OSMC/Raspberry Pi 2 - New users can't connect to Samba share

Help and Support Raspberry Pi
1

I’m in the process of updating a Raspberry Pi 2 to OSMC 2016.09-1 and am having trouble getting a newly-created “kodi” user to mount a Samba share. The issue is that the kodi user can’t connect to my Media share, but the osmc user can.

The kodi user was added via the shell with:

sudo useradd kodi
sudo passwd kodi

and added to Samba with:

sudo smbpasswd -a kodi.

The Samba shares (both point to the same path for debugging purposes) in question are:

[test]
comment = Media drive
path = /media/Media
valid users = osmc kodi
read only = No

[Media]
comment = Media drive
path = /media/Media
valid users = osmc kodi
read only = No

and the shared /media/Media directory is owned by root and carries 777 permissions

drwxrwxrwx 1 root 12288 Jul 2 11:03 /media/Media

What I’m seeing is that the built-in osmc user can connect to the “Media” share:

cmayo@u ~ $ smbclient //192.168.2.95/Media -U osmc
Enter osmc’s password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
smb: >

But the new kodi user cannot

cmayo@u ~ $ smbclient //192.168.2.95/Media -U kodi
Enter kodi’s password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED
cmayo@u ~ $

When the same path is shared as “test,” both osmc and kodi can connect to that share:

cmayo@u ~ $ smbclient //192.168.2.95/test -U osmc
Enter osmc’s password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
smb: >

cmayo@u ~ $ smbclient //192.168.2.95/test -U kodi
Enter kodi’s password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
smb: >

Anyone have an idea where I might look to resolve this issue?

NOTES:

smb.conf

osmc@raspberrypi:/etc/samba$ cat smb.conf
[global]

# If you require a fully custom smb.conf create smb-local.conf instead of editing smb.co                                  nf so your
# configuration will not be overwritten by samba upgrades. You can use smb.conf as a tem                                  plate by
# copying it to smb-local.conf then removing the config file line below in the new file.                                   If you only
# need to add some additional shares see smb-shares.conf below for a simpler way to do t                                  his.

    config file = /etc/samba/smb-local.conf

    workgroup = WORKGROUP
    security=user
    follow symlinks = yes
    wide links = no
    unix extensions = no
    lock directory = /var/cache/samba
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    log level = 1
    map to guest = bad user
    usershare template share = automount template

    read raw = Yes
    write raw = Yes
    strict locking = no
    min receivefile size = 16384
    use sendfile = true
    aio read size = 2048
    aio write size = 2048
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072

[osmc]
    browsable = yes
    read only = no
    valid users = osmc
    path = /home/osmc
    comment = OSMC Home Directory

[automount template]
    browseable = yes
    -valid = no
    valid users = osmc
    path = %P
    hide files = /$RECYCLE.BIN/System Volume Information/desktop.ini/thumbs.db/

# Add custom shares in smb-shares.conf instead of editing smb.conf so they will not be
# overwritten by samba updates. You can only add new shares to smb-shares.conf, not chan                                  ge
# the default shares or global options. If you need full control see smb-local.conf abov                                  e.

include = /etc/samba/smb-shares.conf

smb-shares.conf

osmc@raspberrypi:/etc/samba$ cat smb-shares.conf
[test]
    browsable = yes
    read only = no
    valid users = osmc kodi
    path = /media/Media
    comment = Media drive
[Media]
    browsable = yes
    read only = no
    valid users = osmc kodi
    path = /media/Media
    comment = Media drive

cmayo@u ~ $ smbclient //192.168.2.95/test -U kodi
Enter kodi’s password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]

cmayo@u ~ $ smbclient //192.168.2.95/Media -U kodi
Enter kodi’s password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

cmayo@u ~ $ smbclient //192.168.2.95/Media -U osmc
Enter osmc’s password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
smb: >

2

Did you restart Samba after adding kodi to the valid users list?

3

I did, yes, with sudo service samba restart. The issue has also survived multiple system reboots.

4

I think sudo service samba restart will only restart the Samba client, not the server.

The server can be restarted by issuing:

sudo systemctl restart smbd and sudo systemctl restart nmbd depending which part you wish you restart.

