Bug #3396

guest account CIFS permission problems

Added by Dan Raymond almost 7 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Nice to have
Assignee: -
Category: OS
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I am running FreeNAS-9.1.1-RELEASE-x64 (a752d35).

Booting from a fresh image I performed the following steps to import an existing ZFS volume and enable anonymous CIFS access:

1) Network->Interfaces->Add Interface

Interface name = freenas
IPv4 Address = 192.168.1.7
IPv4 Netmask = 255.255.255.0

2) Network->Global Configuration

IPv4 Default Gateway = 192.168.1.1
Nameserver 1 = 192.168.1.1

3) Storage->Volumes->Auto Import Volume

4) Account->Users->Add User

Username = guest
Create a new primary group for the user = unchecked
Primary Group = wheel
Full Name = anonymous access
Disable password login = checked

5) Storage->Volumes->/mnt/WD20EARX-RAIDZ->Change Permissions

Owner (user) = guest

6) Services->Control Services->CIFS Settings (wrench icon)

Authentication Model = Anonymous
Guest account = guest
Allow Empty Password = checked

7) Services->Control Services->CIFS (turn on)

8) Sharing->Windows (CIFS) Shares->Add Windows (CIFS) Share

Name = share
Path = /mnt/WD20EARX-RAIDZ
Allow Guest Access = checked
Only Allow Guest Access = checked

After performing these steps I am able to read the CIFS share but I cannot write to it. I get strange permission problems. For example, if the directory has 755 permissions with owner "guest" and group "wheel" then I can create a file in that directory but I cannot rename it. When I try to rename the file I get the following error:

"You require permission from FREENAS\guest to make changes to this file"

If the directory permissions are 777 then the behavior is very strange. I can create a file and delete it but when I try to edit it with gvim and then save it gvim will leave an empty temporary file called 4913 in the directory. The Read-Only attribute is then set on both files (the original file and the temporary file). If I try to delete either file I get the following error:

"This action can't be completed because the file is open in another program"

If I try to remove the Read-Only attribute I get the following error:

"An error occurred applying attributes to the file: \\freenas\share\4913 Access is denied."

I can delete both files only by logging into an SSH session as root.

If I go into the guest account settings and uncheck "Disable password login" and reboot then I can create/rename/modify/delete files. However, I start seeing these errors in the console when I access the share:

Nov 9 12:54:48 freenas smdb3282: [2013/11/09 12:54:48.237419, 0] ../libcli/auth/ntlm_check.c:54(smb_pwd_check_ntlmv1)
Nov 9 12:54:48 freenas smdb3282: smb_pwd_check_ntlmv1: incorrect password length (74)
Nov 9 12:54:48 freenas smdb3282: [2013/11/09 12:54:48.237938, 0] ../libcli/auth/ntlm_check.c:54(smb_pwd_check_ntlmv1)
Nov 9 12:54:48 freenas smdb3282: smb_pwd_check_ntlmv1: incorrect password length (74)

Checking "Disable password login" and rebooting reverts back to the previous behavior (no errors in the console but I cannot rename/modify/delete files).


Related issues

Related to FreeNAS - Bug #4132: GUI puts invalid setting into smb4.conf (Closed, 2014-02-06)

History

#1 Updated by Dusan Lacko almost 7 years ago

Switching Authentication model to Local user helped (http://forums.freenas.org/threads/bizarre-symptoms-using-guest-account-on-cifs-share.16352/#post-83926).
I noticed that ix-samba puts this into smb.conf when Authentication model is Anonymous:

security = share
force user = ${guest}
force group = ${guest}
passdb backend = tdbsam:/var/etc/private/passdb.tdb
Samba documentation contains a warning regarding security = share: "This option is deprecated as it is incompatible with SMB2" (http://www.freebsd.org/cgi/man.cgi?query=smb.conf&manpath=FreeBSD+9.0-RELEASE+and+Ports).
Also, the code assumes that the guest account has its own guest group named the same. This may not always be true (e.g. the scenario above).
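
The two problems raised in comment #1 can be checked mechanically. The following is an added example, not FreeNAS or ix-samba code and not part of the original comment: a small Python audit that flags `security = share` and a `force group` that does not exist or is not the forced user's primary group. The `[global]` header, the expansion of `${guest}` to `guest`, and the user and group tables are assumptions constructed to mirror the reporter's setup.

```python
# Constructed sample: the lines quoted in comment #1 with ${guest} expanded
# to the "guest" account from the report; the [global] header is assumed.
SAMPLE_CONF = """\
[global]
    security = share
    force user = guest
    force group = guest
    passdb backend = tdbsam:/var/etc/private/passdb.tdb
"""
# Constructed account tables: user -> primary group, and the known groups.
SAMPLE_USERS = {"guest": "wheel"}
SAMPLE_GROUPS = {"wheel", "operator"}


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and spacing so "Force  User" matches "force user".
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def audit(text, users, groups):
    """Return (section, parameter, problem) tuples for risky settings."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        if params.get("security", "").lower() == "share":
            findings.append((section, "security",
                             "share-level security is deprecated and incompatible with SMB2"))
        user, group = params.get("force user"), params.get("force group")
        if user is not None and user not in users:
            findings.append((section, "force user", f"no such user: {user}"))
        if group is not None and group not in groups:
            findings.append((section, "force group", f"no such group: {group}"))
        elif group is not None and users.get(user, group) != group:
            findings.append((section, "force group",
                             f"{group} is not the primary group of {user} ({users[user]})"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_USERS, SAMPLE_GROUPS):
        print("%s: %s: %s" % finding)
```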

#2 Updated by Jordan Hubbard almost 7 years ago

  • Category set to 39
  • Assignee set to Josh Paetzel
  • Target version set to 61

Interesting. Is that a fix we can incorporate?

#3 Updated by Josh Paetzel almost 7 years ago

Hrmm, is there a fix we need to incorporate?

It looks like the fix was to use local user in the Samba service config. I'm not sure if there are scenarios where anonymous is needed; however, I bet if we remove it we'll find out!

#4 Updated by Dusan Lacko almost 7 years ago

No fix, I was also thinking that the Anonymous mode could be removed completely (as it is apparently not compatible with SMB2 anyway). But I'm far from a Samba expert :).

#5 Updated by Dan Raymond almost 7 years ago

If you remove the Anonymous option then the following needs to be updated (this is where I got the instructions to use Anonymous):

http://doc.freenas.org/index.php/Windows_(CIFS)_Shares#Configuring_Anonymous_Access

#6 Updated by Josh Paetzel almost 7 years ago

  • Description updated (diff)

Regardless of whether we remove it or not, the docs are kinda wrong and need to get updated regardless.

#7 Updated by Josh Paetzel almost 7 years ago

  • Status changed from Unscreened to Closed: Behaves correctly

Documentation needs improvement, and perhaps the default settings.

#8 Updated by Dru Lavigne over 6 years ago

  • Status changed from Closed: Behaves correctly to Screened
  • Assignee changed from Josh Paetzel to Anonymous
  • Target version changed from 61 to 79

Changing ownership as a reminder that docs need updating for 9.2.2.

#9 Updated by Jordan Hubbard over 6 years ago

  • Target version changed from 79 to 103

#10 Updated by Jordan Hubbard about 6 years ago

  • Target version changed from 103 to 9.3-BETA

#11 Updated by Jordan Hubbard almost 6 years ago

Is this documented now?

#12 Updated by Dru Lavigne almost 6 years ago

Still in the queue to check this section of the docs.

#13 Updated by Jordan Hubbard almost 6 years ago

  • Target version changed from 9.3-BETA to 49

Moving doc bugs out to future since they can be addressed "whenever" on the doc web site.

#14 Updated by Dru Lavigne over 5 years ago

  • Status changed from Screened to Resolved

This section of the docs has been rewritten for 9.3.

#15 Updated by Kris Moore about 3 years ago

  • Target version changed from 49 to N/A
