About once every 10 years I need to wrestle with SAMBA as I migrate to new hosts, and then I repress the traumatic memory until I have to relearn it all the next time :S Hence this newbyish question.
I have a Ubuntu VM with a couple of shares - one ("Public") is unsecured, the other ("Public2") is secured, with the intention that it should be accessed only by an authenticated user account defined on the Ubuntu box. Both shares appear in Windows Explorer on both XP and Win8.1. However, I can't for the life of me work out how to log into the secure Public2 share.
Leaving Windows clients out of it, I've tried simply looping back to the box using smbclient, which produces the following output, indicating it just can't authenticate:
michael#ubuntu:~$ smbclient //ubuntu/Public2 --user=michael%mypasswd
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
tree connect failed: NT_STATUS_ACCESS_DENIED
Meanwhile the unsecured share is accessible.
What (probably incredibly obvious) thing have I missed? Am I not specifying the username correctly?
/var/lib/samba/usershares/public (unsecure, works) contains:
#VERSION 2
path=/home/michael/Public
comment=
usershare_acl=S-1-1-0:F
guest_ok=y
sharename=Public
/var/lib/samba/usershares/public2 (which I can't access) contains:
#VERSION 2
path=/home/michael/Public2
comment=
usershare_acl=S-1-1-0:F
guest_ok=n
sharename=Public2
For users who are using for the command line option, use
$ sudo smbpasswd -a <user_name>
this will prompt you to assign the password.
WARNING: This refers to Samba 2. We are at Samba 4 now. Take care which version of Samba you are using. As stated in my comment, the GUI will break your configurations.
A work colleague has pointed me in the right direction:
The Linux user ID being used to access the Linux share needs to have a second "samba" password defined for it. The easiest way to do this is to install and run the GUI Samba Server Configuration app, which isn't installed by default.
The Samba documentation does explain this, but it's buried in the masses of documentation explaining all the various arcane aspects of samba.conf configuration etc.
The following article gets to the heart of the subject:
http://ubuntuhandbook.org/index.php/2014/05/ubuntu1404-file-sharing-samba/
You have to edit the '/etc/samba/smb.conf'
use sudo nano /etc/samba/smb.conf to edit the conf file.
Where Workgroup = [your Domain]
There is no 'second samba password'. There is linux password: /etc/passwd and then there is Samba password, which is either smbpasswd or passdb.tdb. Which one and where it is located depends on Samba version and setting in smb.conf. BOTH must be set. Both means Linux in /etc/passwd and in Samba (one of the above). This is in most cases the issue with this error message. Or try to restart Lanman service, or Windows.
But I want to comment on another, probably rarer case.
If you are using customized Samba and only in such case, there might be another (extended) reason for this error.
Samba might be compiled with additional permission checks, which will say "NO" (return false) after which Samba will announce error, the same as this Q is mentioning.
Check the log for errors. There might be a clue if it is such a case.
Again, this is specific for custom build Samba.
Specifically in my case, on QNAP NAS, Samba will call a binary /sbin/appriv -C -u 502 -S1
-C, --check Check user privilege.
-S, --samba [bit] The privilege of Samba
-u, --uid [uid] UID.
appriv is "appriv -> nasutil" which is QNAP own binary, not part of the linux or the GNU.
With so many options build in Samba, I can't find a reasoning for this additional check.
Especially when it could be satisfied with just a plain empty file returning "true".
Just a complication, possible source of issues, no safety advancement.
I've been updating old abandoned system from QNAP. Replaced Samba from another, newer NAS.
This is how I come about this issue and wasted a lot of time on it. Thanks QNAP.
Apparmor might also be the cause. You need to whitelist all share locations, otherwise you will always get the "permission denied" error.
Fix is adding to /etc/apparmor.d/local/usr.sbin.smbd:
"/path_to_share/" rk,
"/path_to_share/**" lrwk,
for each share. (The first line allows read-access to the base-directory, the second line allows read-write-access to everything within that base-directory recursively)
Source: https://wiki.archlinux.org/title/Samba#Permission_issues_on_AppArmor
Crosspost from: https://serverfault.com/a/1109267/592032
Related
I'm using Spring application and stack is like: Java 11, Spring Boot 2.2.1.RELEASE.
