Have you been able to run Samba newer than 3.2.15 in Lion?

Discussion in 'Mac OS X Lion (10.7)' started by eduo, Feb 28, 2012.

  1. eduo macrumors member

    Joined:
    May 27, 2002
    Location:
    Mexico
    #1
    Hi, All.

    I have made a tool (called SMBUp) that is supposed to be a front-end for Samba for Lion. I made it mainly because a bunch of friends of mine have mediacenters or old devices that can only communicate through SMB1 and Lion's SMB implementation doesn't work for them.

    For this I have made an installer for Samba and its dependencies (my program allows the user to download and install it) but it's from the latest version supported by MacPorts (which is 3.2.15), a somewhat old one.

    This version has some issues with user group resolution so I've been trying to get a newer version to work, but I haven't had any luck. Newer versions either don't compile or crash on startup.

    So, my question is twofold. Either/or:

    1.-Have you been able to run MacPorts Samba version (3.2.15) in authentication mode? (guest mode works OK) If so, how did you manage to do so?

    2.-Have you been able to compile/run a newer version of Samba in Lion where authentication (not only guest access) works? If so, how did you do it, did you modify MacPorts or Homebrew for it?
     
  2. phobox macrumors member

    Joined:
    Dec 25, 2007
    #2
    I run Samba here from MacPorts and I have no issues with authentication. Its all about how you have it configured. There are various auth options available to you, but personally Im using the simplest method which is to use the smbpasswd backend. This can be specified in the configuration file with:

    passdb backend = smbpasswd

    You will then need to run the smbpasswd tool to setup the user and password. View its man page for more info on that. Once that is all setup correctly, you can specify which users/groups have what access to your shares on an individual basis.

    Just as a side note, regarding the crashing you experienced with later versions, you might try starting the smbd with the -l switch and specify a path for it to store its logs, that way you can see what is causing the crash by examining the logs. Also Samba4 is available on macports but I havent tried installing it myself, Im quite content with the current version.
     
  3. eduo thread starter macrumors member

    Joined:
    May 27, 2002
    Location:
    Mexico
    #3
    Hi. Thanks for answering.

    I should've clarified I can run authenticated to a degree. By leaving the default "security = share" I can store usernames and passwords with smbpasswd and it can authenticate. As long as:

    1.-The users from smbpasswd exist in the system (can't create ad-hoc smbpasswd users not already in Lion)
    2.-The default user (the default admin) won't ever work (this is the one that has group problems).

    When you say you use smbpasswd as the pass backend aren't you just using the default? Does it work for the default system account? If so, what do you use as your "security" entry in smb.conf?

    I can see that by default "passdb backend = tdbsam", so I'll try this change anyway

    Can you share your smb.conf? Feel free to edit it for privacy. But it would provide an ideal working starting point.

    I currently can connect authenticating with any user but my own. The problem with this approach is that most users have only one account in their systems so it's not an ideal solution.

    I currently store all logs. This is a hard core dump, without any useable information logged. I've been analyzing the stack traces and the debug logs but it's not too straightforward and I haven't really put as much time as I would need to, I'm still trying to find information out there so I can avoid that step :D
     
  4. phobox macrumors member

    Joined:
    Dec 25, 2007
    #4
    You need to set the passwd backend to smbpasswd and set the security mode to user. You will then be able to authenticate with any user in the system, including your current one. You will not however be able to create ad-hoc users using smbpasswd that dont already exist in the system. smbpasswd requires the user to exist under unix (which under OSX Lion is all handled by open directory). Once you've modified your config file as above, do one of the following:

    to enable authenticating with your current user, simply type smbpasswd. That will allow you set the samba password for the currently logged in user.

    to enable authenticating with another user in the system, type:

    sudo smbpasswd -a (username)

    Reply back here if you continue to have issues after this.
     
  5. eduo thread starter macrumors member

    Joined:
    May 27, 2002
    Location:
    Mexico
    #5
    Hi, Phobox.

    I assume you mean to say "passdb backend", not "passwd backend".

    This is currently my GLOBAL section:

    Code:
    [global]
            dos charset = CP437
            display charset = UTF-8
            netbios name = TESTSMBUP
            server string = Samba %v on %L
            map to guest = Bad User
            log file = /var/log/samba.log.%m
            max log size = 50
            debug timestamp = No
            debug pid = Yes
            smb ports = 445
            max xmit = 131072
            os level = 2
            dns proxy = No
            ea support = Yes
            veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Foder/.AppleDouble/.bin/.AppleDesktop/._*/
            mangled names = No
            wide links = No
            security = user
            passdb backend = smbpasswd
    
    Three users had been "activated" (created) in smbpasswd. One for the main admin user, the other two a "normal" user and an admin user.

    For the latter two I can open all shares, authenticated, with their correct permissions. For my user I can't validate. For them I can open even their home directories, but not for my own.

    This is a common problem in all Samba 3.2.15 implementations from MacPorts and it was my understanding it's unavoidable due to problems with the handling of groups in Lion, something Samba has acknowdledged.

