I've migrated my storage from Samba 3.6.10 (Debian Wheezy 32 bit) to 4.1.17 (Debian Jessie 64 bit) and I've faced a regression regarding symlinks and ntbackup.

I'm aware of this: https://www.samba.org/samba/news/symlink_attack.html

So I have a global:

    unix extensions = no
    wide links = no

And a "publix" share with "wide links = yes", that contains only symlinks to directories, like this:

    link_1 -> ../dir1
    link_2 -> ../dir2

I'm able to follow the above symlinks, both from Explorer and smbclient. The problem is only with ntbackup, which cannot enter them: they look empty (tested with Win2000 and WinServer2003). But they worked with 3.6.10.

The configuration was mostly kept the same in the migration process, except for switching from "security=domain" to "security=ads", and changing some other parameters to follow this. And note that I've switched from 32 to 64 bit.

I've also set up a test PC based on Archlinux (64 bit) and Samba 4.2, where I've fully reproduced the problem. Here are the steps to reproduce it yourself.

----------------------------------------------------
First create the folder tree:

    mkdir /smbshare
    mkdir /smbshare/ced/
    mkdir /smbshare/publix/
    chown -R root:root /smbshare
    chmod -R 771 /smbshare

Put some contents inside the shares:

    echo "ced" > /smbshare/ced/ced.txt
    echo "publix" > /smbshare/publix/publix.txt
    chmod 664 /smbshare/ced/ced.txt
    chmod 664 /smbshare/publix/publix.txt

Create a symlink in publix:

    cd /smbshare/publix
    ln -s ../ced ced

Create smb.conf, using the attached "smb.berni.conf" as a template, and restart the smbd service.

Now from a Windows PC, first try to access the symlink folder with Explorer: it might work.

Then follow these steps with ntbackup (I'm using Italian localized Windows, so I roughly try to translate the menu entries):

- Login as domain administrator
- Open ntbackup
- Click on the "Backup" tab
- Network neighborhood -> Entire network -> Windows network
- Expand your Samba server and enter the share with symlinks
- Click on every symlink.

Every symlink looks empty, with no errors from ntbackup.
----------------------------------------------------

I was unable to work around the problem or to understand the root cause of it. To me the most suspect messages from the Samba logs are reported in the attached "smbd.log", which was obtained by setting "log level = vfs:2".

Why those "Bad access attempt: ced is a symlink outside the share path"? As if there was no "wide links = yes" for the publix share. And why don't those messages appear if I follow symlinks with Explorer?

Cesare.
Created attachment 10956: Samba configuration template
Created attachment 10957: log.smbd with messages with vfs:2
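Added example, not part of the original report and not Samba's code: a Python helper that lists the symlinks under a share root whose resolved target lies outside it, which is the condition the "symlink outside the share path" log message refers to and the set of links that depend on "wide links = yes". The temporary tree mirrors the report's layout; the function names and the extra "inside" link are constructed for illustration, and the containment test only approximates the policy, it is not smbd's implementation.

```python
import os
import tempfile


def symlinks_outside_share(share_root):
    """Return {link path relative to the share: resolved target} for every
    symlink under share_root whose real path falls outside the share."""
    root = os.path.realpath(share_root)
    outside = {}
    # followlinks=False: report the links themselves, never walk through them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath avoids the string-prefix mistake where
            # /smbshare/publix2 would appear to be inside /smbshare/publix
            if os.path.commonpath([root, target]) != root:
                outside[os.path.relpath(path, root)] = target
    return outside


def build_sample_tree(base):
    """Constructed sample: the report's layout, rebuilt under a temp dir."""
    ced = os.path.join(base, "ced")
    publix = os.path.join(base, "publix")
    os.makedirs(ced)
    os.makedirs(os.path.join(publix, "local"))
    with open(os.path.join(ced, "ced.txt"), "w") as f:
        f.write("ced\n")
    with open(os.path.join(publix, "publix.txt"), "w") as f:
        f.write("publix\n")
    os.symlink("../ced", os.path.join(publix, "ced"))    # leaves the share
    os.symlink("local", os.path.join(publix, "inside"))  # stays in the share
    return publix


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        share = build_sample_tree(base)
        for link, target in symlinks_outside_share(share).items():
            print(f"{link} -> {target} (outside share path)")
```

Running the function against a real share root (for example /smbshare/publix from the steps above) gives the list of links to review before enabling "wide links = yes" on that share.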