(technology versions may vary here)
When I try to connect to the database via Data Source using Intellij IDEA, I get always the issue like:
The specified database user/password combination is rejected:
[28P01] FATAL: password authentication failded for user 'postgres'
How can I fix it?
To be noticed: this answer is similar, but not related to:
Unable to connect from Intellij to mySql running in docker container - "specified database user/password combination is rejected"
To fix it:
you need to check your application.properties file and change the value of user password on line:
spring.datasource.password=your_password
The cause of issue is:
your value of the property spring.datasource.password in application.properties
does not match the user password what was selected by default during installing your database system.
E.g. more specifically on the step "Enter the password for the database superuser (postgres)":
To clarify: provided example is for PostgreSQL, but it can be another database system.
Edit: this assumes you run Linux
if the other answer provided by invzbl3 doesn't work, check out this solution, it worked for me. Make sure to restart afterwards.
https://docs.fedoraproject.org/en-US/quick-docs/postgresql/#_initial_configuration
If you’re getting ident errors from your app you’ll probably need to perform the accepted solution described at https://serverfault.com/questions/406606/postgres-error-message-fatal-ident-authentication-failed-for-user?newreg=a4fdc3e21349449985cc65b82399c5b4
(if you don't have nano, just use any other text editor)
sudo nano /var/lib/pgsql/data/pg_hba.conf
and edit host all all 127.0.0.1/32 ident to host all all 127.0.0.1/32 md5.
This should allow most applications to connect with username/password.
I'm trying to setting up a Zeek IDS cluster (v.3.2.0-dev.271) on 3 Ubuntu 18.04 LTS hosts to no avail - running zeek deploy command fails with the following output:
fatal error: problem with interface ens3 (pcap_error: socket: Operation not permitted (pcap_activate))
I have followed the official documentation (which is pretty generic at best) and set up passwordless SSH authentication between the zeek nodes.
I also preemptively created the /usr/local/zeek path on all hosts and gave the zeek user full permissions on that directory. The documentation says The Zeek user must be able to either create this directory or, where it already exists, must have write permission inside this directory on all hosts.
The documentation also says that on the worker nodes this user must have access to the target network interface in promiscuous mode.
My zeek user is a sudoer AND a member of netdev group on all 3 nodes. Yet, the cluster deployment fails. Apparently, when zeekctl establishes the SSH connection to the workers it cannot get a hold of the network interfaces and set caps.
Eventually I was able to successfully run the cluster by following this article - however it requires you to set up the entire cluster as root, which I would like to avoid if at all possible.
So my question is, is there anything blatantly obvious that I am missing? To the best of my knowledge this setup should work, otherwise I don't know how to force zeekctl to run 'sudo' in front of every SSH command it is supposed to run on the workers, or how to satisfy this requirement.
Any guidance will be greatly appreciated, thanks!
I was experiencing the same error for my standalone setup. Found this question from googling it. More googling the error brought me to a few blogs including one in which the comments mentioned the same error. The author mentioned giving the binaries permissions using setcap:
$sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/zeek/bin/zeek
$sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/zeek/bin/zeekctl
After running them both, my instance of zeek is now running successfully.
Source: https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-on-centos-8/#comment-1586
So, just in case someone else stumbles upon the same issue - I figured out what was happening.
I streamlined the cluster deployment with Ansible (using 'become' directive at task level) and did not elevate when running the handlers responsible for issuing the zeekctl deploy command.
Once I did, the Zeek Cluster deployment succeeded.
I have installed CouchDB on my Windows machine but while starting the CouchDB service, I am getting a message like:
Windows could not start the Apache CouchDB service on Local Computer. The service did not return an error. This could be an internal Windows error or an internal service error. If the problem persists, please contact your system administrator.
As the service is not running, I am unable to access Fauxton too.
I am using Windows 7. CouchDB is 2.0.0. Port 5984 is not in use.
I don't think your question is a duplicate of https://stackoverflow.com/a/44107335/219187 because you are on Windows 7, and the problem described there is for Windows 10 with the creators update.