    If I try to set the smbpasswd of all users with sudo (as root) I can. But my own user (the default admin user of the system) never works. From what I've seen around (e.g. ref0, ref1, ref2 ) this is a common problem with Lion, as groups can easily spill over the 16 maximum limit.

    If you try to connect you get an error with my user, not with any other.

    In the samba logs, if enabled, the error is
    Code:
    UNIX token of user 0
    Primary group is 0 and contains 0 supplementary groups
    You can see this yourself:

    Code:
    smbd -S -F -d 10 | grep groups
    get_current_groups: user is in 16 groups: 501, 401, 103, 502, 101, 403, 9, 12, 33, 61, 80, 98, 100, 204, 105, 102
    Primary group is 0 and contains 0 supplementary groups
     
  6. phobox macrumors member

    Joined:
    Dec 25, 2007
    #6
    My apologies, yes I did mean smbpassdb. This is what happens when I type too fast and Im in a rush :p

    The results you've shown are interesting. Having just had a quick look with the unix 'groups' command, as well as the smbd command you provided it seems my user is in only 12 groups. Could you do a 'groups' in terminal and paste me the results? Its probably not necessary for you to be in all 16, unless theres something specific about your setup, so we may be able to trim it. And yes, it does appear that the Lion >16 groups is the cause of the issues with Samba and it would explain why I dont see these issues.
     
  7. eduo thread starter macrumors member

    Joined:
    May 27, 2002
    Location:
    Mexico
    #7
    It's OK. I didn't need help with figuring out how to run Samba myself. I know I can remove myself from some groups and make it work. I was hoping you'd found a workaround to the issue, so I could propagate that to other places. This is currently the #1 problem with Samba on Lion for authenticated shares, and Samba has no special interest in getting it fixed (it had been fixed in 2007, but now any request to get the fix back in results in "It's Apple's problem" responses).

    So, the solution will continue being "only users with less than 16 groups can authenticate" :)
     
  8. phobox macrumors member

    Joined:
    Dec 25, 2007
    #8
    Well not knowing the specifics of what exactly causes the bug on a technical level, I shouldnt really comment too much. However it would seem to me that if the >16 groups issue can affect other platforms too with users belonging to 16 or more groups then it is in fact Samba's problem not Apple's. But hey, who am I :p

    I am curious however as to why on OSX some users are in 16 or more groups and some, like me, are not. Assuming the user has not done anything themselves with the users/group configuration on OSX, Im curious what is setup on peoples machines that causes this. What groups does your user belong to? I'd be interested to compare our results.
     
  9. eduo thread starter macrumors member

    Joined:
    May 27, 2002
    Location:
    Mexico
    #9
    I'm proficient enough technically to know what's causing the issue, but not proficient enough to fix it in the samba source. The problem is, oversimplifying, that the OS reports a maximum number of groups but when queried reports a bigger number. This is because Darwin has nested groups, pretty much. In Lion previous hacks stopped working.

    To be completely true, Apple is breaking with "tradition" here, even if it's not strictly breaking standards. This means that systems must have a Darwin-Specific workaround to work with OS X. The fact that it's still compliant is minor.

    I had assumed everyone had more than 16 groups for the main user in Lion (it seems pretty common in Lion, whereas it was sporadic in previous versions of OS X). Hence my excitement at knowing you didn't experience the problem.

    So, while now I know it doesn't happen to 100% of main OS X users, it's still a problem for those that do.

    Incidentally, it's a common issue. There're patches at some point in time for Python and several other packages to deal with this. The problem is especially bad for Samba as when the problem occurs it defaults to group 0, which is root and Samba will never serve anything as root.

    Thanks for your help, though. It did provide me with another piece of the puzzle.
     
  10. phobox macrumors member

    Joined:
    Dec 25, 2007
    #10
    Aha thank you for that info, it sheds some more light on the situation. I wonder why Apple chose to use nested groups? I guess only they can really answer that. I will keep up to date with any progress on the samba situation, Im very much reliant on samba here on Lion.. Apple's implementation is simply too lacking to be of any use to me at the moment.

    And Im glad my information was of some use to your efforts :)
     
  11. eduo thread starter macrumors member

    Joined:
    May 27, 2002
    Location:
    Mexico
    #11
    Easy (and silly). Darwin allows groups to be members of other groups (something Active Directory requires so it becomes a requirement if you want to enter the enterprise "properly" --microsoft-based enterprise networks, at least--).

    Before Lion, programs would get the "1st tier" groups associated with an account but from Lion onwards querying the user groups results in all groups. If you're member of "group1" and "group1" is a member of "group2" then you'll be shown as member of both.

    This problem was already licked before Lion, but all the moves to pure Cocoa and away from GNU libraries of all kinds mean, probably, that some of the basics behind these routines have been re-done, and we're getting years-old bugs resurfacing close enough to identify but not fix.

