SMB connection refused - "You do not have permission to access.."

[icdadmin]

I've done the following
created a dataset in a pool
created a group for users who will have access to the dataset (and added users to that group)
set permissions of the dataset to point to the group
created an SMB share
in Auxiliary Parameters, set "access based share enum=yes"
in Shell, set "sharesec "Media" -r S-1-1-0:ALLOWED/0x0/FULL" to remove full access for all users (so everyone doesn't see the share)
in Shell, set "sharesec "Media" -a S-1-5-21-3304246306-2936721670-1852261437-1020:ALLOWED/0/FULL" to add access for necessary users to see the share based on the group ID for the group created above

Users can authenticate to the server and everything works well (as far as the user only seeing shares that they should have access to), but when they try to open a share, they get a message "You do not have permission to access \\serveraddress\Media"

I'm stumped because they do have permission via membership in the group that does have access to the share(s).

Does anyone know if there is something else I should do after the sharesec commands?

(using FreeNAS-11.2-U3)

 

[seanm]

Did you use 'sharesec --view-all' to double check your settings? You can also use 'getfacl' to check the filesysetm ACL of your shares.

 

[icdadmin]

sharesec --view-all shows the following for one of the datasets. For ACL, the ID shown is correct for the group that should have access to this dataset. I'm not sure how to use getfacl though.

[Media]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-3304246306-2936721670-1852261437-1052:ALLOWED/0x0/FULL

 

[seanm]

getfacl /mnt/tank/Media, or whatever path exactly.

Have you read this? https://www.ixsystems.com/community/threads/methods-for-fine-tuning-samba-permissions.50739/

What OS is your client running?

 

[icdadmin]

Clients are running MacOS 10.14 and Windows 10 Professional.

The problem seems to occur with FreeNAS-11.2-U3 but not with FreeNAS-11.2-U2.1. However, I need to test it out more to be certain.

 

[seanm]

OK, so it's not a problem with one particular client or client OS type.

Maybe you're hitting a bug already fixed in 11.2U4?

 

[Sasquatch]

Make sure you don't have nested shares.
If you share, say dataset and then folder within that dataset then folder share will have same permission as dataset share regardless of folder share permissions settings.
Just wasted half a day trying to figure it out

edit,
Actually only permissions that are common to both shares will have access.
if user1,user2,user3, have rw access to dataset share
and user1, user4 have rw access to folder share
then only user1 can access folder share