Accessing flexshare

Offline

Accessing flexshare

Resolved

0 votes

Hello all,
Since a few days now, it's very difficult to access my flexshares from Windows computers.

I can connect to my server and it displays my flexshares but as sonn as I'd like to connect to a flexshare that is restricted to a group, I receive the information 'Connection refused'. for the flexshares which are open to 'allusers', no problems.
I had a look to the files directly and the owner of the folderas are 'flexshare'.
I tried restaring my samba, winbind services but still the same error. finally I tried to access my folders using different accounts and different groups but nothing succeed ..

Any idea on what I could try ?
Thanks to all for your help

PS : The only changed I saw is the Let's Encrypt certificate which has been renewed 2 weeks ago .. could it be the reason ?

Arnaud

In Windows Networking (Samba)

Monday, November 02 2020, 10:32 AM

Share this post:

Responses (16)

Accepted Answer
Nick Howitt

Offline
Wednesday, November 11 2020, 12:41 PM - #Permalink
Resolved

0 votes

I think that is a different issue? The exact issue I am trying to diagnose is where you can access a flexshare if the flexshare uses the group "allusers" but not if you use a user-defined group which the user belongs.
The reply is currently minimized Show
Accepted Answer
Arnaud Forster

Offline
Wednesday, November 11 2020, 11:43 AM - #Permalink
Resolved

0 votes

Hello Nick,
I've now another system with that problem ...

I made some tests and it seems that this happens on computers connected to the NT4 domain. I tried to connect to a flexshare with my personnal computer : a username / password has been requested and I could open my flexshare. With a computer connected to the domain and the same account ; I coudln't open my flexshare ...
Still making some tests ...
Thanks for your help
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Thursday, November 05 2020, 10:10 AM - #Permalink
Resolved

0 votes

PM sent.....
The reply is currently minimized Show
Accepted Answer
Arnaud Forster

Offline
Wednesday, November 04 2020, 10:31 AM - #Permalink
Resolved

0 votes

ok, thank you
Yes, it seems that the groups that are created by me are not recognized.
For the while, I found a workaround adding the user into the flexshare.conf file ... hopefully I just have a few users to add
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Wednesday, November 04 2020, 08:22 AM - #Permalink
Resolved

0 votes

Arnaud Forster wrote:
Did an update create this problem ?

Not to my knowledge. I saw it on one system in July and yours now. I just don't know why. I suspect something between Samba and OpenLDAP but I don't know.
The reply is currently minimized Show
Accepted Answer
Arnaud Forster

Offline
Wednesday, November 04 2020, 06:44 AM - #Permalink
Resolved

0 votes

Hello Nick,
Thanks for your help. Yes, this exactly the same behaviour you wrote :

[root@srv-cos ~]# smbclient //localhost/admin -c 'ls' -U emsp/haueterm Enter EMSP\haueterm's password: tree connect failed: NT_STATUS_ACCESS_DENIED

[root@srv-cos ~]# wbinfo --group-info='administration'
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group administration

[root@srv-cos ~]# wbinfo --group-info='allusers' allusers:x:63000:email-archive,varrind,forstera,flexshare,testuser,ecole,jeannerett,anoukg,guest,morettis,varrinp,gossing,cornuf,niam,haueterm

Did an update create this problem ?
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Tuesday, November 03 2020, 04:05 PM - #Permalink
Resolved

0 votes

This is sounding more and more like the other system I've seen.

At a guess, you get, when using group permissions:
[root@server ~]# smbclient //localhost/your_flexshare -c 'ls' -U your_domain/haueterm Enter your_domain\haueterm's password: tree connect failed: NT_STATUS_ACCESS_DENIED
And:
wbinfo --group-info='administration'
fails but:
wbinfo --group-info='allusers'
works.
The reply is currently minimized Show
Accepted Answer
Arnaud Forster

Offline
Tuesday, November 03 2020, 02:29 PM - #Permalink
Resolved

0 votes

Hello Nick,
Yes, I've another flexshare with the 'allusers' group and it works without any problem...
Thanks
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Monday, November 02 2020, 04:34 PM - #Permalink
Resolved

0 votes

Have you tried with the allusers group?
The reply is currently minimized Show
Accepted Answer
Arnaud Forster

Offline
Monday, November 02 2020, 04:28 PM - #Permalink
Resolved

0 votes

Hello Nick,
Yes I'm using a domain. I tried with user and domain\user but it didn't make any change
The computer is included in my domain ; and I tried with both type of computers. one in the domain and 1 not.
Thanks Nick
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Monday, November 02 2020, 01:19 PM - #Permalink
Resolved

0 votes

The change on the 21st would probably have been adding the user and group "wsdd".

Are you using a domain?
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Monday, November 02 2020, 01:16 PM - #Permalink
Resolved

0 votes

I'll bet it works with allusers as the group
The reply is currently minimized Show
Accepted Answer
Arnaud Forster

Offline
Monday, November 02 2020, 12:37 PM - #Permalink
Resolved

0 votes

So, I tried several solutions :

With the group :

valid users = %D\administration

valid users = administration

but none worked. Then I tied with a username :

valid users = haueterm

and this worked instantly
doesnt know why it dosent work with groupname ....
The reply is currently minimized Show
Accepted Answer
Arnaud Forster

Offline
Monday, November 02 2020, 12:10 PM - #Permalink
Resolved

0 votes

Hello Nick and thanks for your message.

the higher h've in etc/passwd is 999 : clearsync:x:999:998:ClearSync:/usr/sbin/clearsyncd:/bin/false
and in etc/group is 998 :clearsync:x:998:

Interseting is that both files have been modified on october 21 ...

I'm going to make a try with %D\administration and administration on their own

thanks Nick
The reply is currently minimized Show
Accepted Answer
Nick Howitt

Offline
Monday, November 02 2020, 11:33 AM - #Permalink
Resolved

0 votes

This one puzzles me and I may have seen it before but not on my system. The suspicion was a clash between users added by a third party package colliding with machine RIDs and is not something I understand.
Do you have anyone in /etc/passwd or /etc/group >= 1000

Are you using a domain on that server?

Rather than adding to the string, can you try simplifying it. Quotes should only be needed if there is a space in the group name, so you can remove them. Can you try %D\administration and administration on their own?
The reply is currently minimized Show
Accepted Answer
Arnaud Forster

Offline
Monday, November 02 2020, 11:00 AM - #Permalink
Resolved

0 votes

I made a new test by adding the user into the flexshare.conf file :

My user 'haueterm' belongs to the group 'administration' but had no access to my flexshare :

[2020/11/02 11:22:05.578694, 1] ../../source3/smbd/service.c:359(create_connection_session_info)
create_connection_session_info: user 'haueterm' (from session setup) not permitted to access this share (admin)

So I modified my flexshare.conf file and added directly the username in the following line :

valid users = @"%D\administration", @"administration", "haueterm"

Now it works. It seems that I can't give access to the group anymore but can to spectific user.... so maybe there's a problem linking the group members and the flexshare ?
any idea is welcomed....
The reply is currently minimized Show

Your Reply

Please login to post a reply

You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.

Community Forums

ClearOS Portal

ClearVM Platform

ClearVM 2 Platform

Forums