Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

Can't share anything after Upgrade to 11.3: Permissions don't work

Alfons

Cadet
Joined
Mar 29, 2020
Messages
6
So far, I've been running my FreeNAS as a pure backup server that fetches data automatically from my cloud. In the rare cases that I had to actually access data, I used SSH / WinSCP and the root user. Around 3 weeks ago, I've upgraded to 11.3 (Train STABLE) (from 11.2).

I have a Pool DATAPOOL with two subpools that I would like to share: Crypt via SMB and Test1 via Webdav (or anything else - it's only for testing).

Now I'm trying to get some SMB shares up and running. I can log in with my SMB user "CB" in windows (win 10 Pro build 18362) and I see my shares. However, I always got a permission denied, although I've followed instructions in your Video (LINK).
To debug, I set up the WebDav Test share Test1 and again I'm getting "FORBIDDEN: You don't have access to this source".
Finally, I tried to login via SSH with my SMB user "CB" and access the data using Putty. I could login, but when I tried to cd to the shared folder I got again: Permission Denied.

I'm now officially stuck and would really appreciate some help.

Here are my CHMOD Permissions (ls -l):
drwxrwx---+ 11 root wheel 12 Mar 28 16:40 Datapool
drwxrwxr--+ 3 cb cb 8 Feb 23 21:59 Crypt
drwxrwxrwx 2 webdav webdav 2 Mar 28 16:40 Test1

And here my ACL:
# file: Datapool
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow

# file: Crypt
# owner: cb
# group: cb
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:r-----a-R-c--s:-------:allow
everyone@:--------------:fd-----:allow

# file: Test1
# owner: webdav
# group: webdav
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:rwxp--a-R-c--s:-------:allow

The SMB Debug Log says (excerpt, I don't wanna spam the forum):
Code:
[2020/04/04 16:16:02.211523, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:956(smb2_set_operation_credit)
  smb2_set_operation_credit: smb2_set_operation_credit: requested 8, charge 1, granted 8, current possible/max 8121/8192, total granted/max/low/range 79/8192/20/79
[2020/04/04 16:16:02.213697, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3979(smbd_smb2_io_handler)
  smbd_smb2_request idx[1] of 5 vectors
[2020/04/04 16:16:02.213721, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:691(smb2_validate_sequence_number)
  smb2_validate_sequence_number: smb2_validate_sequence_number: clearing id 20 (position 20) from bitmap
[2020/04/04 16:16:02.213741, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:2343(smbd_smb2_request_dispatch)
  smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 20
[2020/04/04 16:16:02.213763,  5, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/04/04 16:16:02.213786,  4, pid=30184, effective(1001, 1002), real(0, 0), class=vfs] ../../source3/smbd/vfs.c:805(vfs_ChDir)
  vfs_ChDir to /mnt/Datapool/Crypt
[2020/04/04 16:16:02.213810,  3, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/smbd/service.c:157(chdir_current_service)
  chdir (/mnt/Datapool/Crypt) failed, reason: Permission denied
[2020/04/04 16:16:02.213831,  0, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/04/04 16:16:02.213852,  3, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:2542
[2020/04/04 16:16:02.213874, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3104(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:3261
[2020/04/04 16:16:02.213897, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:956(smb2_set_operation_credit)
  smb2_set_operation_credit: smb2_set_operation_credit: requested 7, charge 1, granted 7, current possible/max 8114/8192, total granted/max/low/range 85/8192/21/85
[2020/04/04 16:16:04.329771, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3979(smbd_smb2_io_handler)
  smbd_smb2_request idx[1] of 5 vectors
[2020/04/04 16:16:04.329846, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:691(smb2_validate_sequence_number)
  smb2_validate_sequence_number: smb2_validate_sequence_number: clearing id 21 (position 21) from bitmap
[2020/04/04 16:16:04.329871, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:2343(smbd_smb2_request_dispatch)
  smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 21
[2020/04/04 16:16:04.329897,  5, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/smbd/uid.c:326(change_to_user_impersonate)
  change_to_user_impersonate: Skipping user change - already user
[2020/04/04 16:16:04.329919,  4, pid=30184, effective(1001, 1002), real(0, 0), class=vfs] ../../source3/smbd/vfs.c:805(vfs_ChDir)
  vfs_ChDir to /mnt/Datapool/Crypt
[2020/04/04 16:16:04.329958,  3, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/smbd/service.c:157(chdir_current_service)
  chdir (/mnt/Datapool/Crypt) failed, reason: Permission denied
[2020/04/04 16:16:04.329978,  0, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2020/04/04 16:16:04.329998,  3, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_server.c:2542
[2020/04/04 16:16:04.330021, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3104(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:3261
[2020/04/04 16:16:04.330042, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:956(smb2_set_operation_credit)
  smb2_set_operation_credit: smb2_set_operation_credit: requested 6, charge 1, granted 6, current possible/max 8108/8192, total granted/max/low/range 90/8192/22/90
[2020/04/04 16:16:15.972796, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:3979(smbd_smb2_io_handler)
  smbd_smb2_request idx[1] of 5 vectors
[2020/04/04 16:16:15.972905, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:691(smb2_validate_sequence_number)
  smb2_validate_sequence_number: smb2_validate_sequence_number: clearing id 22 (position 22) from bitmap
[2020/04/04 16:16:15.972932, 10, pid=30184, effective(1001, 1002), real(0, 0), class=smb2] ../../source3/smbd/smb2_server.c:2343(smbd_smb2_request_dispatch)
  smbd_smb2_request_dispatch: opcode[SMB2_OP_TDIS] mid = 22
[2020/04/04 16:16:15.972973,  4, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (1001, 1002) - sec_ctx_stack_ndx = 0
[2020/04/04 16:16:15.972998,  5, pid=30184, effective(1001, 1002), real(0, 0)] ../../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (11):
    SID[  0]: S-1-5-21-3838610737-2821999733-1669627128-1007
    SID[  1]: S-1-5-21-3838610737-2821999733-1669627128-513
    SID[  2]: S-1-22-2-1002
    SID[  3]: S-1-22-2-1001
    SID[  4]: S-1-1-0
    SID[  5]: S-1-5-2
    SID[  6]: S-1-5-11
    SID[  7]: S-1-22-1-1001
    SID[  8]: S-1-22-2-90000004
    SID[  9]: S-1-22-2-90000005
    SID[ 10]: S-1-22-2-90000007
   Privileges (0x               0):
   Rights (0x               0):
[2020/04/04 16:16:15.973149,  5, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 1001
  Primary group is 1002 and contains 5 supplementary groups
  Group[  0]: 1002
  Group[  1]: 1001
  Group[  2]: 90000004
  Group[  3]: 90000005
  Group[  4]: 90000007
[2020/04/04 16:16:15.973288,  5, pid=30184, effective(1001, 1002), real(0, 0)] ../../source3/smbd/uid.c:300(print_impersonation_info)
  print_impersonation_info: Impersonated user: uid=(0,1001), gid=(0,1002), cwd=[/var/tmp]
 

