SOLVED CIFS - Adding specific group resolves to root

Status
Not open for further replies.

NamoMitK

Dabbler
Joined
Sep 3, 2015
Messages
28
I have a standalone Samba server with Windows ACLs.

During share creation: owner is myself and the group is cifsusers. Running getfacl shows everything as correct.

I fired up my Windows client computer and logged in as myself. I've opened the share and gone to right-click > Properties > Security.

Under the group or usernames field I see:
myserver\root
myserver\myself
Everyone

I've removed Everyone and it all works fine. But I'm trying to figure out why cifsusers is resolving to root. I've confirmed that this is the case by selecting Edit > Add > Advanced, then Find Now, selecting cifsusers, and clicking OK.

It immediately resolves to myserver\root. I have another group called cifsadmins. If I follow the above steps it adds cifsadmins correctly. On another share the owner is myself and group is cifsadmins. This all works and looks as expected. I get the same behavior if I try to add cifsusers to this share (resolves to myserver\root).

The GID for cifsusers is 1001 and cifsadmins is 1002. These are the only two groups I've created.

I have several users who belong to cifsadmins and several that belong to cifsusers. When files are created by them, the permissions show up correctly with 'ls' on the server and the fact that they can even write to this share via Windows makes me think it is simply a SID/GID mapping type issue. (I'm still learning)

I'm guessing I might fix this by deleting cifsusers and creating it with another GID. Somehow it's clashing with the root GID/SID which is 0??

Any thoughts? Things I should clarify (I can be a bit scattered when I write)?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Post the following, enclosed in code tags:
  • /etc/local/smb4.conf
  • getfacl output for the shared directory
  • output of 'net groupmap list'
  • output of 'net usersidlist'
  • output of 'net status sessions'
  • output of 'getent group'
  • output of 'pdbedit -L'
 

NamoMitK

Dabbler
Joined
Sep 3, 2015
Messages
28
Snippets attached below. Looks like the SID for cifsusers matches root? Not sure what to do with this information. Thanks for taking a look.

Code:
[global]
  username map = /usr/local/etc/smbusers
  server max protocol = SMB3
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 942167
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = nobody
  map to guest = Bad User
  obey pam restrictions = yes
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  nsupdate command = /usr/local/bin/samba-nsupdate -g
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  lm announce = yes
  time server = yes
  acl allow execute always = true
  acl check permissions = true
  dos filemode = yes
  multicast dns register = yes
  domain logons = no
  local master = yes
  idmap config *: backend = tdb
  idmap config *: range = 90000001-100000000
  server role = standalone
  netbios name = ORTHANC
  workgroup = WORKGROUP
  security = user
  pid directory = /var/run/samba
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 1


[Deimosian]
  path = /mnt/Array32TB/Deimosian
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl aio_pthread streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare


[Media]
  path = /mnt/Array32TB/Media
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl aio_pthread streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare


Code:
/mnt/Array32TB/Deimosian % getfacl ./
# file: ./
# owner: namomitk
# group: cifsusers
  owner@:rwxpDdaARWcCos:fd----:allow
  group@:rwxpDdaARWcCos:fd----:allow
  everyone@:r-x---a-R-c---:fd----:allow


Code:
cifsusers (S-1-5-21-3894996100-499006208-105999453-1000) -> cifsusers
cifsadmins (S-1-5-21-3894996100-499006208-105999453-1003) -> cifsadmins


Code:
ORTHANC\root
S-1-5-21-3894996100-499006208-105999453-1000
S-1-1-0
S-1-5-2
S-1-5-11
ORTHANC\deimosian
S-1-5-21-3894996100-499006208-105999453-1001
S-1-1-0
S-1-5-2
S-1-5-11
ORTHANC\namomitk
S-1-5-21-3894996100-499006208-105999453-3002
S-1-1-0
S-1-5-2
S-1-5-11
ORTHANC\media
S-1-5-21-3894996100-499006208-105999453-2632
S-1-1-0
S-1-5-2
S-1-5-11
ORTHANC\plex
S-1-5-21-3894996100-499006208-105999453-2944
S-1-1-0
S-1-5-2
S-1-5-11
ORTHANC\xbmc
S-1-5-21-3894996100-499006208-105999453-3004
S-1-1-0
S-1-5-2
S-1-5-11
ORTHANC\transmission
S-1-5-21-3894996100-499006208-105999453-2842
S-1-1-0
S-1-5-2
S-1-5-11


Code:
PID  Username  Group  Machine
-------------------------------------------------------------------
  88269  namomitk  cifsadmins  192.168.4.3  (ipv4:192.168.4.3:64610)
  95411  namomitk  cifsadmins  192.168.4.5  (ipv4:192.168.4.5:50113)
  88798  nobody  nobody  192.168.4.3  (ipv4:192.168.4.3:65279)
  88798  namomitk  cifsadmins  192.168.4.3  (ipv4:192.168.4.3:65279)
  88798  nobody  nobody  192.168.4.3  (ipv4:192.168.4.3:65279)


Code:
wheel:*:0
daemon:*:1
kmem:*:2
sys:*:3
tty:*:4
operator:*:5:uucp
mail:*:6
bin:*:7
news:*:8
man:*:9
games:*:13
ftp:*:14
staff:*:20
sshd:*:22
smmsp:*:25
mailnull:*:26
guest:*:31
bind:*:53
proxy:*:62
authpf:*:63
_pflogd:*:64
_dhcp:*:65
uucp:*:66
dialer:*:68
network:*:69
audit:*:77
www:*:80
nogroup:*:65533
nobody:*:65534
avahi:*:200
messagebus:*:201
hast:*:845
ladvd:*:78
webdav:*:666
cifsusers:*:1001:namomitk,transmission
cifsadmins:*:1002


Code:
root:0:root
deimosian:1003:Deimosian
namomitk:1001:NamoMitK
media:816:media
plex:972:plex
xbmc:1002:XBMC
transmission:921:transmission
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Wow. That's fascinating. Somehow 'root' and 'cifsusers' ended up with the same SID. Let's try nuking your SID mappings and regenerating them, and see if it fixes the problem.

Code:
service samba_server stop
net groupmap cleanup
service ix-pre-samba start
service samba_server start


edit: removed some commands pending further investigation
 

NamoMitK

Dabbler
Joined
Sep 3, 2015
Messages
28
Didn't have a /var/etc/private nor even a /var/etc
(Running FreeNAS-9.3-STABLE-201511280648)

Looks like I need to run back over everything and do a bit of configuring. I can see both my shares but not access them.

Code:
Failed to open /var/db/samba4/private/secrets.tdb
Failed to open /var/db/samba4/private/secrets.tdb
Can't store domain SID as a pdc/bdc.
cp: /var/db/samba4/private/secrets.tdb: No such file or directory
mv: /root/secrets.tdb: No such file or directory
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Didn't have a /var/etc/private nor even a /var/etc
(Running FreeNAS-9.3-STABLE-201511280648)

Looks like I need to run back over everything and do a bit of configuring. I can see both my shares but not access them.

Code:
Failed to open /var/db/samba4/private/secrets.tdb
Failed to open /var/db/samba4/private/secrets.tdb
Can't store domain SID as a pdc/bdc.
cp: /var/db/samba4/private/secrets.tdb: No such file or directory
mv: /root/secrets.tdb: No such file or directory

Looks like the directory structure of those things changed since the last time group mappings were screwed up. ix-pre-samba also looks like it changed. Save your config through the webgui, reboot your server, and see if the problem resolves itself. It should regenerate the tdb files on boot.
 

NamoMitK

Dabbler
Joined
Sep 3, 2015
Messages
28
Rather than reboot (I have someone streaming on Plex at the moment haha), I re-ran your first two steps and then stopped and restarted CIFS via the GUI. Everything looks to have gone perfectly and the problem is gone. Not sure if there is anything to be concerned about in the syslog. But the SIDs don't match anymore and my Windows client shows what it is supposed to. I'm curious as to why one of my shares thinks it has inheritance and the other doesn't ... but I just did a remove all and re-added the ones I wanted.

Code:
Dec 10 21:35:06 orthanc notifier: winbindd not running? (check /var/run/samba/winbindd.pid).
Dec 10 21:35:06 orthanc notifier: smbd not running? (check /var/run/samba/smbd.pid).
Dec 10 21:35:06 orthanc notifier: nmbd not running? (check /var/run/samba/nmbd.pid).
Dec 10 21:35:12 orthanc notifier: Failed to open /var/db/samba4/private/secrets.tdb
Dec 10 21:35:12 orthanc notifier: Failed to open /var/db/samba4/private/secrets.tdb
Dec 10 21:35:12 orthanc notifier: Can't store domain SID as a pdc/bdc.
Dec 10 21:35:12 orthanc notifier: cp: /var/db/samba4/private/secrets.tdb: No such file or directory
Dec 10 21:35:16 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 getlocalsid
Dec 10 21:35:16 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 setlocalsid S-1-5-21-3894996100-499006208-105999453
Dec 10 21:35:16 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /sbin/sysctl -n 'kern.maxfilesperproc'
Dec 10 21:35:16 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: zfs list -H -o mountpoint
Dec 10 21:35:16 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: zfs list -H -o mountpoint
Dec 10 21:35:16 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 getlocalsid
Dec 10 21:35:17 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/pdbedit -d 0 -i smbpasswd:/tmp/tmpfuVlad -s /usr/local/etc/smb4.conf -e tdbsam:/var/db/samba4/private/passdb.tdb
Dec 10 21:35:18 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/smbpasswd -e 'deimosian'
Dec 10 21:35:20 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/smbpasswd -d 'media'
Dec 10 21:35:20 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/smbpasswd -e 'namomitk'
Dec 10 21:35:20 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/smbpasswd -d 'plex'
Dec 10 21:35:21 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/smbpasswd -d 'transmission'
Dec 10 21:35:21 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/smbpasswd -e 'xbmc'
Dec 10 21:35:21 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/smbpasswd -e 'root'
Dec 10 21:35:21 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/bin/getent passwd 'cifsusers'
Dec 10 21:35:21 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/bin/getent passwd 'cifsadmins'
Dec 10 21:35:22 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/pdbedit -d 0 -L
Dec 10 21:35:22 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 sam rights grant root SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
Dec 10 21:35:22 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 sam rights grant namomitk SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
Dec 10 21:35:22 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 sam rights grant media SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
Dec 10 21:35:22 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 sam rights grant plex SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
Dec 10 21:35:22 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 sam rights grant xbmc SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
Dec 10 21:35:22 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 sam rights grant deimosian SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
Dec 10 21:35:22 orthanc generate_smb4_conf.py: [common.pipesubr:71] Popen()ing: /usr/local/bin/net -d 0 sam rights grant transmission SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
Dec 10 21:35:22 orthanc notifier: Importing account for deimosian...ok
Dec 10 21:35:22 orthanc notifier: Importing account for media...ok
Dec 10 21:35:22 orthanc notifier: Importing account for namomitk...ok
Dec 10 21:35:22 orthanc notifier: Importing account for plex...ok
Dec 10 21:35:22 orthanc notifier: Importing account for transmission...ok
Dec 10 21:35:22 orthanc notifier: Importing account for xbmc...ok
Dec 10 21:35:22 orthanc notifier: Importing account for root...ok
Dec 10 21:35:22 orthanc notifier: Enabled user deimosian.
Dec 10 21:35:22 orthanc notifier: Disabled user media.
Dec 10 21:35:22 orthanc notifier: Enabled user namomitk.
Dec 10 21:35:22 orthanc notifier: Disabled user plex.
Dec 10 21:35:22 orthanc notifier: Disabled user transmission.
Dec 10 21:35:22 orthanc notifier: Enabled user xbmc.
Dec 10 21:35:22 orthanc notifier: Enabled user root.
Dec 10 21:35:22 orthanc notifier: Granted SeTakeOwnershipPrivilege to ORTHANC\root
Dec 10 21:35:22 orthanc notifier: Granted SeBackupPrivilege to ORTHANC\root
Dec 10 21:35:22 orthanc notifier: Granted SeRestorePrivilege to ORTHANC\root
Dec 10 21:35:22 orthanc notifier: Granted SeTakeOwnershipPrivilege to ORTHANC\namomitk
Dec 10 21:35:22 orthanc notifier: Granted SeBackupPrivilege to ORTHANC\namomitk
Dec 10 21:35:22 orthanc notifier: Granted SeRestorePrivilege to ORTHANC\namomitk
Dec 10 21:35:22 orthanc notifier: Granted SeTakeOwnershipPrivilege to ORTHANC\media
Dec 10 21:35:22 orthanc notifier: Granted SeBackupPrivilege to ORTHANC\media
Dec 10 21:35:22 orthanc notifier: Granted SeRestorePrivilege to ORTHANC\media
Dec 10 21:35:22 orthanc notifier: Granted SeTakeOwnershipPrivilege to ORTHANC\plex
Dec 10 21:35:22 orthanc notifier: Granted SeBackupPrivilege to ORTHANC\plex
Dec 10 21:35:22 orthanc notifier: Granted SeRestorePrivilege to ORTHANC\plex
Dec 10 21:35:22 orthanc notifier: Granted SeTakeOwnershipPrivilege to ORTHANC\xbmc
Dec 10 21:35:22 orthanc notifier: Granted SeBackupPrivilege to ORTHANC\xbmc
Dec 10 21:35:22 orthanc notifier: Granted SeRestorePrivilege to ORTHANC\xbmc
Dec 10 21:35:22 orthanc notifier: Granted SeTakeOwnershipPrivilege to ORTHANC\deimosian
Dec 10 21:35:22 orthanc notifier: Granted SeBackupPrivilege to ORTHANC\deimosian
Dec 10 21:35:22 orthanc notifier: Granted SeRestorePrivilege to ORTHANC\deimosian
Dec 10 21:35:22 orthanc notifier: Granted SeTakeOwnershipPrivilege to ORTHANC\transmission
Dec 10 21:35:22 orthanc notifier: Granted SeBackupPrivilege to ORTHANC\transmission
Dec 10 21:35:22 orthanc notifier: Granted SeRestorePrivilege to ORTHANC\transmission
Dec 10 21:35:22 orthanc notifier: mv: /root/secrets.tdb: No such file or directory
Dec 10 21:35:23 orthanc notifier: Performing sanity check on Samba configuration: OK
Dec 10 21:35:23 orthanc notifier: Starting nmbd.
Dec 10 21:35:23 orthanc notifier: Starting smbd.
Dec 10 21:35:23 orthanc nmbd[5656]: [2015/12/10 21:35:23.317933, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Dec 10 21:35:23 orthanc notifier: Starting winbindd.
Dec 10 21:35:23 orthanc winbindd[5664]: [2015/12/10 21:35:23.437049, 0] ../source3/winbindd/winbindd_cache.c:3196(initialize_winbindd_cache)
Dec 10 21:35:23 orthanc winbindd[5664]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Dec 10 21:35:23 orthanc winbindd[5664]: [2015/12/10 21:35:23.442850, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Dec 10 21:35:23 orthanc smbd[5660]: [2015/12/10 21:35:23.908151, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Dec 10 21:35:46 orthanc nmbd[5656]: STATUS=daemon 'nmbd' finished starting up and ready to serve connections*****
Dec 10 21:35:46 orthanc nmbd[5656]:
Dec 10 21:35:46 orthanc nmbd[5656]: Samba name server ORTHANC is now a local master browser for workgroup WORKGROUP on subnet 192.168.4.7
Dec 10 21:35:46 orthanc nmbd[5656]:
Dec 10 21:35:46 orthanc nmbd[5656]: *****
Dec 10 21:37:23 orthanc smbd[5857]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsFailed to fetch record!


Code:
 net usersidlist
ORTHANC\root
 S-1-5-21-3894996100-499006208-105999453-1000
 S-1-1-0
 S-1-5-2
 S-1-5-11
ORTHANC\namomitk
 S-1-5-21-3894996100-499006208-105999453-3002
 S-1-1-0
 S-1-5-2
 S-1-5-11
ORTHANC\media
 S-1-5-21-3894996100-499006208-105999453-2632
 S-1-1-0
 S-1-5-2
 S-1-5-11
ORTHANC\plex
 S-1-5-21-3894996100-499006208-105999453-2944
 S-1-1-0
 S-1-5-2
 S-1-5-11
ORTHANC\xbmc
 S-1-5-21-3894996100-499006208-105999453-3004
 S-1-1-0
 S-1-5-2
 S-1-5-11
ORTHANC\deimosian
 S-1-5-21-3894996100-499006208-105999453-3006
 S-1-1-0
 S-1-5-2
 S-1-5-11
ORTHANC\transmission
 S-1-5-21-3894996100-499006208-105999453-2842
 S-1-1-0
 S-1-5-2
 S-1-5-11
[root@orthanc] /var/db/system/samba4# net groupmap list
cifsadmins (S-1-5-21-3894996100-499006208-105999453-1002) -> cifsadmins
cifsusers (S-1-5-21-3894996100-499006208-105999453-1001) -> cifsusers
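
A check for the condition diagnosed in this thread, added here as an example (not code from the posters or from FreeNAS): it parses `net groupmap list` and `net usersidlist` output and reports any SID that is mapped to both a user and a group, which is what made an ACL entry for cifsusers display as root. The function names are hypothetical, and the sample text is excerpted from the before and after outputs posted above.

```python
import re

# Domain-relative SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID = re.compile(r"S-1-5-21(?:-\d+){4}")
# One line of `net groupmap list`: "ntname (SID) -> unixgroup"
GROUPMAP = re.compile(r"^.+ \((S-[\d-]+)\) -> (\S+)$")

def parse_groupmap(text):
    """`net groupmap list` output -> {sid: unix group}."""
    found = (GROUPMAP.match(line.strip()) for line in text.splitlines())
    return {m[1]: m[2] for m in found if m}

def parse_usersidlist(text):
    """`net usersidlist` output -> {user sid: account}.

    The first domain SID under each account line is the account's own SID;
    well-known SIDs such as S-1-1-0 never match DOMAIN_SID.
    """
    sids, account = {}, None
    for line in map(str.strip, text.splitlines()):
        if "\\" in line:                      # account line, e.g. HOST\name
            account = line
        elif account and DOMAIN_SID.fullmatch(line):
            sids[line] = account
            account = None                    # ignore later SIDs in the token
    return sids

def sid_collisions(groupmap_text, usersidlist_text):
    """Return sorted (sid, account, group) for SIDs held by a user and a group."""
    groups = parse_groupmap(groupmap_text)
    users = parse_usersidlist(usersidlist_text)
    return sorted((s, users[s], groups[s]) for s in groups.keys() & users.keys())

# Sample input: excerpts of the outputs posted in this thread.
P = "S-1-5-21-3894996100-499006208-105999453"
BEFORE_GROUPS = (f"cifsusers ({P}-1000) -> cifsusers\n"
                 f"cifsadmins ({P}-1003) -> cifsadmins\n")
BEFORE_USERS = (f"ORTHANC\\root\n{P}-1000\nS-1-1-0\nS-1-5-2\nS-1-5-11\n"
                f"ORTHANC\\namomitk\n{P}-3002\nS-1-1-0\nS-1-5-2\nS-1-5-11\n")
AFTER_GROUPS = (f"cifsadmins ({P}-1002) -> cifsadmins\n"
                f"cifsusers ({P}-1001) -> cifsusers\n")
AFTER_USERS = (f"ORTHANC\\root\n {P}-1000\n S-1-1-0\n S-1-5-2\n S-1-5-11\n"
               f"ORTHANC\\namomitk\n {P}-3002\n S-1-1-0\n S-1-5-2\n S-1-5-11\n")

if __name__ == "__main__":
    for label, g, u in (("before", BEFORE_GROUPS, BEFORE_USERS),
                        ("after", AFTER_GROUPS, AFTER_USERS)):
        hits = sid_collisions(g, u)
        print(label, hits if hits else "no user/group SID collisions")
```

On a live server the two text arguments would come from the captured output of the same two `net` commands.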
 

NamoMitK

Dabbler
Joined
Sep 3, 2015
Messages
28
Thanks for the help. Without that string of commands I would've been completely at a loss. I don't see a method for KUDOS on this board -- so I'll give a like to the last post and mark this as SOLVED.
 