OOB Sharing / user auth in Windows Domain environment

averyfreeman

Contributor
Joined
Feb 8, 2015
Messages
164
Dear moderators,

Would it be possible to move this post to this forum?

https://www.ixsystems.com/community/threads/for-those-who-love-zfs.60096/page-3#post-525542

@anodos can you help me with this issue in above post? #44 in "For those who love ZFS"

Issues with a drop-in FreeNAS Windows domain file server / user auth, not sure what the problem is. Figured if I set up a fresh VM it would work OOB, but that's not what I'm seeing.

wbinfo -u / -g and getent passwd / group show domain users/groups; shares are visible on the network, but I'm experiencing the dreaded Samba "never-ending password prompt" issue.

Hoping this might help the dev out.

Thank you
Avery
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It might be a permissions issue or it may be related to guest access (which you have enabled). I made changes to how we're generating the smb4.conf by turning off 'map to guest' when shares are not configured for guest access. This is because I encountered issues with Server 2019 clients being able to access shares with their default configuration (they will drop the session after negotiation if the guest flag is set in an NTLM response IIRC). As far as permissions go, don't use chmod.
 

averyfreeman

Contributor
Joined
Feb 8, 2015
Messages
164
Hi,

When you say "don't use chmod" there has to be some sort of -rwxr-xr-x permissions, doesn't there? How do I not use chmod?

I will try removing map to guest and report back.

Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Hi,
>
> When you say "don't use chmod" there has to be some sort of -rwxr-xr-x permissions, doesn't there? How do I not use chmod?
>
> I will try removing map to guest and report back.
>
> Thanks!
Use the Windows ACL editor or setfacl and winacl. In the latter case you can do something like:
Code:
setfacl -m g:"DOMAIN\domain admins":full_set:fd:allow,g:"DOMAIN\domain users":modify_set:fd:allow,owner@:full_set:fd:allow,group@:rxaRc:fd:allow,everyone@:rxaRc:fd:allow /mnt/dozer/SHARE
winacl -a clone -rv -p /mnt/dozer/SHARE

The above grants domain admins "full control", domain users "read, write, modify", user "full control", group "read only", and other "read only". The inheritance flags are set so that all newly created files under /mnt/dozer/SHARE receive the same permissions, and the winacl command recursively sets the ACL on all files and folders in /mnt/dozer/SHARE.
 

averyfreeman

Contributor
Joined
Feb 8, 2015
Messages
164
> Use the Windows ACL editor or setfacl and winacl. In the latter case you can do something like:
> Code:
> setfacl -m g:"DOMAIN\domain admins":full_set:fd:allow,g:"DOMAIN\domain users":modify_set:fd:allow,owner@:full_set:fd:allow,group@:rxaRc:fd:allow,everyone@:rxaRc:fd:allow /mnt/dozer/SHARE
> winacl -a clone -rv -p /mnt/dozer/SHARE
>
> The above grants domain admins "full control", domain users "read, write, modify", user "full control", group "read only", and other "read only". The inheritance flags are set so that all newly created files under /mnt/dozer/SHARE receive the same permissions, and the winacl command recursively sets the ACL on all files and folders in /mnt/dozer/SHARE.

Perfect, thanks for the explanation and great example.

Does this mean underlying unix perms should be drwxrwxrwx to avoid interaction?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Perfect, thanks for the explanation and great example.
>
> Does this mean underlying unix perms should be drwxrwxrwx to avoid interaction?
ZFS on FreeBSD always has NFS4 ACLs. It's perhaps better not to think of the Unix mode bits and the NFS4 ACL as separate things. "chmod" will only affect the rwx bits of the NFS4 ACL owner@, group@, everyone@ entries (depending on how the ZFS aclmode is configured). The permissions you see in 'ls -l' output will have a + next to them when the ACL is non-trivial (i.e. if it cannot be represented as a POSIX mode without losing information). Therefore, if you see this "+" in your ls output, you should interpret it as a sign not to trust the permissions representation you see there and instead use getfacl.
 
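Added example for the two posts above (the setfacl/winacl recipe and the later point that ls -l cannot be trusted once a "+" appears): a small Python helper, written for this thread and not code from FreeNAS, Samba or FreeBSD. It expands the named sets (full_set, modify_set, ...) and permission letters as documented in FreeBSD's setfacl(1), builds the same setfacl invocation as the one posted, parses getfacl output, checks it against the intended share policy, and decides whether the ACL is still trivial. The getfacl samples are constructed, the "trivial" test is a simplified version of FreeBSD's own, and the policy check assumes one entry per principal.

```python
"""Build and verify a FreeBSD NFSv4 ACL for a Samba share (hypothetical helper for this thread)."""

PERM_ORDER = "rwxpDdaARWcCos"   # read, write, exec, append, delete_child, delete, read_attrs,
                                # write_attrs, read_xattr, write_xattr, read_acl, write_acl,
                                # write_owner, synchronize: the order getfacl prints them in
FLAG_ORDER = "fdinI"            # file_inherit, dir_inherit, inherit_only, no_propagate, inherited
SETS = {                        # named sets from setfacl(1)
    "full_set":   set(PERM_ORDER),
    "modify_set": set(PERM_ORDER) - {"C", "o"},   # everything except write_acl / write_owner
    "read_set":   set("raRc"),
    "write_set":  set("wpAW"),
}
# Any of these on everyone@ lets an arbitrary user change data, metadata, ownership or the ACL.
WRITE_LIKE = set("wpdDAWCo")


def expand(spec):
    """setfacl permission spec (named set or letters) -> set of permission letters."""
    letters = SETS[spec] if spec in SETS else set(spec)
    unknown = letters - set(PERM_ORDER)
    if unknown:
        raise ValueError(f"unknown permission letters {sorted(unknown)} in {spec!r}")
    return letters


def compact(perms):
    """Set of letters -> the 14-column string getfacl shows, dash for absent."""
    return "".join(p if p in perms else "-" for p in PERM_ORDER)


def setfacl_argv(path, policy):
    """Policy entries (getfacl-style principal, spec, inherit flags, type) -> setfacl argv.

    Returned as an argv list so 'DOMAIN\\domain admins' needs no shell quoting."""
    specs = []
    for who, spec, flags, kind in policy:
        expand(spec)                                   # fail early on a typo in the policy
        if who.startswith("group:"):
            who = "g:" + who[len("group:"):]
        elif who.startswith("user:"):
            who = "u:" + who[len("user:"):]
        specs.append(f"{who}:{spec}:{flags}:{kind}")
    return ["setfacl", "-m", ",".join(specs), path]


def parse_getfacl(text):
    """getfacl output -> list of (principal, perm set, flag set, allow|deny)."""
    acl = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rsplit keeps principals such as 'group:DOMAIN\domain users' in one piece
        who, perms, flags, kind = line.rsplit(":", 3)
        acl.append((who, set(perms) - {"-"}, set(flags) - {"-"}, kind))
    return acl


def _fmt(entry):
    perms, flags, kind = entry
    return f"{compact(perms)}:{''.join(x for x in FLAG_ORDER if x in flags) or '-'}:{kind}"


def check_policy(acl, policy):
    """Compare a parsed ACL with the policy; returns findings (empty list = matches).
    Assumes one entry per principal, as in the share ACL from the thread."""
    findings = []
    actual = {who: (perms, flags, kind) for who, perms, flags, kind in acl}
    wanted = {who for who, _, _, _ in policy}
    for who, spec, flags, kind in policy:
        want = (expand(spec), set(flags), kind)
        if who not in actual:
            findings.append(f"missing entry for {who}")
        elif actual[who] != want:
            findings.append(f"{who}: got {_fmt(actual[who])}, want {_fmt(want)}")
    findings += [f"unexpected entry for {who}" for who in actual if who not in wanted]
    ev = actual.get("everyone@")
    if ev and ev[2] == "allow" and ev[0] & WRITE_LIKE:
        findings.append("everyone@ is granted write-type permissions " + "".join(sorted(ev[0] & WRITE_LIKE)))
    return findings


def is_trivial(acl):
    """Simplified form of the test behind the '+' in ls -l: only owner@/group@/everyone@
    entries and no inheritance flags. FreeBSD's acl_is_trivial_np(3) is stricter."""
    return all(who in ("owner@", "group@", "everyone@") and not flags for who, _, flags, _ in acl)


def needs_getfacl(ls_line):
    """True when the mode column of an 'ls -l' line ends in '+', i.e. the ACL is non-trivial."""
    return ls_line.split()[0].endswith("+")


# The setfacl line from the thread, with principals written the way getfacl prints them.
SHARE_POLICY = [
    ("group:DOMAIN\\domain admins", "full_set",   "fd", "allow"),
    ("group:DOMAIN\\domain users",  "modify_set", "fd", "allow"),
    ("owner@",                      "full_set",   "fd", "allow"),
    ("group@",                      "rxaRc",      "fd", "allow"),
    ("everyone@",                   "rxaRc",      "fd", "allow"),
]

GOOD_GETFACL = r"""
# file: /mnt/dozer/SHARE            (constructed sample matching SHARE_POLICY)
# owner: root
# group: wheel
  group:DOMAIN\domain admins:rwxpDdaARWcCos:fd-----:allow
   group:DOMAIN\domain users:rwxpDdaARWc--s:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:r-x---a-R-c---:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
"""

DRIFTED_GETFACL = r"""
# file: /mnt/dozer/SHARE/drifted    (constructed: domain entries and inheritance gone, everyone@ writable)
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:-------:allow
            group@:rwxpDdaARWc--s:-------:allow
         everyone@:rwxpDdaARWc--s:-------:allow
"""

if __name__ == "__main__":
    print(" ".join(setfacl_argv("/mnt/dozer/SHARE", SHARE_POLICY)))
    for name, text in (("good", GOOD_GETFACL), ("drifted", DRIFTED_GETFACL)):
        acl = parse_getfacl(text)
        print(name, "trivial" if is_trivial(acl) else "non-trivial (ls -l would show '+')")
        for finding in check_policy(acl, SHARE_POLICY):
            print("  ", finding)
```

setfacl_argv only produces the command for the share root; on FreeNAS the recursive pass is still the winacl clone command from the post above. Running check_policy over getfacl output of a share after an unexplained permission change shows exactly which entry drifted, which is more useful than staring at an ls -l mode that the "+" has already told you is lossy.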

averyfreeman

Contributor
Joined
Feb 8, 2015
Messages
164
Thank you, that is extremely helpful. Must educate myself further before being able to positively contribute to discourse.

$ man getfacl

An aside - how hard do you think it would be to port the in-kernel CIFS from OpenSolaris to FreeBSD?
 