CIFS with LDAP users, no AD

Status
Not open for further replies.

jhiggins (Cadet, joined Feb 21, 2012, 3 messages)
I have a working Samba setup that I am trying to move from an older linux server to a FreeNAS.

Currently I am using the latest beta of FreeNAS 8.0.4 after initially trying 8.0.3. I have OpenLDAP and NSS properly configured, and I can see my users and groups via getent, and ssh into the machine as a LDAP user. My goal is simple, have a set of directories only accessible by members of the group owning the share.

Samba configuration is where things are weird.

I have a pair of ZFS datasets, Dev and Test, both mount points owned by root and each has its own Dev and Test group; mount point permissions are 770. If I create local users and groups, turn off the LDAP service, and access CIFS shares configured to use the datasets, everything works fine. If the users or groups are in LDAP, and the LDAP service is turned on, nothing can be accessed unless the directory permissions are 775 and guest access is turned on. It seems like I might be missing something between NSS and Samba, but I'm not sure. Any ideas?

Here are the permissions, smb.conf, and output from smbclient -d 3


[root@nas] /mnt/PrimaryVolume# ls -l
total 7
drwxr-xr-x 5 root wheel 5 Feb 23 12:10 ./
drwxr-xr-x 4 root wheel 512 Feb 22 22:25 ../
drwxr-xr-x 2 www www 2 Feb 22 16:02 .freenas/
drwxrwx--- 2 root Dev 3 Feb 22 21:04 Dev/
drwxrwx---+ 2 root MyUsers 4 Feb 22 22:41 Test/

========== smb.conf =====================

[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
getwd cache = yes
guest account = nobody
map to guest = Bad Password
obey pam restrictions = Yes
guest ok = yes
netbios name = NAS
workgroup = WORKGROUP
server string = FreeNAS Server
use sendfile = yes
large readwrite = no
security = user
passdb backend = ldapsam:ldap://10.9.1.5
ldap admin dn = blanked_for_paranoia
ldap suffix = blanked_for_paranoia
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
#ldap debug level = 1
#ldap debug threshold = 1
ldapsam:trusted = yes
idmap uid = 10000-39999
idmap gid = 10000-39999
create mask = 0660
directory mask = 0770
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 2
aio read size = 4096
aio write size = 4096

[Dev]
path = /mnt/PrimaryVolume/Dev
printable = no
veto files = /.snap/.windows/
writeable = yes
browseable = yes
inherit owner = no
inherit permissions = yes
vfs objects = zfsacl
guest ok = no
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes


[TestShare]
path = /mnt/PrimaryVolume/Test
printable = no
veto files = /.snap/.windows/
writeable = yes
browseable = yes
inherit owner = no
inherit permissions = yes
vfs objects = zfsacl
guest ok = no
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

==== smbclient ======

[root@nas] /mnt/PrimaryVolume# smbclient -d 3 -U jhiggins \\\\10.9.1.10\\Dev
lp_load_ex: refreshing parameters
Initialising global parameters
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/etc/smb.conf"
Processing section "[global]"
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
added interface bce0 ip=fe80:1::baac:6fff:fe16:29db bcast=fe80:1::ffff:ffff:ffff:ffff netmask=ffff:ffff:ffff:ffff::
added interface bce1 ip=fe80:2::baac:6fff:fe16:29dd bcast=fe80:2::ffff:ffff:ffff:ffff netmask=ffff:ffff:ffff:ffff::
added interface bce0 ip=10.9.1.10 bcast=10.9.1.255 netmask=255.255.255.0
added interface bce1 ip=10.9.2.10 bcast=10.9.2.255 netmask=255.255.255.0
Client started (version 3.6.3).
Enter jhiggins's password:
Connecting to 10.9.1.10 at port 445
Doing spnego session setup (blob length=58)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x608a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Undetermined error
session setup failed: NT_STATUS_UNSUCCESSFUL
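As an added example (not code from the post or from FreeNAS), here is a small Python check that parses an smb.conf like the one above and flags the settings a reviewer would want to look at first: an ldapsam backend on a plain ldap:// URL with "ldap ssl = off", and "map to guest = Bad Password" combined with a global "guest ok = yes", which per the Samba docs turns a rejected password into a guest session instead of a visible failure. The sample config is a constructed excerpt of the posted one, beside a hardened variant of the same keys.

```python
import re

# Constructed excerpt of the smb.conf shown in the post (only the keys the checks use).
SAMPLE_SMB_CONF = """
[global]
guest account = nobody
map to guest = Bad Password
guest ok = yes
security = user
passdb backend = ldapsam:ldap://10.9.1.5
ldap ssl = off
#ldap debug level = 1

[Dev]
path = /mnt/PrimaryVolume/Dev
guest ok = no
"""

# Same keys with the settings corrected (assumed hardening, not from the post).
HARDENED_SMB_CONF = SAMPLE_SMB_CONF.replace("ldap ssl = off", "ldap ssl = start tls") \
    .replace("map to guest = Bad Password", "map to guest = Never") \
    .replace("guest ok = yes", "guest ok = no")

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys lower-cased, '#'/';' comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return findings about LDAP transport security and guest mapping in the config."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # Samba's default for 'ldap ssl' is 'start tls'; only an explicit 'off' on ldap:// is a problem.
    if g.get("passdb backend", "").startswith("ldapsam:ldap://") and g.get("ldap ssl", "start tls").lower() == "off":
        findings.append("ldapsam over ldap:// with 'ldap ssl = off': admin bind and password hashes cross the wire in cleartext")
    if g.get("map to guest", "never").lower() != "never" and is_yes(g.get("guest ok", "no")):
        findings.append("'map to guest' with global 'guest ok = yes': failed logons are downgraded to guest, hiding auth errors")
    for name, share in conf.items():
        if name != "global" and is_yes(share.get("guest ok", g.get("guest ok", "no"))):
            findings.append(f"share [{name}] allows guest access")
    return findings
```

The share-level "guest ok = no" on [Dev] overrides the global value, which is why the Dev share itself is not flagged even though the global default is unsafe.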