Can't mount Samba share as a user

I’ve just experienced the issue that I can’t mount my file server as a user. Steps I’ve followed to make a mount point:

  1. added required packages in configuration.nix:
    environment.systemPackages = with pkgs; [ cifs-utils samba ];
  2. configured Samba to work with my old NAS in configuration.nix:
    services.samba = {
      enable = true;
      securityType = "user";
    #  openFirewall = true;
      extraConfig = ''
        workgroup = WORKGROUP
        client min protocol = CORE
      '';
    };
  3. added a remote filesystem to configuration.nix:
    fileSystems."/mnt/smb0" = {
      device = "//10.138.72.12/backup";
      fsType = "cifs";
      options = [ "username=bogdan" "users" "noauto" ]; # not sure if I need commas or whitespaces here. Changing back and forth doesn't help
    };
  4. made network-discovery in Dolphin possible in configuration.nix:
    networking.firewall.extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
  5. created a mount folder:
    sudo mkdir /mnt
    sudo mkdir /mnt/smb0
  6. nixos-rebuild switch
[wynz@nixos-hp:~]$ mount /mnt/smb0
This program is not installed setuid root -  "user" CIFS mounts not supported.

This was a trouble on Fedora too (where I came from). Invoking sudo chmod u+s /bin/mount /bin/umount /usr/sbin/mount.cifs (source) fixed the prob. But here I can’t do this, 'cause the Nix store is read-only.
I’ve searched the web and found that the developers have already set +s bit to mount and umount, but it was almost 10 years ago (and they didn’t touch mount.cifs):

(EDIT: previously, posted a wrong link)

What can I do now?

Hmm, perhaps we should add the +s bit to the mount.cifs executable? Could you try this:

security.wrappers = {
  "mount.cifs".source = "${lib.getBin pkgs.cifs-utils}/bin/mount.cifs";
};

And try to nixos-rebuild switch and try to mount /mnt/smb0?

1 Like

Theoretically, it should work, but the rebuild tells me that we forgot the “owner” parameter:
error: The option `security.wrappers."mount.cifs".owner' is used but not defined.
As I understand, it should be similar to this example:

Am I missing something?

  security.wrappers."mount.cifs" = {
    source = "${lib.getBin pkgs.cifs-utils}/bin/mount.cifs";
    owner = "root";
    group = "root";
  };
[wynz@nixos-hp:~]$ mount /mnt/smb1
This program is not installed setuid root -  "user" CIFS mounts not supported.

I’ve never used security wrappers before. The initial permissions of the executable seem to be correct, but +s bit still isn’t set:

[wynz@nixos-hp:~]$ ls -l /nix/store/z6v13363sv14734xysisq5ar1mw6f122-cifs-utils-7.0/bin/mount.cifs
-r-xr-xr-x 1 root root 54496 Jan  1  1970 /nix/store/z6v13363sv14734xysisq5ar1mw6f122-cifs-utils-7.0/bin/mount.cifs

The security.wrappers API has changed a bit since 2020. Based on mount.davfs wrapper, try:

    security.wrappers."mount.cifs" = {
      program = "mount.cifs";
      source = "${lib.getBin pkgs.cifs-utils}/bin/mount.cifs";
      owner = "root";
      group = "root";
      setuid = true;
    };

Eventually we should add that wrapper somewhere in the samba NixOS module. If something doesn’t work for you, try to run readlink $(which mount.cifs) to see what exactly you are running.

1 Like
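
The readlink $(which mount.cifs) check suggested above, extended to also report the setuid bit and owner of the file that PATH resolves to. This is an added example, not part of the thread; the function names classify_helper and report_helper are made up here, and it assumes GNU stat and readlink -f.

```shell
#!/bin/sh
# Added example: report whether a mount helper can perform "user" CIFS mounts,
# i.e. whether the file that PATH resolves to is setuid and owned by root.

# classify_helper PATH [UID]
# Prints one of: missing, not-setuid, setuid-wrong-owner, setuid-ok.
# UID is the owner required for "setuid-ok" (default 0 = root); it is a
# parameter only so the function can be exercised without being root.
classify_helper() {
    file=$1
    want_uid=${2:-0}
    if [ ! -e "$file" ]; then
        echo missing
    elif [ ! -u "$file" ]; then                  # -u: set-user-ID bit is set
        echo not-setuid
    elif [ "$(stat -L -c %u "$file")" != "$want_uid" ]; then
        echo setuid-wrong-owner                  # setuid, but not to the wanted user
    else
        echo setuid-ok
    fi
}

# report_helper NAME
# Resolves NAME through PATH, follows symlinks to the real file and
# prints where it lives together with its classification.
report_helper() {
    name=$1
    found=$(command -v "$name" 2>/dev/null) || { echo "$name: not in PATH"; return 0; }
    target=$(readlink -f "$found")
    echo "$name: $found -> $target: $(classify_helper "$target")"
}

report_helper mount.cifs
```

Called on the /nix/store copy listed earlier in the thread (mode -r-xr-xr-x), classify_helper prints not-setuid; once the wrapper with setuid = true is active, the PATH entry is expected to report setuid-ok.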

Woohoo, it’s working now!! :muscle: Thank you so much. :smiley: This was the biggest inconvenience for me.

1 Like

I’m glad it worked for you, would you like to open a PR for this issue? If you think it is too hard for you, would you be able to review a PR?

1 Like

Should the attr name still be "mount.davfs" in this case? Intuitively "mount.cifs" seems more appropriate, but perhaps that would fail to use the wrapper?

2 Likes

Yes of course, it was a typo :).

2 Likes

Sorry for the time spent to answer. I’ve already made changes to the nixos/modules/security/wrappers/default.nix to include the mount.cifs wrapper (is the location correct? I took it from your PR), and will figure out how to test it later. Will notify you when I’m done :slightly_smiling_face:

My PR? Which one? I literally opened this PR just a second ago

2 Likes

Ah, I see. You found a way to embed it in the samba service itself - it’s perfect!
Will it be OK if I test the changes next week? Currently, I don’t have access to my NixOS machine :upside_down_face:

2 Likes

Just tried it out myself.
At some point my KIO SMB connection broke (as in KDE), and simply following along with OP fixed it.
Actually it’s better than before, since streaming from my NAS now works with e.g. VLC, something the latter flat-out refused to do earlier :slight_smile:

1 Like