SMB help with groups

Status
Not open for further replies.

kyp

Explorer
Joined
Jan 24, 2016
Messages
58
hey guys, I haven't been able to find a definitive answer on whether a permission set-up using the same user and group name for a cifs share works.
i.e. in Windows, what I assume to be the primary group SID is not being resolved (it comes up as 'Account Unknown').

I've just rolled back to 9.10.2-U2 (from Corral).
It seems this was working in Corral / FreeBSD 11.
Note: Prior to my move to Corral, I was only using user/s, rather than groups, in the smb share security permissions in Windows.

I'd appreciate some comments.

P.S: I cannot add groups that have the same name as a user (in Windows, searching for the 'Group' object fails to find it).
The unresolved SID corresponds to the one shown by 'net groupmap list'.

kyp
Might this be the cause?

[root@nas-1 ~]# net getdomainsid
Environment LOGNAME is not defined. Trying anonymous access.
SID for local machine NAS-1 is: S-1-5-21-495269793-4130344135-2154332175
Could not fetch domain SID
[root@nas-1 ~]#
[root@nas-1 ~]#
[root@nas-1 ~]# net groupmap list
Environment LOGNAME is not defined. Trying anonymous access.
xxxx (S-1-5-21-4272316903-4045912713-2756313090-1002) -> xxxx
[root@nas-1 ~]#

I thought this sort of mismatch was resolved?
The strange thing is that I did a fresh install and re-created all my users and groups.

UPDATE: I managed to fix using 'net groupmap delete' and then 'net groupmap add' to re-create.

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> hey guys, I haven't been able to find a definitive answer on whether a permission set-up using the same user and group name for a cifs share works.

It works, but from an administrative standpoint it is bad practice to do things that way on a FreeNAS samba server (i.e. when you're using zfsacls). This is because you will typically administer permissions on your server via "File Explorer" on a Windows computer and it may not be immediately obvious whether you're dealing with a user or a group object when you are looking at the ACL. On the backend, the user and group should each have a different SID.

anodos
> hey guys, I haven't been able to find a definitive answer on whether a permission set-up using the same user and group name for a cifs share works.
> i.e. in Windows, what I assume to be the primary group SID is not being resolved (it comes up as 'Account Unknown').
>
> I've just rolled back to 9.10.2-U2 (from Corral).
> It seems this was working in Corral / FreeBSD 11.
> Note: Prior to my move to Corral, I was only using user/s, rather than groups, in the smb share security permissions in Windows.
>
> I'd appreciate some comments.
>
> P.S: I cannot add groups that have the same name as a user (in Windows, searching for the 'Group' object fails to find it).
> The unresolved SID corresponds to the one shown by 'net groupmap list'.
@Ericloewe can you please move posts 9-12 to a new thread if it's possible?

@kyp What was the procedure you used to roll back to 9.10.2-U2? It looks like your FreeNAS server generated a new domain SID, but retained the old GID/UID -> SID mappings. This is a rather tricky problem to work around, and it's been a year or more since I had to tackle it. There is a python script that is supposed to fix the problem, but it might not work on 9.10.2-U2. Please provide as much detail as possible on how you rolled back. I assume at some point you applied an old config file?
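As an added example (not code from the thread, from kyp, or from FreeNAS), here is a shell script that performs the check anodos describes above: it takes the machine SID from 'net getdomainsid', compares it with the domain part of every S-1-5-21-... entry in 'net groupmap list', and prints (without running) the 'net groupmap delete' / 'net groupmap add' pair that kyp used to re-create a stale mapping. The command output embedded below is constructed from the values kyp posted, plus a second constructed mapping and a constructed BUILTIN line to show that BUILTIN (S-1-5-32-...) entries are expected to differ and are not flagged. The function names are my own.

```shell
#!/bin/sh
# Added example: audit Samba groupmap entries against the local machine SID.
# Sample outputs are constructed (values taken from the thread) so this runs
# offline; on a live host feed it the real command output instead (see the end).

# Constructed sample: output of `net getdomainsid`
GETDOMAINSID_OUT='Environment LOGNAME is not defined. Trying anonymous access.
SID for local machine NAS-1 is: S-1-5-21-495269793-4130344135-2154332175
Could not fetch domain SID'

# Constructed sample: output of `net groupmap list`
# (one stale mapping from an old install, one current mapping, one BUILTIN entry)
GROUPMAP_OUT='Environment LOGNAME is not defined. Trying anonymous access.
xxxx (S-1-5-21-4272316903-4045912713-2756313090-1002) -> xxxx
media (S-1-5-21-495269793-4130344135-2154332175-1003) -> media
Users (S-1-5-32-545) -> BUILTIN\users'

# machine_sid <getdomainsid output>: print the S-1-5-21-... SID of this machine
machine_sid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for local machine .* is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# sid_domain <sid>: strip the trailing RID, leaving the domain (machine) part
sid_domain() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# stale_groupmaps <machine sid> <groupmap output>:
# print "ntgroup|sid|unixgroup" for each S-1-5-21 mapping whose domain part
# differs from the machine SID. BUILTIN and other well-known SIDs are skipped,
# since they are supposed to differ.
stale_groupmaps() {
    msid=$1
    printf '%s\n' "$2" |
        sed -n 's/^\(.*\) (\(S-[0-9-]*\)) -> \(.*\)$/\1|\2|\3/p' |
        while IFS='|' read -r ntgroup sid unixgroup; do
            case "$sid" in
                S-1-5-21-*)
                    if [ "$(sid_domain "$sid")" != "$msid" ]; then
                        printf '%s|%s|%s\n' "$ntgroup" "$sid" "$unixgroup"
                    fi
                    ;;
            esac
        done
}

# fix_commands <machine sid> <groupmap output>: print, do not run, the
# delete/add pair that re-creates each stale mapping. `net groupmap add`
# without sid= lets Samba allocate a fresh RID under the current machine SID.
fix_commands() {
    stale_groupmaps "$1" "$2" | while IFS='|' read -r ntgroup sid unixgroup; do
        printf 'net groupmap delete sid=%s\n' "$sid"
        printf 'net groupmap add ntgroup="%s" unixgroup=%s type=domain\n' \
            "$ntgroup" "$unixgroup"
    done
}

# Live usage (as root; review the printed commands before running them):
#   fix_commands "$(machine_sid "$(net getdomainsid 2>&1)")" "$(net groupmap list 2>&1)"
MSID=$(machine_sid "$GETDOMAINSID_OUT")
echo "machine SID: $MSID"
fix_commands "$MSID" "$GROUPMAP_OUT"
```

Run on the constructed input it flags only the 'xxxx' mapping, whose S-1-5-21-4272316903-... prefix belongs to a different install than the machine SID, and leaves 'media' and the BUILTIN entry alone.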

kyp
Thanks for the reply anodos.
I did have old config files, but decided to re-configure everything from scratch so it's quite strange.

> On the backend, the user and group should each have a different SID.
Yeah, this is something I already encountered as a problem.
I'm now thinking of creating a new user/group concept.
Sorry to mess up this thread - you can move this post as well.

anodos
> Thanks for the reply anodos.
> I did have old config files, but decided to re-configure everything from scratch so it's quite strange.
>
> Yeah, this is something I already encountered as a problem.
> I'm now thinking of creating a new user/group concept.
> Sorry to mess up this thread - you can move this post as well.

No problem. To be clear, on the surface you actually do have a problem. It looks like the samba groupmap is in a broken state due to the downgrade from Corral. This is an issue that should probably be reported as a bug so that a proper "fix" procedure can be put in place.

Note: the above comment was wrong. No problem with group map as far as I can tell. I'm leaving post intact to preserve context.

kyp
Aren't the group mappings done based on creation of users/groups and whether you define the user to be a Microsoft account?
i.e. nothing to do with the volume, that I imported into 9.10.2-U2 environment.

Atm, I'm having trouble adding a group to the share from Windows - trying to figure it out.

anodos
> Aren't the group mappings done based on creation of users/groups and whether you define the user to be a Microsoft account?
> i.e. nothing to do with the volume, that I imported into 9.10.2-U2 environment.
>
> Atm, I'm having trouble adding a group to the share from Windows - trying to figure it out.

Well, the group mappings are stored in a tdb file that might have been preserved when you downgraded from 10 -> 9 (the tdb is stored in your zpool). Run the following command on your FreeNAS server: fixsid.py. Post the output.

kyp
[root@nas-1 ~]# fixsid.py
Environment LOGNAME is not defined. Trying anonymous access.
detected SID: S-1-5-21-495269793-4130344135-2154332175

database SID: None

Saving detected SID to the database
Please either reboot the system or run the following commands as root:
service samba_server stop
service ix-pre-samba start
service samba_server start
[root@nas-1 ~]#

I now stopped/started the samba service.

When I try to add the group from Windows, it adds it, then starts applying it recursively to files/folders, but then it disappears.
 

kyp
Refer to attachment.
'sysadmin' is the owner (user) and 'nogroup' is the owner (group) for dataset 'mediavault'.
I'm trying to add 'users' group to the share security from Windows.

Attachment: group_add.png

anodos
> Refer to attachment.
> 'sysadmin' is the owner (user) and 'nogroup' is the owner (group) for dataset 'mediavault'.
> I'm trying to add 'users' group to the share security from Windows.

Upload a debug file: "system" -> "advanced" -> "save debug". If you're concerned about private data, send it to me in a PM.

anodos
It looks like you're trying to set permissions for the well-known group "Users" (S-1-5-32-545) in the Windows world. This isn't generated in the default FreeNAS group mapping. Try creating a group in the FreeNAS UI and then assigning permissions to it.

kyp
Thanks anodos, I had created "users" via the FreeNAS GUI.
I notice that when you create this group, a groupmap is automatically added.
i.e. 'net groupmap list' has an ntgroup to unix group mapping, with an assigned SID that's different from the standard SID in the Windows world.

P.S: When I search for groups to add from Windows, I'm only searching for groups/users on freenas.

anodos
> Thanks anodos, I had created "users" via the FreeNAS GUI.
> I notice that when you create this group, a groupmap is automatically added.
> i.e. 'net groupmap list' has an ntgroup to unix group mapping, with an assigned SID that's different from the standard SID in the Windows world.
>
> P.S: When I search for groups to add from Windows, I'm only searching for groups/users on freenas.

Interesting. What happens if you use a group that isn't "users", i.e. "samba_users"?

kyp
hey anodos, that worked!
Thanks for your time and effort.

Lessons:
  1. Do not set up user name = group name (and UID = GID) for an smb server; it seems Windows cannot distinguish between user and group. Do you know why this would be the case? I would expect SIDs to be different and this is all that Windows should be interested in.
  2. Do not name your group "users" - Windows gets confused (even if you explicitly browse the freenas users/groups).

anodos
> hey anodos, that worked!
> Thanks for your time and effort.
>
> Lessons:
>   1. Do not set up user name = group name (and UID = GID) for an smb server; it seems Windows cannot distinguish between user and group. Do you know why this would be the case? I would expect SIDs to be different and this is all that Windows should be interested in.
>   2. Do not name your group "users" - Windows gets confused (even if you explicitly browse the freenas users/groups).

I think (2) is most likely what really tripped you up.

To be a bit clearer. Windows has certain expectations regarding built-in groups such as S-1-5-32-545 [BUILTIN\users]. I.e., that it exists. Samba satisfies this by automatically generating a groupmap entry Users (S-1-5-32-545) -> BUILTIN\users. It also does the same for "Administrators".

Some group names to avoid using on samba shares are as follows:
  • Access Control Assistance Operators
  • Administrators
  • Backup Operators
  • Cryptographic Operators
  • Distributed COM Users
  • Event Log Readers
  • Guests
  • Hyper-V Administrators
  • Network Configuration Operators
  • Power Users
  • Remote Desktop Users
  • Remote Management Users
  • Replicator
  • System Managed Accounts Group
  • Users
By no means is this complete. It's important to realize that your FreeNAS samba server is trying to be a Windows server. It's best to respect Windows expectations regarding group / user names.
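As an added example (not code from the thread, from anodos, or from FreeNAS), here is a small pre-flight check to run before creating a group in the FreeNAS UI for SMB use. It applies the two rules from this thread: reject a name that matches a Windows built-in group (anodos' list above, compared case-insensitively since Windows name lookups are), and reject a group name that equals an existing user name (the same-name user/group set-up anodos advised against earlier). The built-in list is the one posted here and is not complete; the passwd data is a constructed sample standing in for 'getent passwd', and the function names are my own.

```shell
#!/bin/sh
# Added example: pre-flight check for an SMB group name on a Samba/FreeNAS host.
# Rule 1: do not reuse a Windows built-in group name (Samba maps those to
#         BUILTIN S-1-5-32-* SIDs, so a local group of the same name shows up
#         as a second, look-alike entry in the Windows ACL picker).
# Rule 2: do not give a group the same name as a user.

# Windows built-in group names to avoid (list from the thread; not complete)
RESERVED_GROUP_NAMES='Access Control Assistance Operators
Administrators
Backup Operators
Cryptographic Operators
Distributed COM Users
Event Log Readers
Guests
Hyper-V Administrators
Network Configuration Operators
Power Users
Remote Desktop Users
Remote Management Users
Replicator
System Managed Accounts Group
Users'

# Constructed sample in passwd(5) format, standing in for `getent passwd`
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
sysadmin:*:1001:1001:Admin:/home/sysadmin:/bin/sh
media:*:1002:1002:Media:/home/media:/usr/sbin/nologin'

# is_reserved_name <name>: true if <name> is a built-in group name
# (-i: case-insensitive, -x: whole line, -F: literal match)
is_reserved_name() {
    printf '%s\n' "$RESERVED_GROUP_NAMES" | grep -qixF -- "$1"
}

# user_exists <name> <passwd data>: true if a user of that name exists
# (also case-insensitive, because Samba resolves names the Windows way)
user_exists() {
    printf '%s\n' "$2" | cut -d: -f1 | grep -qixF -- "$1"
}

# check_group_name <name> <passwd data>: print a verdict; return 0 only if safe
check_group_name() {
    name=$1
    if is_reserved_name "$name"; then
        echo "REJECT: '$name' is a Windows built-in group name (BUILTIN will shadow it)"
        return 1
    fi
    if user_exists "$name" "$2"; then
        echo "REJECT: '$name' is already a user name; pick a distinct group name"
        return 1
    fi
    echo "OK: '$name'"
    return 0
}

# Live usage: replace "$SAMPLE_PASSWD" with "$(getent passwd)"
for g in users Administrators media samba_users; do
    check_group_name "$g" "$SAMPLE_PASSWD" || true
done
```

On the constructed input, "users" and "Administrators" are rejected as built-in names, "media" is rejected because a user of that name exists, and "samba_users" (the name that worked for kyp) passes.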

kyp
> To be a bit clearer. Windows has certain expectations regarding built-in groups such as S-1-5-32-545 [BUILTIN\users]. I.e., that it exists. Samba satisfies this by automatically generating a groupmap entry Users (S-1-5-32-545) -> BUILTIN\users. It also does the same for "Administmrators".
Thanks, that makes sense.
I don't think it's an issue
Hmm, how do you then explain the Windows confusion?
e.g. when attempting to add group "blah" to the share from Windows, it reverts to user "blah".

anodos
> hey anodos, that worked!
> Thanks for your time and effort.
>
> Lessons:
>   1. Do not set up user name = group name (and UID = GID) for an smb server; it seems Windows cannot distinguish between user and group. Do you know why this would be the case? I would expect SIDs to be different and this is all that Windows should be interested in.
>   2. Do not name your group "users" - Windows gets confused (even if you explicitly browse the freenas users/groups).

One further comment regarding (2). I just created a group "Users" on my freenas server, and it appears as an available group. Unfortunately, there are two "Users" entries without an easy way to differentiate between them. You probably selected the first entry, which is BUILTIN\Users, rather than FREENAS\Users. Since Windows looks primarily at SIDs, you're probably okay to use "users", but I still wouldn't trust it.