the template.

If you do that you will have to login with a known user and password, rather than leaving the share wide open.
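
The check described in the reply above, as an added example that is not part of the original thread: a POSIX shell/awk function that resolves each share's effective guest ok and read only values (including inheritance from [global] and the public/writeable synonyms) and reports shares that end up writable by the guest account, plus a missing min protocol. The function names and the sample config are constructed for illustration; the SMB1 finding assumes Samba 3.x defaults, where an unset min protocol permits SMB1.

```shell
#!/bin/sh
# Added example: flag smb.conf shares that are writable by the guest account.
# Usage: audit_smb_conf /etc/samba/smb.conf   (reads stdin when no file is given)
audit_smb_conf() {
    awk '
    function yes(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    /^[ \t]*([#;]|$)/ { next }                     # comments and blank lines
    /^[ \t]*\[/ {                                  # [section] header
        sect = $0; gsub(/^[ \t]*\[|\].*$/, "", sect)
        if (tolower(sect) == "global") sect = "global"; else order[++n] = sect
        next
    }
    sect != "" && (eq = index($0, "=")) {          # key = value line
        key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        gsub(/[ \t]+/, " ", key)
        if (key == "public") key = "guest ok"      # synonym
        # writeable/writable is the inverted synonym of read only
        if (key ~ /^write?able$/) { key = "read only"; val = yes(val) ? "no" : "yes" }
        conf[sect, key] = val
    }
    END {
        # Assumption: Samba 3.x defaults, where an unset min protocol permits SMB1.
        if (toupper(conf["global", "min protocol"]) !~ /^SMB[23]/)
            print "global: SMB1 allowed (min protocol unset or below SMB2)"
        for (i = 1; i <= n; i++) {
            s = order[i]
            # A share inherits any [global] value that it does not set itself.
            g = ((s, "guest ok") in conf) ? conf[s, "guest ok"] : conf["global", "guest ok"]
            ro = ((s, "read only") in conf) ? conf[s, "read only"] : conf["global", "read only"]
            if (ro == "") ro = "yes"               # Samba default is read only = yes
            if (yes(g) && !yes(ro)) print "[" s "]: guest ok = yes and read only = no"
        }
    }' "$@"
}
# Constructed sample input, modelled on the template pattern in this thread.
sample_conf() {
    cat <<'EOF'
[global]
    guest ok = yes
    max protocol = SMB2
    writeable = yes
[M]
    path = /mnt/sda1
[locked]
    path = /mnt/sda3
    guest ok = no
EOF
}
sample_conf | audit_smb_conf
```

On the sample, [M] is reported even though it sets neither option itself, because both values come from [global]; [locked] overrides guest ok and is not reported.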
