Resolved
1 votes
Hi all,

I may have created an unexpected situation, but from my point of view it's normal.
I want to have 2 different accesses to the same content (huge) like videos.
So I need 2 flexshares:

  1. first Read-Write for me only
  2. second Read-Only for everyone logged in


So I've used bind mounts this way:
# LVM disks
/dev/WD_Group/Store /store/lv_store ext4 defaults 1 3
# Bind Mount : Store
/store/lv_store/divx /var/flexshare/shares/films none bind,rw 0 0
# Read-Only
/store/lv_store/divx /var/flexshare/shares/divx none bind,rw 0 0
/store/lv_store/divx /var/flexshare/shares/divx none remount,ro,bind 0 0

which works fine :
[root@home store]# cat /proc/mounts | grep tor
/dev/mapper/WD_Group-Store /var/flexshare/shares/films ext4 rw,relatime,data=ordered 0 0
/dev/mapper/WD_Group-Store /var/flexshare/shares/divx ext4 ro,relatime,data=ordered 0 0


The flexshare configuration (flexshare.conf) is OK :
<Share divx>
FileEnabled=1
FileAuditLog=0
FileRecycleBin=0
FilePermission=1
FileBrowseable=1
FileModified=1457711031
FileComment=Films Read Only
ShareSystemPermissions=0770
ShareDescription=Films Read Only
ShareGroup=maison
ShareCreated=1457711013
ShareModified=1457711013
ShareEnabled=1
ShareDir=/var/flexshare/shares/divx
ShareInternal=
</Share>
<Share films>
FileEnabled=1
FileAuditLog=0
FileRecycleBin=0
FilePermission=4
FileBrowseable=1
FileModified=1457711072
FileComment=Mes films
ShareSystemPermissions=0770
ShareDescription=Mes films
ShareGroup=moi
ShareCreated=1457711056
ShareModified=1457711056
ShareEnabled=1
ShareDir=/var/flexshare/shares/films
ShareInternal=
</Share>


BUT I can connect to only one share. I'm being rejected when connecting to the other share. I need to restart the smb service in order to log in again and get access to the second share.
So I can get access only to the films share or the divx share, but not both.
What I expected was to get access to both:

  • films : Read-Write
  • divx : Read-Only

What did I miss? Is it possible?

Thanks in advance for your help.
Tuesday, July 11 2017, 10:33 PM
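
A check for the setup described in this post, as an added example that is not part of the original post: it reads /proc/mounts text and reports which share paths are backed by the same device and whether each one is mounted ro or rw. The sample input is the two lines quoted above; the function names and the SHARE_ROOT constant are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample: the two /proc/mounts lines quoted in the post.
SAMPLE_MOUNTS = """\
/dev/mapper/WD_Group-Store /var/flexshare/shares/films ext4 rw,relatime,data=ordered 0 0
/dev/mapper/WD_Group-Store /var/flexshare/shares/divx ext4 ro,relatime,data=ordered 0 0
"""

SHARE_ROOT = "/var/flexshare/shares/"  # assumption: all shares live under this prefix


def parse_mounts(text):
    """Return a list of (device, mountpoint, options_set) from /proc/mounts text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        device, mountpoint, _fstype, options = fields[:4]
        # /proc/mounts escapes spaces in paths as \040
        mountpoint = mountpoint.replace("\\040", " ")
        entries.append((device, mountpoint, set(options.split(","))))
    return entries


def share_mount_report(text, share_root=SHARE_ROOT):
    """Map each device to {share_path: 'ro'|'rw'} for mounts under share_root."""
    report = defaultdict(dict)
    for device, mountpoint, options in parse_mounts(text):
        if mountpoint.startswith(share_root):
            # A later line for the same mountpoint overrides the earlier one.
            report[device][mountpoint] = "ro" if "ro" in options else "rw"
    return dict(report)


def overlapping_shares(text, share_root=SHARE_ROOT):
    """Devices that back more than one share path. Same device does not prove
    the same subtree; /proc/self/mountinfo has the per-mount root for that."""
    return {dev: paths for dev, paths in share_mount_report(text, share_root).items()
            if len(paths) > 1}


def is_enforced_readonly(text, path):
    """True only if path is itself a mount point and its last entry carries 'ro'."""
    state = None
    for _dev, mountpoint, options in parse_mounts(text):
        if mountpoint == path:
            state = "ro" in options
    return bool(state)


if __name__ == "__main__":
    for dev, paths in overlapping_shares(SAMPLE_MOUNTS).items():
        print(dev, paths)
```

On a live system, pass the contents of /proc/mounts instead of SAMPLE_MOUNTS.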
Responses (13)
  • Accepted Answer

    Thursday, July 13 2017, 03:43 PM - #Permalink
    Resolved
    0 votes
    No problem ;-), your original idea was very useful in the end. I've got an editable flexshare. I just do not have OS-level read-only protection, but now I can wait to find a solution...
  • Accepted Answer

    Thursday, July 13 2017, 03:37 PM - #Permalink
    Resolved
    0 votes
    I read your previous post too quickly! I immediately thought you were editing /etc/samba/flexshare.conf.
  • Accepted Answer

    Thursday, July 13 2017, 02:50 PM - #Permalink
    Resolved
    0 votes
    Hi,

    I agree but this is true for the file /etc/samba/flexshare.conf
    [divx]
    path = /var/flexshare/shares/divx
    comment = Films Read Only
    browseable = Yes
    guest ok = No
    directory mask = 0775
    create mask = 0664
    valid users = @"%D\maison", @maison
    veto files = /.flexshare*/


    The file I'm talking about is: /etc/clearos/flexshare.conf
    <Share divx>
    FileEnabled=1
    FileAuditLog=0
    FileRecycleBin=0
    FilePermission=1
    FileBrowseable=1
    FileModified=1499954487
    FileComment=Films Read Only
    ShareSystemPermissions=0770
    ShareDescription=Films Read Only
    ShareGroup=maison
    ShareCreated=1457711013
    ShareModified=1457711013
    ShareEnabled=1
    ShareDir=/var/flexshare/shares/divx
    ShareInternal=
    </Share>


    The only thing I change is ShareDir=/var/flexshare/shares/divx to ShareDir=/var/flexshare/shares/films
    This field is not editable in webconfig; it is based on the flexshare name "divx" and is built at flexshare creation.
    I've used webconfig to change the flexshare and everything is fine.
    But you're right, in the future it might change; that's why I suggested to: Remove /var/flexshare/shares/New flexshare in order to prevent the samba flexshare from working if the config returns to the original folder.

    I hope it's a little bit clearer?
  • Accepted Answer

    Thursday, July 13 2017, 02:39 PM - #Permalink
    Resolved
    0 votes
    Taryck BENSIALI wrote:

    A better workaround was to :

    1. Create a new Flexshare :
    2. Edit /etc/clearos/flexshare.conf to change ShareDir=/var/flexshare/shares/ New flexshare to existing flexshare (to set as read only)
    3. Remove /var/flexshare/shares/ New flexshare


    With that I do not need to edit smb.conf
    I'm afraid that is quite dangerous. Unless something has changed recently, every time you make any change to any flexshare definition in the Webconfig, the file is rewritten and it will remove your manual edits. This is why I pulled the new share out into a separate file.
  • Accepted Answer

    Thursday, July 13 2017, 02:30 PM - #Permalink
    Resolved
    0 votes
    A better workaround was to :

    1. Create a new Flexshare :
    2. Edit /etc/clearos/flexshare.conf to change ShareDir=/var/flexshare/shares/ New flexshare to existing flexshare (to set as read only)
    3. Remove /var/flexshare/shares/ New flexshare


    With that I do not need to edit smb.conf
  • Accepted Answer

    Thursday, July 13 2017, 02:06 PM - #Permalink
    Resolved
    0 votes
    Hi,

    I did the test and it works. At least it's a workaround solution...
  • Accepted Answer

    Wednesday, July 12 2017, 07:05 PM - #Permalink
    Resolved
    0 votes
    OK, I understood, but in such a situation you can't edit with webconfig.... and samba is the only read-only protection...
    I'll try; not sure it works but it's worth a try. Thanks for this suggestion...
  • Accepted Answer

    Wednesday, July 12 2017, 06:27 PM - #Permalink
    Resolved
    0 votes
    I did not fully test. You can't do it directly through the flexshare system. What you can do is clone the flexshare definition into another file, say /etc/samba/myshares.conf and just change the relevant bits. Add a line to /etc/samba/smb.conf which says "include = /etc/samba/myshares.conf" and restart samba. I add my line directly below the "include = /etc/samba/flexshare.conf" line. The webconfig will leave this definition alone.

    It won't get round your other issue of o/s level read only control.
  • Accepted Answer

    Wednesday, July 12 2017, 05:31 PM - #Permalink
    Resolved
    0 votes
    Well, the 1st reason is that I don't know how to make 2 flexshare shares point to the same location without a bind mount. May I use a symbolic link?
    2nd, I want to ensure at OS level that read-only is enforced, because I'll connect some sync tools like google photo sync that are not well documented and might want to delete files.
    On a read-only mount point, even if you are root you can't delete or modify files....

    If by
    Can you not define the share "divx" exactly the same as the share "films" except that you make the divx share read only and change the sharegroup through the webconfig?
    you mean
    Even if I mount (bind) RW it's KO.
    , if I've not understood well then it should be the 1st reason :-)
  • Accepted Answer

    Wednesday, July 12 2017, 05:19 PM - #Permalink
    Resolved
    0 votes
    Can I ask why you are trying to configure the flexshares like this? Can you not define the share "divx" exactly the same as the share "films" except that you make the divx share read only and change the sharegroup through the webconfig? There is no need for bind mounts or anything like that.
  • Accepted Answer

    Wednesday, July 12 2017, 12:04 AM - #Permalink
    Resolved
    0 votes
    After increasing the log level to 99 I get this clue:
    [2017/07/12 01:40:01.084967,  5, pid=12089, effective(2000, 63000), real(2000, 0)] ../source3/smbd/filename.c:867(unix_convert)
    New file desktop.ini
    [2017/07/12 01:40:01.084995, 8, pid=12089, effective(2000, 63000), real(2000, 0)] ../source3/lib/util.c:1001(is_in_path)
    is_in_path: desktop.ini
    [2017/07/12 01:40:01.085025, 8, pid=12089, effective(2000, 63000), real(2000, 0)] ../source3/lib/util.c:1025(is_in_path)
    is_in_path: match not found
    [2017/07/12 01:40:01.085053, 10, pid=12089, effective(2000, 63000), real(2000, 0), class=vfs] ../source3/smbd/vfs.c:1160(check_reduced_name)
    check_reduced_name: check_reduced_name [desktop.ini] [/var/flexshare/shares/films]
    [2017/07/12 01:40:01.085095, 10, pid=12089, effective(2000, 63000), real(2000, 0), class=vfs] ../source3/smbd/vfs.c:1220(check_reduced_name)
    check_reduced_name realpath [desktop.ini] -> [/var/flexshare/shares/divx/desktop.ini]
    [2017/07/12 01:40:01.085125, 2, pid=12089, effective(2000, 63000), real(2000, 0), class=vfs] ../source3/smbd/vfs.c:1265(check_reduced_name)
    check_reduced_name: Bad access attempt: desktop.ini is a symlink outside the share path
    conn_rootdir =/var/flexshare/shares/films
    resolved_name=/var/flexshare/shares/divx/desktop.ini
    [2017/07/12 01:40:01.085172, 5, pid=12089, effective(2000, 63000), real(2000, 0)] ../source3/smbd/filename.c:1073(check_name)
    check_name: name desktop.ini failed with NT_STATUS_ACCESS_DENIED
    [2017/07/12 01:40:01.085219, 3, pid=12089, effective(2000, 63000), real(2000, 0)] ../source3/smbd/filename.c:1426(filename_convert_internal)
    filename_convert_internal: check_name failed for name desktop.ini with NT_STATUS_ACCESS_DENIED
    [2017/07/12 01:40:01.085255, 50, pid=12089, effective(2000, 63000), real(2000, 0), class=tevent] ../lib/util/tevent_debug.c:66(samba_tevent_debug)
    s3_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2982d1f630
    [2017/07/12 01:40:01.085288, 50, pid=12089, effective(2000, 63000), real(2000, 0), class=tevent] ../lib/util/tevent_debug.c:66(samba_tevent_debug)
    s3_tevent: Cancel immediate event 0x7f2982d1f630 "tevent_req_trigger"
    [2017/07/12 01:40:01.085319, 3, pid=12089, effective(2000, 63000), real(2000, 0)] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
    smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:293
    [2017/07/12 01:40:01.085352, 10, pid=12089, effective(2000, 63000), real(2000, 0)] ../source3/smbd/smb2_server.c:2989(smbd_smb2_request_done_ex)
    smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3146

    The desktop.ini file seems to be dynamically created.. twice:
    check_reduced_name: check_reduced_name [desktop.ini] [/var/flexshare/shares/films]
    check_reduced_name realpath [desktop.ini] -> [/var/flexshare/shares/divx/desktop.ini]
    check_reduced_name: Bad access attempt: desktop.ini is a symlink outside the share path
    conn_rootdir =/var/flexshare/shares/films
    resolved_name=/var/flexshare/shares/divx/desktop.ini
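
The rejection in the log excerpt above can be pulled out mechanically. This added example (not part of the original post, and not Samba code) parses smbd log text and returns each check_reduced_name "Bad access attempt" with its conn_rootdir and resolved_name; the sample lines are copied from the excerpt and the function names are assumptions.

```python
import re

# Constructed sample: lines copied from the level-99 log excerpt in the post.
SAMPLE_LOG = """\
[2017/07/12 01:40:01.085125, 2, pid=12089, effective(2000, 63000), real(2000, 0), class=vfs] ../source3/smbd/vfs.c:1265(check_reduced_name)
  check_reduced_name: Bad access attempt: desktop.ini is a symlink outside the share path
  conn_rootdir =/var/flexshare/shares/films
  resolved_name=/var/flexshare/shares/divx/desktop.ini
[2017/07/12 01:40:01.085172, 5, pid=12089, effective(2000, 63000), real(2000, 0)] ../source3/smbd/filename.c:1073(check_name)
  check_name: name desktop.ini failed with NT_STATUS_ACCESS_DENIED
"""

# Header line: [timestamp, level, pid=N, ...] source_file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+,\s*pid=(?P<pid>\d+)"
                    r"[^\]]*\]\s+\S+\((?P<func>\w+)\)\s*$")
BAD_ACCESS = re.compile(r"Bad access attempt: (?P<name>.+?) is a symlink outside the share path")
KEY_VALUE = re.compile(r"^(conn_rootdir|resolved_name)\s*=\s*(.*)$")


def records(text):
    """Group the log into (header_fields, [message lines]) records."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = (m.groupdict(), [])
        elif current and line:
            current[1].append(line)
    if current:
        yield current


def share_path_rejections(text):
    """Return one dict per 'Bad access attempt' record, with both paths."""
    events = []
    for head, body in records(text):
        hit = BAD_ACCESS.search(" ".join(body))
        if head["func"] != "check_reduced_name" or not hit:
            continue
        event = {"ts": head["ts"], "pid": int(head["pid"]), "name": hit.group("name")}
        # Attach the conn_rootdir / resolved_name continuation lines.
        event.update(m.groups() for m in map(KEY_VALUE.match, body) if m)
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in share_path_rejections(SAMPLE_LOG):
        print(ev["ts"], ev["conn_rootdir"], "->", ev["resolved_name"])
```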
  • Accepted Answer

    Tuesday, July 11 2017, 11:16 PM - #Permalink
    Resolved
    0 votes
    The smb log file does not provide any interesting information.
    When I remove the RO bind mount:
    umount /var/flexshare/shares/divx

    it's OK.
    Even if I mount (bind) RW it's KO.
    From Windows' point of view, when I connect to 2 different shares it's like there is only ONE unique share and I'm prevented from logging in.

    This is the same in the shell:
    [root@home raid]# smbclient //ClearOS/divx -U taryck
    WARNING: The "syslog" option is deprecated
    Enter taryck's password:
    krb5_init_context failed (Invalid argument)
    smb_krb5_context_init_basic failed (Invalid argument)
    Domain=[HOME] OS=[Windows 6.1] Server=[Samba 4.4.4]
    tree connect failed: NT_STATUS_ACCESS_DENIED
  • Accepted Answer

    Tuesday, July 11 2017, 10:56 PM - #Permalink
    Resolved
    0 votes
    Interesting approach. I'll have to try this out at home and see what I can do.