Sharing SMB between FreeNAS-9.10.2-U3: Permission Denied

[ntejedor]

Hi there!
I'm struggling to get ready SMB Shares in this version of FreeNAS (9.10.2-U3).
I have been following all the steps described in this video: https://www.youtube.com/watch?v=RxggaE935PM, with no luck, in both VirtualBox environment and real server launch.
I am stuck, I have been reading all the entries of this forum looking for a solution, and no one works fine for my case.

Any help would be very welcome.

Thanks in advance.

 

[dlavigne]

Post your smb4.conf and any errors you are getting when trying to connect to the share.

 

[zoomzoom]

@ntejedor What exactly are you experiencing? Also, please list what VFS Objects you selected in the share properties on FN (WebGUI -> Sharing -> Windows (SMB) -> double click a share -> VFS Objects).

 

[ntejedor]

Firstly, I would like to thank you for your both quick responses ;)

@dlavigne

My smb4.conf is:

Code:

[global]
  server max protocol = SMB3
  interfaces = 127.0.0.1 192.168.2.63
  bind interfaces only = yes
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 117083
  logging = file
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = nobody
  map to guest = Bad User
  obey pam restrictions = yes
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  nsupdate command = /usr/local/bin/samba-nsupdate -g
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  lm announce = yes
  hostname lookups = yes
  time server = yes
  acl allow execute always = true
  dos filemode = yes
  multicast dns register = yes
  domain logons = no
  local master = yes
  idmap config *: backend = tdb
  idmap config *: range = 90000001-100000000
  server role = standalone
  netbios name = FREENAS
  workgroup = WORKGROUP
  security = user
  pid directory = /var/run/samba
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 1


[CIFS]
  path = /mnt/Test/CIFS
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = no
  vfs objects = zfs_space zfsacl streams_xattr aio_pthread
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare

When I try to access from Ubuntu:


sudo mount -t cifs -o user=smb,password=***,file_mode=0777,dir_mode=0777,noperm //192.168.2.63/CIFS /mnt/FreeNAS/CIFS
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


@zoomzoom

These are the default VFS objects.

 

[zoomzoom]

It's likely related to a few things:

1. Make share browseable
2. Add VFS Object acl_xattr See this post by @anodos below

 

[ntejedor]

Unfortunately, it is still not working... I have checked those options with no luck :S
Same problems with permissions...

 

[zoomzoom]

Unfortunately, it is still not working... I have checked those options with no luck :S
Same problems with permissions...

Just to double check:

1. When you created the dataset that's being used for the SMB share, did you select Permission Type: Windows (or it could be Share Type: Windows)?
2. Is the smb user the owner, or apart of the owning group, for the dataset of the share?

Try a newer SMB max supported version in the SMB services config, as you're currently set to SMB3. SMB3_00 is what I currently use and can access the shares in Ubuntu, but other options are SMB3_02 & SMB3_11.

 

[ntejedor]

The dataset is set with this configuration:

And the information of both user and group is:

 

[zoomzoom]

I'm stumped, so I would try adding the two audit VFS objects and check the logs of both the client and server when you're trying to connect from Ubuntu.

• What happens if you utilize the GUI to access the share (i.e. smb://192.168.2.63/CIFS)?

 

[ntejedor]

I have been checking Windows access, with same problem... (it is written in Spanish, but I hope you find out it is a mistake also ;)

Thanks in advance, tomorrow I would continue with your proposal, now it is time to finish work ;) Tomorrow I'll check it again.

 

[zoomzoom]

I've received that specific Windows error under two three conditions:

1. If the user did not have ownership of the share/root share directory on FN, issue: chown -R krc:krc /mnt/FreeNAS/CIFS
2. If access permissions aren't set to at least 550 (mine are set to 750), issue: chmod -R 750 /mnt/FreeNAS/CIFS
3. If FN is not apart of the same workgroup as the Windows PC
   • FreeNAS: WebGUI -> Network -> Global Configuration -> Domain
   • Windows: Control Panel\System and Security\System -> Advanced system settings -> Computer Name -> Change... -> Workgroup

Try rebooting FN, as well as the devices running Windows and Ubuntu.

• If none of the above works, you'll need to scour the samba logs of client and server, as well as the firewall logs of the router and PCs to determine where and why authentication and/or traffic is being rejected.

 

[ntejedor]

@zoomzoom Thanks for your answer, once again! The first thing I tried is these steps you recommend from Ubuntu, but I am still not lucky...

Everything done after rebooting FreeNAS and Ubuntu. Later I would try from Windows. I am going to reinstall FreeNAS in a dedicated server, and I'll let you know if everything goes fine ;)

 

[zoomzoom]

Yeah, you're going to have to go through the samba and firewall logs on the client, server, and router [firewall], as either something in Samba is misconfigured on FreeNAS, or one of the three's firewall is blocking traffic.

 

[ntejedor]

Hi! I deleted everything in this FreeNAS where I had all the troubles, and I started to follow all the steps I followed (this ones from this video https://www.youtube.com/watch?v=RxggaE935PM) and... surprise, surprise, it works! I feel a fool right now... :S
Anyway, I am going to post the right Samba configuration, in case it could be any help to someone who faces the same problem:

Code:

[global]
  server max protocol = SMB3
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 117083
  logging = file
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = nobody
  map to guest = Bad User
  obey pam restrictions = yes
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  nsupdate command = /usr/local/bin/samba-nsupdate -g
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  lm announce = yes
  hostname lookups = yes
  time server = yes
  acl allow execute always = true
  dos filemode = yes
  multicast dns register = yes
  domain logons = no
  local master = yes
  idmap config *: backend = tdb
  idmap config *: range = 90000001-100000000
  server role = standalone
  netbios name = FREENAS
  workgroup = WORKGROUP
  security = user
  pid directory = /var/run/samba
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 1

[cifs]
  path = /mnt/Test/CIFS
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl streams_xattr aio_pthread
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare

I find some differences between this and the old one, but I think no one is really meaningful...

 

[anodos]

Hi! I deleted everything in this FreeNAS where I had all the troubles, and I started to follow all the steps I followed (this ones from this video https://www.youtube.com/watch?v=RxggaE935PM) and... surprise, surprise, it works! I feel a fool right now... :S
Anyway, I am going to post the right Samba configuration, in case it could be any help to someone who faces the same problem:

Code:

[global]
  server max protocol = SMB3
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 117083
  logging = file
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = nobody
  map to guest = Bad User
  obey pam restrictions = yes
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  nsupdate command = /usr/local/bin/samba-nsupdate -g
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  lm announce = yes
  hostname lookups = yes
  time server = yes
  acl allow execute always = true
  dos filemode = yes
  multicast dns register = yes
  domain logons = no
  local master = yes
  idmap config *: backend = tdb
  idmap config *: range = 90000001-100000000
  server role = standalone
  netbios name = FREENAS
  workgroup = WORKGROUP
  security = user
  pid directory = /var/run/samba
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 1

[cifs]
  path = /mnt/Test/CIFS
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl streams_xattr aio_pthread
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare

I find some differences between this and the old one, but I think no one is really meaningful...

Yeah, that looks like the default smb4.conf file. :) Glad it's working for you.

 

[anodos]

Add VFS Object acl_xattr

For future reference - don't do that. ACLs in FreeNAS are handled by "zfsacl". There are some situations where moving ACLs into extended attributes may be warranted, but in general adding extra layers of ACLs is not a good troubleshooting step.