But if the issue has survived reboots that’s not the issue anyway. If you log in as (or su to) the kodi user on the box itself can you touch a file in /media/Media?

5

If you log in as (or su to) the kodi user on the box itself can you touch a file in /media/Media?

Good thought and was something I hadn’t tried, but yes. No problems touching/creating a file under /media/Media as the kodi user.

6

Maybe you could increase your Samba log level, replicate the problem and post the file Samba is logging to?

The only other thing I can think of is to changing the capital M on the name of the share and also in the folder name. Samba can be easily confused by the strangest things sometimes!

Also could you post the output of /etc/samba/smb-local.conf?

7

There is no /etc/samba/smb-local.conf file configured, and changing the share to use a lower-case M may well work but would defeat the original purpose of the exercise, i.e to set up my Samba shares so that all the other machines on my home network can map/mount them using their existing credentials.

Another wrinkle is that if I share the mount point, i.e. /media/Media, the kodi user can’t connect to it but if I share a directory on the drive itself, i.e. /media/Media/Television, the kodi user is able to connect to that share. I thought maybe I had an issue with the mount point so I moved those mount points from /media to /mnt, but the issue is unchanged.

Log links (at log level 2) are below.

/var/log/samba/log.samba
http://paste.osmc.io/mupimivega.vhdl

/var/log/samba/log.nmbd
http://paste.osmc.io/vogapopome.coffee

/var/log/samba$ log.smbd
http://paste.osmc.io/gucepuhexu.js

The only change to the logs during a login attempt occur in log.smbd. I’m seeing a lot of complaints in the log but no outright point of failure that I can see. Then again, I don’t really know what I’m looking for…

At log level = 1:

[2016/10/25 10:23:21.386280,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[osmc]"
[2016/10/25 10:23:21.387420,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[automount template]"
[2016/10/25 10:23:21.388869,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[test]"
[2016/10/25 10:23:21.389567,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Movies]"
[2016/10/25 10:23:21.390197,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Television]"
[2016/10/25 10:23:21.390839,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Media]"
[2016/10/25 10:23:21.391497,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Documents]"
[2016/10/25 10:23:21.392130,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[SG2TB]"
[2016/10/25 10:23:21.392742,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[SG4TB]"
[2016/10/25 10:23:21.397018,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [kodi] -> [kodi] -> [kodi] succeeded
[2016/10/25 10:23:41.859350,  2] ../source3/smbd/server.c:443(remove_child_pid)
  Could not find child 3945 -- ignoring

which seem to suggest that the kodi user is clearing authentication.

At log level = 3, the login attempt looks like this in log.smbd:

