Guest Access and Shared Permissions #122

Open
@spencerthayer

Support guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

I am encountering persistent issues with configuring the CrazyMax Samba container in Portainer to provide guest accounts with full read/write access. Despite following the documentation and testing multiple configurations, the container fails to initialize properly, Samba shares are inaccessible, and port 445 is reported as closed. Additionally, shared directory permissions conflict with other containers like Plex and SABnzbd, resulting in inaccessible files.

Expected behaviour

  • The Samba container initializes without errors.
  • Samba shares are accessible via guest accounts with full read/write permissions.
  • Port 445 is open and accepting connections.
  • Permissions for shared directories are consistent across containers (e.g., Plex, SABnzbd, and Samba).

Actual behaviour

  • The Samba container logs repeated initialization errors, such as mkdir: cannot create directory '/var/lib/samba': File exists.
  • Port 445 is reported as closed (445/tcp closed microsoft-ds) despite being exposed in docker-compose.yml.
  • Attempts to access the Samba share result in Error NT_STATUS_CONNECTION_REFUSED.
  • Files created by Plex or SABnzbd are not accessible via Samba, even when using force user and force group.

Steps to reproduce

  1. Deploy the container using the following docker-compose.yml:

    version: '3.8'
    services:
      samba:
        image: crazymax/samba:latest
        container_name: samba
        restart: unless-stopped
        hostname: samba
        environment:
          # System
          - TZ=America/Los_Angeles
          - S6_LOGGING=0
          - DISABLE_SOCKLOG=1
          # Samba Core
          - SAMBA_WORKGROUP=WORKGROUP
          - SAMBA_SERVER_STRING=Samba Server
          - SAMBA_LOG_LEVEL=3
          # Security
          - SAMBA_HOSTS_ALLOW=0.0.0.0/0
          - SAMBA_HOSTS_DENY=
        volumes:
          # Config and data directories
          - /appdata/samba:/config
          - /appdata/samba/data:/data
          # Persistent directories
          - /appdata/samba/lib:/var/lib/samba
          # Shared folder
          - /media/samsung:/samba/samsung
        ports:
          - "445:445"
        cap_add:
          - NET_ADMIN
          - NET_RAW
        command: |
          sh -c 'rm -rf /config/* /data/* /var/lib/samba/* /run/samba/* || true &&
          mkdir -p /config /data /var/lib/samba/private/msg.sock /run/samba || true &&
          [ -d /var/lib/samba ] && chmod 755 /var/lib/samba &&
          [ -d /var/lib/samba/private ] && chmod 700 /var/lib/samba/private &&
          [ -d /var/lib/samba/private/msg.sock ] && chmod 700 /var/lib/samba/private/msg.sock &&
          echo "[global]
          workgroup = WORKGROUP
          server string = Samba Server
          security = USER
          map to guest = Bad User
          guest account = share
          bind interfaces only = no
          interfaces = 0.0.0.0/0
          unix extensions = no
          local master = no
          server min protocol = SMB2
          server smb encrypt = desired
          smb ports = 445
          create mask = 0664
          directory mask = 2775
          force create mode = 0664
          force directory mode = 2775
          vfs objects = fruit streams_xattr
    
          [samsung]
          path = /samba/samsung
          browseable = yes
          read only = no
          guest ok = yes
          writable = yes
          force user = share
          force group = share
          create mask = 0664
          directory mask = 2775" > /config/smb.conf &&
          testparm -s /config/smb.conf || exit 1 &&
          exec /init'
  2. Attempt to access the Samba share:

    smbclient //10.0.0.200/samsung -U guest%
  3. Verify port 445 status:

    nmap -p 445 10.0.0.200

Docker info

# Output from `docker info`

Logs

Container logs consistently show the following errors:

tcp   LISTEN 0      4096         0.0.0.0:445        0.0.0.0:*          
tcp   LISTEN 0      4096            [::]:445           [::]:*          
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-config.sh: executing... 
Setting timezone to America/Los_Angeles
Initializing files and folders
cp: cannot stat '/var/lib/samba/*': No such file or directory
rm: cannot remove '/var/lib/samba': Resource busy
Setting global configuration
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

# Global parameters
[global]
	disable netbios = Yes
	disable spoolss = Yes
	dns proxy = No
	local master = No
	map to guest = Bad User
	pam password change = Yes
	printcap name = /dev/null
	security = USER
	server role = standalone server
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = Samba Server
	smb1 unix extensions = No
	smb ports = 445
	usershare allow guests = Yes
	winbind scan trusted domains = Yes
	fruit:time machine = yes
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:veto_appledouble = no
	fruit:posix_rename = yes
	fruit:model = MacSamba
	fruit:metadata = stream
	idmap config * : backend = tdb
	create mask = 0664
	directory mask = 0775
	force create mode = 0664
	force directory mode = 0775
	hosts allow = 0.0.0.0/0
	hosts deny = 0.0.0.0/0
	printing = bsd
	strict locking = No
	vfs objects = fruit streams_xattr
	wide links = Yes
[cont-init.d] 01-config.sh: exited 0.
[cont-init.d] 02-svc-smbd.sh: executing... 
[cont-init.d] 02-svc-smbd.sh: exited 0.
[cont-init.d] 03-svc-wsdd2.sh: executing... 
[cont-init.d] 03-svc-wsdd2.sh: exited 0.
[cont-init.d] ~-socklog: executing... 
[cont-init.d] ~-socklog: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
mkdir: cannot create directory ‘/var/lib/samba/private’: No such file or directory
[cmd] sh exited 1
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: timed out
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-config.sh: executing... 
Setting timezone to America/Los_Angeles
Initializing files and folders
cp: cannot stat '/var/lib/samba/*': No such file or directory
rm: cannot remove '/var/lib/samba': Resource busy
Setting global configuration
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

# Global parameters
[global]
Server role: ROLE_STANDALONE

	disable netbios = Yes
	disable spoolss = Yes
	dns proxy = No
	local master = No
	map to guest = Bad User
	pam password change = Yes
	printcap name = /dev/null
	security = USER
	server role = standalone server
	server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server string = Samba Server
	smb1 unix extensions = No
	smb ports = 445
	usershare allow guests = Yes
	winbind scan trusted domains = Yes
	fruit:time machine = yes
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:veto_appledouble = no
	fruit:posix_rename = yes
	fruit:model = MacSamba
	fruit:metadata = stream
	idmap config * : backend = tdb
	create mask = 0664
	directory mask = 0775
	force create mode = 0664
	force directory mode = 0775
	hosts allow = 0.0.0.0/0
	hosts deny = 0.0.0.0/0
	printing = bsd
	strict locking = No
	vfs objects = fruit streams_xattr
	wide links = Yes
[cont-init.d] 01-config.sh: exited 0.
[cont-init.d] 02-svc-smbd.sh: executing... 
[cont-init.d] 02-svc-smbd.sh: exited 0.
[cont-init.d] 03-svc-wsdd2.sh: executing... 
[cont-init.d] 03-svc-wsdd2.sh: exited 0.
[cont-init.d] ~-socklog: executing... 
[cont-init.d] ~-socklog: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
mkdir: cannot create directory ‘/var/lib/samba/private’: No such file or directory
[cmd] sh exited 1
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: timed out
[s6-finish] sending all processes the TERM signal.
s6-log: warning: unable to read from stdin: Bad file descriptor
[s6-finish] sending all processes the KILL signal and exiting.
Error response from daemon: Container 35c76c3def3b6a8478e9201d0abde7e30064c2746bec8866e114de0e75ed1313 is restarting, wait until the container is running
smbclient //dockerlxc/samsung -U guest% -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
Can't load /usr/local/etc/smb.conf - run testparm to debug it
added interface en5 ip=10.0.0.177 bcast=10.0.0.255 netmask=255.255.255.0
added interface en0 ip=10.0.0.199 bcast=10.0.0.255 netmask=255.255.255.0
Client started (version 4.21.2).
resolve_lmhosts: Attempting lmhosts lookup for name dockerlxc<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name dockerlxc<0x20>
Connecting to 10.0.0.200 at port 445
convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=17 destlen=16 error: No more room
Connecting to 10.0.0.200 at port 139
do_connect: Connection to dockerlxc failed (Error NT_STATUS_CONNECTION_REFUSED)
-----
smbclient //10.0.0.200/samsung -U guest% -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
Can't load /usr/local/etc/smb.conf - run testparm to debug it
added interface en5 ip=10.0.0.177 bcast=10.0.0.255 netmask=255.255.255.0
added interface en0 ip=10.0.0.199 bcast=10.0.0.255 netmask=255.255.255.0
Client started (version 4.21.2).
Connecting to 10.0.0.200 at port 445
convert_string_handle: E2BIG: convert_string(UTF-8,CP850): srclen=17 destlen=16 error: No more room
Connecting to 10.0.0.200 at port 139
do_connect: Connection to 10.0.0.200 failed (Error NT_STATUS_CONNECTION_REFUSED)
-----
nmap -p 445 10.0.0.200
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-11 09:36 PST
Nmap scan report for dockerlxc (10.0.0.200)
Host is up (0.053s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Additional context

I have attempted the following troubleshooting steps without success:

  1. Verified permissions for /appdata/samba and /media/samsung.
  2. Ensured port 445 is not blocked by the host system's firewall.
  3. Tested the configuration with testparm and validated the generated smb.conf.
  4. Manually started smbd in debug mode to identify potential issues.
  5. Confirmed no conflicting services are using port 445 on the host.

Similarish issues:
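
The testparm dump in the container log above lists the settings that decide what a guest session can reach on this server. The audit below is an added example, not part of the original issue or the crazymax/samba project; its function names are hypothetical, and the sample input is constructed from the `[global]` lines in the log plus the `[samsung]` share in the compose file.

```python
import re

# Constructed sample: [global] lines copied from the testparm dump in the log
# above, plus the [samsung] share from the issue's compose file.
SAMPLE_DUMP = """
[global]
    map to guest = Bad User
    smb1 unix extensions = No
    hosts allow = 0.0.0.0/0
    hosts deny = 0.0.0.0/0
    wide links = Yes
[samsung]
    path = /samba/samsung
    guest ok = Yes
    read only = No
"""

def parse_testparm(text):
    """Parse testparm-style output into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif "=" in line and current is not None and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def audit_guest_exposure(sections):
    """Return the names of settings that widen what a guest session can reach."""
    g = sections.get("global", {})
    findings = []
    if g.get("map to guest", "Never").lower() != "never":
        findings.append("map to guest")   # some failed logins become guest sessions
    if "0.0.0.0/0" in re.split(r"[,\s]+", g.get("hosts allow", "")):
        findings.append("hosts allow")    # any source address; allow wins over hosts deny
    unix_ext = g.get("smb1 unix extensions", g.get("unix extensions", "yes"))
    if is_yes(g.get("wide links", "no")) and not is_yes(unix_ext):
        findings.append("wide links")     # symlinks may resolve outside the share path
    for name, params in sections.items():
        writable = not is_yes(params.get("read only", "yes"))
        if name != "global" and is_yes(params.get("guest ok", "no")) and writable:
            findings.append(f"[{name}] guest-writable")
    return findings
```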
