Access Based Share Enum in samba on Macos

Question

I'm trying to set up a samba server on an M1 Mac. Have installed samba via homebrew. Users and groups have been added to the OS, and then users added to samba via smbpasswd.

Everything works as expected. Users are allowed into shares to which their groups have permissions (using groups on the directory) and denied when they don't. So far, so good.

Everything breaks when I try to hide shares the user doesn't have access to, by adding 'access based share enum = yes' to the global section in smb.conf. Then client returns an error saying "There are no shares available or you are not allowed to access them on the server."

The frustrating bit is that I have had it working, but I'm starting to lose the will!

Any suggestions?

smb.conf below

[global]
    workgroup = WORKGROUP
    security = user
    passdb backend = tdbsam
    inherit permissions = yes
    inherit owner = yes 
    ea support = yes
    min protocol = SMB2
    vfs objects = fruit streams_xattr  
    #fruit:metadata = stream
    #fruit:model = MacSamba
    #fruit:posix_rename = yes 
    #fruit:wipe_intentionally_left_blank_rfork = yes 
    #fruit:veto_appledouble = no
    #fruit:delete_empty_adfiles = yes 
    access based share enum = yes
    max log size = 100000

[IT_application]
    path = /Volumes/WORKFLOW/data/shares/IT
    valid users = @workflow_it
    force group = workflow_it
    read only = no
    browseable = yes
    public = no
    writeable = yes

Answer 1

There was a regression related to reading the share_info.tdb file. It was fixed a few weeks ago so it should show up in the 4.16.9 and 4.17.5 releases.

https://bugzilla.samba.org/show_bug.cgi?id=15265

While I wouldn't recommend it in a production system I can confirm that chmod 666 on share_info.tdb does in fact restore the expected behavior.

Answer 2

what happens when you remove the valid users = @workflow_it & force group = workflow_it option?