Unable to write to a cifs guest only share

[Danic]

I recently switch from nas4free to Freenas 9.2.1.8, and having issues with guest only shares (which is all shares at the moment). I can't write to them. All my zfs datasets are windows permission type, Owner nobody, group wheel. I verified guest account in CIFS settings is 'nobody', guest only is checked on the share.

I have found 2 workarounds
1. remove 'zfsacl' from 'vfs objects' in each share manually from the smb4.conf and then restarting samba. This will be lost if I do anything CIFS related via webui OR
2. Setting the 'everyone' can do everything permission via ' setfacl -m everyone@:rwxpDdaARWcCos:fd----:allow' to all directories in the share.

Why would I have to use setfacl for everyone group if folder the owner is nobody?

getfacl of a share that isn't writable

Code:

[root@nas] /mnt# getfacl /mnt/tank3/backup/
# file: /mnt/tank3/backup/
# owner: nobody
# group: wheel
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow

getfacl of share that is writable

Code:

[root@nas] /mnt# getfacl /mnt/tank3/BigShare/
# file: /mnt/tank3/BigShare/
# owner: nobody
# group: wheel
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:rwxpDdaARWcCos:fd----:allow

testparm

Code:

[root@nas] /mnt# testparm
Load smb config files from /usr/local/etc/smb4.conf
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
Processing section "[Backup]"
Processing section "[BigShare]"
Processing section "[ExtraStorage]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    dos charset = CP437
    workgroup = SUPERHOME
    server string = FreeNAS Server
    server role = standalone server
    map to guest = Bad User
    obey pam restrictions = Yes
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    max log size = 51200
    server max protocol = SMB2
    time server = Yes
    deadtime = 15
    max open files = 11070
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    dns proxy = No
    pid directory = /var/run/samba
    panic action = /usr/local/libexec/samba/samba-backtrace
    idmap config *:range = 90000000-100000000
    idmap config * : backend = tdb
    acl allow execute always = Yes
    create mask = 0777
    directory mask = 0777
    ea support = Yes
    directory name cache size = 0
    kernel change notify = No
    store dos attributes = Yes
    strict locking = No

[Backup]
    path = /mnt/tank3/backup
    read only = No
    guest only = Yes
    guest ok = Yes
    veto files = /.snap/.windows/.zfs/
    vfs objects = zfsacl, streams_xattr, aio_pthread
    zfsacl:acesort = dontcare
    nfs4:chown = yes
    nfs4:acedup = merge
    nfs4:mode = special
    recycle:subdir_mode = 0700
    recycle:directory_mode = 0777
    recycle:touch = yes
    recycle:versions = yes
    recycle:keeptree = yes
    recycle:repository = .recycle/%U

[BigShare]
    path = /mnt/tank3/BigShare
    read only = No
    guest only = Yes
    guest ok = Yes
    veto files = /.snap/.windows/.zfs/
    vfs objects = zfsacl, streams_xattr, aio_pthread
    zfsacl:acesort = dontcare
    nfs4:chown = yes
    nfs4:acedup = merge
    nfs4:mode = special
    recycle:subdir_mode = 0700
    recycle:directory_mode = 0777
    recycle:touch = yes
    recycle:versions = yes
    recycle:keeptree = yes
    recycle:repository = .recycle/%U

[ExtraStorage]
    path = /mnt/gamebackup
    read only = No
    guest ok = Yes
    veto files = /.snap/.windows/.zfs/
    vfs objects = zfsacl, streams_xattr, aio_pthread
    zfsacl:acesort = dontcare
    nfs4:chown = yes
    nfs4:acedup = merge
    nfs4:mode = special
    recycle:subdir_mode = 0700
    recycle:directory_mode = 0777
    recycle:touch = yes
    recycle:versions = yes
    recycle:keeptree = yes
    recycle:repository = .recycle/%U

Is there some bug in guest only shares?

 

[anodos]

Samba documentation states for the "guest account" parameter

This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter.

It could be that the user "nobody" doesn't exist in the password file. It's not shown if I enter "pdbedit -L". Try changing your guest account to a different one (i.e. "guest" instead of "nobody") rather than fiddling around with your password file.

 

[Danic]

The user account "ftp" is often a good choice for this parameter.

Funny thing is when I switched from nas4free to freenas I had guest account set as ftp. Has some issues I don't remember then switched to nobody.
But your suggestion of making a 'guest' user account worked. Thanks for the tip!