I’m trying to debug a problem with Nextcloud, which uses “External storage” setups pointing to Samba shares on another server. I tried using dietpi-drivemanager to setup the share (and then use NC with a local external storage config), but that runs into permission errors (NC is not running as dietpi but as www-data).
Here are the first few error lines:
/var/www/nextcloud# sudo -u www-data php occ files:scan --all
Starting scan for user 1 out of 5 (admin)
Error during scan: Undefined array key "attributes"
Exception during scan: Malformed state response from server
#0 /var/www/nextcloud/apps/files_external/3rdparty/icewind/smb/src/Wrapped/Share.php(216): Icewind\SMB\Wrapped\Parser->parseStat()
[...]
The suggestion is to install via “pecl”. I’m not very familiar with PHP, I did install php-pear, but DietPi has no php-dev package for php8.2, apparently. It’s needed for phpize:
# pecl install smbclient
downloading smbclient-1.2.0dev.tgz ...
Starting to download smbclient-1.2.0dev.tgz (35,344 bytes)
.........done: 35,344 bytes
7 source files, building
running: phpize
sh: 1: phpize: not found
I don’t know what to try next. I’d rather not mess with NC or PHP. My goal is to keep the Nextcloud areas working for my family’s user accounts, which are “attached” to remote SMB folders. As alternative for SMB mounts inside NC, is there perhaps some way for dietpi-drivemanager to mount SMB with mode 0755 so that the NC process can access these folders?
I don’t see what’s wrong with mounting remote SMB inside NC. The SMB shares are on a private NAS behind a firewall, with a large RAID disk set (a huge collection of professional photos).
NC is on a simple RasPi4 w/ DietPi and reachable from the internet. This has been working splendidly for many years.
I’ll look into the /etc/fstab suggestion you made, but that’s brittle since DietPi adjusts that file.
As alternative to mounting the Samba share as webserver user, it should work to add the webserver user to the DietPi group:
sudo usermod -aG dietpi www-data
Of course this grants it respective access to all files owned by that group, i.e. potentially more stuff in /mnt/dietpi_userdata, depending on the software you use.
On Debian Bookworm running PHP 8.2 there is php8.2-dev and on Trixie running PHP 8.4 there is php8.4-dev. So as long as the project you want to use or compile supports the PHP version which runs your Nextcloud, there should not be a problem.
Hehe no, this is the default priority of packages, so all as expected. Hence it was only an apt update missing to fetch current lists. Maybe you moved your lists to RAM via dietpi-config or cleared them at some point.
Great, I can confirm that pecl install smbclient now completes without errors:
[...]
Build process completed successfully
Installing '/usr/lib/php/20220829/smbclient.so'
install ok: channel://pecl.php.net/smbclient-1.2.0dev
configuration option "php_ini" is not set to php.ini location
You should add "extension=smbclient.so" to php.ini
The original exception during occ files:scan still happens, is this the proper file to add the suggested line: /etc/php/8.2/fpm/php.ini ? (Again, total PHP noob here, sorry)
You might want to enable the APT cache and/or disable list compression. Both (disabled cache and enabled compression) reduces disk writes significantly on apt update, but slows down all APT actions which include parsing list contents likewise.
You would need to add it to /etc/php/8.2/cli/php.ini as well to be active for the occ (or on DietPi the ncc shorthand) to have it active. Or better make it a drop-in config/mod:
Bingo, I was halfway: figured out the ini module iso an edit, but didn’t know the phpenmodcmd!
Another little detail is that I had to add a cache dir (uid/git www-data):
gencache_init: Failed to create directory: /var/www/.cache/samba - Permission denied
After re-running the scan, success at last:
root@houtje:/var/www/nextcloud# sudo -u www-data php occ files:scan --all
Starting scan for user 1 out of 5 (admin)
Another process is already scanning '/admin'
[...]
Starting scan for user 5 out of 5 (samuel)
+---------+-------+-----+---------+---------+--------+--------------+
| Folders | Files | New | Updated | Removed | Errors | Elapsed time |
+---------+-------+-----+---------+---------+--------+--------------+
| 1441 | 53002 | 0 | 0 | 0 | 0 | 00:02:58 |
+---------+-------+-----+---------+---------+--------+--------------+
As I understand it, this solves the NC + SMB error caused by icewind relying on an outdated SMB client, by building and adding the latest php-smbclient extension to bypass the smbclient cmdline utility.
I guess the Samba cache dir does not need to be in the public /var/www, i.e. looks more like a potential security issue. Maybe there is a way to change that directory to e.g. /run/php or something like that. Funnily first search machine finds are in Nextcloud context, even that it is stated there to be a general smbclient issue:
Seems to have been solved in recent Samba, so probably Debian Trixie solves it. … the other reports indicate that cache dir is created in the user’s home, so looks like no way to change it. And I would probably ignore it unless there are actual issues with the mounts. Else, assure to deny public access to this directory in webserver config. Seems to be a common issue with services (and related service users) using libsmbclient, which often have no write access to their home directory, or no home dir at all. some /run sub directory does then often exist, so making that cache dir adjustable would then be a sane solution, probably implemented in recent versions already. … though checking the patch https://launchpadlibrarian.net/586046474/add_dir_create_or_exists_recursive.patch there the solution was to recursively create parent directories if missing. So in our case with www-data that wouldn’t help.
So if you want to mute that error:
cat << '_EOF_' > /etc/apache2/conf-available/samba-cache.conf
<Directory /var/www/.cache>
Require all denied
</Directory>
_EOF_
a2enconf samba-cache
apachectl -t # verify it returns OK
systemctl restart apache2
mkdir -p /var/www/.cache/samba
chown www-data /var/www/.cache/samba
And then it would be interesting to see what is inside, once you did some SMB mounts. There seem to be credentials caches for two backends in smbclient, likely it’s that.
Btw, Icewind is the nickname of a developer from Nextcloud, not the name of the PHP extension .
Oops, a security hole is bad. I’m using nginx, btw. I’ll look into it, it’ll be easy to fix. There’s one 524 KB file inside that samba subdir in the cache, a .tdb file. It compresses to under 2 KB, so essentially empty (looks like connection credentials, not great that it’s world-readable).
.