    Example:
    http://groups.google.com/group/macenterprise/msg/67a040b922068bd9

    Mention of the specific bug in the Samba list:
    https://lists.samba.org/archive/samba/2011-August/163821.html

    I'm glad to have brought up the groups limit, as it is HELL to isolate if you don't know about it and can't figure out why the system's main user can't share :D
     
  12. drlogic macrumors newbie

    Joined:
    May 20, 2012
    #12
    Hi Eduo,

    Any idea on how to remove the groups from users? I haven't managed to find a way to accomplish this. This post pretty much sums up what I've tried

    http://apple.stackexchange.com/questions/47851/how-to-remove-group-membership-from-user-using-the-lion-terminal

    I have been through various solutions trying to get Samba working on OS X Lion Server.

    I've so far tried DAVE (only local users can authenticate), SMBUp, MacPorts, Brew (the last 3 all come up against 16 group limit).

    My current working solution is having Debian run Samba in VirtualBox!

    If I can create users specifically for Samba on my Mac, remove groups and then add them on the Samba side with smbpasswd -a then I should be all good.
    Thanks,

    Roman
     
  13. eduo thread starter macrumors member

    Joined:
    May 27, 2002
    Location:
    Mexico
    #13
    Code:
    sudo dscl . delete /Groups/groupname GroupMembership shortusername
    This doesn't work for all groups, though. It works for unix-style groups but for OS-created groups it tends to error out.

    Thing is, there are at least five ways a user can be a member of a group in OS X. You have the user's groups by user and user ID, by UUID, inherited from other groups (and those groups' groups) and even automatically assigned by the system (groups like "everyone", of which you can't ever "unsubscribe".

    Fantastic summary, here: http://superuser.com/a/395738/135215

    You've been through two solutions only. Dave and Samba. Macports, SMBUp and Brew all install Samba (SMBUp actually installs Macports' version), SMBUp only provides a front-end.

    The problem, really, is that OS X is choosing a creative way to interpret a standard and the variable for how many groups can a user be part of is reported as 16 (pretty common Unix limit) but this is false, as OS X can assign secondary groups through additional means (strictly speaking, each of those 16 can in turn inherit 16 more, and so on). Most brand-new, non-admin users have 7 or so, but admin users start with 14 or so, and a lot of things create new groups (sharing disks, installing software like Boinc or Mysql, etc., all of which are then inherited by admin users).

    For example, there are some groups starting with com.apple.sharepoint.n where "n" is a number. Each shared drive in your system (using OSX's built-in sharing methods) creates its own group to manage its members. You can't delete these groups.

    You can't. Samba has never allowed non-system users to log into shares. You can create non-users and use those but you can't create any user you want. At least not in OS X.

    The reason for this is clear: Permissions needs to be properly assigned, and if the users are not in the system then permissions can't be set.
     
  14. distronic macrumors newbie

    Joined:
    Feb 26, 2010
    #14
    Creating a User belonging to less than 15 Groups

    Hi Eduo,

    Is there a method to creating a user with less than 15 group memberships? I tried to use SMBUp this weekend and everything is fine up until I start trying to add users to shares. Even with a brand new user that is added and not showing group membership to any group (in Server app, 10.8.3), I still get the message that the user I am adding to the share in SMBUp belongs to more than 15 groups. I read the part about how Mac OS X will report this number creatively in at least 5 different ways.

    In short, I want to be able to do what drlogic was trying to do: create user accounts specifically for use with Windows clients and SMB. Thank you very much in advance!
     
  15. jorks macrumors newbie

    Joined:
    Jun 5, 2011
    Location:
    Melbourne, VIC, Australia
    #15
    Hi,

    I am also running OSX Server 10.8.3 and am also having the same issues with users having too many groups. Has a work around for this been found?

    I'm happy for every user to use the same authentication details. I just cant create a user that has less that 15 groups.

    Cheers
     
  16. eduo thread starter macrumors member

    Joined:
    May 27, 2002
    Location:
    Mexico
    #16
    For some reason I never received notifications of these replies.

    To this date no path for Samba 3 seems to solve the 16 groups problem. I haven't tested Samba 4 because I've stopped trying to get the Samba group to pay attention to Mac OS X (I can only imagine they are making OS X Samba users pay for the perceived slight Apple paid them) when I go to them to ask about a bug in that version.

    You can, nonetheless, create sharing-only users in the Accounts control panel. These sharing-only users can have permissions assigned to them and then those same users can be created in Samba with sudo smbpasswd -a username and smbpasswd -e username and they'll work perfectly.
     
  17. distronic macrumors newbie

    Joined:
    Feb 26, 2010
    #17
    Can't add additional users in SMBUp

    Eduo,

    Thanks for the reply. I was able to get around the limitation and prevent SMBUp from giving me the error messages by doing as you said: creating SMB-sharing only accounts through the Server app. After doing so, I edited the user and unchecked access to services which I did not need (all except for File Sharing).

    But now, I have another problem. Sometimes in SMBUp, I cannot add anymore users. When I click on Manage Users, I only see one or two entries. When I go to add a user and input a password, clicking the Add User button does not do anything. The name doesn't move down into the list and as far as I can tell, the user is unable to access the shares.

    My question is, is there a file I can edit to "clean up" or make sure there isn't anything wrong with it? I was able to get around this somehow by deleting the smbpasswd file in /opt/local/var/db/smb but now that I've just re-set up about 40 accounts, I'd rather not redo all that work. Any help is greatly appreciated!
     

Share This Page