Cannot mount samba drive for writing

OK, I'm stumped. I've done lots of samba mounts in the past, but I can't figure this one out. I have a new Samba 4.1.11 on a new Slackware64 14.1. My smb.conf is shown below. I'm mapping from a Windows 7 computer with user ID cantleys. I can mount homes OK (no password requested) and read and write to that directory. I can also mount webcontent (no password required), and can read, but not write. I get the error (on Windows) "W:\test.txt You don't have permission to save in this location. Contact the administrator to obtain permission."

This all worked with samba 3.5.8. I can't figure out what's wrong. smb.conf:
[global]
   workgroup = WORKGROUP
   server string = Cantleys Samba Server
   security = user
   load printers = no
   printcap name = /dev/null
   printing = bsd
   disable spoolss = yes
   guest account = guest
   log file = /var/log/samba.%m
   max log size = 50
   dns proxy = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0660

[webcontent]
   hosts allow = 192.168.2.
   path = /www/tomcat/webapps/cantleys/content
   writable = yes
   browsable = yes
   printable = no
   public = yes
   guest ok = yes
   guest only = yes
   create mask = 0660


Note that user 'cantleys' and user 'guest' are mapped to the same (/etc/passwd)

cantleys:x:1001:2000:Cantley's Auto Parts:/home/cantleys:/bin/bash
guest:x:1001:2000:Local Mapped Drive User:/home/cantleys:/bin/bash

Permissions on the webcontent directory and sub-files:
drwxrwsr-x  7 cantleys tomcat    4096 2015-03-29 15:42 ./
drwxrwsr-- 11 cantleys tomcat    4096 2014-09-09 23:57 ../
drwxrwsr-x  3 cantleys tomcat    4096 2014-03-31 14:15 Home\ Images/
drwxrwsr-x  2 mfoley   tomcat    4096 2015-02-27 16:31 Special\ of\ the\ Week/
drwxr-sr-x  2 cantleys tomcat    4096 2012-10-05 22:52 TcpView/
-rwxrwxr--  1 mfoley   tomcat  291606 2012-10-05 22:51 TcpView.zip*
drwxrws---  2 cantleys tomcat    4096 2015-03-03 14:09 repairable/
drwxrwsr-x  2 mfoley   tomcat    4096 2012-08-12 00:51 save/
-rw-r-----  1 root     tomcat 1058467 2014-12-16 19:04 saveRepairables.zip
-rw-rw-r--  1 cantleys tomcat   55296 2012-10-09 13:24 zeroPriceEngines.xls
-rw-rw-r--  1 cantleys tomcat   50176 2012-10-09 13:24 zeroPriceTransmissions.xls


What am I doing wrong?
Asked by: Mark

arnold Commented:
Try commenting out the guest only=yes to see what the effect is.

You have to check whether the path to the location is allowed access:

/www/
tomcat/
webapps/
cantleys/
content

Check whether SELinux is also what prevents the writes into this location.

What are the security (chmod) on the directory?
getfacl /www/tomcat/webapps/cantleys/content

Mark (Author) Commented:
"try commenting out the guest only=yes to see what the effect is."
The permissions on this folder are as shown in my initial posting listing the 'dot' folder, and they are the same as the permissions I had with Samba 3.5.8 when this all worked OK.

However, commenting out the "guest only=yes" did the trick! But, rather than just wave your wand and "poof", problem solved, can you give me any insight into why that worked? I've compared the 3.5.8 smb.conf and the 4.1.11 smb.conf. They are identical except in the 3.5.8 file I have "security = share" in the GLOBAL section and in the 4.1.11 config I have "security = user". When I run `testparm smb.conf-old` I get, "WARNING: Ignoring invalid value 'share' for parameter 'security'", which is undoubtedly why I changed that parameter.

Do you suppose this change of "security" parameters affects the "guest only" parameter?

arnold Commented:
You had two entries in /etc/passwd sharing the same UID but at the same time access from the Windows system is using one of the entries that likely exists both in the local /etc/passwd as well as in your samba AD/DC such that when it connects, it might not be translating with UID of guest 1001 but of a different id.

The other it looked weird and could not place my finger on what made it look odd.

Run the following:
id cantleys

Do you get the 1001 for UID or do you get a UID from the AD cantleys properties, unix UID?

One option you can try
reactivate guest only=yes and add guest account=cantleys and see if the functionality is maintained.

The below might be a bit outdated, but should maintain the relevant information
https://www.samba.org/samba/docs/using_samba/ch09.html

Mark (Author) Commented:
There is no DC/AD in this setup (different client than you've helped me on before!), but your suggested `id` command is potentially revealing:
$ id cantleys
uid=1001(cantleys) gid=2000(cantleys) groups=2000(cantleys),200(tomcat)

$ id guest
uid=1001(cantleys) gid=2000(cantleys) groups=2000(cantleys)


Notice that guest is not a member of group tomcat and that in my permission list in my initial posting the files are all group tomcat. That might be it right there.

I'll have to wait until after business hours to test, but I'll try putting 'guest only' back and make guest a member of tomcat and see if that makes the difference.

arnold Commented:
Group membership might be given as you point out group tomcat has a SETGID on directory in question; though cantleys (UID 1001) is the owner and guest having the same UID should too have owner based access. .....
drwxrwsr-x
and cantleys is a member of the group while guest is not.

IMHO, one should have a single UID to name mapping.

Mark (Author) Commented:
Making guest a member of group Tomcat did the trick.
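
The thread ends on two findings: two login names share UID 1001, and only one of them is listed in group tomcat. As an added example (not part of the original thread), this shell function audits passwd- and group-format files for names that share a UID but differ in supplementary group membership. The function names are made up here, and the sample group lines are constructed to match the `id` output posted above.

```shell
#!/bin/sh
# Added example, not from the thread: report login names that share a UID
# but are not listed in the same supplementary groups.

# audit_shared_uids PASSWD_FILE GROUP_FILE
# Prints "<uid> <name> lacks <group> held by <other name>" per finding.
audit_shared_uids() {
    awk -F: -v pw="$1" '
        # passwd file: collect every login name under its numeric UID
        FILENAME == pw { if ($1 !~ /^(#|$)/) names[$3] = names[$3] " " $1; next }
        # group file: membership is recorded by NAME, not by UID
        $1 !~ /^(#|$)/ {
            groups[$1] = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") member[m[i], $1] = 1
        }
        END {
            for (u in names) {
                k = split(substr(names[u], 2), list, " ")
                if (k < 2) continue            # UID used by one name only
                for (g in groups)
                    for (a = 1; a <= k; a++)
                        for (b = 1; b <= k; b++)
                            if ((list[a], g) in member && !((list[b], g) in member))
                                print u, list[b], "lacks", g, "held by", list[a]
            }
        }
    ' "$1" "$2" | sort
}

# Constructed sample: passwd lines as posted in the question; group lines
# reconstructed from the posted id output (tomcat lists cantleys only).
demo_thread_accounts() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
cantleys:x:1001:2000:Cantley's Auto Parts:/home/cantleys:/bin/bash
guest:x:1001:2000:Local Mapped Drive User:/home/cantleys:/bin/bash
EOF
    cat > "$tmp/group" <<'EOF'
cantleys:x:2000:
tomcat:x:200:cantleys
EOF
    audit_shared_uids "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo_thread_accounts
```

On a live host the same function can be pointed at /etc/passwd and /etc/group; it does not compare primary GIDs.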