Is this an ACL bug?

SitQ80

Dabbler
Joined
Nov 3, 2021
Messages
15
Version: TrueNAS-SCALE-22.02-RC.1
I use the NFSv4 Passthrough ACL setting.

For example, I create two groups, g1 and g2, and one user, u1.

u1 belongs to both groups: g1 (primary group) and g2 (auxiliary group).

I create a dataset:
1. When the ACL grants full control only to g1, I can open this folder through SMB.
2. When the ACL grants full control only to g2, I cannot open this folder through SMB.

Is this a bug? I want a user to be in multiple groups, and when any one of those groups meets the conditions, to be able to open the folder.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Works for me
Code:
root@truenas[~]# id smbuser
uid=1000(smbuser) gid=1000(smbuser) groups=545(builtin_users),1000(smbuser)
root@truenas[~]# nfs4xdr_getfacl /mnt/dozer/NFS4
# File: /mnt/dozer/NFS4
# owner: 0
# group: 10000
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
group:builtin_users:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWc--s:fd-----:allow
root@truenas[~]# smbclient //127.0.0.1/SHARE -U smbuser
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Password for [WORKGROUP\smbuser]:
Try "help" to get a list of possible commands.
smb: \> mkdir testdir2
smb: \> exit
 

SitQ80

Dabbler
Joined
Nov 3, 2021
Messages
15
Works for me
Code:
root@truenas[~]# id smbuser
uid=1000(smbuser) gid=1000(smbuser) groups=545(builtin_users),1000(smbuser)
root@truenas[~]# nfs4xdr_getfacl /mnt/dozer/NFS4
# File: /mnt/dozer/NFS4
# owner: 0
# group: 10000
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
group:builtin_users:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWc--s:fd-----:allow
root@truenas[~]# smbclient //127.0.0.1/SHARE -U smbuser
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Password for [WORKGROUP\smbuser]:
Try "help" to get a list of possible commands.
smb: \> mkdir testdir2
smb: \> exit
I use the Windows SMB client; the command line is a bit complicated for me. Is there no better official solution?
 

SitQ80

Dabbler
Joined
Nov 3, 2021
Messages
15
I tried to understand it and used the command line again, but it still doesn't work (with the SMB client that comes with Windows):


root@truenas[~]# id hsf
uid=1000(hsf) gid=1000(user) groups=545(builtin_users),1001(admin),1000(user)
root@truenas[~]# nfs4xdr_getfacl /mnt/SU9Xpj/public
# File: /mnt/SU9Xpj/public
# owner: 0
# group: 0
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWc--s:fd-----:allow
group:admin:rwxpDdaARWcCos:fd-----:allow
owner@:rwxpDdaARWcCos:fd-----:allow
root@truenas[~]#
 

SitQ80

Dabbler
Joined
Nov 3, 2021
Messages
15
Works for me
Code:
root@truenas[~]# id smbuser
uid=1000(smbuser) gid=1000(smbuser) groups=545(builtin_users),1000(smbuser)
root@truenas[~]# nfs4xdr_getfacl /mnt/dozer/NFS4
# File: /mnt/dozer/NFS4
# owner: 0
# group: 10000
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
group:builtin_users:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWc--s:fd-----:allow
root@truenas[~]# smbclient //127.0.0.1/SHARE -U smbuser
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Password for [WORKGROUP\smbuser]:
Try "help" to get a list of possible commands.
smb: \> mkdir testdir2
smb: \> exit
Finally found it: Linux is normal, Windows is not. Using a mapped SMB drive in Windows, the folder cannot be opened.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
For example, in PowerShell:
Code:
PS C:\Windows\system32> Get-SmbConnection

ServerName   ShareName UserName     Credential    Dialect NumOpens
----------   --------- --------     ----------    ------- --------
192.168.0.57 IPC$      BILLY\joiner BILLY\smbuser 3.1.1   1
192.168.0.57 share     BILLY\joiner BILLY\smbuser 3.1.1   2


Code:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\joiner> cd \\192.168.0.57\SHARE
PS Microsoft.PowerShell.Core\FileSystem::\\192.168.0.57\SHARE> ls


    Directory: \\192.168.0.57\SHARE


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/30/2021  11:51 AM                BILLY
d-----       10/20/2021   6:36 AM                foo
d-----         6/8/2021  10:07 AM                homes
d-----       10/17/2021   5:35 AM                smbuser
d-----        6/14/2021   9:45 AM                test
d-----       10/28/2021   1:08 PM                testdir1
d-----        11/3/2021   3:18 AM                testdir2


PS Microsoft.PowerShell.Core\FileSystem::\\192.168.0.57\SHARE> rmdir testdir2
PS Microsoft.PowerShell.Core\FileSystem::\\192.168.0.57\SHARE> ls


    Directory: \\192.168.0.57\SHARE


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/30/2021  11:51 AM                BILLY
d-----       10/20/2021   6:36 AM                foo
d-----         6/8/2021  10:07 AM                homes
d-----       10/17/2021   5:35 AM                smbuser
d-----        6/14/2021   9:45 AM                test
d-----       10/28/2021   1:08 PM                testdir1
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
ACL on my share can be viewed via Windows:
Code:
PS Microsoft.PowerShell.Core\FileSystem::\\192.168.0.57\share> Get-Acl . | format-list


Path   : Microsoft.PowerShell.Core\FileSystem::\\192.168.0.57\share
Owner  : O:S-1-22-1-0
Group  : G:S-1-22-2-10000
Access : CREATOR OWNER Allow  FullControl
         CREATOR GROUP Allow  DeleteSubdirectoriesAndFiles, Modify, Synchronize
         S-1-5-21-810430591-2926651391-2835446198-10000 Allow  FullControl
         S-1-22-1-0 Allow  FullControl
         S-1-22-2-10000 Allow  DeleteSubdirectoriesAndFiles, Modify, Synchronize
Audit  :
Sddl   : O:S-1-22-1-0G:S-1-22-2-10000D:(A;OICIIO;FA;;;CO)(A;OICIIO;0x1301ff;;;CG)(A;OICI;FA;;;S-1-5-21-810430591-292665
         1391-2835446198-10000)(A;;FA;;;S-1-22-1-0)(A;;0x1301ff;;;S-1-22-2-10000)


You can see here:
Code:
root@truenas[~]# midclt call smb.groupmap_list | jq .local
{
  "545": {
    "nt_name": "builtin_users",
    "sid": "S-1-5-21-810430591-2926651391-2835446198-10000",
    "gid": 545,
    "group_type_int": 4,
    "comment": "",
    "unix_group": "builtin_users",
    "group_type_str": "Local Group"
  }

That builtin_users (SID S-1-5-21-810430591-2926651391-2835446198-10000) has full control per the Windows client, which also matches what I see from the CLI.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
So... tl;dr, it's not an ACL bug as far as I can tell. You probably need to break down what you're seeing into all the possible ways the session can go wrong. For instance, Windows may not be authenticating with the user you think it is. Permissions on /mnt/SU9Xpj may be wrong, etc., etc.
 
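One way to reproduce the ACE matching this thread hinges on, added here as an example and not code from the thread or from TrueNAS: it parses `id` and nfs4xdr_getfacl text (a constructed sample modelled on the posts above) and applies ordered, first-match NFSv4 evaluation, in which group@ and group:NAME entries match on any membership, primary or auxiliary. It assumes the nfs4xdr_getfacl layout shown in the thread and treats 'i' in the flags field as the inherit-only flag.

```python
# Added example, not code from the thread: which NFSv4 ACEs from nfs4xdr_getfacl
# apply to a user (memberships taken from `id`), and which requested bits they grant.
import re

# Constructed sample shaped like the thread's `id` and nfs4xdr_getfacl output.
ID_OUTPUT = "uid=1000(hsf) gid=1000(user) groups=545(builtin_users),1001(admin),1000(user)"
ACL_OUTPUT = """# File: /mnt/SU9Xpj/public
# owner: 0
# group: 0
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWc--s:fd-----:allow
group:admin:rwxpDdaARWcCos:fd-----:allow
"""

def parse_id(line):
    # uid, set of gids, set of group names; primary and auxiliary groups alike
    uid = int(re.search(r"uid=(\d+)", line).group(1))
    members = re.findall(r"(\d+)\(([^)]+)\)", line.split("groups=", 1)[1])
    return uid, {int(g) for g, _ in members}, {n for _, n in members}

def parse_acl(text):
    # owner uid, owning gid, ordered list of (principal, perms, flags, kind)
    meta, aces = {}, []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, val = line.lstrip("# ").partition(": ")
            meta[key] = val
        elif line.strip():
            aces.append(tuple(line.strip().rsplit(":", 3)))
    return int(meta["owner"]), int(meta["group"]), aces

def ace_applies(principal, flags, uid, gids, names, owner, group):
    # Inherit-only ('i') entries shape new children and never apply to the object itself.
    if "i" in flags:
        return False
    special = {"everyone@": True, "owner@": uid == owner, "group@": group in gids}
    kind, _, name = principal.partition(":")      # "group:admin" -> ("group", "admin")
    return special.get(principal, kind == "group" and name in names)

def check(id_line, acl_text, wanted="rx"):
    # Walk ACEs in order; each requested bit is settled by the first ACE that names it.
    uid, gids, names = parse_id(id_line)
    owner, group, aces = parse_acl(acl_text)
    granted, denied = set(), set()
    for principal, perms, flags, kind in aces:
        if ace_applies(principal, flags, uid, gids, names, owner, group):
            for bit in wanted:
                if bit in perms and bit not in granted | denied:
                    (granted if kind == "allow" else denied).add(bit)
    return granted
```

This models the ACL only; as anodos notes, the session may be authenticated as a different user than expected, and share and parent-directory permissions still apply.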

SitQ80

Dabbler
Joined
Nov 3, 2021
Messages
15
Thank you very much. I switched to another computer and tried to map the network drive, and it succeeded. Maybe it is a problem with my computer's system.

Thank you, bro.
 

SitQ80

Dabbler
Joined
Nov 3, 2021
Messages
15
Unfortunately, the other computer accessed it normally at first, but after a few minutes I was suddenly told that I did not have permission to access this directory. The same symptom as with the previous computer.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Unfortunately, the other computer accessed it normally at first, but after a few minutes I was suddenly told that I did not have permission to access this directory. The same symptom as with the previous computer.
Hmm... the Windows GUI errors do not always match what's actually happening. Sounds like a network issue. Perhaps a durable reconnect failure. Maybe check that your NIC in Windows isn't configured to go into power-saving mode, and review the logs on our side. The SMB server's logs are at /var/log/samba4/log.smbd. /var/log/messages may give some clues. You can disable durable handles on the share and restart the SMB server to see if the error messages change. Windows Event Viewer can also give some clues.

If you provide full networking details perhaps someone on the forums can give more detailed help on that side (I primarily come here to keep an eye open for software bugs).
 