Bug #27410

SMB Windows ACLs users/group names mismatched

Added by Mike L over 2 years ago. Updated over 2 years ago.

Status: Closed: User Config Issue
Priority: Important
Assignee: Timur Bakeyev
Category: OS
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I'm getting some mismatched names with SMB shares with ACLs.

This is what I see in Windows:

This is what things are actually set up as:

[omsion@freenas /mnt/sixfour/nasode]$ getfacl service_data/
# file: service_data/
# owner: omsion
# group: admin_omsion
            group@:rwxpDdaARWcCo-:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow
    group:services:rwxp-daARWc---:fd-----:allow

Interestingly enough, when trying to "check names" via the Windows GUI, i.e.

This will fail with an error. However, if we use the advanced button and do a search, we are able to get this into the box

However, once actually accepting it, it shows up incorrectly (i.e. as 'NASODE\tomato')

This is my /usr/local/etc/smb4.conf

[omsion@freenas /mnt/sixfour/nasode]$ cat /usr/local/etc/smb4.conf
[global]
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 468920
    logging = syslog:1
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = guest
    map to guest = Bad User
    obey pam restrictions = yes
    ntlm auth = no
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    time server = yes
    acl allow execute always = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = NASODE
    workgroup = WORKGROUP
    security = user
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
    map to guest = Bad User
    server max protocol = SMB2
    raw NTLMv2 auth = yes

[nasode]
    path = "/mnt/sixfour/nasode" 
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    access based share enum = no
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-3d
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr aio_pthread
    hide dot files = yes
    guest ok = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

What other logs/config files should I attach?

1.png (15.1 KB) 1.png service_data security tab from Windows Mike L, 12/23/2017 10:16 PM
2.png (7.12 KB) 2.png check names from Windows will error Mike L, 12/23/2017 10:28 PM
3.png (7.36 KB) 3.png can get the correct entry from advanced, but it will show incorrectly once accepted Mike L, 12/23/2017 10:28 PM

History

#1 Updated by Kris Moore over 2 years ago

  • Assignee changed from Release Council to Timur Bakeyev
  • Priority changed from No priority to Important
  • Target version set to 11.3

#2 Updated by Timur Bakeyev over 2 years ago

  • Status changed from Unscreened to 15

Hi, Mike!

Can you, please, provide full debug output for your system? You can grab it in the legacy UI via System->Advanced->save debug.

For me it looks like somehow the same SID is mapped to a UID and a GID, but we'll see.

Also, maybe getfacl -n on that directory in question could be useful.

#3 Updated by Mike L over 2 years ago

  • File debug-freenas-20180101172804.tgz added

Attached debug and getfacl -n

[omsion@freenas /mnt/sixfour/nasode]$ getfacl -n service_data/
# file: service_data/
# owner: omsion
# group: admin_omsion
            group@:rwxpDdaARWcCo-:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow
        group:1003:rwxp-daARWc---:fd-----:allow

#4 Updated by Timur Bakeyev over 2 years ago

  • Private changed from No to Yes

#5 Updated by Timur Bakeyev over 2 years ago

Hi, Mike!

Thanks for the debug info. It shows the immediate reason why this issue occurred:

NASODE\tomato S-1-5-21-2291531225-4099479014-4152198739-1005
services (S-1-5-21-2291531225-4099479014-4152198739-1005) -> services

The same SID is used for both tomato(uid=1204) user and services(gid=1003) group. User tomato is a member of a services group.
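The collision Timur describes (one SID held by both a user in the passdb and a group in the group map) can be spotted from the same two outputs. The following is an added example, not part of this ticket or of FreeNAS: it parses constructed samples shaped like `pdbedit -L -v` and `net groupmap list` output (SID values taken from this ticket, the duplicacy and admin_omsion SIDs are made up) and reports every SID that appears on both sides.

```python
import re

# Constructed sample in the shape of `pdbedit -L -v` output (fields trimmed
# to the ones this check needs). The tomato SID is the one from the ticket;
# the duplicacy SID is invented for the example.
PDBEDIT_SAMPLE = """\
---------------
Unix username:        tomato
Account Flags:        [U          ]
User SID:             S-1-5-21-2291531225-4099479014-4152198739-1005
Primary Group SID:    S-1-5-21-2291531225-4099479014-4152198739-513
---------------
Unix username:        duplicacy
Account Flags:        [U          ]
User SID:             S-1-5-21-2291531225-4099479014-4152198739-3408
Primary Group SID:    S-1-5-21-2291531225-4099479014-4152198739-513
"""

# Constructed sample in the shape of `net groupmap list` output; the services
# line matches the ticket, the admin_omsion SID is invented.
GROUPMAP_SAMPLE = """\
services (S-1-5-21-2291531225-4099479014-4152198739-1005) -> services
admin_omsion (S-1-5-21-2291531225-4099479014-4152198739-3003) -> admin_omsion
"""

GROUPMAP_RE = re.compile(r"(\S.*?) \((S-1-5-21(?:-\d+){4})\) -> (\S+)")


def parse_pdbedit(text):
    """Map user SID -> unix username from `pdbedit -L -v` style output."""
    users, name = {}, None
    for line in text.splitlines():
        if line.startswith("Unix username:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("User SID:") and name:
            users[line.split(":", 1)[1].strip()] = name
    return users


def parse_groupmap(text):
    """Map group SID -> NT group name from `net groupmap list` style output."""
    return {m.group(2): m.group(1)
            for m in map(GROUPMAP_RE.match, text.splitlines()) if m}


def find_sid_collisions(pdbedit_text, groupmap_text):
    """Return (sid, user, group) for every SID owned by both a user and a group."""
    users, groups = parse_pdbedit(pdbedit_text), parse_groupmap(groupmap_text)
    return sorted((sid, users[sid], groups[sid]) for sid in users.keys() & groups.keys())


if __name__ == "__main__":
    for sid, user, group in find_sid_collisions(PDBEDIT_SAMPLE, GROUPMAP_SAMPLE):
        print(f"COLLISION {sid}: user {user} and group {group} share one SID")
```

On a live box the two samples would be replaced by the real command outputs; any SID the script reports is a candidate for the `pdbedit -U` re-mapping shown later in the thread.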

#6 Updated by Timur Bakeyev over 2 years ago

Try to run the following sequence and preserve the output:

# pdbedit -v -u tomato
# pdbedit -u tomato -r -U S-1-5-21-2291531225-4099479014-4152198739-3406
# pdbedit -v -u tomato

That, presumably, should fix your issue. The reasons why such a misconfiguration occurred are more interesting, but seem untraceable now...

In particular, I couldn't find when the services group was created. Could it be that you created it manually, from the command line?

#7 Updated by Mike L over 2 years ago

This was an upgraded server that originally was created in 9.3 two(?) years back, the services group (and users excepting duplicacy and tomato) was made from the GUI back then as far as I can remember.

The tomato (and duplicacy) user was created in 11.0(-U4? 4ee20c34fd84cd863cc7642519a68e5f is the hash on my boot list).

#8 Updated by Timur Bakeyev over 2 years ago

That explains why there are no traces of services. The history starts on:

2015-09-02 23:09:23 [root:groupadd] cyrus(60)
...
2017-12-10 23:41:15 [unknown:useradd] duplicacy(1203):services(1003):duplicacy:/nonexistent:/bin/csh
2017-12-10 23:41:41 [unknown:useradd] tomato(1204):services(1003):tomato:/nonexistent:/bin/csh

Please, try pdbedit to fix the SID mapping.

#9 Updated by Mike L over 2 years ago

Yes, pdbedit did correct things.

#10 Updated by Timur Bakeyev over 2 years ago

  • Status changed from 15 to Closed: User Config Issue
  • Target version changed from 11.3 to N/A
  • Private changed from Yes to No

Great to know that it worked. It seems such a huge leap from 9.3 to 11.1 gets some artifacts in data structures; we'll keep an eye on whether the problem reoccurs.

#11 Updated by Timur Bakeyev over 2 years ago

  • File deleted (debug-freenas-20180101172804.tgz)

#12 Updated by Dru Lavigne over 2 years ago

  • Seen in changed from 11.1-U1 to 11.1-U1
