Managing Usershares properly, under SAMBA (meaning, under the SMB emulation given by Linux).

Just to encapsulate the subject of this posting… ‘SMB’ is a file-sharing protocol which is really Windows-owned. Granted, ‘SMB1‘ cannot be fully Windows-owned, but, on the assumption that a ‘SAMBA’ server is being used to emulate ‘SMB2′ and ‘SMB3′ (under Linux), there are many ways in which the (root-owned) configuration file at ‘/etc/samba/smb.conf’ could be faulty, and could result in weird error messages. The fixes which are highlighted in this posting worked for me, but my reader could be suffering from mistakes of an entirely different nature. I am posting this, in case the reader happens to be suffering from the same configuration mistakes which I was.

Also, my configuration issues arose partially, because I’ve switched this configuration file from a configuration in which Home Directories are being shared out in their entirety, to a configuration in which individual users can decide to share out specific folders they own. This system is one of ‘Usershares’.

What I was eventually doing was, to give the command ‘net usershare add <Share-Name> "<Path-Name>" "<Comment>" Host\\user1:f,Host\\user2:f‘. The comma and the absence of spaces in the Access Control List are important. I was getting the error-message stating, that these user-names, part of the ACL, could not be converted into SIDs. What I found was, that I had the following error in my ‘smb.conf’ file:


map to guest = bad user
guest account = nobody

(...)

server max protocol = SMB3
server min protocol = SMB2




Amazingly, the error message went away, if I changed that last detail to:


client max protocol = SMB3
server min protocol = SMB2



But, there is more to be known about my configuration:


usershare allow guests = no
usershare max shares = 10
usershare owner only = false
usershare path = /var/lib/samba/usershares



What this last set of parameters actually requests is, that individual users should not be able to grant Guest Access – unauthenticated access – to any of their folders, but potentially, to grant access which is authenticated by another SAMBA username, with their enabled password, as existing on the server.

Again to my amazement, I found that, if the server is massaged adequately, it will implement the settings exactly as requested. But it will do so with a crucial limitation. Locally on the server, the non-owner username must already have access to the exact folder named in the usershare. What level of access that username has (to the named folder itself), will cap whatever level of control is granted by way of a SAMBA client.

This observation could also be rephrased as follows: Even though (Linux) SAMBA has an impressive-looking feature in “Usershares”, while that creates rule-files in the folder ‘/var/lib/samba/usershares’, which even possess Access-Control Lists, those ACLs finally disappoint, in NOT guaranteeing what the behaviour of the SAMBA server will be, once a usershare has finally granted access (to a folder, for the client). (:2)

Usually, in order to grant such access locally on the server, some strategy with group memberships and permission-bits gets used. Which exact arrangement of groups and permission-bits gets used, is not set in stone. Any arrangement will work that grants full access. But, because it’s usually unwieldy for users to set up such local sharing of their folders, they are also not likely to succeed – without compromising their security completely – unless they also have the help of someone with root access. Therefore, the ability to give this feature to users in user-space, is theoretical at best. (:1)  And, if the user wants to activate this extension, he or she must use the CLI, and cannot count on the GUI within ‘Dolphin’ to do so. But, the final command given via the CLI can be given as user.

By default,  declaring a usershare ‘the easy way, via the GUI’, remains owner-only.

There is one more caveat to mention. According to my recent experiences, if ‘Dolphin’ is being used as the SAMBA client, and if it’s to authenticate with the server, using any username other than the current username on the local client-computer, then the credentials need to be specified under ‘System settings -> Network -> Connectivity’ (where the Plasma 5.8 Desktop manager puts them). If there is a set of credentials there, they will not be stored encrypted, but only stored with casual obfuscation, and Dolphin will use them. If the user wants the credentials to be stored in the ‘kwallet’ (and thus encrypted), he needs to make his username, to log into the server with, identical to his username on the local client. Otherwise, illogical error messages will appear again, this time, from the Dolphin file-browser not being consistent, in whether to try to authenticate at all. And, if an attempt is made to access the share without authenticating, then Dolphin generates an illogical error message, which can be paraphrased as a ‘File Exists’ error message.