[2016/10/25 11:20:57.503192,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[osmc]"
[2016/10/25 11:20:57.504453,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[automount template]"
[2016/10/25 11:20:57.505788,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[test]"
[2016/10/25 11:20:57.506592,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Movies]"
[2016/10/25 11:20:57.507400,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Television]"
[2016/10/25 11:20:57.508093,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Media]"
[2016/10/25 11:20:57.508872,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Documents]"
[2016/10/25 11:20:57.509610,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[SG2TB]"
[2016/10/25 11:20:57.510348,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[SG4TB]"
[2016/10/25 11:20:57.511470,  3] ../source3/param/loadparm.c:1476(lp_add_ipc)
  adding IPC service
[2016/10/25 11:20:57.512842,  2] ../source3/lib/interface.c:341(add_interface)
  added interface eth0 ip=192.168.2.95 bcast=192.168.2.255 netmask=255.255.255.0
[2016/10/25 11:20:57.537614,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2016/10/25 11:20:57.538393,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2016/10/25 11:20:57.538839,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2016/10/25 11:20:57.539198,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'spnego' registered
[2016/10/25 11:20:57.539571,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'schannel' registered
[2016/10/25 11:20:57.539997,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2016/10/25 11:20:57.540346,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2016/10/25 11:20:57.540660,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2016/10/25 11:20:57.540949,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2016/10/25 11:20:57.541235,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'http_basic' registered
[2016/10/25 11:20:57.541552,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2016/10/25 11:20:57.541850,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'krb5' registered
[2016/10/25 11:20:57.542154,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2016/10/25 11:20:57.546677,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2016/10/25 11:20:57.549031,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[kodi] domain=[WORKGROUP] workstation=[U] len1=24 len2=144
[2016/10/25 11:20:57.549669,  3] ../source3/param/loadparm.c:3636(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/10/25 11:20:57.550338,  3] ../source3/param/loadparm.c:527(init_globals)
  Initialising global parameters
[2016/10/25 11:20:57.551373,  3] ../source3/param/loadparm.c:2579(lp_do_section)
  Processing section "[global]"
[2016/10/25 11:20:57.553286,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[osmc]"
[2016/10/25 11:20:57.554004,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[automount template]"
[2016/10/25 11:20:57.555202,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[test]"
[2016/10/25 11:20:57.555806,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Movies]"
[2016/10/25 11:20:57.556379,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Television]"
[2016/10/25 11:20:57.556945,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Media]"
[2016/10/25 11:20:57.557492,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[Documents]"
[2016/10/25 11:20:57.558022,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[SG2TB]"
[2016/10/25 11:20:57.558604,  2] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[SG4TB]"
[2016/10/25 11:20:57.559563,  3] ../source3/param/loadparm.c:1476(lp_add_ipc)
  adding IPC service
[2016/10/25 11:20:57.560296,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [WORKGROUP]\[kodi]@[U] with the new password interface
[2016/10/25 11:20:57.560734,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [RASPBERRYPI]\[kodi]@[U]
[2016/10/25 11:20:57.563116,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for kodi
[2016/10/25 11:20:57.565926,  3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [kodi] succeeded
[2016/10/25 11:20:57.566486,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [kodi] -> [kodi] -> [kodi] succeeded
[2016/10/25 11:20:57.568105,  3] ../source3/auth/token_util.c:547(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2016/10/25 11:20:57.568668,  3] ../source3/auth/token_util.c:579(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2016/10/25 11:20:57.570689,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/10/25 11:20:57.571056,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/10/25 11:20:57.571504,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/10/25 11:20:57.571799,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/10/25 11:20:57.573260,  3] ../source3/auth/token_util.c:547(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2016/10/25 11:20:57.573775,  3] ../source3/auth/token_util.c:579(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2016/10/25 11:20:57.578803,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.2.108 (192.168.2.108)
[2016/10/25 11:20:57.579498,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID osmc is not in a valid format
[2016/10/25 11:20:57.581195,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for osmc
[2016/10/25 11:20:57.582099,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID kodi is not in a valid format
[2016/10/25 11:20:57.583201,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for kodi
[2016/10/25 11:20:57.584636,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID osmc is not in a valid format
[2016/10/25 11:20:57.585986,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for osmc
[2016/10/25 11:20:57.586848,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID kodi is not in a valid format
[2016/10/25 11:20:57.587887,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for kodi
[2016/10/25 11:20:57.589144,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID osmc is not in a valid format
[2016/10/25 11:20:57.590291,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for osmc
[2016/10/25 11:20:57.591131,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID kodi is not in a valid format
[2016/10/25 11:20:57.592143,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for kodi
[2016/10/25 11:20:57.596986,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.2.108 (192.168.2.108)
[2016/10/25 11:20:57.597580,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID osmc is not in a valid format
[2016/10/25 11:20:57.598810,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for osmc
[2016/10/25 11:20:57.599814,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID kodi is not in a valid format
[2016/10/25 11:20:57.601042,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for kodi
[2016/10/25 11:20:57.602479,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID osmc is not in a valid format
[2016/10/25 11:20:57.603594,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for osmc
[2016/10/25 11:20:57.605219,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID kodi is not in a valid format
[2016/10/25 11:20:57.606365,  3] ../source3/passdb/lookup_sid.c:1631(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for kodi

and at level 4:

http://paste.osmc.io/icukukizut.coffee

8

I can’t see any evidence in the log of Samba denying access to anyone for anything, which is very odd. It’s also off that this only happens with the mount point directly and not a subfolder.

Strange idea, but what happens if you create a symlink to /media/Media and then try setting your test share to the symlink path?

Other than that I’m out of ideas I’m afraid, maybe someone else with more knowledge could help. Or maybe someone on a Samba/SysAdmin forum may be better placed to answer?