SMB network shares get invalid permissions from SMB server

As an experienced Windows user (currently Windows 10) I switched from Windows 10 to Zorin OS and installed Zorin version 17.2 on my HP Notebook.

System requirements:

I use the Zorin Client PC as a pure workstation, where the data is processed directly on the local network storage. A Synology NAS is used for this.

To do this, I connected the PC client to the Windows network according to the following Zorin instructions.

  1. Mounting with GUI file manager:

  2. Connected As “Registered User”.

  3. After authentication has succeeded, we can see all SMB shares:

After clicking on the individual folders, the shares are saved persistently in the system via the GUI file manager.

Now you might think that the connection to the network storage is working perfectly.

Error Symptom:

Unfortunately, I discovered that this is not the case, as the access rights from the Synology Diskstation are not correctly transmitted to the PC client!

As long as a file or folder is edited with the Zorin internal file manager (Nautilus), it can be deleted again without any problems. If a different file manager is used for this, neither folders nor files can be deleted from the network share!

Using bash shell, the access rights are displayed as follows:

If the file Test.txt is deleted using Nautilus, it is deleted irrevocably and not moved to the trash, which is different from the deletion behavior in local storage (move to the trash)!

If the file Text.txt is deleted using another file manager (e.g. GNOME Commander or Dolphin), an error is generated saying that this operation is not possible!

It is also interesting that the access rights are not displayed under either Nautilus or GNOME Commander!

My questions:

  1. Is the method recommended by Zorin for connecting a PC client to an SMB network share the right solution, or how can an SMB connection be set up persistently so that all file operations can be carried out correctly even with different file managers?

  2. Why are neither the network shares nor other PC client shares displayed in the file manager (Nautilus) under Windows Network, even though they were previously correctly connected to the Synology NAS?

It would be nice if an experienced Zorin OS developer could answer my questions. Or where I can find appropriate instructions.

I am convinced that I would not be the only one to benefit from these answers.

Many thanks in advance.

Kind regards,
Kobi

Welcome to the forum!

Just wanted to say thanks for the detailed information on the problem and screenshots showing exactly what you're talking about. It really helps in trying to get this stuff figured out :slight_smile: .

I'm at work right now, and as such won't be able to check how this behaviour works, because from what I can gather it seems that your files being created on the nas from Zorin aren't using the correct credentials (possibly) or something to that effect and aren't applying properly.

I don't have a Synology, but I do have an rpi4 at home with an SMB share, so I can test that way with multiple file managers and see what behaviour is showing when I test it. I usually only ever have one file manager in use, so I haven't really delved too far into it to be honest. Hopefully someone else might have an idea for you in the meantime.

I've tested this with my SMB share, and it appears to be functioning as it should. I am able to connect with my credentials, create and delete where I should, and am able to then open the same share in Thunar (I originally did the testing in Nautilus) and can do the same things there.

The only thing I do specifically is:
At the connection area, I enter smb://username@ip, rather than just IP. It shouldn't make a difference, but maybe it does. I'm also wondering if maybe there is something synology wise causing an issue, but I'm not well versed in those so I can't comment too much on that.

Also to save the location of the drive, you can add a bookmark to it, as shown here:


That will at least save the location on the side pane, making it easily available for future use.

As for deleting a file and it not going to trash, I believe that's standard practice for a share not on your computer. It would be dependent on the server itself supporting it, I believe. I haven't looked too in depth into that sort of issue, but every SMB share I've dealt with has been final when you hit the delete button, making for some fun times when people hit it when they shouldn't.

Hello @applecheeks37

Many thanks for your prompt feedback on my request!

In the meantime, I have tried establishing a connection to Synology NAS by entering the user name (smb://Urs@10.0.0.2).

Unfortunately, networks, folders and files can still be created with other file manager applications (Dolphin, GNOME Commander), but the owner can no longer delete them.

The deletion behavior of files on an smb share is also the same under other connected operating systems such as Windows as you mentioned.

In the meantime, I tested the connection to the Synology NAS using a bash shell script.

I found that by calling the script file manually, the access rights are correctly transferred from the Synology NAS to my Zorin client PC. This also makes it easy to delete files with other file managers as expected.

In my Zorin PC, which is a multi-user PC, I would now like to have the call to the user-defined script executed automatically after the respective user has logged into the Zorin system.

Unfortunately, my Linux knowledge is not (yet) advanced enough, so I don't know the principle behind implementing this autostart on the Zorin client.

So that you can get an idea of my manual script solution, I have listed it in the following checklist:

  1. Create hidden user-specific credentials file and save it under \home\username\.credentials with the following content:
    username=Urs
    password=**************
    domain=WORKGROUP

  2. Create custom script with the file name mount_NAS_username.sh with the following content:

#!/bin/bash

# Requirements
# sudo apt install cifs-utils

# Create user specific mount folders to connect local network shares
mkdir -p ~/NAS/home
mkdir -p ~/NAS/music
mkdir -p ~/NAS/photo
mkdir -p ~/NAS/video
mkdir -p ~/NAS/Common
mkdir -p ~/NAS/Business

# Connect network share with mount folder
sudo mount -t cifs //diskstation/home ~/NAS/home -o uid=$USER,gid=$USER,auto,vers=3.1.1,users,_netdev,nofail,credentials=/home/$USER/.smbcredentials
sudo mount -t cifs //diskstation/music ~/NAS/music -o uid=$USER,gid=$USER,auto,vers=3.1.1,users,_netdev,nofail,credentials=/home/$USER/.smbcredentials
sudo mount -t cifs //diskstation/photo ~/NAS/photo -o uid=$USER,gid=$USER,auto,vers=3.1.1,users,_netdev,nofail,credentials=/home/$USER/.smbcredentials
sudo mount -t cifs //diskstation/video ~/NAS/video -o uid=$USER,gid=$USER,auto,vers=3.1.1,users,_netdev,nofail,credentials=/home/$USER/.smbcredentials
sudo mount -t cifs //diskstation/Common ~/NAS/Common -o uid=$USER,gid=$USER,auto,vers=3.1.1,users,_netdev,nofail,credentials=/home/$USER/.smbcredentials
sudo mount -t cifs //diskstation/Business ~/NAS/Business -o uid=$USER,gid=$USER,auto,vers=3.1.1,users,_netdev,nofail,credentials=/home/$USER/.smbcredentials
  3. Make the script file mount_NAS_username.sh executable with the following bash shell command:
sudo chmod u+x mount_NAS_username.sh
  4. Save the script file mount_NAS_username.sh in the NAS directory

  5. Create the script file umount_NAS.sh with the following content:

#!/bin/bash

# Unmount SMB shares recursively
sudo umount -R -q ~/NAS/*
  6. Save the script file umount_NAS.sh in the NAS directory

  7. Make the script file umount_NAS.sh executable with the following bash shell command:

sudo chmod u+x umount_NAS.sh
  8. Run the script mount_NAS_username.sh using the context menu and put in your password. All user specific shares are then displayed in the dash panel at the bottom right and can be used by various file managers.

It would be nice if an experienced Linux user could show me how to automatically run the manual script call after the user login without the specific user having to manually run the script and enter their password?

Perhaps there is a more elegant solution than my example? I find it very unpleasant and a security risk that the hidden file .smbcredentials contains the access data in plain text.

Perhaps someone can explain to me why I can't see any network resources (printer, Win10 PC, Windows network) apart from the FritzBox7590-1 router?

Many thanks for your support.

Kind regards,
Kobi

Ok, I see your new idea that you're trying to do. I think I might have a couple of ideas, but I won't be able to test any of them until I get home from work much later. I agree that having the credentials in a plain file isn't ideal, but for most people they do accept that risk. However, in your situation, having a multi-user computer, I can see the worry.

One question I do have though is: if you have a file with their credentials already available for the NAS connection, why are they required to put in their password to enable the connection? If the specific users are given permission to execute that "mount_NAS_username.sh", would that not automatically connect since it has a file with the permissions needed? Sorry if I misunderstand that part, but it seems like that's how it should work in my head.

Hopefully someone can help you in the meantime, but later today when I'm home I'll give a couple ideas I have a shot and see what I can come up with.

Here's a way that I found that may work for your situation, it seems to possibly be a little more elegant and secure than your method:

So to start:

  1. Connect to your share through nautilus as you did before (smb://user@ip/share)
  2. Make sure "Never Forget" is selected
  3. Once done, you can remove the connection in nautilus so the share isn't there anymore, we just wanted the filesystem to remember the password, which gets stored in "Password and Keys"
  4. For this method, we're going to use gio to mount the share at startup, my very basic test file is as follows:
#!/bin/bash

gio mount smb://$USER@192.168.250.49/dietpi

  5. What's important here is making sure the user that's on the computer is the same name (exactly) as the user on the NAS. You could put this file somewhere where all accounts could get to it, so you only need 1 file.

  6. Make sure the file is executable (either how you did it or just go right click, properties, check Enable executing)

  7. Go to startup applications -> add, and add your file and the name you wish to give it (can just browse for the file with the button)

  8. Log out and in and you should see the share automatically mounted and available through whichever file manager you desire (I only tested both Thunar and Nautilus)

Doing your mounts this way does not make the user enter their credentials on boot, since they're already saved in the system, so it doesn't need to ask. This only works if both the system user and the user on the nas matches.

As for auto-unmounting, you can use the same command but use

gio mount -u

To unmount. I don't think this is strictly necessary, because as far as I can tell, when a user logs out on the system, they appear to automatically disconnect. I could be wrong, but I've only got my one system with a couple accounts to test this with.

Hello @applecheeks37

Thank you for your detailed answer.

First of all, to your question as to why I need the user-specific credentials file with the access data for my script solution when the user already has the same password for the smb share:

Answer:
I have not found any other solution without using an external credentials file!

Thanks for your idea with the gio utility. I tried it out according to your instructions.

It works in principle, so that all user-specific SMB shares appear after the login process. Unfortunately in the same way as I would have created them with the method already mentioned (smb://diskstation/) and I can create a file but still not delete it.

If I manually connect to the Synology NAS with the script I described after logging in, all access operations to the shares work correctly. However, it is very impractical that the user has to first take care of the manual mounts of the user-specific shares after each login.

The following screenshots show the correctly mounted smb shares by manually calling the script mount_NAS_username.sh:

In my multi-user system, there are the users Supervisor, Urs and Beatrice, with Supervisor having administrator rights and Urs and Beatrice having standard user rights.

After logging in, the user-specific shares should be mounted automatically without the user having to re-enter their password because of the sudo mount used in the script.

If someone could show me how to run the script using autostart without the user having to re-enter their password, my problem would be solved.

To make sure that the problem is not due to incorrect settings on my Synology NAS DS214+, I checked all configuration settings related to SMB and the firewall. My (still) existing Windows clients have been working with these settings for 10 years.

Perhaps there is someone who has also successfully connected a Zorin client to a Synology NAS using the method recommended by Zorin OS. For this reason, I would like to show the settings used in my Synology NAS.

To rule out that the problem is with the Synology NAS DS214+, I set up a second identical Synology NAS DS214+ and compared its standard settings for the SMB configuration. I didn't notice any differences. I also switched off the firewall as a test. Unfortunately, the behavior described is the same for both shares, Diskstation and Diskstation1.

Since I don't have the necessary Linux knowledge, I'm at my wits' end, so I can only hope that someone from the Zorin forum can help me?

Many thanks in advance.

Best regards,
Kobi

I'm unfortunately all out of ideas for you, so I hope you can figure this out. Someone else on here can hopefully lead you in a correct direction to get this dealt with :slight_smile:

This might help: How can I run a python script at startup as root using Startup Applications? - #2 by zenzen

Hello @applecheeks37

Thank you for your time and kind support.

Kind regards,
Kobi


@zenzen

I have adjusted the desktop file for autostart according to your instructions. Unfortunately, the script still does not start after the login process.

Is there a system LOG file somewhere where I can see what happens after logging in?

Are there certain requirements for the file attributes of the IgnorePassword file?

Am I right in assuming that the existing pwfeedback file has no negative influence and is allowed to be there?


Thank you for your reply.

Kind regards,
Kobi

I have done a search on the aspect of creation and deletion and NFS might solve this element:

Enabling File Creation on Synology NAS

To enable the creation and deletion of files on a Synology NAS under Ubuntu 22.04, you need to ensure proper network configuration and permissions are set up. Here are the steps to follow:

  1. Ensure Network Connectivity: Make sure your Ubuntu machine is connected to the same network as your Synology NAS. You can use a wired connection (Ethernet) or wireless (Wi-Fi) connection.
  2. Install NFS Utilities: On your Ubuntu machine, install the necessary NFS utilities if they are not already installed. Open a terminal and run:
sudo apt-get update
sudo apt-get install nfs-common
  3. Mount the NAS Share: Use the mount command to mount the Synology NAS share on your Ubuntu machine. Replace SynologyIP with your Synology NAS IP address and /path/to/share with the path to the share on your NAS. For example:
sudo mount -t nfs SynologyIP:/path/to/share /mnt/nas

If you encounter permission issues, you may need to adjust the NFS permissions on the Synology NAS.

  4. Set NFS Permissions: On the Synology NAS, ensure that the NFS share is properly configured and that the necessary permissions are set. You can do this through the Synology Control Panel:

  • Go to Control Panel > File Services > NFS.
  • Add your Ubuntu machine’s IP address to the list of allowed clients.
  • Ensure that the share is mapped to the correct user or group and that the appropriate permissions are set.
  5. Verify Mounting: After mounting the share, you can verify that it is accessible by navigating to the mount point:
ls /mnt/nas
  6. Create and Delete Files: Once the share is mounted and accessible, you should be able to create and delete files within the mounted directory.

If you still encounter issues, you may need to check the firewall settings on both the Synology NAS and the Ubuntu machine to ensure that necessary ports are open. Additionally, you can refer to the Synology community forums or support for more detailed troubleshooting steps.

In terms of permissions, anything here help?

Side note: I used NFS successfully while trying to backup my good lady's data over the network to my machine but struggled copying large amounts of data which led me removing her drive, putting it in my machine to transfer and reverse when installing new GNU/Linux on her machine.

Yes, you can read the file /var/log/auth/log to check for, among other things, all interactions with the sudo utility. Each command should create a line that looks like this:

Jan 14 03:59:16 zenzen sudo: zenzen : TTY=pts/0 ; PWD=/home/zenzen ; USER=root ; COMMAND=/home/zenzen/test.sh

But looking now at the script (I assume is the one in this post?) I've noticed something.
Since you're running this using sudo, the variable $USER expands to "root" as that is the acting user. What sudo does is temporarily change the user to run as the super user, or root. Likewise, the shortcut ~ expands to /root which is the home directory for the root user, instead of the expected /home/urs.

When writing scripts, it's best to use absolute paths because of this. So, try again but replacing:

- $USER
+ $SUDO_USER
- ~
+ /home/$SUDO_USER

For the uid and gid, you can also use $USER and that should work, but it's probably best to use the numeric form. You can use $SUDO_UID and $SUDO_GID, instead.
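
The substitutions suggested above, worked into a version of the mount script; this is an added example, not code posted in the thread. It assumes the script is started through sudo and that home directories live under /home; the function names, the `--run` switch and the `SERVER`/`SHARES` variables are hypothetical, while the host name, share names, credentials path and the `uid`, `gid`, `vers` and `credentials` options come from the thread's script.

```shell
#!/bin/bash
# Added example, not from the thread. Start it as root on behalf of the login user:
#   sudo /path/to/this-script --run
# If sudo may run it without a password, keep the file root-owned and not
# writable by the users it serves.

SERVER=diskstation                              # NAS host name used in the thread
SHARES="home music photo video Common Business" # share names used in the thread

# Login name of the invoking user. Under sudo, $USER is "root"; sudo exports
# the original name as SUDO_USER.
target_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        id -un
    fi
}

# Numeric "uid:gid" of the invoking user, preferring the values sudo exports.
target_ids() {
    if [ -n "${SUDO_UID:-}" ] && [ -n "${SUDO_GID:-}" ]; then
        printf '%s:%s\n' "$SUDO_UID" "$SUDO_GID"
    else
        printf '%s:%s\n' "$(id -u)" "$(id -g)"
    fi
}

# Succeeds only if the file exists and group/other have no permission bits,
# so other accounts on a multi-user machine cannot read the NAS password.
creds_are_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Mount options for one user: args are login name, uid, gid.
# Absolute path instead of ~, which is /root under sudo (assumes /home/<user>).
cifs_options() {
    printf 'uid=%s,gid=%s,vers=3.1.1,credentials=/home/%s/.smbcredentials\n' "$2" "$3" "$1"
}

mount_all() {
    user=$(target_user)
    ids=$(target_ids)
    uid=${ids%%:*}
    gid=${ids##*:}
    if ! creds_are_private "/home/$user/.smbcredentials"; then
        echo "refusing: /home/$user/.smbcredentials is missing or readable by others" >&2
        return 1
    fi
    for share in $SHARES; do
        dir="/home/$user/NAS/$share"
        mkdir -p "$dir"
        # Directories created as root would otherwise belong to root.
        chown "$uid:$gid" "/home/$user/NAS" "$dir"
        mount -t cifs "//$SERVER/$share" "$dir" \
            -o "$(cifs_options "$user" "$uid" "$gid")" || echo "mount failed: $share" >&2
    done
}

# Nothing is mounted unless the script is called with --run.
if [ "${1:-}" = "--run" ]; then
    mount_all
fi
```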

@zenzen

The problem was actually due to the $USER variable in the mount_NAS_urs.sh script, as you correctly identified!

That's why I removed all $USER used in the file and only used the specific user name. This way, the automatic call after the login process works perfectly.

Thank you again for the location where to find the authentication LOGs (/var/log.log.log). If you know where this LOG file is located, you can always locate the problem if you have any authentication problems! :+1:

Since I have no experience with Linux (yet), I would be very happy if you, as an experienced Zorin-OS user, could answer the following questions for me:

1. Connect Zorin client to local network via SMB protocol
As far as I have read, GVfs/GIO does not support the full functionality and the total number of options of the respective protocol. This applies, for example, to the cifs UNIX extensions (currently only SMBv1), since SMBv2 also to the support of Windows ACLs and since SMBv3 to the encryption of data and to the POSIX extensions. With GVfs it is therefore not possible to synchronize the file attributes such as users and access rights between the server and the client. Only the CIFS-VFS offers full support for all currently available options.

Is that the reason why I had to carry out the workaround with the script for the explicit cifs mount? If so, is it already known when a full-fledged implementation of SMBv4 will be published in GVfs?

2. Network browsing
I have read that network browsing via GVfs or GIO is currently only possible with the SMBv1 protocol (cifs, NT1), but not with the more modern SMBv2 and SMBv3 protocols.

Is there a plan to implement SMBv4 to remedy this deficit? If so, is it already known when this can be expected?

3. Activating Zorin's internal firewall
What is the official recommendation to enable the Zorin internal firewall?

4. Antivirus protection under Zorin OS
What is the official recommendation for using antivirus software under Zorin OS? If it is absolutely necessary, which antivirus software is recommended under Zorin OS?

5. Automatically activate num lock key after system start
Is there an easy way to activate the Num Lock Key for the numeric keypad via the GUI in Zorin OS? If not, how can this be automated at system startup?

I am convinced that I am not the only one who can benefit from your answers.

Thank you in advance for your support.

Best regards,
Kobi

Please correct me if I'm wrong, but I understood that you're using a multi-user system. The script currently will mount the network share under the same user, urs. I thought I should mention in case you prefer to have the same behavior for any other user to use the variables, in order to make it more flexible (i.e.: $SUDO_USER instead of hard-coding urs, etc.).


I'm not all that experienced to be honest... but I'll try answer some of your questions :smiley:

The built-in file manager that comes with the Gnome desktop environment, Nautilus, has its own implementation of various network protocols (GVfs — GNOME Virtual file system). That's why you can use it without any additional dependencies to connect to the network drive or server.

However, those dependencies are not transferable, if you will, to the rest of the system. That's why you need to install additional packages, cifs-utils in this case, to instruct to perform actions that aren't specific to any of the GNOME applications. From there, it's a matter of understanding what this package provides and how it works. As per the documentation:

File And Directory Ownership And Permissions

The core CIFS protocol does not provide unix ownership information or mode for files and directories. Because of this, files and directories will generally appear to be owned by whatever values the uid= or gid= options are set, and will have permissions set to the default file_mode and dir_mode for the mount.

In regards to if and when will GVfs make any updates (I'm also addressing point #2): I have no idea. You may ask in the Gnome forums about this.
Please also note that Zorin OS 17 uses Gnome at version 43, whereas the latest at the moment is 47, which has significant changes. Some of them are in the network department, but I'm not sure if they are quality of life or something behind the scenes.

I couldn't find any official help page on this regard, but it's not too difficult. Zorin OS ships with UFW — Uncomplicated Firewall. You will find it listed in the applications menu as "Firewall Configuration". Enabling it is just a click away, and setting up rules is quite straightforward using the graphical interface, at least for the most common use cases.

The help page regarding anti-virus is very short: Is an Antivirus Necessary? - Zorin Help. This has been discussed many times before, and everyone has a somewhat different take on this.

In my opinion, the best anti-virus is your common sense: don't download random files from the internet and avoid installing software from untrusted sources. What a "virus" is has changed a lot in the last decade. What used to pass for a virus 10 years ago is today considered an essential feature...

Here are a few threads to go over some more opinions:

I have no idea about this. I'm sure there must be a way, but I'd recommend starting a new thread for this, to keep things organized and address one issue at a time. This makes it easier to later search for specific issues, including those making online searches that are led here.


By the way, just to be clear since you are asking about "official recommendations", these are my own opinions and not necessarily the official stance of the Zorin OS developers.

@zenzen

First of all, I would like to thank you very much for the informative and prepared answers.

To your question:
Yes, I use the Zorin client as a multiple user system, with the purpose of having a system administrator (Supervisor) and two normal users (Beatrice and Urs) with standard rights.

For the automated start of the scripts after the login process, I placed the three users in the IgnorePassword file to suppress the password query as follows:

To my first question 1. Connect Zorin client to local network via SMB protocol:
Basically, I always want to use a computer system with its on-board resources if possible. I can basically live with the workaround described for integrating the SMB shares in this topic.

However, my Synology NAS DS214+ supports the NFS protocol in addition to the SMB protocol.

At the moment I am still experimenting with the Zorin client connection via the NFS protocol and will decide on a specific transfer protocol depending on the tests carried out.

Regarding my question 2. Network browsing, I found the following statement in the gnome forum.

Thanks to your recommendation, I will be happy to consult the gnome forum regarding the development status of GVfs.

I have just activated Zorin's internal firewall, although I am aware that my local network is behind a router with an integrated hardware firewall.

Regarding antivirus protection, I have the same opinion as your statement. :+1:

With that in mind, it was an honor to talk to you about using Zorin OS and I thank you very much.

Best regards,
Kobi


In terms of malware protection, Anti-virus protection is more about scanning emails before forwarding to friends and family. Two items you should install are chkrootkit and rkhunter. These are command line applications to check for rootkits. Be aware when running these for the first time, they record what is on the system as a baseline. If you install additional apps afterwards you may get false positives. In terms of Spam, I think Evolution comes with Bogofilter or SpamAssassin extensions. As with all Anti-Spam applications they need to learn and you may need to correct wrongly identified Spam.

In terms of the Firewall, I covered this in the Unofficial Manual for Zorin 17:

In terms of your NAS, Remmina, which comes with Zorin might be an alternative for you (or not):

(Remmina is cross-platform)

@swarfendor437

Thanks for the tip about connecting the Zorin client using the NFS protocol instead of using the SMB protocol.

In the meantime, I have also tried this connection method and tested it successfully. In principle, the connection using the NFS protocol also works. Since the individual clients to be used have to be explicitly configured on the NAS, I decided to stick with the more flexible SMB variant.

The necessary workaround for connecting the SMB network shares to bypass the GNOME Virtual File System (GVfs) used internally by Zorin using cifs-utils was able to solve my problem.

Additionally, I would like to thank you for the tip on email security. Since I use gmail for my email traffic web-based, I assume that at least the technical part of email security is Google's responsibility.

Kind regards,
Kobi

Good day! I had forgotten about cifs-utils, my bad. Have posted about the need for cifs-utils in the past. Glad to hear you are making progress.