Error changing AD permissions: NT_STATUS_INVALID_PARAMETER

Status
Not open for further replies.
Hello all,

I have a FreeNAS box that I recently had to "rebuild". That is, I tried to run an update, ended up in a boot loop, and ended up having to boot to a CD and install a new boot environment. My data was intact (many, many terabytes of backups). But my AD permissions are all missing/broken.

I have since deleted the computer object from my AD for the FreeNAS server, and re-initialized the computer account. It appears that AD is functional. I can do a kinit, log in with a username/password, and then pull user and group lists without a problem.

When I right click on a directory or a file from one of the shares and try to alter the AD permissions, I am getting this error from the MS Windows side, "Unable to save permission changes on ______. The parameter is incorrect". On the FreeNAS side, I am seeing this error message pop up in /var/log/samba4/log.smbd ... "[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_setinfo.c:132".

I have spent a couple of hours reading through semi-related threads and Samba bug reports - to no avail! Anyone have any ideas for me?

Here is some basic info:
Build FreeNAS-11.0-U4 (54848d13b)

Platform Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz

Memory 16129MB

Log snippet from log.smbd (this is when I am trying to change file permissions) ...
Code:
[2017/12/01 08:49:02.852857,  3] ../source3/smbd/dir.c:656(dptr_create)
  creating new dirptr 0 for path ., expect_close = 0
[2017/12/01 08:49:02.852977,  3] ../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[readme.txt] found readme.txt fname=readme.txt (readme.txt)
[2017/12/01 08:49:02.856572,  3] ../source3/smbd/trans2.c:3427(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1001
[2017/12/01 08:49:02.856654,  3] ../source3/smbd/trans2.c:3427(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1005
[2017/12/01 08:49:02.863014,  2] ../source3/smbd/open.c:1362(open_file)
  root opened file readme.txt read=Yes write=No (numopen=2)
[2017/12/01 08:49:02.866014,  3] ../source3/smbd/smb2_read.c:413(smb2_read_complete)
  smbd_smb2_read: fnum 2618575286, file readme.txt, length=76 offset=0 read=76
[2017/12/01 08:49:02.869174,  2] ../source3/smbd/open.c:1362(open_file)
  root opened file readme.txt read=Yes write=No (numopen=3)
[2017/12/01 08:49:02.873481,  2] ../source3/smbd/open.c:1362(open_file)
  root opened file readme.txt read=Yes write=No (numopen=4)
[2017/12/01 08:49:02.880005,  2] ../source3/smbd/open.c:1362(open_file)
  root opened file readme.txt read=No write=No (numopen=5)
[2017/12/01 08:49:02.885177,  3] ../lib/util/access.c:361(allow_access)
  Allowed connection from 10.10.10.9 (10.10.10.9)
[2017/12/01 08:49:02.885254,  3] ../source3/smbd/service.c:576(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2017/12/01 08:49:02.885281,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2017/12/01 08:49:02.885356,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2017/12/01 08:49:02.885534,  3] ../source3/smbd/service.c:822(make_connection_snum)
  dt-914t4v1 (ipv4:10.10.10.9:53070) connect to service IPC$ initially as user root (uid=0, gid=0) (pid 95832)
[2017/12/01 08:49:02.892092,  3] ../source3/rpc_server/srv_pipe.c:732(api_pipe_bind_req)
  api_pipe_bind_req: dssetup -> dssetup rpc service
[2017/12/01 08:49:02.892121,  3] ../source3/rpc_server/srv_pipe.c:355(check_bind_req)
  check_bind_req for dssetup context_id=0
[2017/12/01 08:49:02.892150,  3] ../source3/rpc_server/srv_pipe.c:398(check_bind_req)
  check_bind_req: dssetup -> dssetup rpc service
[2017/12/01 08:49:02.895503,  3] ../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP)
  api_rpcTNP: rpc command: DSSETUP_DSROLEGETPRIMARYDOMAININFORMATION
[2017/12/01 08:49:02.911586,  3] ../source3/rpc_server/srv_pipe.c:732(api_pipe_bind_req)
  api_pipe_bind_req: dssetup -> dssetup rpc service
[2017/12/01 08:49:02.911627,  3] ../source3/rpc_server/srv_pipe.c:355(check_bind_req)
  check_bind_req for dssetup context_id=0
[2017/12/01 08:49:02.911643,  3] ../source3/rpc_server/srv_pipe.c:398(check_bind_req)
  check_bind_req: dssetup -> dssetup rpc service
[2017/12/01 08:49:02.915186,  3] ../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP)
  api_rpcTNP: rpc command: DSSETUP_DSROLEGETPRIMARYDOMAININFORMATION
[2017/12/01 08:49:02.961737,  2] ../source3/smbd/open.c:1362(open_file)
  root opened file readme.txt read=No write=No (numopen=6)
[2017/12/01 08:49:02.963561,  2] ../source3/smbd/close.c:798(close_normal_file)
  root closed file readme.txt (numopen=5) NT_STATUS_OK
[2017/12/01 08:49:02.971440,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at ../source3/smbd/smb2_create.c:293
[2017/12/01 08:49:04.098483,  3] ../source3/rpc_server/srv_pipe.c:732(api_pipe_bind_req)
  api_pipe_bind_req: dssetup -> dssetup rpc service
[2017/12/01 08:49:04.098527,  3] ../source3/rpc_server/srv_pipe.c:355(check_bind_req)
  check_bind_req for dssetup context_id=0
[2017/12/01 08:49:04.098539,  3] ../source3/rpc_server/srv_pipe.c:398(check_bind_req)
  check_bind_req: dssetup -> dssetup rpc service
[2017/12/01 08:49:04.107217,  3] ../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP)
  api_rpcTNP: rpc command: DSSETUP_DSROLEGETPRIMARYDOMAININFORMATION
[2017/12/01 08:49:04.128253,  2] ../source3/smbd/open.c:1362(open_file)
  root opened file readme.txt read=No write=No (numopen=6)
[2017/12/01 08:49:04.130282,  3] ../source3/smbd/nttrans.c:2034(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 120.
[2017/12/01 08:49:05.308425,  3] ../source3/smbd/nttrans.c:2034(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 120.
[2017/12/01 08:49:07.677598,  3] ../source3/rpc_server/srv_pipe.c:732(api_pipe_bind_req)
  api_pipe_bind_req: dssetup -> dssetup rpc service
[2017/12/01 08:49:07.677640,  3] ../source3/rpc_server/srv_pipe.c:355(check_bind_req)
  check_bind_req for dssetup context_id=0
[2017/12/01 08:49:07.677653,  3] ../source3/rpc_server/srv_pipe.c:398(check_bind_req)
  check_bind_req: dssetup -> dssetup rpc service
[2017/12/01 08:49:07.680918,  3] ../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP)
  api_rpcTNP: rpc command: DSSETUP_DSROLEGETPRIMARYDOMAININFORMATION
[2017/12/01 08:49:07.696307,  3] ../source3/rpc_server/srv_pipe.c:732(api_pipe_bind_req)
  api_pipe_bind_req: wkssvc -> wkssvc rpc service
[2017/12/01 08:49:07.696348,  3] ../source3/rpc_server/srv_pipe.c:355(check_bind_req)
  check_bind_req for wkssvc context_id=0
[2017/12/01 08:49:07.696360,  3] ../source3/rpc_server/srv_pipe.c:398(check_bind_req)
  check_bind_req: wkssvc -> wkssvc rpc service
[2017/12/01 08:49:07.700801,  3] ../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP)
  api_rpcTNP: rpc command: WKSSVC_NETWKSTAGETINFO
[2017/12/01 08:49:07.709814,  3] ../source3/rpc_server/srv_pipe.c:732(api_pipe_bind_req)
  api_pipe_bind_req: netlogon -> netlogon rpc service
[2017/12/01 08:49:07.709837,  3] ../source3/rpc_server/srv_pipe.c:355(check_bind_req)
  check_bind_req for netlogon context_id=0
[2017/12/01 08:49:07.709858,  3] ../source3/rpc_server/srv_pipe.c:398(check_bind_req)
  check_bind_req: netlogon -> netlogon rpc service
[2017/12/01 08:49:07.717733,  3] ../source3/rpc_server/srv_pipe.c:1455(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_DSRGETDCNAMEEX2
[2017/12/01 08:49:14.584288,  2] ../source3/smbd/open.c:1362(open_file)
  root opened file readme.txt read=No write=No (numopen=7)
[2017/12/01 08:49:14.587323,  3] ../source3/smbd/nttrans.c:2034(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 176.
[2017/12/01 08:49:14.591311,  2] ../source3/smbd/posix_acls.c:3004(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file readme.txt (Invalid argument).
[2017/12/01 08:49:14.591349,  3] ../source3/smbd/posix_acls.c:3888(set_nt_acl)
  set_nt_acl: failed to set file acl on file readme.txt (Invalid argument).
[2017/12/01 08:49:14.591366,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_setinfo.c:132
[2017/12/01 08:49:15.462046,  3] ../lib/util/access.c:361(allow_access)
  Allowed connection from 10.30.10.96 (10.30.10.96)
[2017/12/01 08:49:15.462129,  3] ../source3/smbd/oplock.c:1328(init_oplocks)
  init_oplocks: initializing messages.
[2017/12/01 08:49:15.462179,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 159 (0 toread)
[2017/12/01 08:49:15.462196,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBnegprot (pid 97655) conn 0x0
[2017/12/01 08:49:15.462747,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2017/12/01 08:49:15.462765,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [LANMAN1.0]
[2017/12/01 08:49:15.462782,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2017/12/01 08:49:15.462889,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [LM1.2X002]
[2017/12/01 08:49:15.463046,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [LANMAN2.1]
[2017/12/01 08:49:15.463136,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [NT LM 0.12]
[2017/12/01 08:49:15.463156,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [SMB 2.002]
[2017/12/01 08:49:15.463170,  3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [SMB 2.???]
[2017/12/01 08:49:15.463290,  3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2017/12/01 08:49:15.463684,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2017/12/01 08:49:15.463701,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2017/12/01 08:49:15.463721,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2017/12/01 08:49:15.463736,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'spnego' registered
[2017/12/01 08:49:15.463753,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'schannel' registered
[2017/12/01 08:49:15.463766,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2017/12/01 08:49:15.463782,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2017/12/01 08:49:15.463795,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2017/12/01 08:49:15.463811,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2017/12/01 08:49:15.463823,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'http_basic' registered
[2017/12/01 08:49:15.463840,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2017/12/01 08:49:15.463853,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'krb5' registered
[2017/12/01 08:49:15.463869,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2017/12/01 08:49:15.791372,  3] ../source3/smbd/negprot.c:744(reply_negprot)
  Selected protocol SMB 2.???
[2017/12/01 08:49:15.794254,  3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2017/12/01 08:49:16.377209,  3] ../source3/smbd/nttrans.c:2034(smbd_do_query_security_desc)
  smbd_do_query_security_desc: sd_size = 120.
[2017/12/01 08:49:16.469665,  3] ../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
  Found account name from PAC: priestdd [Priest, Debra D.]
[2017/12/01 08:49:16.469708,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [priestdd@KCH.LOCAL]
[2017/12/01 08:49:16.469919,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username KCHDOM\priestdd is invalid on this system
[2017/12/01 08:49:16.469944,  3] ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2017/12/01 08:49:16.469998,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/12/01 08:49:16.471588,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2017/12/01 08:49:16.471895,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (termination signal)
[2017/12/01 08:49:16.472228,  2] ../source3/smbd/service.c:1098(close_cnum)
  10.2.19.102 (ipv4:10.2.19.102:51285) closed connection to service BIGDATA
[2017/12/01 08:49:16.472266,  2] ../source3/smbd/close.c:798(close_normal_file)
  root closed file readme.txt (numopen=6) NT_STATUS_OK
[2017/12/01 08:49:16.472324,  3] ../source3/smbd/service.c:1098(close_cnum)
  10.2.19.102 (ipv4:10.2.19.102:51285) closed connection to service IPC$
[2017/12/01 08:49:16.472360,  2] ../source3/smbd/close.c:798(close_normal_file)
  root closed file readme.txt (numopen=5) NT_STATUS_OK
[2017/12/01 08:49:16.472425,  2] ../source3/smbd/close.c:798(close_normal_file)
  root closed file readme.txt (numopen=4) NT_STATUS_OK
[2017/12/01 08:49:16.472494,  2] ../source3/smbd/close.c:798(close_normal_file)
  root closed file readme.txt (numopen=3) NT_STATUS_OK
[2017/12/01 08:49:16.472556,  2] ../source3/smbd/close.c:798(close_normal_file)
  root closed file readme.txt (numopen=2) NT_STATUS_OK
[2017/12/01 08:49:16.472640,  2] ../source3/smbd/close.c:798(close_normal_file)
  root closed file readme.txt (numopen=1) NT_STATUS_OK
[2017/12/01 08:49:16.472705,  2] ../source3/smbd/service.c:1098(close_cnum)
  dt-914t4v1 (ipv4:10.10.10.9:53070) closed connection to service Paragon
[2017/12/01 08:49:16.472774,  3] ../source3/smbd/service.c:1098(close_cnum)
  dt-914t4v1 (ipv4:10.10.10.9:53070) closed connection to service IPC$
[2017/12/01 08:49:16.474906,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (termination signal)
[2017/12/01 08:49:16.475170,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (termination signal)


/usr/local/etc/smb4.conf:
Code:
[global]
	server min protocol = NT1
	server max protocol = SMB3
	interfaces = 127.0.0.1 10.200.200.72
	bind interfaces only = yes
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 464492
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = yes
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = member server
	workgroup = KCHDOM
	realm = KCH.LOCAL
	security = ADS
	client use spnego = yes
	local master = no
	domain master = no
	preferred master = no
	ads dns update = yes
	winbind cache time = 7200
	winbind offline logon = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes
	idmap config KCHDOM: backend = rid
	idmap config KCHDOM: range = 20000-90000000
	allow trusted domains = no
	client ldap sasl wrapping = seal
	template shell = /bin/sh
	template homedir = /home/%D/%U
	netbios name = BIGNAS
	pid directory = /var/run/samba
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = no
	dos charset = CP437
	unix charset = UTF-8
	log level = 3


[BIGDATA]
	path = "/mnt/BIGDATA"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare


[Paragon]
	path = "/mnt/PARAGON"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
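
An added triage example (not part of the original post, and not FreeNAS or Samba code): it parses the two-line log.smbd record format shown above and, for each SMB2 error reply, lists the failure messages logged in the records just before it. The function names, the three-record window and the failure keywords are assumptions; the sample records are copied from the log in the post.

```python
import re

# Record header: [timestamp, level] source_file:line(function); message lines are indented.
HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s+(?P<lvl>\d+)\] (?P<src>\S+):(?P<line>\d+)\((?P<fn>\w+)\)")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\] \|\| at (\S+)")
FAILURE = re.compile(r"fail|invalid", re.I)  # assumed keyword list

def parse_records(text):
    """Attach each indented message line to the header line above it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw[:1].isspace():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def explain_errors(records, window=3):
    """For each SMB2 error reply, list failure messages logged in the records just before it.
    Adjacency is a heuristic: these headers carry no pid, so a busy server interleaves clients."""
    findings = []
    for i, rec in enumerate(records):
        m = STATUS.search(rec["msg"])
        if not m:
            continue
        causes = [f'{r["fn"]}: {r["msg"]}' for r in records[max(0, i - window):i]
                  if FAILURE.search(r["msg"]) and not STATUS.search(r["msg"])]
        findings.append({"ts": rec["ts"], "status": m.group(1), "at": m.group(2), "causes": causes})
    return findings

# Sample input: records copied from the log.smbd snippet in the post.
SAMPLE = r"""[2017/12/01 08:49:14.591311,  2] ../source3/smbd/posix_acls.c:3004(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file readme.txt (Invalid argument).
[2017/12/01 08:49:14.591349,  3] ../source3/smbd/posix_acls.c:3888(set_nt_acl)
  set_nt_acl: failed to set file acl on file readme.txt (Invalid argument).
[2017/12/01 08:49:14.591366,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_setinfo.c:132
[2017/12/01 08:49:16.469919,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username KCHDOM\priestdd is invalid on this system
[2017/12/01 08:49:16.469944,  3] ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2017/12/01 08:49:16.469998,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
"""

if __name__ == "__main__":
    for finding in explain_errors(parse_records(SAMPLE)):
        print(finding)
```

On these records the NT_STATUS_INVALID_PARAMETER reply is paired with the `set_canon_ace_list` and `set_nt_acl` failures from posix_acls.c, and the NT_STATUS_ACCESS_DENIED reply with the failed Kerberos principal mapping.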