Join Log in
Score:0
avatar Server

Access denied when listing Samba shares

ru flag
Petr

I've installed Samba to share files with Windows 10 machines. The setup works correctly to access individual shares using their path such as \\myhost\sejf, but listing shares on \\myhost fails with access denied. I tried to investigate various possible options, but with no luck. I have a very similar setup on another machine (Raspbian) and there I have no issues, so I suspect it might be somehow related to the OS on the machine, Ubuntu 20.04.

My samba config (created by an Ansible role, but that doesn't really matter):

[global]
  # Server information
  netbios name = MYHOST
  workgroup = WORKGROUP
  server string = Fileserver %m


  # Logging
  logging = syslog

  # Authentication
  security = user
  passdb backend = tdbsam
  map to guest = never

  # Name resolution: make sure \\NETBIOS_NAME\ works
  wins support = yes
  local master = yes
  domain master = yes
  preferred master = yes

  # Don't load printers
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes

  # Fix for CVE-2017-7494 in Samba versions from 3.5.0 and before 4.6.4
  # https://access.redhat.com/security/cve/cve-2017-7494
  nt pipe support = no

  include = /etc/samba/samba.global.conf


## Shared directories
[sejf]
  path = /srv/sejf
  public = no
  create mode = 0664
  force create mode = 0664
  directory mode = 0775
  force directory mode = 0775
  owner = minidlna

and the included files samba.global.conf:

hide files = /lost+found/
server role = standalone server
max log size = 1000000

protocol = SMB3

valid users = @sambashare
write list = @sambashare
guest ok = yes
writable = yes
browseable = yes
group = sambashare

I tried to force the protocol with protocol = SMB3, but I get the same error with and without it.

Then I tried to list the shares with smbclient and I got this strange error:

% smbclient -L //myhost/ -U guest
Unable to initialize messaging context
Enter WORKGROUP\guest's password:

        Sharename       Type      Comment
        ---------       ----      -------
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[192.168.49.105]
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Failed to connect with SMB1 -- no workgroup available

I also get the error Failed to connect with SMB1 -- no workgroup available for the other server where browsing works, so it's apparently unrelated to the issue.

305
0 + 0
Score:0
Andrew Roberts avatar Server
bt flag
Andrew Roberts

I'm using the same ansible role to manage my samba shares, and I was having the same problem. I think what you're running into is caused by the CVE mitigation

  nt pipe support = no

Obviously the RCE is problematic, but the version check in the ansible role is broken- I was running 4.13 and it was still including the mitigation. Manually disabling it in my config with

samba_mitigate_cve_2017_7494: false

fixed things for me.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.