But maybe the solution fixes your problem as well? Here is the procedure:
Download the prelease build 2.2.4-101 from https://nssm.cc/download
Stop the CouchDB service through the Windows Services dialog (paused is not enough)
Overwrite nssm.exe in <CouchDbInstallDir>\bin with the one from the downloaded ZIP file (make sure you pick the right version 32 bit / 64 bit)
Start the CouchDB service
Issue it's happening since the last updates released by Microsoft. I'm not completely aware of what's causing it, but I think it's something related to CouchDB service not been able to start using Local Administrator rights.
However I've managed to start the service manually, by doing so:
Open Command Prompt - in the Search from the Start Menu or Task Bar type "cmd"
Run it as an Administrator - right click on the Command Prompt application and choose "Run as administrator" option /this is really IMPORTANT as it will allow the service to have administrator access/
Navigate to the folder where CouchDB is install - default path is "D:/CouchDB", but could be anywhere else; you have to find it
Go to the "bin" folder in there
Type "couchdb" as a command to start the service
You will see a message showing after this - "kernel-poll not supported; "K" parameter ignored"
If it adds some error messages after it or closes the whole terminal, you're making some things bad from this guide, so follow it strictly.
You can now open up the Fauxton application in the browser like normal from here - http://localhost:5984/_utils/
Keep in mind that you have to leave the cmd opened in order the service to be working as expected. As far as I saw no information was lost, so it's all good.
This is a temporary solution though, as we are waiting a relase from either Microsoft or Apache to solve the issue, or at least give us more explanation about it.
i just met the same problem.
the cause is space, you have to install CouchDB in a path without any space, even Program Files folder, because there is a space between Program and Files...
I have an installation of Magneto, and it couldn't send any emails. Upon investigation, httpd_can_sendmail was turned off. This can be shown by getsebool -a | grep mail.
First I tried setsebool -P httpd_can_sendmail on, which gave me an error Cannot set persistent booleans without managed policy.
Then I read this article, and it's saying this is a bug and that it should really complain that you need root privileges. So sudo setsebool -P httpd_can_sendmail on turned it on.. The bug report is 4 years old, and this site is on Red Hat Enterprise Linux Server release 6.5 (Santiago) hosted on AWS. Is this error message simply just mis-worded? Should I have run that command as root?
this error message is right, because you need to have a privileged user to set selinux Properties.
If you not need to be privileged user, every user on the system can change selinux and so things you dont want.
I hope this answer is useful for you.
Switching to root did indeed clear the problem for me.
I am configuring my centos server. I installed postgresql and phppgadmin
When i try accessing phppgadmin as my_server_ip/phpPgAdmin
It redirects to login page and when i try to login getting error as
Login disallowed for security reasons
I even change extra_login_security to false and restarted using following commands
/etc/init.d/httpd restart
and
service postgresql-9.2 restart
Can anyone help me.
1). Open -> /etc/phppgadmin -> config.inc.php
2). change $conf['extra_login_security'] = true; to $conf['extra_login_security'] = false;
// If extra login security is true, then logins via phpPgAdmin with no
// password or certain usernames (pgsql, postgres, root,
administrator) // will be denied. Only set this false once you have
read the FAQ and // understand how to change PostgreSQL's pg_hba.conf
to enable // passworded local connections.
I had this exact same problem - also on CentOS - and also had no luck changing that security setting to false.
It turned out that it's not using the config file we expected.
It's using:
/usr/share/phpPgAdmin/conf/config.inc.php
and not:
/etc/phpPgAdmin/config.inc.php
even though the RPM (phpPgAdmin-5.1-1.rhel6.noarch) installs both of them...
I really don't see why it has two unless there is an override defined somewhere... but I don't really have time to look into it. I'm sure there is no reason why you can't replace the one in /etc with a symlink (or hardlink) to the other, although it could cause problems if you try to uninstall the RPM. But I wouldn't unless you were dead keen to have it in /etc - just in case. I'm sure they didn't include two of these just for fun ;)
I know this is probably too late to help you but the fact I came across this today means it's likely to be of use to someone :)
You need to restart the postgresql
systemctl restart postgresql
systemctl restart apache2