FreeNAS windows Share - You do not have permission to access

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33
Hello,

I am having a problem accessing a FreeNAS SMB share I have created.

I have read the manual, read methods-for-fine-tuning-samba-permissions, read MANY online documents, and viewed The Internet Monkey's videos carefully.

First I created a dataset "wata" for windows data.
I have a user "bryan" that has the auxiliary group "winshare".
I edited the "wata" dataset options to windows and the permissions to Windows and user "nobody" group "winshare" and applied recursively.
I created the SMB share pointing to the location of "wata" in my pool.

From my Windows 10 computer I click "Map Network Drive", \\Server-IP\wata, connect using different credentials, username bryan, password, and the drive successfully mounts.

When I click the drive I get the error: "You do not have permission to access". This happens on 3 separate Windows 10 computers. I have tried many various variations and client side things online. Nothing works.


Logs and command output below.

Any help is greatly appreciated!


Troubleshooting:

Code:
Command:
getfacl /mnt/tank1/ds1/smb/wata

Output:

root@MyServer[/mnt/tank1/iocage/jails]# getfacl /mnt/tank1/ds1/smb/wata
# file: /mnt/tank1/ds1/smb/wata
# owner: nobody
# group: winshare
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow


Code:
Command:

sharesec --view-all

Output:

[wata]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL


Partial logs of logs.smbd

Code:
[2020/01/04 09:30:23.262905,  6, pid=7595, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2341(lp_file_list_changed)
  lp_file_list_changed()
  file /usr/local/etc/smb4.conf -> /usr/local/etc/smb4.conf  last mod_time: Sat Jan  4 09:05:11 2020

[2020/01/04 09:30:23.262940, 10, pid=7595, effective(0, 0), real(0, 0)] ../source3/lib/util_event.c:54(smbd_idle_event_handler)
  smbd_idle_event_handler: idle_evt(housekeeping) 0x0 rescheduled
[2020/01/04 09:31:14.690216, 10, pid=7595, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3980(smbd_smb2_io_handler)
  smbd_smb2_request idx[1] of 5 vectors
[2020/01/04 09:31:14.690244, 10, pid=7595, effective(0, 0), real(0, 0), class=smb2_credits] ../source3/smbd/smb2_server.c:691(smb2_validate_sequence_number)
  smb2_validate_sequence_number: smb2_validate_sequence_number: clearing id 233 (position 233) from bitmap
[2020/01/04 09:31:14.690257, 10, pid=7595, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:2342(smbd_smb2_request_dispatch)
  smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 233
[2020/01/04 09:31:14.690289,  4, pid=7595, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (1003, 1003) - sec_ctx_stack_ndx = 0
[2020/01/04 09:31:14.690301,  5, pid=7595, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (13):
    SID[  0]: S-1-5-21-2321401650-3958342810-1290666931-1014
    SID[  1]: S-1-5-21-2321401650-3958342810-1290666931-513
    SID[  2]: S-1-5-21-2321401650-3958342810-1290666931-1013
    SID[  3]: S-1-5-21-2321401650-3958342810-1290666931-1020
    SID[  4]: S-1-1-0
    SID[  5]: S-1-5-2
    SID[  6]: S-1-5-11
    SID[  7]: S-1-22-1-1003
    SID[  8]: S-1-22-2-1003
    SID[  9]: S-1-22-2-1005
    SID[ 10]: S-1-22-2-90000004
    SID[ 11]: S-1-22-2-90000005
    SID[ 12]: S-1-22-2-90000007
   Privileges (0x               0):
   Rights (0x               0):
[2020/01/04 09:31:14.690377,  5, pid=7595, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 1003
  Primary group is 1003 and contains 5 supplementary groups
  Group[  0]: 1003
  Group[  1]: 1005
  Group[  2]: 90000004
  Group[  3]: 90000005
  Group[  4]: 90000007
[2020/01/04 09:31:14.690419,  4, pid=7595, effective(1003, 1003), real(0, 0), class=vfs] ../source3/smbd/vfs.c:805(vfs_ChDir)
  vfs_ChDir to /mnt/tank1/ds1/smb/wata
[2020/01/04 09:31:14.690439,  3, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/smbd/service.c:156(chdir_current_service)
  chdir (/mnt/tank1/ds1/smb/wata) failed, reason: Permission denied
[2020/01/04 09:31:14.690450,  0, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/smbd/uid.c:453(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/01/04 09:31:14.690460,  3, pid=7595, effective(1003, 1003), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2541
[2020/01/04 09:31:14.690472, 10, pid=7595, effective(1003, 1003), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3105(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3262
[2020/01/04 09:31:14.690483, 10, pid=7595, effective(1003, 1003), real(0, 0), class=smb2_credits] ../source3/smbd/smb2_server.c:956(smb2_set_operation_credit)
  smb2_set_operation_credit: smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 8084/8192, total granted/max/low/range 109/8192/234/109


Code:
[2020/01/04 09:28:44.113246,  6, pid=9754, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:2341(lp_file_list_changed)
  lp_file_list_changed()
  file /usr/local/etc/smb4.conf -> /usr/local/etc/smb4.conf  last mod_time: Sat Jan  4 09:05:11 2020

[2020/01/04 09:28:44.113276,  3, pid=9754, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2020/01/04 09:28:44.113288,  5, pid=9754, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:536(make_auth3_context_for_ntlm)
  Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2020/01/04 09:28:44.113301,  5, pid=9754, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:412(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2020/01/04 09:28:44.113312,  5, pid=9754, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:437(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2020/01/04 09:28:44.113322,  5, pid=9754, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:412(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2020/01/04 09:28:44.113333,  5, pid=9754, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:437(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2020/01/04 09:28:44.113385,  5, pid=9754, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2020/01/04 09:28:44.113409,  5, pid=9754, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism ntlmssp
[2020/01/04 09:28:44.113430, 10, pid=9754, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:440(gensec_update_send)
  gensec_update_send: spnego[0x813fbd820]: subreq: 0x813e17480
[2020/01/04 09:28:44.113445, 10, pid=9754, effective(0, 0), real(0, 0), class=auth] ../auth/gensec/gensec.c:498(gensec_update_done)
  gensec_update_done: spnego[0x813fbd820]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x813e17480/../auth/gensec/spnego.c:1610]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x813e17630)] timer[0x0] finish[../auth/gensec/spnego.c:2094]
[2020/01/04 09:28:44.113476, 10, pid=9754, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3105(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:140] at ../source3/smbd/smb2_negprot.c:662
[2020/01/04 09:28:44.113489, 10, pid=9754, effective(0, 0), real(0, 0), class=smb2_credits] ../source3/smbd/smb2_server.c:956(smb2_set_operation_credit)
  smb2_set_operation_credit: smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 8192/8192, total granted/max/low/range 1/8192/2/1
[2020/01/04 09:28:44.113961, 10, pid=9754, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:1113(smbd_server_connection_terminate_ex)
  smbd_server_connection_terminate_ex: conn[ipv4:10.17.17.110:61908] reason[NT_STATUS_END_OF_FILE] at ../source3/smbd/smb2_server.c:4032
[2020/01/04 09:28:44.114016,  4, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/01/04 09:28:44.114029,  5, pid=9754, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/01/04 09:28:44.114040,  5, pid=9754, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/01/04 09:28:44.114065,  5, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:509(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/01/04 09:28:44.114077,  4, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/01/04 09:28:44.114087,  5, pid=9754, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/01/04 09:28:44.114097,  5, pid=9754, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/01/04 09:28:44.114114,  5, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:509(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/01/04 09:28:44.114125,  4, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/01/04 09:28:44.114135,  5, pid=9754, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/01/04 09:28:44.114145,  5, pid=9754, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/01/04 09:28:44.114161,  5, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:509(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/01/04 09:28:44.114173,  4, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/01/04 09:28:44.114183,  5, pid=9754, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/01/04 09:28:44.114193,  5, pid=9754, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/01/04 09:28:44.114210,  5, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:509(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/01/04 09:28:44.114241, 10, pid=9754, effective(0, 0), real(0, 0)] ../source3/lib/messages_dgm_ref.c:163(msg_dgm_ref_destructor)
  msg_dgm_ref_destructor: refs=0x0
[2020/01/04 09:28:44.114637,  3, pid=9754, effective(0, 0), real(0, 0)] ../source3/smbd/server_exit.c:237(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
[2020/01/04 09:28:44.133224, 10, pid=7436, effective(0, 0), real(0, 0)] ../source3/lib/messages_dgm.c:1432(messaging_dgm_send)
  messaging_dgm_send: Sending message to 7461
[2020/01/04 09:28:44.133318, 10, pid=7461, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:429(messaging_recv_cb)
  messaging_recv_cb: Received message 0x314 len 0 (num_fds:0) from 7436
[2020/01/04 09:28:44.133384, 10, pid=7461, effective(0, 0), real(0, 0)] ../source3/smbd/smbd_cleanupd.c:194(smbd_cleanupd_process_exited)
  smbd_cleanupd_process_exited: cleaned up pid 9754
[2020/01/04 09:29:23.169995, 10, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/lib/util_event.c:43(smbd_idle_event_handler)
  smbd_idle_event_handler: idle_evt(deadtime) 0x0 called
[2020/01/04 09:29:23.170058, 10, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/lib/util_event.c:54(smbd_idle_event_handler)
  smbd_idle_event_handler: idle_evt(deadtime) 0x0 rescheduled
[2020/01/04 09:29:23.170087, 10, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/lib/util_event.c:43(smbd_idle_event_handler)
  smbd_idle_event_handler: idle_evt(housekeeping) 0x0 called
[2020/01/04 09:29:23.170098,  5, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/smbd/process.c:2898(housekeeping_fn)
  housekeeping
[2020/01/04 09:29:23.170109,  4, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/01/04 09:29:23.170120,  5, pid=7595, effective(1003, 1003), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/01/04 09:29:23.170131,  5, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/01/04 09:29:23.170157,  5, pid=7595, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:509(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/01/04 09:29:23.170173, 10, pid=7595, effective(0, 0), real(0, 0)] ../source3/lib/util_event.c:54(smbd_idle_event_handler)
  smbd_idle_event_handler: idle_evt(housekeeping) 0x0 rescheduled
[2020/01/04 09:30:23.262436, 10, pid=7595, effective(0, 0), real(0, 0)] ../source3/lib/util_event.c:43(smbd_idle_event_handler)
  smbd_idle_event_handler: idle_evt(deadtime) 0x0 called
[2020/01/04 09:30:23.262526, 10, pid=7595, effective(0, 0), real(0, 0)] ../source3/lib/util_event.c:54(smbd_idle_event_handler)
  smbd_idle_event_handler: idle_evt(deadtime) 0x0 rescheduled
[2020/01/04 09:30:23.262558, 10, pid=7595, effective(0, 0), real(0, 0)] ../source3/lib/util_event.c:43(smbd_idle_event_handler)
  smbd_idle_event_handler: idle_evt(housekeeping) 0x0 called
[2020/01/04 09:30:23.262570,  5, pid=7595, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:2898(housekeeping_fn)
  housekeeping
[2020/01/04 09:30:23.262581,  4, pid=7595, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/01/04 09:30:23.262593,  5, pid=7595, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/01/04 09:30:23.262604,  5, pid=7595, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/01/04 09:30:23.262657,  5, pid=7595, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:509(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2020/01/04 09:30:23.262680,  5, pid=7595, effective(0, 0), real(0, 0)] ../lib/util/debug.c:754(debug_dump_status)
  INFO: Current debug levels:
    all: 10
    tdb: 10
    printdrivers: 10
    lanman: 10
    smb: 10
    rpc_parse: 10
    rpc_srv: 10
    rpc_cli: 10
    passdb: 10
    sam: 10
    auth: 10
    winbind: 10
    vfs: 10
    idmap: 10
    quota: 10
    acls: 10
    locking: 10
    msdfs: 10
    dmapi: 10
    registry: 10
    scavenger: 10
    dns: 10
    ldb: 10
    tevent: 10
    auth_audit: 10
    auth_json_audit: 10
    kerberos: 10
    drs_repl: 10
    smb2: 10
    smb2_credits: 10
    dsdb_audit: 10
    dsdb_json_audit: 10
    dsdb_password_audit: 10
    dsdb_password_json_audit: 10
    dsdb_transaction_audit: 10
    dsdb_transaction_json_audit: 10
    dsdb_group_audit: 10
    dsdb_group_json_audit: 10
    dfs_samba4: 10



Code:
[2020/01/04 09:28:42.933211, 10, pid=7595, effective(1003, 1003), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3105(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3262
[2020/01/04 09:28:42.933222, 10, pid=7595, effective(1003, 1003), real(0, 0), class=smb2_credits] ../source3/smbd/smb2_server.c:956(smb2_set_operation_credit)
  smb2_set_operation_credit: smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 8084/8192, total granted/max/low/range 109/8192/222/109
[2020/01/04 09:28:42.935392, 10, pid=7595, effective(1003, 1003), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3980(smbd_smb2_io_handler)
  smbd_smb2_request idx[1] of 5 vectors
[2020/01/04 09:28:42.935429, 10, pid=7595, effective(1003, 1003), real(0, 0), class=smb2_credits] ../source3/smbd/smb2_server.c:691(smb2_validate_sequence_number)
  smb2_validate_sequence_number: smb2_validate_sequence_number: clearing id 222 (position 222) from bitmap
[2020/01/04 09:28:42.935442, 10, pid=7595, effective(1003, 1003), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:2342(smbd_smb2_request_dispatch)
  smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 222
[2020/01/04 09:28:42.935457,  5, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/smbd/uid.c:331(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/01/04 09:28:42.935469,  4, pid=7595, effective(1003, 1003), real(0, 0), class=vfs] ../source3/smbd/vfs.c:805(vfs_ChDir)
  vfs_ChDir to /mnt/tank1/ds1/smb/wata
[2020/01/04 09:28:42.935495,  3, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/smbd/service.c:156(chdir_current_service)
  chdir (/mnt/tank1/ds1/smb/wata) failed, reason: Permission denied
[2020/01/04 09:28:42.935506,  0, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/smbd/uid.c:453(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/01/04 09:28:42.935517,  3, pid=7595, effective(1003, 1003), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3214(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2541
 


anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
[2020/01/04 09:31:14.690450, 0, pid=7595, effective(1003, 1003), real(0, 0)] ../source3/smbd/uid.c:453(change_to_user_internal)
change_to_user_internal: chdir_current_service() failed!
^^^ this means that permissions to your share path are too restrictive for your user to access it. Review ACL on all directories leading to the share path.
 

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33
Thank you!

The parent directory to /mnt/tank1/ds1/smb/wata, /mnt/tank1/ds1 was mod 770. Apparently the parent directories must be either read and/or executable by the samba client group.

I changed the /mnt/tank1/ds1 mod to 775 and it worked!

I then changed it back to 770 and added group owner of the parent directory as an aux group of the user accessing samba. This was sufficient as well.

What are security best practices for the folder hierarchy of a pool? Interestingly, the top directory tank1 is defaulted to root/wheel 755. Why would the default allow "Everyone" to read and execute files?

Again, thank you very much!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Windows:
Code:
    const int SEC_DIR_TRAVERSE         = 0x00000020;
    const int SEC_FILE_EXECUTE         = 0x00000020;

See how those are the same number? For files it's "execute" and for directories it's "traverse". If you strip that bit, you can't traverse that _directory_. You can change behavior for this in Windows by manipulating the group policy object "Bypass traverse checking".
This group policy setting will not change the FreeNAS behavior because it's a fundamental aspect of how Unix permissions work.
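The traverse rule discussed in this thread, as an added example that is not part of any post: a Python check that walks every directory leading to a share path and reports the first one the SMB user cannot traverse. The function names are hypothetical, the sample ownership values are constructed, and only mode bits are modelled (NFSv4 ACL entries such as those in the getfacl output are not evaluated).

```python
import os
import stat


def collect(share_path, top="/"):
    """Stat every directory from `top` down to `share_path`, inclusive.
    Returns a list of (path, mode, owner_uid, group_gid) tuples."""
    share_path, top = os.path.realpath(share_path), os.path.realpath(top)
    if os.path.commonpath([share_path, top]) != top:
        raise ValueError("share_path must be inside top")
    rel = os.path.relpath(share_path, top)
    chain, current = [top], top
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        chain.append(current)
    records = []
    for directory in chain:
        st = os.stat(directory)
        records.append((directory, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return records


def can_traverse(mode, owner, group, uid, gids):
    """Unix class selection: owner bits, else group bits, else other bits.
    Only the first matching class is consulted; uid 0 bypasses the check."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def first_blocked(records, uid, gids):
    """Return the first directory the user cannot traverse, or None."""
    for directory, mode, owner, group in records:
        if not can_traverse(mode, owner, group, uid, gids):
            return directory
    return None


# Constructed sample mirroring the thread. The 770 on ds1 and the 755 on tank1
# are from the posts; wata's 770 approximates its getfacl output; all owner and
# group ids and the remaining modes are assumptions.
SAMPLE = [
    ("/mnt", 0o755, 0, 0),
    ("/mnt/tank1", 0o755, 0, 0),
    ("/mnt/tank1/ds1", 0o770, 0, 0),
    ("/mnt/tank1/ds1/smb", 0o755, 0, 0),
    ("/mnt/tank1/ds1/smb/wata", 0o770, 65534, 1005),  # nobody:winshare (assumed ids)
]
# uid 1003 and groups 1003/1005 appear in the smbd log; 1005 = winshare is assumed.
SMB_UID, SMB_GIDS = 1003, {1003, 1005}

if __name__ == "__main__":
    print("blocked at:", first_blocked(SAMPLE, SMB_UID, SMB_GIDS))
    # On the server, as root, against the real tree:
    #   first_blocked(collect("/mnt/tank1/ds1/smb/wata"), 1003, {1003, 1005})
```

Because only the first matching class is consulted, adding the parent directory's group to the user's groups clears the block without opening the directory to everyone, which matches the second fix reported in the thread.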
 