View open CIFS sessions via Windows Computer Management / MMC

Status
Not open for further replies.

Brentnall

Dabbler
Joined
May 24, 2015
Messages
16
Can anyone shed any light on the possibility of viewing open files and sessions of a FreeNAS box from the remote computer management console?

I understand this may be possible when joined to a domain, but when in a workgroup I'm greeted with the following:

[Attached image: mmc_error.JPG]

Viewing the shares from this console works fine, even the hidden/admin ones show up. Just the 'Sessions' and 'Open Files' views are access denied.


Looking into the log.smbd file shows my many attempts at getting this working with the following:

[2015/09/28 19:15:38.686116, 1] ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:998(_srvsvc_NetFileEnum)
Enumerating files only allowed for administrators

[2015/09/28 19:15:39.999770, 1] ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1190(_srvsvc_NetSessEnum)
Enumerating sessions only allowed for administrators




I've tried several variations of the Windows 'runas' command to get the MMC running as the FreeNAS root user, as well as attempting to give another user administrative privileges, to no avail.

Is it possible to configure privileges in a way which makes enumerating sessions and open files possible in a workgroup environment?

Many thanks in advance. Let me know if I've missed out any info.
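
The two log.smbd records quoted in the post above pair a header line (timestamp, debug level, source location, function) with a message line. As an added example that is not part of any post in this thread, the script below counts denied srvsvc file and session enumeration calls per RPC function; the names `sample_log` and `denied_enum_summary` and the last two sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: count denied srvsvc enumeration calls in a Samba log.smbd.

# Constructed sample input. The first two records are the ones quoted in the
# post; the last two are made up to exercise counting and filtering.
sample_log() {
cat <<'EOF'
[2015/09/28 19:15:38.686116, 1] ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:998(_srvsvc_NetFileEnum)
Enumerating files only allowed for administrators
[2015/09/28 19:15:39.999770, 1] ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1190(_srvsvc_NetSessEnum)
Enumerating sessions only allowed for administrators
[2015/09/28 19:16:02.120001, 1] ../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:1190(_srvsvc_NetSessEnum)
Enumerating sessions only allowed for administrators
[2015/09/28 19:16:05.000000, 3] ../source3/example/other.c:1(_example_other)
unrelated message, constructed
EOF
}

# Emit one line per denied RPC call: <function> <count> <first_seen> <last_seen>
# Reads the files given as arguments, or stdin when there are none.
denied_enum_summary() {
    awk '
    # Header line: [date time, level] path:line(function)
    /^\[[0-9]+\/[0-9]+\/[0-9]+ / {
        ts = substr($1, 2) "T" $2; sub(/,$/, "", ts)
        fn = $0; sub(/^.*\(/, "", fn); sub(/\).*$/, "", fn)
        next
    }
    # Message line that belongs to the most recent header
    fn ~ /^_srvsvc_Net(File|Sess)Enum$/ && /only allowed for administrators/ {
        if (!(fn in n)) first[fn] = ts
        n[fn]++; last[fn] = ts
    }
    END { for (f in n) print f, n[f], first[f], last[f] }
    ' "$@" | sort
}

# Stand-alone run on the constructed sample.
sample_log | denied_enum_summary
```

To run it against a real log, pass the file as an argument to `denied_enum_summary` instead of piping in the sample.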
 

Brentnall

Dabbler
Joined
May 24, 2015
Messages
16
In my travels researching the topic I stumbled across the following from the Samba codebase:

if (!nt_token_check_sid(&global_sid_Builtin_Administrators, p->session_info->security_token)) {
    DEBUG(1, ("Enumerating files only allowed for administrators\n"));
    return WERR_ACCESS_DENIED;
}

This suggests the user attempting access must be part of the "Builtin_Administrators".

Any ideas how I would do this for a local FreeNAS user account?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
If I recall correctly, you need to grant 'SeDiskOperatorPrivilege' to the group you use to be able to view open files. For instance "CoolPeople". You can grant these privileges through the 'net' command.
Code:
net sam rights grant "<NETBIOS hostname>\CoolPeople" SeDiskOperatorPrivilege


You can then verify privileges by typing the following command (you will be prompted for your root password):
Code:
net rpc rights list accounts 


Caveat: I'm not sure if these changes will persist after a reboot. If not, create a startup script.
 