With enough effort, and, sacrificing some security, it can all be done.

(Updated 3/29/2021, 15h10… )

Kernel Update today, Downtime, Multiple Reboot-Attempts

Today, the PC which is hosting my site and blog, which I name ‘Phoenix’, received a kernel update.

Debian Team has not been following standard guidelines in their propagation of kernel updates, as the last 3 updates produced the same kernel-version number:


3.16.0-6-amd64



Because even Linux computers require a reboot after a kernel-update, this blog was temporarily off-line from about 13h05 until 13h25. I apologize for any inconvenience to my readers.

There is a fact about the build of Linux on this computer which I should bring up. I have the following on-board graphics-chip:


GeForce 6150SE nForce 430/integrated/SSE2



And this proprietary graphics driver is the only one, capable of working with the said graphics-chip:


NVIDIA 304.137



The graphics driver is installed from standard Debian repositories.

Somewhere between these software-packages there is a problem, which Debian Team has never been aware of, but which has existed ever since I installed Debian / Jessie on this computer. Directly after a reboot, the ability of the X-server to start, is not reliable. Sometimes, the X-server starts on the first try, but on other occasions I need to make 7 reboot attempts, before the X-server will start, and from one reboot-attempt to the next, I change nothing.

Once the X-server has started successfully, this graphics-chip will work 100% for 30 days !

I have been reluctant to point this out for the past few years, because if a Debian developer finds out about it, he will try to fix this problem. And when he does, he will brick my computer.

This afternoon, 7 reboots were in fact required, before the X-server started. That is why the reboot-procedure took 20 minutes of time.

(Updated 07/14/2018, 16h45 … )

A First, Complicated Project at Circuit Design with NG-SPICE

One subject which I wrote about in an earlier posting, was that software exists by the name of ‘SPICE’, which stands for “Simulation Program with Integrated Circuit Emphasis”. There are several variants of this software in existence, but the version which I am focusing on for now is the Open-Source ‘NG-SPICE’ system, which needs to be bundled with numerous other packages under Linux, really to be useful. One important package is ‘ngspice-doc’, but there is a whole suite of Linux packages referred to as ‘gEDA’.

Simply having tested a few demo-projects, is not the same thing as actually having designed a circuit, and having witnessed that project ‘work’, at least according to the simulation. Just last night, I did the latter, in order to get a better, working grasp of how to use the software, and also, some idea of the sort of error messages and problems which invariably occur on a first-time basis. What this means is that I actually designed a circuit using the ‘gEDA Schemtic Editor’, which is also known as ‘gschem’, and then ran multiple simulations of the circuit, discovering at first that it had performance issues as I had imagined it, modifying it numerous times, and ending up with a version of the circuit, which I could be satisfied with for now.

The circuit which I was designing, actually involved MOSFETs, because those are the most important components in circuit-design today, and surely enough, I did run into initial problems. One of the tasks which we must complete, when using active components in SPICE, is to define the component, which is as fundamental as the fact that we also don’t just put a resistor, but must also specify what the Value of the resistor is in Ohms. Well with active components, we must do something similar, which also goes under the GUI heading of the Value attribute for the component. Therefore, MOSFETs, be they NMOS or PMOS, also have values, and by default, those values are defined by a Model Card, from which the computer can predict such physical properties about the NMOS or the PMOS transistor, as what its gate-capacitance is, how well it conducts when switched to conductive, conversely when the gate-voltage is zero, etc., etc., etc..

But, because NG-SPICE (v26) is advanced software – though still not the latest version – it may not require that the user defined all these parameters each time he or she considers designing a circuit, because standard component specifications exist.

By default, our MOSFETs have Reference Descriptors that begin with the letter “M”, and not with the letter “Q”, which would stand for a Bipolar Transistor, but which the GUI of ‘gschem’ suggests for the user when he first clicks a MOSFET into his circuit. So we override that, by editing the RefDes into a text-string that has the letter “M” followed without spaces by a number.

