10

allow insecure wide links:

In normal operation the option wide links which allows the server to follow symlinks outside of a share path is automatically disabled when unix extensions are enabled on a Samba server. This is done for security purposes to prevent UNIX clients creating symlinks to areas of the server file system that the administrator does not wish to export.

Setting allow insecure wide links to true disables the link between these two parameters, removing this protection and allowing a site to configure the server to follow symlinks (by setting wide links to "true") even when unix extensions is turned on.

According to manual setting allow insecure wide links = yes should be enough to allow symlinks outside the shared path however it's not working for me unless I set unix extensions = no.

testparm is not even showing this variable?!

# testparm -s Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[Public]" Loaded services file OK. Server role: ROLE_STANDALONE [global] workgroup = test server string = SambaBox syslog = 0 log file = /var/log/samba/smb.log max log size = 50 smb ports = 139 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 load printers = No printcap name = /dev/null disable spoolss = Yes show add printer wizard = No idmap config * : backend = tdb [Public] comment = Public path = /data/Public valid users = smbguest create mask = 0644 force create mode = 0644 force directory mode = 0755 map archive = No wide links = Yes
Improve this question
2
  • 1
    If testparm doesn't show a variable, then it is set to the default value. Commented Apr 22, 2015 at 9:40
  • 2
    If pointing to the directory proves unworkable, perhaps a bind mount would work (something like mount -o bind /a_dir /here_also). Commented Apr 22, 2015 at 9:43

2 Answers 2

Reset to default
1

If you enabled wide link support but it does not work, SELINUX is probably blocking you.

Try to issue setenforce 0 and to retest your configuration. If it works, then you found your problem's source.

If this does not work, in [global] section add:

  • wide links = yes
  • allow insecure wide links = yes
  • unix extensions = no

Than restart samba and re-try your test case.

Improve this answer
4
  • Unfortunately it's not SELinux, I've disabled it in order to test this. Commented Apr 19, 2015 at 14:55
  • I've edited my answer, give it a look. Commented Apr 19, 2015 at 15:29
  • Yes, that works however I don't want to disable unix extensions and if I understand manual correctly allow insecure wide links = yes should help but it doesn't work for me. Commented Apr 19, 2015 at 20:54
  • 3
    From my experience I found every second paragraph in the samba man pages to provide unclear or inconsistent information. The only way to achieve what you want is by setting this variables mentioned by @shodanshok. This is what I did and it works like a charm. Make sure you understand what the 'unix extensions' are how they can help. But honestly speaking they tend to cause issues with permissions. Plus they make no difference to the Windows clients, so why keep it on? Commented Apr 24, 2015 at 13:06
1

I think I know what you problem was.

allow insecure wide links is a global setting, not per share. It allows you to use wide links = yes per share (which is otherwise ignored while unix extensions = yes).

So your mistake was, probably, that you were trying to set allow insecure wide links = yes in a share, hence you didn't see it in testparm output, it was ignored.

Put allow insecure wide links = yes under [global] and set wide links = yes in your share section.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.