After hours of searching, I discovered that the share name and the share directory cannot be the same (and it's not case-sensitive, either). See this post on serverfault.
So, if I change my share name in smb.conf from:
[Music]
to
[Tunes]
I can both read and write to the share. No other changes to my smb.conf were necessary, and no need to chmod 0777.
Answer from the_meter413 on askubuntu.comAfter hours of searching, I discovered that the share name and the share directory cannot be the same (and it's not case-sensitive, either). See this post on serverfault.
So, if I change my share name in smb.conf from:
[Music]
to
[Tunes]
I can both read and write to the share. No other changes to my smb.conf were necessary, and no need to chmod 0777.
Under linux, you need to map your system account to the samba server account.
If you are creating a new user for samba access, then enter the following commands
sudo useradd {user}
sudo passwd {user}
To map a system account to a samba user use the following command
sudo smbpasswd -a {user}
The edit the file /etc/samba/smbusers to map the system account to the samba account, where the system account references the samba account
user = "user"
This solved my problem:
Windows 10 will try to negotiate SMB3_11, which Samba4 doesn't yet support
except in the current 4.3 release candidate. I suspect for now disabling
SMB2/3 on the Windows 10 client is your best, if not ideal, option.Instructions for doing.this can be found
here: https://support.microsoft.com/en-us/kb/2696547
https://lists.samba.org/archive/samba/2015-September/193886.html
Further reading:
- MSKB mentioned above: Microsoft support, KB2696547: How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
Problem: Windows removed SMB v1 protocol on latest Windows OS, Linux try to connect with v1 protocol and Windows/Linux fails to try protocol 2, 3 etc.
Solution: edit linux (ubuntu) Samba conf file:
sudo nano /etc/samba/smb.conf
on the [GLOBAL] section add:
client min protocol = SMB2
client max protocol = SMB3
then save file and restart samba
in my case I also had to explicit put a password or my Samba user, but I think that was my specific system problem.
Samba permissions mess - can't write anything (from Windows)
networking - Samba share on Debian: Can see files from windows but can't write to them - Unix & Linux Stack Exchange
permissions - Samba (Cannot Write) issue - Stack Overflow
linux - Samba access is denied in windows - Unix & Linux Stack Exchange
Videos
for what it is worth, I couldn't access my samba share, maybe you have forgotten to add you username to the samba password group (for lack of beter description phrase)
this is what I did to get mine to work
smbpasswd -a username
after by using nautilus, shared my drive/folder with right-click, sharing, etc.
create your password, and use your username and passsword (which you just entered) to access your samba drive, you can also map this drive in Windows
hope this could help
Are the group and owner of the shared folder set properly for the samba user? Should be the same, or try
$ chown -R nobody:nogroup sharedfolder
for testing purposes...
In my case (Windows 10, ancient Samba 4.2.10 on CentOS 6) what helped was setting the min protocol to SMB2, max protocol to SMB3:
[global]
min protocol = SMB2
max protocol = SMB3
client min protocol = SMB2
client max protocol = SMB3
client ipc min protocol = SMB2
client ipc max protocol = SMB3
server min protocol = SMB2
server max protocol = SMB3
And then connecting the share as a network drive (Explorer -> Home -> Easy access -> Map as drive), putting in the share name (\\1.2.3.4\ShareName), ticking "Connect using different credentials", then Other, and put in username in the format DOMAIN\username.
When trying to get to the share in Explorer, it would never ask for credentials, nor was I able to specify the username with net use \\shareserver\data /user:testuser (got System Error 58).
Running smbpasswd -a user is crucial here!
My running smb.conf:
[global]
client max protocol = SMB3
name resolve order = wins lmhosts host bcast
security = USER
username map = /etc/samba/smbusers
idmap config * : backend = tdb
[rootfs]
create mask = 0644
force group = root
force user = root
path = /
read only = No
Hello,
I have a game server running on my machine, and I often move files and folders around.
So I decided to use samba (version 4.7.6-Ubuntu) to create a shared folder (which contains the game server) - and I can't write anything.
The folder is located at /home/locale/Documents.
locale is the username of the account I use to log physically on my machine, and is pretty much the "admin" account. (Note : they don't have root privileges, I'm not that dumb)
To connect to that folder, I use another account, named John. (The username of my Windows account).
I can connect to the share from Windows without any trouble, using the credentials from John (inputing the Unix password) ; but I cannot write anything.
This is what I have in my smb.conf for the folder :
[gameserver] path = /home/locale/Documents/ valid users = John browsable = yes read only = no writeable = yes available = yes create mask = 0775 force user = John
I've seen plenty of people on the internet using 644 or 755 as a create mask - I don't want that. The directories set in locale/Documents are all set at 775, and I don't want to change that.
drwxrwxr-x 5 locale locale 4096 mars 3 09:19 . drwxr-xr-x 19 locale locale 4096 mars 3 09:27 .. drwxrwxr-x 19 locale locale 4096 mars 1 23:53 gameserver
John is of course part of the locale group. So I should not be a problem to write in the folder right ? After all, it works like that for my FTP.
What I should do ? I am really forced to go full on 777 on my folder in order to make this thing work ?
Thanks.
Ok, figured it out. It wasn't in my samba settings. The error was actually in how I was "permanently" mounting my samba share.
I was doing:
//192.168.1.11/craig /home/craig/musicServer cifs username=craig,password=MYPASSWORD 0 0
but I needed
//192.168.1.11/craig /home/craig/musicServer cifs username=craig,password=MYPASSWORD,file_mode=0777,dir_mode=0777 0 0
Adding both file_mode and dir_mode solved it.
