SMB Windows ACLs users/group names mismatched
I'm getting some mismatched names with SMB shares with ACLs.
This is what I see in Windows:
This is what things actually are setup as:
[omsion@freenas /mnt/sixfour/nasode]$ getfacl service_data/
# file: service_data/
# owner: omsion
# group: admin_omsion
            group@:rwxpDdaARWcCo-:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow
   group:services:rwxp-daARWc---:fd-----:allow
Interestingly enough, when trying to "check names" via the Windows GUI, i.e.
This will fail with an error. However, if we use the advanced button and do a search, we are able to get this into the box
However, once actually accepting it, it shows up incorrectly (i.e. as 'NASODE\tomato')
This is my
[omsion@freenas /mnt/sixfour/nasode]$ cat /usr/local/etc/smb4.conf
[global]
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 468920
    logging = syslog:1
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = guest
    map to guest = Bad User
    obey pam restrictions = yes
    ntlm auth = no
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    time server = yes
    acl allow execute always = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = NASODE
    workgroup = WORKGROUP
    security = user
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
    map to guest = Bad User
    server max protocol = SMB2
    raw NTLMv2 auth = yes

[nasode]
    path = "/mnt/sixfour/nasode"
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-3d
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr aio_pthread
    hide dot files = yes
    guest ok = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
What other logs/config files should I attach?
#2 Updated by Timur Bakeyev over 2 years ago
- Status changed from Unscreened to 15
Can you, please, provide full debug output for your system? You can grab it in the legacy UI via
For me it looks like somehow the same SID is mapped to a UID and a GID, but we'll see.
getfacl -n on that directory in question could be useful.
#3 Updated by Mike L over 2 years ago
- File debug-freenas-20180101172804.tgz added
Attached debug and getfacl -n
[omsion@freenas /mnt/sixfour/nasode]$ getfacl -n service_data/
# file: service_data/
# owner: omsion
# group: admin_omsion
            group@:rwxpDdaARWcCo-:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow
       group:1003:rwxp-daARWc---:fd-----:allow
#5 Updated by Timur Bakeyev over 2 years ago
Thanks for the debug info. It shows the immediate reason why this issue occurred:
NASODE\tomato S-1-5-21-2291531225-4099479014-4152198739-1005
services (S-1-5-21-2291531225-4099479014-4152198739-1005) -> services
The same SID is used for both the tomato (uid=1204) user and the services (gid=1003) group. User tomato is a member of a
#6 Updated by Timur Bakeyev over 2 years ago
Try to run following sequence and preserve the output:
# pdbedit -v -u tomato
# pdbedit -u tomato -r -U S-1-5-21-2291531225-4099479014-4152198739-3406
# pdbedit -v -u tomato
That, presumably, should fix your issue. The reasons why such a misconfiguration occurred are more interesting, but seem untraceable now...
In particular, I couldn't find when the services group was created. Could it be that you created it manually, from the command line?
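A check for exactly this condition, as an added example that is not part of the bug report or of FreeNAS: it parses the two output formats quoted above, `pdbedit -L -v` (the "Unix username:" / "User SID:" fields) and `net groupmap list` ("ntgroup (SID) -> unixgroup"), and reports any SID claimed by both a user and a group. The sample output is constructed; the domain SID and RID 1005 come from the report, every other RID and the duplicacy entry are assumed.

```python
import re
from collections import defaultdict

# Constructed sample of `pdbedit -L -v` output, reduced to the fields the check
# needs. Domain SID and RID 1005 are from the report; the other RIDs are assumed.
PDBEDIT_OUTPUT = """\
Unix username:        tomato
User SID:             S-1-5-21-2291531225-4099479014-4152198739-1005
Unix username:        duplicacy
User SID:             S-1-5-21-2291531225-4099479014-4152198739-1003
"""

# Constructed sample of `net groupmap list` output: "ntgroup (SID) -> unixgroup".
GROUPMAP_OUTPUT = """\
services (S-1-5-21-2291531225-4099479014-4152198739-1005) -> services
admin_omsion (S-1-5-21-2291531225-4099479014-4152198739-1007) -> admin_omsion
"""

GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>\S+)$")


def parse_user_sids(pdbedit_text):
    """Return {unix_username: user_sid} from `pdbedit -L -v` style text."""
    users, current = {}, None
    for line in pdbedit_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Unix username":
            current = value          # a new account record starts here
        elif key == "User SID" and current:
            users[current] = value   # SID Windows clients see for that user
    return users


def parse_group_sids(groupmap_text):
    """Return {unix_group: sid} from `net groupmap list` style text."""
    matches = (GROUPMAP_RE.match(l.strip()) for l in groupmap_text.splitlines())
    return {m.group("unix"): m.group("sid") for m in matches if m}


def find_sid_collisions(users, groups):
    """Return {sid: (user_names, group_names)} for SIDs owned by a user AND a group."""
    claims = defaultdict(lambda: ([], []))
    for name, sid in users.items():
        claims[sid][0].append(name)
    for name, sid in groups.items():
        claims[sid][1].append(name)
    # A SID with both lists non-empty is ambiguous: name lookups may return
    # either principal, which is how a group ACE can show up as a user name.
    return {sid: (u, g) for sid, (u, g) in claims.items() if u and g}
```

Any SID the check reports needs a fresh, unused RID assigned on one side (the report does this for the user with `pdbedit -u <user> -r -U <new SID>`) before share ACLs display consistently again.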
#7 Updated by Mike L over 2 years ago
This was an upgraded server that originally was created in 9.3 two(?) years back; the services group (and users excepting tomato) was made from the GUI back then as far as I can remember.
duplicacy) user was created in 11.0(-U4? 4ee20c34fd84cd863cc7642519a68e5f is the hash on my boot list).
#8 Updated by Timur Bakeyev over 2 years ago
That explains why there are no traces of services. The history starts on:
2015-09-02 23:09:23 [root:groupadd] cyrus(60)
...
2017-12-10 23:41:15 [unknown:useradd] duplicacy(1203):services(1003):duplicacy:/nonexistent:/bin/csh
2017-12-10 23:41:41 [unknown:useradd] tomato(1204):services(1003):tomato:/nonexistent:/bin/csh
pdbedit to fix the SID mapping.
#10 Updated by Timur Bakeyev over 2 years ago
- Status changed from 15 to Closed: User Config Issue
- Target version changed from 11.3 to N/A
- Private changed from Yes to No
Great to know that it worked. It seems such a huge leap from 9.3 to 11.1 got some artifacts in data structures; we'll keep an eye on whether the problem reoccurs.