NT_STATUS_ACCESS_DENIED errors on CIFS shares, even new ones

Status
Not open for further replies.

miggyb (Cadet), Joined Oct 14, 2015, Messages: 1
I've been having this issue for about a week on a new install, and I've run out of ideas on what to check or where to look; I'm hoping someone here could point me in the right direction. I started having this issue after updating to FreeNAS-9.3-STABLE-201510290351.

I have share authentication tied to Active Directory, and it's bound fine without any issues, as far as I can tell. I have set it as the Default Domain so I don't have to type "\\DOMAIN" or "@domain.tld" every time.

I can recreate the issue every time, so I'm starting from the very top:

1) Create a new ZFS dataset named "testing", with "Windows" as the share type, and set it as case-insensitive. I left all other settings at their defaults.

2) Create a CIFS share with the path "/mnt/zpool/testing" and name it "testing". Everything else is left as-is.

3) From a Windows Server (2008 R2), while logged in as the domain administrator, open Computer Management, click on Action -> Connect to Another computer, open System Tools -> Shared Folder -> Shares, right-click on "testing" share and click on Properties.

4) Click on the Security tab, and get the error "You do not have permission to view or edit this object's permission settings." Clicking on Advanced and then the Owner tab shows "Unable to display current owner." The "Share Permissions" tab works as expected and lets me add/remove users and groups without any issue.

5) Trying to open the share (still using the domain administrator account) doesn't work, giving a permissions error: "You do not have permission to access \\FREENAS\testing. Contact your network administrator to request access." Turning the CIFS service off and on using the web client didn't help.

Now, here's what things look like from the terminal:
[root@freenas] ~# cat /usr/local/etc/smb4.conf
[global]
server max protocol = SMB2
interfaces = 127.0.0.1 10.10.1.30
bind interfaces only = yes
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 942167
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = no
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
lm announce = yes
unix extensions = no
acl allow execute always = true
acl check permissions = true
dos filemode = yes
multicast dns register = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
netbios name = FREENAS
workgroup = DOMAIN
realm = DOMAIN.TLD
security = ADS
client use spnego = yes
cache directory = /var/tmp/.cache/.samba
local master = no
domain master = no
preferred master = no
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config DOMAIN: backend = rid
idmap config DOMAIN: range = 20000-90000000
allow trusted domains = no
client ldap sasl wrapping = seal
template shell = /bin/sh
template homedir = /home/%U
pid directory = /var/run/samba
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 10


[testing]
path = /mnt/zpool/testing
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

[root@freenas] ~# cd /mnt/zpool/testing/
[root@freenas] /mnt/zpool/testing# ls -la
total 13
drwxrwxr-x+ 2 root wheel 3 Nov 3 10:57 ./
drwxrwx--- 9 root wheel 9 Nov 3 10:57 ../
-rw-r--r-- 1 root wheel 0 Nov 3 10:57 .windows

[root@freenas] /mnt/zpool/testing# getfacl .
# file: .
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x---a-R-c---:fd----:allow

[root@freenas] /mnt/zpool/testing# smbcacls \\\\FREENAS\\testing / -U \\\\DOMAIN\\Administrator
Enter \\DOMAIN\Administrator's password:
cli_full_connection failed! (NT_STATUS_ACCESS_DENIED)

[root@freenas] /mnt/zpool/testing# smbcacls \\\\FREENAS\\testing / -U Administrator
Enter Administrator's password:
Failed to open \: NT_STATUS_ACCESS_DENIED

[root@freenas] /mnt/zpool/testing# smbcacls \\\\FREENAS\\testing /
Enter root's password:
cli_full_connection failed! (NT_STATUS_ACCESS_DENIED)

[root@freenas] /mnt/zpool/testing# smbclient -U Administrator \\\\FREENAS\\testing
Enter Administrator's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.18]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

[root@freenas] /mnt/zpool/testing# smbclient -U Administrator@domain.tld \\\\FREENAS\\testing
Enter Administrator@domain.tld's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.18]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>

[root@freenas] /mnt/zpool/testing# smbclient -U \\\\DOMAIN\\Administrator \\\\FREENAS\\testing
Enter \\DOMAIN\Administrator's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.18]
tree connect failed: NT_STATUS_ACCESS_DENIED

I also tried...

[root@freenas] /mnt/zpool/testing# setfacl -m everyone@:full_set:allow .
[root@freenas] /mnt/zpool/testing# chown administrator:'domain admins' .
[root@freenas] /mnt/zpool/testing# getfacl .
# file: .
# owner: administrator
# group: domain admins
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:rwxpDdaARWcCos:------:allow

and am still getting the same 'NT_STATUS_ACCESS_DENIED' errors with smbclient and smbcacls.

All of that being said, I did find something interesting. It's not quite a workaround, but it hopefully points in the right direction for fixing this. Adding 'admin users = administrator' to the CIFS Auxiliary Parameters section allows me to use the share normally, as the administrator, from the terminal and also from the Windows server.

[root@freenas] /mnt/zpool/testing# smbcacls \\\\FREENAS\\testing / -U Administrator
Enter Administrator's password:
REVISION:1
CONTROL:SR|DP
OWNER:DOMAIN\administrator
GROUP:DOMAIN\domain admins
ACL:DOMAIN\administrator:ALLOWED/OI|CI/FULL
ACL:DOMAIN\domain admins:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/0x0/FULL


In Windows, it then correctly shows 'administrator (DOMAIN\administrator)' as the owner and lets me add/remove folder permissions. However, the permissions don't do anything, and only the Administrator account can actually use the CIFS share, even after giving the "Everyone" group full permissions to the root directory. Connecting as another user in the domain fails due to permissions.

Has anyone seen something like this before?
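Two things in the post above are worth checking mechanically before touching Samba again: whether the on-disk NFSv4 ACL really grants list and traverse rights, with inheritance, to the principal you connect as, and what the 'admin users' workaround actually changes (per smb.conf(5), listed users perform every file operation as root, irrespective of file permissions, so it bypasses the ACL rather than fixing it). The POSIX sh script below is an added example written for this page, not code from the original post or from FreeNAS. Its sample inputs are the getfacl and smb4.conf output copied from the post, with the 'admin users' line added as the post describes; the function names acl_check and smbconf_audit are this example's own.

```shell
#!/bin/sh
# Added example for this page (not code from the original post or from FreeNAS).
# Two offline checks on the output quoted in the post:
#   acl_check     decodes FreeBSD getfacl(1) NFSv4 ACL output and reports whether
#                 one principal is allowed to list (r) and traverse (x) a directory
#                 and whether that ACE inherits to new files (f) / directories (d)
#   smbconf_audit flags smb.conf settings that change the security picture
# Sample inputs are copied from the post; the "admin users" line is the
# workaround the post describes. Function names are this example's own.

# getfacl output before the setfacl/chown step (copied from the post)
ACL_BEFORE='# file: .
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x---a-R-c---:fd----:allow'

# getfacl output after "setfacl -m everyone@:full_set:allow ." (copied from the post)
ACL_AFTER='# file: .
# owner: administrator
# group: domain admins
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:rwxpDdaARWcCos:------:allow'

# Excerpt of the posted smb4.conf plus the auxiliary parameter from the workaround
SMB_CONF='[global]
server role = member server
security = ADS
map to guest = Bad User
log level = 10
admin users = administrator

[testing]
path = /mnt/zpool/testing
guest ok = no'

# acl_check ACL_TEXT PRINCIPAL
# PRINCIPAL is owner@, group@, everyone@, user:NAME or group:NAME.
# Uses the first matching "allow" ACE. ACEs are evaluated in order on a real
# system, so an earlier deny ACE would still win; that is not modelled here.
# Prints one line: "<principal> list=yes|no traverse=yes|no inherit=fd|f|d|none"
acl_check() {
    printf '%s\n' "$1" | awk -F: -v p="$2" '
        /^#/ || NF < 4 { next }
        {
            # layout is principal:permissions:flags:type; user:/group: ACEs
            # carry the principal in two fields
            type = $NF; flags = $(NF-1); perms = $(NF-2)
            who = $1; if (NF == 5) who = $1 ":" $2
            if (who != p || type != "allow" || found) next
            found = 1
            list = index(perms, "r") ? "yes" : "no"   # r = read data / list directory
            trav = index(perms, "x") ? "yes" : "no"   # x = execute / traverse
            inh = ""                                  # f/d = file/directory inherit
            if (index(flags, "f")) inh = inh "f"
            if (index(flags, "d")) inh = inh "d"
            if (inh == "") inh = "none"
            print who " list=" list " traverse=" trav " inherit=" inh
        }
        END { if (!found) print p " list=no traverse=no inherit=none (no allow ACE)" }'
}

# smbconf_audit CONF_TEXT
# Prints one WARN line per risky setting, or "OK" if none is found.
smbconf_audit() {
    printf '%s\n' "$1" | awk -F= '
        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        # smb.conf(5): listed users do every file operation as root, so the
        # on-disk ACL no longer decides anything for them
        key == "admin users" && val != "" {
            n++; print "WARN admin users=" val " (these users act as root on the share; ACLs are bypassed)"
        }
        # debug logging above level 3 is very verbose; keep it only while reproducing
        key == "log level" && val + 0 > 3 {
            n++; print "WARN log level=" val " (debug logging; revert after troubleshooting)"
        }
        END { if (!n) print "OK" }'
}

acl_check "$ACL_BEFORE" everyone@
acl_check "$ACL_AFTER"  everyone@
acl_check "$ACL_AFTER"  user:administrator
smbconf_audit "$SMB_CONF"
```

Run against the post's own output, acl_check shows that the everyone@ entry added by `setfacl -m everyone@:full_set:allow .` carries no f or d flags, so it does not propagate to files created later, while the original everyone@ entry already allowed listing and traversal. smbconf_audit flags `admin users` and `log level = 10` in the workaround configuration; both should be removed once the real cause is found.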