The difference in owner printout is probably due to different UID/GID you have on your local and remote machines.
You can use noperm option at mount instead (no need for file_mode or dir_mode). This option turns off the local file permission check (so UID/GID inconsistency will be okay) and assume the remote identity you authenticated at mount. Remote access control is still enforced.
To access the samba share, please pay attention to:
- You had to create a system user with the same username. In this case, please issue the following command:
useradd -s /sbin/nologin benjamin - If you are using a SELINUX-enabled system (eg: CentOS), try to temporarily disable it issuing
setenforce 0
EDIT: as the problem persists, try the following:
- maybe your Windows host is prepending your username with the wrong domain name. From the Windows machine, try to login using
localhost\benjaminas the username - issue
pdbedit -Land check if userbenjaminis listed. If so, set a trivial password (you can change it later) usingsmbpasswd benjamin - if user
benjaminis not listed, try to recreate it issuingsmbpasswd -a benjamin - if it does not work, delete the passwd file (it is named
passwd.tdb; for reference, in a CentOS 6.x system it is found under/var/lib/samba/private/). Then, recreate your user issuingsmbpasswd -a benjamin - if it still not working, try to use the root account issuing
smbpasswd -a rootand check if you can login using the root user. Note: this is only a try. After having done with it, you must delete root's entry issuingsmbpasswd -x root - Your last resort is to increase the verbosity of logging and see if you can find clues there. For authentication attempts, edit or add the following line on your smb.conf
log level = 2 winbind:5, check the logs with something liketail -f /var/log/samba/log*and try to login.
It is possible you need to add the user in question to your smb service in linux
sudo smbpasswd -a myuser
The problem is not the Samba share but a new security setting under Windows 10. They specifically made it so that you cannot bypass this behaviour from the Samba side. They explain why under the section Cause.
Symptoms
In Windows 10, Windows Server 2019, or Windows Server 2016, the SMB2 client no longer allows the following actions:
- Guest account access to a remote server.
- Fall back to the Guest account after invalid credentials are provided.
SMBv2 has the following behavior in these versions of Windows:
- Windows 10 Enterprise and Windows 10 Education no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
- Windows Server 2016 Datacenter and Standard editions no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
- Windows 10 Home and Professional editions are unchanged from their previous default behavior.
If you try to connect to devices that request credentials of a guest instead of appropriate authenticated principals, you may receive the following error message:
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
and
Cause
This change in default behavior is by design and is recommended by Microsoft for security.
A malicious computer that impersonates a legitimate file server could allow users to connect as guests without their knowledge. Microsoft recommends that you do not change this default setting. If a remote device is configured to use guest credentials, an administrator should disable guest access to that remote device and configure correct authentication and authorization.
Windows and Windows Server have not enabled guest access or allowed remote users to connect as guest or anonymous users since Windows 2000. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems do not.
and
Resolution
If you want to enable insecure guest access, you can configure the following Group Policy settings:
- Open the Local Group Policy Editor (gpedit.msc).
- In the console tree, select Computer Configuration > Administrative Templates > Network > Lanman Workstation.
- For the setting, right-click Enable insecure guest logons and select Edit.
- Select Enabled and select OK.
Source
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
If you assign the "Everyone" role with Read or Read/Write it will allow you to connect without authenticating. Also remember the Share permissions don't override the NTFS permissions for files, so assign Everyone to Read/Write on the folders too (not just the share permissions).
Here's a tutorial https://websiteforstudents.com/create-shares-everyone-full-access-windows-10-server/
For Fedora 25, I am not familiar with fedora version numbers but I am with RHEL/Centos 7.x If you have selinux enabled by default, you might try as root setenforce 0 to temporarily put selinux into permissive mode until next reboot, see if this allows samba access to work. If so then it's a selinux problem, and in RHEL/Centos there is etc/samba/smb.conf.example which explains the samba related selinux commands needed to allow samba shares to work with selinux set to enforcing.
For your version of fedora, I would work off the /etc/samba/smb.conf.example.
for reference here is my working smb.conf from an older version of samba showing what i believe is the minimum required to get it to work. If you go too restrictive with settings then you can prevent a successful connection so sometimes it's best to not specify which generally means allow for all.
In your [myshare] take out allow hosts and valid users. Once samba working then consider adding restrictive measures like these as necessary.
[global]
# min protocol = SMB1 needed for winxp
min protocol = SMB1
# max protocol SMB2 needed to work with win10, unspecified for this older version of samba is smb1.
max protocol = SMB2
security = user
passdb backend = tdbsam
# map to guest = never prevents popup option, bad user allows popup in windows
map to guest = Bad User
[data]
path = /data
read only = No
# guest ok = no
# create mask = 660
# directory mask = 770
with guest ok = no, and map to guest bad user, will allow popup in windows giving anyone a chance to enter correct linux username and pw. map to guest never prevents popup, meaning the username of the windows user has to be the same as a valid local user in linux, per security=user. You likely do not need min/max protocol specified, I do in samba version 3.6. I don't know what verion of samba u have in fedora 25, if it's samba 3.x then try specifying the min/max protocol.
don't forget to do smbpasswd -a <username on your linux system.
I have a system that allows WinXP and Win7 to access samba as guests. A few entries that may help are:
[global]
security = user
null passwords = yes
map to guest = Bad Password
guest ok = Yes
I am using wide open shares on a trusted lan.