How to Resolve Samba Symlink Issues: allow insecure wide links vs unix extensions Configuration


2 views

When configuring Samba shares that need to follow symbolic links outside the share path, administrators often encounter unexpected behavior despite setting wide links = yes. The interaction between allow insecure wide links and unix extensions creates a security boundary that's frequently misunderstood.

Here's what each parameter actually controls:

# Security triad in Samba symlink handling
unix extensions = yes/no        # Enables UNIX-specific features
wide links = yes/no            # Allows following symlinks outside share
allow insecure wide links = yes/no # Decouples the above two parameters

Scenario 1: Maximum compatibility (insecure)

[global]
    unix extensions = no
    wide links = yes
    # allow insecure wide links not needed in this case

Scenario 2: Secure but limited

[global]
    unix extensions = yes
    wide links = no
    # Symlinks outside share won't work

Scenario 3: Partial security with flexibility

[global]
    unix extensions = yes
    wide links = yes
    allow insecure wide links = yes
    # Required for both parameters to work together

When testparm doesn't show your allow insecure wide links setting:

  1. Verify the parameter is in the correct section ([global])
  2. Check for typos (dashes vs underscores)
  3. Ensure you're running testparm -v to see all parameters

Before enabling wide links with unix extensions:

  • Audit all symlink destinations
  • Implement filesystem ACLs
  • Consider using bind mounts instead of symlinks
  • Monitor audit logs for symlink access attempts

When configuring Samba shares with symlinks, administrators often encounter a puzzling behavior where symlinks outside the share path refuse to work despite having wide links = yes set. The root cause lies in the interaction between two critical parameters:

# Security-conscious default behavior
unix extensions = yes   # Automatically disables wide links functionality
wide links = yes        # Requires unix extensions to be disabled

As shown in the testparm output, the configuration parser doesn't even display the allow insecure wide links parameter by default. This silent behavior often leads to confusion. To verify your actual runtime configuration:

# Check effective parameters including defaults
testparm -v | grep -E 'wide links|unix extensions|allow insecure'

Here are three valid approaches to enable cross-share symlinks:

# Option 1: Disable UNIX extensions completely (most compatible)
[global]
    unix extensions = no
    wide links = yes

# Option 2: Use allow insecure wide links (security trade-off)
[global]
    unix extensions = yes
    allow insecure wide links = yes
    wide links = yes

# Option 3: Per-share configuration (recommended)
[SpecialShare]
    path = /srv/special
    wide links = yes
    unix extensions = no
    allow insecure wide links = yes

Before implementing these changes, understand that allowing wide links with UNIX extensions enabled creates potential security risks:

  • Malicious users could create symlinks to sensitive system files
  • UID/GID mapping becomes critical for proper access control
  • Consider combining with veto files to block specific paths

After configuration changes:

# Restart Samba services
systemctl restart smbd nmbd

# Test symlink functionality
smbclient //localhost/share -U user
ls linked_directory

For persistent issues, check logs with tail -f /var/log/samba/log.smbd and verify filesystem permissions on both the link and target.