I know this is an unusual scenario: sharing the entire filesystem ("/"). But it was working with 4.3.8, and broke sometime after, perhaps with the CVE-2017-2619 fixes since this involves symlinks and there were a few regressions with that particular CVE.
For the test I used 4.6.5 with the patch for bug #12860.
This is the smb.conf:
[global]
server string = %h server (Samba, Ubuntu)
netbios name = xenial
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[rootfs]
path = /
follow symlinks = yes
wide links = no
read only = no
guest ok = no
browseable = yes
This worked with 4.3.8 without the CVE-2017-2619 patch:
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
. D 0 Mon Jul 3 20:01:36 2017
.. D 0 Mon Jul 3 20:01:49 2017
244825344 blocks of size 1024. 244392448 blocks available
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
getting file \opt\symlink-to-file of size 6 as \opt\symlink-to-file (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)
But it fails with 4.3.11 + CVE patches, and also 4.6.5 with the patch for bug #12860:
From Samba bug:
I know this is an unusual scenario: sharing the entire filesystem ("/"). But it was working with 4.3.8, and broke sometime after, perhaps with the CVE-2017-2619 fixes since this involves symlinks and there were a few regressions with that particular CVE.
For the test I used 4.6.5 with the patch for bug #12860.
This is the smb.conf:
[global]
server string = %h server (Samba, Ubuntu)
netbios name = xenial
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[rootfs]
path = /
follow symlinks = yes
wide links = no
read only = no
guest ok = no
browseable = yes
/opt has this:
root@xenial-samba-rootfs:~# ls -lah /opt
total 5.0K
drwxr-xr-x 3 root root 6 Jul 3 20:01 .
drwxr-xr-x 22 root root 22 Jun 19 23:52 ..
-rw-r--r-- 1 root root 6 Jul 3 20:01 file.txt
lrwxrwxrwx 1 root root 16 Jul 3 20:01 symlink-to-directory -> target-directory
lrwxrwxrwx 1 root root 8 Jul 3 20:01 symlink-to-file -> file.txt
drwxr-xr-x 2 root root 2 Jul 3 20:01 target-directory
This worked with 4.3.8 without the CVE-2017-2619 patch:
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
. D 0 Mon Jul 3 20:01:36 2017
.. D 0 Mon Jul 3 20:01:49 2017
244825344 blocks of size 1024. 244392448 blocks available
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
getting file \opt\symlink-to-file of size 6 as \opt\symlink-to-file (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)
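But it fails with 4.3.11 + CVE patches, and also 4.6.5 with the patch for bug #12860, even though both symlinks have relative targets that stay inside the share, which "wide links = no" should still allow: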
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "dir /opt/symlink-to-directory/*"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED listing \opt\symlink-to-directory\*
root@xenial-samba-rootfs:~# smbclient //localhost/rootfs -U ubuntu%ubuntu -m SMB2 -c "get \opt\symlink-to-file"
WARNING: The "syslog" option is deprecated
Domain=[XENIAL] OS=[] Server=[]
NT_STATUS_ACCESS_DENIED opening remote file \opt\symlink-to-file