Bug #19486

Unable to manage AD ACLs from SMB folder share

Added by Joe Maloney almost 4 years ago. Updated about 3 years ago.

Status: Closed: User Config Issue
Priority: No priority
Assignee: John Hixson
Category: OS
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I have reproduced an issue by creating a folder share in the FreeNAS webui. You can see how I accomplished creating a folder share in the attached screenshots as well as what ACLs look like from Windows.

After joining an AD I have assigned the group owner of the folder to be Domain Admins using chown -R root:AD01\\Domain\ \Admins /mnt/tank/foldershare. The resulting unix permissions look like this...

drwxrwxr-x+ 2 root AD01\domain admins 3 Dec 9 09:55 datasetshare/
drwxr-xr-x 2 root AD01\domain admins 2 Dec 9 09:53 foldershare/

Due to folder share permissions I cannot write files as Administrator (Domain Admins member), or manage ACLs from Windows as Administrator.

Attachments:
create smb folder share.png (113 KB), Joe Maloney, 12/09/2016 07:06 AM
manage folder share acls.png (222 KB), Joe Maloney, 12/09/2016 07:06 AM

History

#1 Updated by Kris Moore almost 4 years ago

  • Assignee set to Erin Clark
  • Target version set to 9.10.2-U1

#2 Updated by Erin Clark almost 4 years ago

  • Status changed from Unscreened to Screened

#3 Updated by Kris Moore over 3 years ago

  • Target version changed from 9.10.2-U1 to 9.10.2-U3

#4 Updated by Kris Moore over 3 years ago

  • Target version changed from 9.10.2-U3 to 9.10.4

#5 Updated by Kris Moore over 3 years ago

  • Target version changed from 9.10.4 to 11.1

#6 Updated by Erin Clark about 3 years ago

  • Assignee changed from Erin Clark to John Hixson

I haven't worked on the middleware AD stuff for a while so I don't know if this issue still exists, passing to John

#7 Updated by an odos about 3 years ago

Erin Clark wrote:

I haven't worked on the middleware AD stuff for a while so I don't know if this issue still exists, passing to John

I tested this on a FreeNAS system. There is no difference in behavior between folders / datasets. Winacl reset is still triggered and permissions are set to

owner@:full_set:fd:allow
group@:full_set:fd:allow
everyone@:read_set:fd:allow

If the original setup only involved swapping out paths on samba shares, it's possible that "apply default permissions" wasn't getting triggered with the share config change. It would only be triggered if "apply default permissions" was unchecked when the path was changed. Then the share config would need to be opened again and "apply default permissions" checked again.

#8 Updated by John Hixson about 3 years ago

  • Status changed from Screened to Closed: User Config Issue

Here are the permissions in the debug:

------------------------------------------------------------------------------
+ foldershare:/mnt/tank/foldershare @1481295632
------------------------------------------------------------------------------+
drwxr-xr-x 2 root AD01\domain admins 2 Dec 9 09:53 /mnt/tank/foldershare

# file: /mnt/tank/foldershare
# owner: root
# group: AD01\domain admins
    owner@:rwxp--aARWcCos:-------:allow
    group@:r-x---a-R-c--s:-------:allow
 everyone@:r-x---a-R-c--s:-------:allow

group@ has very limited permissions here, so, there will be no managing permissions as a domain admin here ;-)
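
Added example (not part of the ticket or of FreeNAS itself): the ACL from the debug output in comment #8 and the reset ACL quoted in comment #7, evaluated for a requester who matches group@ and everyone@ but is not the file owner. The permission letters follow the FreeBSD setfacl(1) compact form; the function names and the ordered first-match evaluation are this example's own assumptions.

```python
# Compact NFSv4 permission letters as documented in FreeBSD setfacl(1)
PERMS = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
         "D": "delete_child", "d": "delete", "a": "read_attributes",
         "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
         "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize"}
ALL = set(PERMS.values())
SETS = {"full_set": ALL,
        "modify_set": ALL - {"write_acl", "write_owner"},
        "read_set": {"read_data", "read_attributes", "read_xattr", "read_acl"},
        "write_set": {"write_data", "append_data", "write_attributes", "write_xattr"}}

def parse_ace(line):
    """Split 'who:perms:flags:type' into (who, set_of_permissions, type)."""
    fields = line.strip().split(":")
    # user:NAME:... and group:NAME:... entries carry one extra leading field
    n = 2 if fields[0] in ("user", "group") else 1
    who, perms, ace_type = ":".join(fields[:n]), fields[n], fields[n + 2]
    granted = SETS.get(perms) or {PERMS[c] for c in perms if c != "-"}
    return who, set(granted), ace_type

def effective(acl_text, matches):
    """Permissions granted to a requester matching the tags in `matches`.
    Entries are walked in order; the first ACE naming a bit decides it."""
    allowed, decided = set(), set()
    for line in acl_text.strip().splitlines():
        who, perms, ace_type = parse_ace(line)
        if who not in matches:
            continue
        if ace_type == "allow":
            allowed |= perms - decided
        decided |= perms  # later entries cannot change bits already decided
    return allowed

# Entries copied from comment #8 (debug output) and comment #7 (winacl reset)
DEBUG_ACL = """owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow"""
RESET_ACL = """owner@:full_set:fd:allow
group@:full_set:fd:allow
everyone@:read_set:fd:allow"""
# Assumption: a Domain Admins member who is not the owner (root)
MEMBER = {"group@", "everyone@"}

def can_manage(acl_text):
    eff = effective(acl_text, MEMBER)
    return {"write_files": "write_data" in eff, "edit_acl": "write_acl" in eff}
```

With the debug ACL both answers are False, which matches the reported symptoms; with the reset ACL both are True.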

#9 Updated by Dru Lavigne about 3 years ago

  • Target version changed from 11.1 to N/A

#10 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-ixsouthmini-20161209100321.tgz)
