DietPi: Samba server - Permission problem

Created on 4 Aug 2018  ·  8 Comments  ·  Source: MichaIng/DietPi

Creating a bug report/issue:

Required Information:

  • DietPi version 6.12
  • Distro version stretch
  • Kernel version Linux DietPi 4.14.32+ #1 SMP PREEMPT Thu Apr 5 12:46:33 UTC 2018 armv7l GNU/Linux

  • SBC device Odroid XU4

  • Power supply used 5V 4A
  • SDcard used SanDisk ultra

Additional Information (if applicable):

  • Software title SAMBA-Server
  • Was the software title installed freshly or updated/migrated? FRESHLY
  • Can this issue be replicated on a fresh installation of DietPi? YES

  • Bug report sent, reference code: 68298967-4506-4406-8e36-bc559bb039c4

Steps to reproduce:

I install DietPi on my Odroid XU4 freshly.
Install Samba with dietpi-software.
Try to connect to "standard" Samba share "dietpi" where "valid users = root" in smb.conf from Ubuntu 18.04.1 LTS or Windows 10 => works with \\DIETPI-IP\dietpi on Windows and with GUI in Ubuntu.
Change the user to "valid users = dietpi" in smb.conf, try to connect from Ubuntu or Windows => doesn't work.
Change /mnt to 777 and chmod -R 777 dietpi_userdata, but still no connection.
Do: chown dietpi:dietpi /mnt => still no connection.
Tried with another USB drive (mounted through dietpi-config) and other users, which were created on the system, and also other shares in smb.conf, but same problem.

Expected behaviour:

When I make my own Samba shares and my own local users, which have permission for the share, I should get a connection to this share using this specific user.

Actual behaviour:

The connection seems only to work, when user "root" is allowed and being used for the samba-share.
Other users won't work.

Extra details:

Also tried this in Ubuntu, but didn't help:

https://ubuntuforums.org/showthread.php?t=2390873

client max protocol = NT1

Before this new installation, I had DietPi Jessie and everything worked without problems.
I faced this behavior when I tried to install Stretch.

All 8 comments

@redone101

Change the user "valid users = dietpi" in smb.conf, try to connect from Ubuntu or Windows => doesn't work.

Hi, thanks for the report 👍

I'll do some local testing and see if we can find a solution for non-root.

@redone101

This worked for me, you need to create a samba user/password:

#"valid users = dietpi" in smb.conf

smbpasswd -a dietpi
#New SMB password:
#Retype new SMB password:
#Added user dietpi.

#restart services
dietpi-services restart

Mmm, there must be a way to use the current linux user password for login details, leave it with me.

EDIT: can't see a way to achieve this, it appears both the Linux user and smbpasswd user must exist:
https://askubuntu.com/questions/208013/how-can-i-set-up-samba-shares-to-only-be-accessed-by-certain-users

🈯️ https://dietpi.com/phpbb/viewtopic.php?f=8&t=5&p=56#p56 I'll add the above information to our online doc.

Marking as completed with tested workaround (https://github.com/Fourdee/DietPi/issues/1991#issuecomment-410505982).

@redone101

If problems still persist, please let us know, however, the above should allow you to change the Samba user as needed.

@Fourdee
I think we should only add a single user by default, at best "dietpi" or even a new "samba" user, and not allow root here. Otherwise, if I understand it right, we allow to get root access by using the global password, which should have been changed already by end user on first startup. Having two different users set up with the same global, clear text within dietpi.txt, password, could be confusing and a security risk, if users don't know about them (?).
Of course it is a bit difficult to have a good security vs usability share with "samba" user by default then, but I think anyway most users will configure it then as they need.

E.g. allow read access to "samba" only for /mnt/dietpi_userdata, as we have raw database and other critical software data there, that you don't want to touch accidentally by external access.
Create a separate samba_upload folder or similar for this, where samba user has full permissions. Also the Music/Videos/Pictures/downloads folders can be 660 (664?) permissions e.g. to allow samba r/w access by adding it to "dietpi" group.

@MichaIng

Having two different users set up with the same global, clear text within dietpi.txt, password, could be confusing and a security risk, if users don't know about them (?).

Yep, i'll disable the root user, stick with dietpi.

E.g. allow read access to "samba" only for /mnt/dietpi_userdata, as we have raw database and other critical software data there, that you don't want to touch accidentally by external access.
Create a separate samba_upload folder or similar for this, where samba user has full permissions. Also the Music/Videos/Pictures/downloads folders can be 660 (664?) permissions e.g. to allow samba r/w access by adding it to "dietpi" group.

Makes sense, however, this over-complicates a system we try to simplify for the user. From my experience, our users simply want "things to work" without multiple user accounts and additional settings to apply.
However, advanced users who want to further tweak items, can (and will) do so afterwards.

The info to change password and add new users is now in the Samba online doc anyway: https://dietpi.com/phpbb/viewtopic.php?f=8&t=5&start=10#p56

, that you don't want to touch accidentally by external access.

edit:

mmmm, if we change this for samba, we'd need to do the same for proftpd and all other items. I'd personally rather just give the required access to everything under /mnt/dietpi_userdata. Yes, accidents could happen, however, we need to put some trust in the user and not cripple them?

@Fourdee
Yeah, reasonable, different run users do not make it more complicated for the end user, but different/new login users do. Having "dietpi" as default login user, where possible, also helps to make users aware of this existing beside "root".
And the database issue is, I think, none, as the mysql dir is owned by mysql user and thus dietpi should only have read permissions on it, or even none? chmod 640 at least makes sense there, or even 600, which does not make any practical difference if no other user was added to mysql group.

I'll mark this as closed as the:

Hello,
thank you for your replies and sorry for the late response.
The workaround with the smbpasswd command works for me (yay)!
Even if I add a new user, I can still access the Samba share, as long as I use the smbpasswd command for that user.
The confusing thing for me was that I didn't have to do that in the previous DietPi version (Jessie).
Therefore I didn't come up with the idea to try the smbpasswd command.
As for the dietpi user: I was just using it to test the connection to the Samba share.
Now that it works as expected, I will add additional users and use an extra USB drive as Samba share. So I will not have to set any extra permissions on /mnt, as I am going to mount the drive on a different filesystem/mountpoint.
Thanks again for your help! :)
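
Added example (not part of the thread and not DietPi's own code): a small audit of the two conditions discussed above, a `valid users` name that has no Samba password database entry (the cause of the failed logins, fixed with `smbpasswd -a`) and `root` being permitted on a share. The `[backup]` share, the user `alice`, the group `staff` and both sample inputs are constructed; on a real system, feed it the contents of `/etc/samba/smb.conf` and the output of `pdbedit -L`.

```python
import re

# Constructed sample smb.conf; [dietpi] uses the share name and path from the thread.
SAMPLE_SMB_CONF = """\
[global]
    security = user
[dietpi]
    path = /mnt/dietpi_userdata
    valid users = dietpi
[backup]
    path = /mnt/backup
    Valid Users = root, alice @staff
"""
# Constructed sample of `pdbedit -L` output (one "user:uid:full name" line per entry).
SAMPLE_PDBEDIT = "root:0:root\nalice:1001:\n"

def parse_valid_users(conf_text):
    """Return {share: [names]} for every section that sets 'valid users'."""
    shares, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # Samba ignores case and whitespace in parameter names.
        if sep and section and re.sub(r"\s+", "", key).lower() == "validusers":
            shares[section] = [n for n in re.split(r"[,\s]+", value.strip()) if n]
    return shares

def passdb_users(pdbedit_output):
    """Return the set of account names listed in `pdbedit -L` output."""
    return {l.split(":", 1)[0] for l in pdbedit_output.splitlines() if l.strip()}

def audit(conf_text, pdbedit_output):
    """Return (share, user, problem) tuples for risky or non-working entries."""
    known, findings = passdb_users(pdbedit_output), []
    for share, names in parse_valid_users(conf_text).items():
        for name in names:
            if name[0] in "@+&":  # group reference, not checked here
                continue
            if name == "root":
                findings.append((share, name, "root allowed over SMB"))
            if name not in known:
                findings.append((share, name, "no Samba password entry"))
    return findings

if __name__ == "__main__":
    for share, user, problem in audit(SAMPLE_SMB_CONF, SAMPLE_PDBEDIT):
        print(f"[{share}] {user}: {problem}")
```
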