What I next proceeded to do, was to put MOSFET-transistors into my circuit, which from the GUI, only had 3 pins. This is a common way in which MOSFETs are often diagrammed, and looked something like this:

Believing that I could just accept what the GUI had constructed, I next tried to simulate the circuit, and received the error, which roughly stated “Unable to find Definition of Model.” This error-message wasted much of my time trying to solve, because I had in fact created a Model Card for the transistors which I was going to use, and at first, I despaired that NG-SPICE might not be as good as paid-for software. But I soon learned that indeed, the following example is a sufficient Model Card for an arbitrary NMOS transistor, with which circuits can be designed:

http://dirkmittler.homeip.net/text/NMOS1.mod.txt

Similarly, we can conjure a default PMOS transistor like so:

http://dirkmittler.homeip.net/text/PMOS1.mod.txt

In actual circuit-design, we’d drop the .TXT Filename-Extension, that makes the above examples readable in a Web-browser. Not only that, but we can also use the ‘gschem’ GUI, to embed such definitions directly into the Netlist, by giving them as a ‘Model’ attribute. So what was causing this error message, in my example? The fact is that MOSFETs are 4-pin components by nature. They have a hypothetical Source, a hypothetical Drain, a Substrate Electrode, and a Gate. It’s the voltage between the Gate and the Substrate Electrode, that finally determines how conductive the MOSFET is to become. By convention, many practical MOSFET-packages tie the Substrate Electrode together with the Source lead, which also happens to make the Source different from the Drain.

By telling NG-SPICE that we’re including a ‘MOSFET_TRANSISTOR‘ in our circuit, we’re telling this program to read 4 Nodes from the Netlist, to parse what the transistor is to be connected to. But, when the GUI only provides 3 arguments, an error ensues, that garbles the attempt of NG-SPICE to parse the Netlist. That’s all. Curiously, the reverse error does not happen. If I conjure a 4-lead MOSFET-symbol from the GUI, but specify a 3-lead MOSFET (more on that below), then I obtain a well-managed error message, that tells me what the problem is.

(Updated 06/14/2018 … )

Actually, the symbols above are also different in another way. In theory, one stands for an enhancement-mode, and the other, for a depletion-mode transistor. But, because under Linux, ‘this software is divided into two departments’, effectively, this does not matter.

The GUI allows schematics to be drawn in such a way, that Netlists result, while the actual NG-SPICE software emulates what these Netlists define. It’s in the emulation of the Netlists, that the decision is also made, as to whether a component is an enhancement-mode or a depletion-mode, or a subcircuit component… ( :1 )

(Updated 06/16/2018 : )

Finding Out, How Many GPU Cores we have, Under Linux

One question which I see written about often on the Web, is how to find out certain stats about our GPU, under Linux. Under Windows, we had GUI-based programs such as ‘GPU-Z’, etc., but under Linux, the information can be just a bit harder to find.

I think that one tool which helps, is to have ‘OpenCL’ installed, as well as the command-line utility ‘clinfo’, which exists as one out of several packages, and as an actual, resulting command-name.

If we’re serious about programming our GPU, then having a GUI won’t help us much. We’d need to get dirty with code in that case, and then to have text-based solutions is suitable. But, if we’re just spectators in this sport, then two stats we may nevertheless want to know are:

1. How many GPU-Core-Groups do we have – since GPU-Cores are organized as Groups, and
2. How many actual Shader-Cores do we have in each Group?

Interestingly, the grouping of shader-cores, also represents how many vector-processors such GPU-computing tools as OpenCL see. And so, on the computer which I name ‘Klystron’, which is running Debian / Jessie, when typing in these commands as user, I get the following results:


dirk@Klystron:~$clinfo | grep units Max compute units: 4 Max compute units: 6 dirk@Klystron:~$ clinfo | grep multiple
Kernel Preferred work group size multiple:     1
Kernel Preferred work group size multiple:     64
dirk@Klystron:~\$



This needs some explaining. On ‘Klystron’, I have the proprietary, AMD packages for OpenCL installed, since that computer has both an AMD CPU and a Radeon GPU. And this means that the OpenCL version will be able to carry out computing on both. And so I have the stats for both.

In this case, the second entries reveal that I have 6×64 cores on the GPU.