SOLVED Updating to RC1 AD problem

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
These are the permissions for the directory tree up to the share VIDEO. I can not get this to correspond to the ACLs set, as only the owner has read access? But still the owner should be able to access the share and the files in it...

Perms.PNG
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
TRAVERSE = permission to click through a directory
READ = TRAVERSE + permissions to read data, xattrs, etc
MODIFY = READ + permissions to write data, xattrs, etc (excluding change owner and write ACL)
FULL_CONTROL = MODIFY + permission to change owner and write ACL.

Post output of "getfacl /mnt/Pool_2", "getfacl /mnt/Pool_2/VIDEO", and "testparm -s".
root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # getfacl /mnt/Pool_2
# file: /mnt/Pool_2
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:rwxp--a-R-c--s:-------:allow
root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # getfacl /mnt/Pool_2/VIDEO
# file: /mnt/Pool_2/VIDEO
# owner: HJEMME\ole_berg
# group: HJEMME\domain users
everyone@:--x---a-R-c---:fd-----:allow
owner@:rwxpDdaARWcCos:fdi----:allow
group:HJEMME\ftpgroup:r-x---a-R-c---:fd-----:allow
group:HJEMME\trustedfriends:r-x---a-R-c---:fd-----:allow
group:HJEMME\vpnuser:r-x---a-R-c---:fd-----:allow
user:HJEMME\ole_berg:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow


---------------------------------------------------------------------------------------------------------

root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
WARNING: socket options = SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
This warning is printed because you set one of the
following options: SO_SNDBUF, SO_RCVBUF, SO_SNDLOWAT,
SO_RCVLOWAT
Modern server operating systems are tuned for
high network performance in the majority of situations;
when you set 'socket options' you are overriding those
settings.
Linux in particular has an auto-tuning mechanism for
buffer sizes (SO_SNDBUF, SO_RCVBUF) that will be
disabled if you specify a socket buffer size. This can
potentially cripple your TCP/IP stack.

Getting the 'socket options' correct can make a big
difference to your performance, but getting them wrong
can degrade it by just as much. As with any other low
level setting, if you must make changes to it, make
small changes and test the effect before making any
large changes.

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
aio max threads = 2
allow trusted domains = No
bind interfaces only = Yes
client ldap sasl wrapping = plain
deadtime = 15
disable spoolss = Yes
dns proxy = No
domain master = No
enable web service discovery = Yes
interfaces = 192.168.111.6
kerberos method = secrets and keytab
kernel change notify = No
load printers = No
local master = No
logging = file
map to guest = Bad User
max log size = 51200
min receivefile size = 16384
nsupdate command = /usr/local/bin/samba-nsupdate -g
os level = 255
preferred master = Yes
realm = HJEMME.VABRAATEN95.COM
security = ADS
server min protocol = SMB2_02
server role = member server
server string = FreeNAS Main Server
socket options = SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
template shell = /bin/sh
unix extensions = No
username map = /usr/local/etc/smbusername.map
username map cache time = 60
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind max domain connections = 10
wins support = Yes
workgroup = HJEMME
idmap config *: range = 90000001-100000000
idmap config hjemme: range = 20000-90000000
idmap config hjemme: backend = rid
idmap config * : backend = tdb
allocation roundup size = 0
directory name cache size = 0
dos filemode = Yes
include = /usr/local/etc/smb4_share.conf


[Arbeid]
aio write size = 0
mangled names = illegal
path = /mnt/Pool_1/arbeid
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[BILDER]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_2/BILDER
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[DOKUMENTER]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_1/dokumenter
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[FtpGjestMappe]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_1/ftpgjest
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[LITTERATUR]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_1/litteratur
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[MUSIKK]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_1/musikk
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[Manualer og Guider]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/OB-NAS-JAILS/owncloudjail/usr/local/www/owncloud/data/oleberg/files/Manualer Notater Guider
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[NBZdownloads]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_1/media/downloads
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[Pool_3]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_3
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[TestCIF]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_1/TestCIF
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[VIDEO]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_2/VIDEO
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[owncloud_julie]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_1/files/julie
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true


[temp]
aio write size = 0
guest ok = Yes
mangled names = illegal
path = /mnt/Pool_1/temp
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:acedup = merge
nfs4:chown = true
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # getfacl /mnt/Pool_2/VIDEO
# file: /mnt/Pool_2/VIDEO
# owner: HJEMME\ole_berg
# group: HJEMME\domain users
        everyone@:--x---a-R-c---:fd-----:allow
           owner@:rwxpDdaARWcCos:fdi----:allow
group:HJEMME\ftpgroup:r-x---a-R-c---:fd-----:allow
group:HJEMME\trustedfriends:r-x---a-R-c---:fd-----:allow
group:HJEMME\vpnuser:r-x---a-R-c---:fd-----:allow
user:HJEMME\ole_berg:rwxpDdaARWcCos:fd-----:allow
        everyone@:--------------:fd-----:allow

You don't have permissions defined for group@ (domain users).
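To see why the missing group@ entry matters, here is an added example (not code from this thread, from FreeNAS or from Samba) that parses the compact getfacl lines exactly as posted above and applies the NFSv4 evaluation rules: ACEs are walked in order, the first ACE to decide a permission bit wins, and inherit-only (`i`) ACEs are ignored for the directory itself. The principal `HJEMME\someone` is a constructed "domain users" member who belongs to none of the named groups; the TRAVERSE/READ/FULL_CONTROL bit sets follow the basic presets visible in the listings, while the MODIFY set is an assumption.

```python
"""NFSv4 ACL evaluator for the compact getfacl format shown in this thread.

Added example (not FreeNAS/Samba code): parses ACE lines as FreeBSD's getfacl
prints them and answers whether a principal gets a set of permission bits on
the directory itself.
"""
from dataclasses import dataclass

PERM_LETTERS = "rwxpDdaARWcCos"   # order used by getfacl's compact output
FLAG_LETTERS = "fdinSFI"          # inheritance/audit flags, same source

# Thread's permission levels as compact bits. TRAVERSE, READ and FULL_CONTROL
# match the presets seen in the listings; MODIFY is an assumption.
TRAVERSE = frozenset("x")
READ = TRAVERSE | frozenset("raRc")
MODIFY = READ | frozenset("wpDdAWs")
FULL_CONTROL = MODIFY | frozenset("Co")


@dataclass
class Ace:
    tag: str          # owner@, group@, everyone@, user or group
    who: str          # named principal for user:/group: entries, else ''
    perms: frozenset  # permission letters this ACE allows or denies
    flags: frozenset  # f, d, i, n, ... ('i' = inherit-only)
    kind: str         # 'allow' or 'deny'


@dataclass
class Principal:
    name: str
    groups: frozenset = frozenset()
    is_owner: bool = False
    in_owning_group: bool = False


def parse_getfacl(text):
    """Parse getfacl output; header comments and shell prompt lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or " # " in line:
            continue
        parts = line.split(":")
        if len(parts) == 5:                 # user:NAME:perms:flags:type
            tag, who, perms, flags, kind = parts
        elif len(parts) == 4:               # owner@:perms:flags:type
            tag, perms, flags, kind = parts
            who = ""
        else:
            raise ValueError(f"unrecognised ACE: {line!r}")
        bad = set(perms + flags) - set(PERM_LETTERS + FLAG_LETTERS + "-")
        if bad or kind not in ("allow", "deny"):
            raise ValueError(f"malformed ACE: {line!r}")
        aces.append(Ace(tag, who, frozenset(perms) - {"-"},
                        frozenset(flags) - {"-"}, kind))
    return aces


def ace_matches(ace, who):
    return {"everyone@": True,
            "owner@": who.is_owner,
            "group@": who.in_owning_group,
            "user": ace.who == who.name,
            "group": ace.who in who.groups}.get(ace.tag, False)


def check_access(aces, who, wanted):
    """True if every bit in `wanted` is allowed for `who` on the object itself.

    A matching ACE decides each of its bits that is still undecided; a deny on
    any wanted bit ends the check; inherit-only ('i') ACEs are skipped because
    they only seed children; bits nobody decides are denied.
    """
    undecided = set(wanted)
    for ace in aces:
        if "i" in ace.flags or not ace_matches(ace, who):
            continue
        hit = undecided & ace.perms
        if hit and ace.kind == "deny":
            return False
        undecided -= hit
        if not undecided:
            return True
    return not undecided


# The VIDEO directory ACL exactly as posted in this thread.
VIDEO_ACL = r"""
# file: /mnt/Pool_2/VIDEO
# owner: HJEMME\ole_berg
# group: HJEMME\domain users
everyone@:--x---a-R-c---:fd-----:allow
owner@:rwxpDdaARWcCos:fdi----:allow
group:HJEMME\ftpgroup:r-x---a-R-c---:fd-----:allow
group:HJEMME\trustedfriends:r-x---a-R-c---:fd-----:allow
group:HJEMME\vpnuser:r-x---a-R-c---:fd-----:allow
user:HJEMME\ole_berg:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow
"""
# Same ACL with a basic-read group@ entry added for 'domain users'.
VIDEO_ACL_WITH_GROUP = VIDEO_ACL.replace(
    "everyone@:--------------",
    "group@:r-x---a-R-c---:fd-----:allow\neveryone@:--------------")

OWNER = Principal(r"HJEMME\ole_berg", is_owner=True, in_owning_group=True)
PLAIN_DOMAIN_USER = Principal(r"HJEMME\someone", in_owning_group=True)  # constructed


def report(acl_text, who):
    aces = parse_getfacl(acl_text)
    levels = [("TRAVERSE", TRAVERSE), ("READ", READ),
              ("MODIFY", MODIFY), ("FULL_CONTROL", FULL_CONTROL)]
    return {name: check_access(aces, who, bits) for name, bits in levels}


if __name__ == "__main__":
    for label, text in [("as posted", VIDEO_ACL), ("with group@", VIDEO_ACL_WITH_GROUP)]:
        for who in (OWNER, PLAIN_DOMAIN_USER):
            print(label, who.name, report(text, who))
```

Two things fall out of running it: a plain domain user gets TRAVERSE from the first everyone@ entry but never READ, because nothing grants read_data (`r`) to group@, and the owner's own access comes entirely from the explicit `user:HJEMME\ole_berg` ACE, since the owner@ entry carries the `i` flag and so does not apply to the directory itself.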
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # getfacl /mnt/Pool_2/VIDEO
# file: /mnt/Pool_2/VIDEO
# owner: HJEMME\ole_berg
# group: HJEMME\domain users
        everyone@:--x---a-R-c---:fd-----:allow
           owner@:rwxpDdaARWcCos:fdi----:allow
group:HJEMME\ftpgroup:r-x---a-R-c---:fd-----:allow
group:HJEMME\trustedfriends:r-x---a-R-c---:fd-----:allow
group:HJEMME\vpnuser:r-x---a-R-c---:fd-----:allow
user:HJEMME\ole_berg:rwxpDdaARWcCos:fd-----:allow
        everyone@:--------------:fd-----:allow

You don't have permissions defined for group@ (domain users).
I did set group@ to basic -> read... Did not help
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
NOW:

root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # getfacl /mnt/Pool_2
# file: /mnt/Pool_2
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:rwxp--a-R-c--s:-------:allow

root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # getfacl /mnt/Pool_2/VIDEO
# file: /mnt/Pool_2/VIDEO
# owner: HJEMME\ole_berg
# group: HJEMME\domain users
everyone@:--x---a-R-c---:fd-----:allow
owner@:rwxpDdaARWcCos:fdi----:allow
group:HJEMME\ftpgroup:r-x---a-R-c---:fd-----:allow
group:HJEMME\trustedfriends:r-x---a-R-c---:fd-----:allow
group:HJEMME\vpnuser:r-x---a-R-c---:fd-----:allow
user:HJEMME\ole_berg:rwxpDdaARWcCos:fd-----:allow
group@:r-x---a-R-c---:fd-----:allow
everyone@:--------------:fd-----:allow
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
NOW:

root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # getfacl /mnt/Pool_2
# file: /mnt/Pool_2
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:rwxp--a-R-c--s:-------:allow

root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # getfacl /mnt/Pool_2/VIDEO
# file: /mnt/Pool_2/VIDEO
# owner: HJEMME\ole_berg
# group: HJEMME\domain users
everyone@:--x---a-R-c---:fd-----:allow
owner@:rwxpDdaARWcCos:fdi----:allow
group:HJEMME\ftpgroup:r-x---a-R-c---:fd-----:allow
group:HJEMME\trustedfriends:r-x---a-R-c---:fd-----:allow
group:HJEMME\vpnuser:r-x---a-R-c---:fd-----:allow
user:HJEMME\ole_berg:rwxpDdaARWcCos:fd-----:allow
group@:r-x---a-R-c---:fd-----:allow
everyone@:--------------:fd-----:allow
And can you access the share if you use smbclient //127.0.0.1/VIDEO -U HJEMME\\ole_berg from the FreeNAS CLI?
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
And can you access the share if you use smbclient //127.0.0.1/VIDEO -U HJEMME\\ole_berg from the FreeNAS CLI?

No....

root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # smbclient //127.0.0.1/VIDEO -U HJEMME\\ole_berg
do_connect: Connection to 127.0.0.1 failed (Error NT_STATUS_CONNECTION_REFUSED)
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
And can you access the share if you use smbclient //127.0.0.1/VIDEO -U HJEMME\\ole_berg from the FreeNAS CLI?
Anodos thanks so far... I am jumping on a plane in some 15 minutes and will be offline for some hours... It seems I am far from the bottom of this and still hope for your kind help... Rgrds /O
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
No....

root@OB-NAS-MAIN:/mnt/Pool_2/VIDEO # smbclient //127.0.0.1/VIDEO -U HJEMME\\ole_berg
do_connect: Connection to 127.0.0.1 failed (Error NT_STATUS_CONNECTION_REFUSED)
Right, that's because you've bound samba to 192.168.111.6. This doesn't appear to be a bug. It's just a configuration issue.
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Right, that's because you've bound samba to 192.168.111.6. This doesn't appear to be a bug. It's just a configuration issue.
I do not understand. Do you mean that I have bound SAMBA to a specific interface which has a static and specific IP? How do I solve the problem of not being able to access my shares?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
I do not understand. Do you mean that I have bound SAMBA to a specific interface which has a static and specific IP? How do I solve the problem of not being able to access my shares?
No, you're getting ECONNREFUSED on the smbclient command because you've configured samba to only listen on 192.168.111.6. We always allow 127.0.0.1 on FreeNAS so that we can do things like this. What is the output of midclt call smb.config?
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
No, you're getting ECONNREFUSED on the smbclient command because you've configured samba to only listen on 192.168.111.6. We always allow 127.0.0.1 on FreeNAS so that we can do things like this. What is the output of midclt call smb.config?

root@OB-NAS-MAIN:~ # midclt call smb.config
{"id": 1, "netbiosname": "OB-NAS-MAIN", "netbiosname_b": null, "netbiosalias": [], "workgroup": "HJEMME", "description": "FreeNAS Main Server", "enable_smb1": false, "unixcharset": "UTF-8", "loglevel": "MINIMUM", "syslog": false, "localmaster": true, "guest": "nobody", "admin_group": null, "filemask": "", "dirmask": "", "smb_options": "netbios aliases =\nnetbios name = OB-NAS-MAIN\n\ngetwd cache = yes\n\nsocket options=SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY\n\nmin receivefile size=16384\n\ninterfaces = 192.168.111.6\nwins support = yes\n\nos level =255\npreferred master = yes", "zeroconf": true, "ntlmv1_auth": false, "bindip": [], "cifs_SID": "S-1-5-21-3611432354-2116677988-3925923535", "netbiosname_local": "OB-NAS-MAIN"}


SMB has not been explicitly bound to 192.168.111.6 under services->SMB->bind IP addresses, where the only option is 192.168.111.6, which is not hooked-off. Even if it was, I thought this was fixed as per
Bug #40572

Allow Samba to also listen on loopback when specifying a Bind IP
and was automatic.

There is also one strange issue. I have several PCs that are in my HJEMME (HOME) domain. One accesses the share with no problem when logged in as domain user ole_berg. The other 4 act like the MS Server 2016 machine we have been looking at.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Currently in 11.3 you can only explicitly select bind IPs if they happen to be static addresses. When a bind IP is selected in the UI, we automatically add 127.0.0.1, your auxiliary parameter doesn't do this. Remove the bind-IP address auxiliary parameter and re-test with local SMB client access over loopback like in the previous example I gave. This will exclude server issues and allow you to focus on your clients. Recent versions of Windows disallow SMB guest access, and so you should also try removing guest access from your shares. If there is an actual bug in our product, then I'll fix it, but at this point I think it's probably a configuration issue.
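A small configuration check for the two points in this reply, added here as an example and not part of FreeNAS's middleware or Samba: it parses a `testparm -s` dump, flags a `bind interfaces only = Yes` / `interfaces = ...` setting that has no loopback entry (the reason `smbclient //127.0.0.1/VIDEO` on the server itself is refused), and flags shares that still allow guest access. The sample config is a trimmed copy of the testparm output posted earlier in the thread; the "fixed" variant adds 127.0.0.1 to `interfaces` and turns guest access off, which is what selecting the bind IP in the UI and removing guest access would produce.

```python
"""Audit a 'testparm -s' dump for the two conditions raised in the reply above.

Added example, not FreeNAS middleware or Samba code. Checks: (1) Samba is bound
to specific interfaces and none of them is loopback, which is why
'smbclient //127.0.0.1/...' run on the server gets NT_STATUS_CONNECTION_REFUSED;
(2) shares still carry 'guest ok = Yes'; (3) 'socket options' is set.
"""
import re


def parse_testparm(text):
    """Return {section: {key: value}}; text before the first [section] is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # testparm preamble: warnings, 'Server role:'
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_loopback(token):
    """True for 127.x.x.x, ::1 or an interface name starting with 'lo' (heuristic)."""
    addr = token.split("/")[0]
    return addr.startswith("127.") or addr == "::1" or addr.startswith("lo")


def is_yes(value):
    return value.strip().lower() in {"yes", "true", "1"}


def audit_smb_conf(text):
    """Return a list of (severity, scope, message) findings."""
    cfg = parse_testparm(text)
    g = cfg.get("global", {})
    findings = []
    if is_yes(g.get("bind interfaces only", "no")):
        ifaces = g.get("interfaces", "").split()
        if not any(is_loopback(t) for t in ifaces):
            findings.append(("warn", "global",
                             f"bind interfaces only = Yes with interfaces = {ifaces} and "
                             "no loopback entry; local smbclient //127.0.0.1 tests will be refused"))
    if "socket options" in g:
        findings.append(("info", "global",
                         "socket options overrides kernel buffer auto-tuning: " + g["socket options"]))
    for name, share in cfg.items():
        if name != "global" and is_yes(share.get("guest ok", "no")):
            findings.append(("warn", name,
                             "guest ok = Yes; recent Windows clients refuse guest SMB access"))
    return findings


# Trimmed copy of the 'testparm -s' output posted in this thread.
SAMPLE_CONF = """\
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
WARNING: socket options = SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = 192.168.111.6
    map to guest = Bad User
    realm = HJEMME.VABRAATEN95.COM
    security = ADS
    server role = member server
    socket options = SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
    workgroup = HJEMME

[VIDEO]
    guest ok = Yes
    path = /mnt/Pool_2/VIDEO
    read only = No
    vfs objects = zfs_space zfsacl streams_xattr
"""

# Constructed 'after' state: loopback present in interfaces, guest access off.
FIXED_CONF = (SAMPLE_CONF
              .replace("interfaces = 192.168.111.6", "interfaces = 127.0.0.1 192.168.111.6")
              .replace("guest ok = Yes", "guest ok = No"))

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for severity, scope, message in audit_smb_conf(conf):
            print(f"[{severity}] {scope}: {message}")
```

Run against the posted config it reports the loopback gap and the guest share; against the fixed variant only the informational `socket options` note remains, which mirrors the warning testparm itself prints.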
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Currently in 11.3 you can only explicitly select bind IPs if they happen to be static addresses. When a bind IP is selected in the UI, we automatically add 127.0.0.1, your auxiliary parameter doesn't do this. Remove the bind-IP address auxiliary parameter and re-test with local SMB client access over loopback like in the previous example I gave. This will exclude server issues and allow you to focus on your clients. Recent versions of Windows disallow SMB guest access, and so you should also try removing guest access from your shares. If there is an actual bug in our product, then I'll fix it, but at this point I think it's probably a configuration issue.

OK .

The auxiliary parameters were set as follows (I have now removed all this):

netbios aliases =
netbios name = OB-NAS-MAIN
getwd cache = yes
socket options=SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
min receivefile size=16384
interfaces = 192.168.111.6
wins support = yes
os level =255
preferred master = yes

After this with no explicit bind AND WITH IP bind I can connect with the smbclient:
root@OB-NAS-MAIN:~ # smbclient //127.0.0.1/VIDEO -U HJEMME\\ole_berg
Enter HJEMME\ole_berg's password:
Try "help" to get a list of possible commands.
smb: \>

Still not allowed to access through Windows Explorer.
I still have Guest access enabled and I will remove that and try further:

Removing guest access did not help and the fact remains. After updating 2 servers to RC1 I can not access my shares on any of them from AD users/Non AD users on W10 and Windows Server 2016 machines except from one specific machine.
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
All issues resolved... I am not completely sure what the problem was, but after tweaking the issues as discussed in the thread above AND POWER CYCLING all clients in the domain, all clients were able to connect to the shares again...

ANODOS: Thank you for your assistance. The new ACL editor is a very helpful piece of software which deserves credit!!!!
 