Windows share guid resolving to the wrong group?

Status
Not open for further replies.

Crispin

Explorer
Joined
Jun 8, 2011
Messages
85
I have the following users and groups:

upload_2016-10-4_20-23-54.png


I have one pool (tank) with many datasets, basically one per group.

My users have secondary groups for each of the above where they should. Each user has Users as the primary group.
My user (Crispin) has all the groups as secondary.
I'll use Pics as an example;
upload_2016-10-4_20-26-50.png


In my Windows share for, say, Pics, I am seeing something odd in the security tab.
When I first go to the tab it shows the guid-groupid
upload_2016-10-4_20-28-57.png


Then, when it refreshes, it looks like this
upload_2016-10-4_20-29-50.png


Now, the group ToSort has nothing to do with the volume Pics. (See above)
Interestingly the groupid (assuming it is the 1005 after the guid) is 1005.

Look what 1005 is:
upload_2016-10-4_20-31-35.png



The group ToSort is actually 1010

upload_2016-10-4_20-31-13.png




Why is Windows showing me the wrong group name for this share?

Install is 9.10.1 (d989edd) (not the U1 install)

TIA
Crispin
 


anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Post output of following commands:
  • net groupmap list
  • net getlocalsid
  • net usersidlist
  • getfacl /mnt/tank/Pics
If you're unfamiliar with the CLI, try uploading a debug file ('system'->'advanced'->'debug') - note that the debug file contains LOTS of information about your system, you can PM it to me if you're concerned about such things.
 

Crispin

Explorer
Joined
Jun 8, 2011
Messages
85
Here you go:


Code:
ToSort (S-1-5-21-2561242573-4180490267-2238170119-1012) -> ToSort
PersonalVideo (S-1-5-21-2561242573-4180490267-2238170119-1006) -> Scripts
Companies (S-1-5-21-2561242573-4180490267-2238170119-1007) -> Companies
Dump (S-1-5-21-2561242573-4180490267-2238170119-1001) -> Dev
Software (S-1-5-21-2561242573-4180490267-2238170119-1008) -> Software
Users (S-1-5-21-2561242573-4180490267-2238170119-1002) -> Documents
Web (S-1-5-21-2561242573-4180490267-2238170119-1009) -> Web
Users (S-1-5-21-2561242573-4180490267-2238170119-1010) -> Users
Companies (S-1-5-21-2561242573-4180490267-2238170119-1004) -> PersonalVideos
ToSort (S-1-5-21-2561242573-4180490267-2238170119-1005) -> Pics


Code:
SID for domain NAS is: S-1-5-21-2561242573-4180490267-2238170119

Code:
NAS\crispin
 S-1-5-21-2561242573-4180490267-2238170119-1000
 S-1-1-0
 S-1-5-2
 S-1-5-11
 S-1-5-21-2561242573-4180490267-2238170119-1010
 S-1-5-21-2561242573-4180490267-2238170119-1001
 S-1-5-21-2561242573-4180490267-2238170119-1002
 S-1-5-21-2561242573-4180490267-2238170119-1004
 S-1-5-21-2561242573-4180490267-2238170119-1005
 S-1-5-21-2561242573-4180490267-2238170119-1006
 S-1-5-21-2561242573-4180490267-2238170119-1008
 S-1-5-21-2561242573-4180490267-2238170119-1009
 S-1-5-21-2561242573-4180490267-2238170119-1012
NAS\denise
 S-1-5-21-2561242573-4180490267-2238170119-1011
 S-1-1-0
 S-1-5-2
 S-1-5-11
 S-1-5-21-2561242573-4180490267-2238170119-1010

Code:
# file: /mnt/tank/Pics
# owner: nobody
# group: Pics
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow





What's up with the groupmap? That looks screwy?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

ToSort (S-1-5-21-2561242573-4180490267-2238170119-1005) -> Pics

ToSort is the NT group that appears in a Windows Client
S-1-5-21-2561242573-4180490267-2238170119-1005 is the SID (think UID/GID on steroids) associated with the NT Group.
Pics is the local Unix group.

Obviously something happened to mess up the group mapping. Perhaps changing up GIDs of Unix Groups?
Below is one possible way to fix this situation
  • Change permissions on tank/Pics so that its owner (group) is different.
  • Then delete the group "pics" through the webui.
  • Then run net groupmap list again from the CLI and verify that the above entry has been deleted.
  • If it hasn't been deleted, run net groupmap delete unixgroup=Pics
  • Verify that the groupmap has been nuked.
  • Reboot server to verify that it has been thoroughly nuked and isn't hiding in the nooks and crannies of the FreeNAS config file
  • Recreate the "Pics" group and redo your permissions.




 

Crispin

Explorer
Joined
Jun 8, 2011
Messages
85
I've gone through all the permissions and deleted and re-added them. It all seems ok now.

No idea why this happened. I'll keep an eye on it and see for the future.


Thanks
C
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
Post output of following commands:
  • net groupmap list
  • net getlocalsid
  • net usersidlist
  • getfacl /mnt/tank/Pics
If you're unfamiliar with the CLI, try uploading a debug file ('system'->'advanced'->'debug') - note that the debug file contains LOTS of information about your system, you can PM it to me if you're concerned about such things.

I did this in the freeNAS shell and didn't see anything out of the ordinary except:
Code:
[root@Deetz ~]# getfacl /media
# file: /media
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
I use Windows permissions (but I can't see them because I access the webGUI from macOS).
(I use Windows permissions just to maximize compatibility.)

.

This is strange to me because, in

webGUI: Storage : ./mnt/Deetz/media :

I set the group to public; however,
it remains set to wheel.
I even tried to change it again just now, but
the results remained the same.
(I'm logged into the webGUI as root.)

Why is this?
 