Alfons

Cadet
Joined
Mar 29, 2020
Messages
6
Thanks @anodos, this did the trick!
And I've been testing and debugging up and down for a week o_O
 

AltecBX

Patron
Joined
Nov 3, 2014
Messages
262
@Alfons I'm having a similar problem. What's the command to get all those lines that says -------:allow ?
 

AltecBX

Patron
Joined
Nov 3, 2014
Messages
262
Thanks, but it just stays here.
1586030706003.png
 

AltecBX

Patron
Joined
Nov 3, 2014
Messages
262
Is this right? setfacl -m everyone@:rxaRc::allow /mnt/Media-Storage\Media
1586035766799.png


I can access Backup Files folders and sub-folders just fine but I can only see The top folders in Media-Storage, I can't get see it's sub-folder or files.
This is what I get:
1586036013676.png
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,572
That's because you haven't given it any parameters. Do a Google search for getfacl and you'll find the command described in full.
 

AltecBX

Patron
Joined
Nov 3, 2014
Messages
262
That's because you haven't given it any parameters. Do a Google search for getfacl and you'll find the command described in full.
I did when anodos wrote it above, but no matter how many pages I read, it's foreign to me. I'm trying but still can't grasp it. This is why I posted the picture above to see if I was up to something.
 

Alfons

Cadet
Joined
Mar 29, 2020
Messages
6
I did when anodos wrote it above, but no matter how many pages I read, it's foreign to me. I'm trying but still can't grasp it. This is why I posted the picture above to see if I was up to something.

Ok, so you get two layers of security:
the traditional CHMOD unix security.
And then access control lists.

To get the CHMOD access rights, use
ls -l
Then to get the ACL, use getfacl and the path to your folder. So in my case:
getfacl /mnt/Datapool

Please note that my problem was highly specific, most likely caused by me tempering with access rights in an older Freenas version when migrating data via console. Don't jump to conclusions only because a problem "looks" similar - you might put yourself in an even messier situation ;)
 

asw2012

Contributor
Joined
Dec 17, 2012
Messages
167
Permissions are wrong on DATAPOOL. setfacl -m everyone@:rxaRc::allow /mnt/Datapool.
I had the same problem. I imported a pool from 11.2 U8 into a fresh install of 11.3 U1 - could not for the life of me get any SMB shares to work.

Applied that command with my poolname, and poof. worked. thanks!
 

lbagel

Cadet
Joined
Apr 14, 2020
Messages
2
Permissions are wrong on DATAPOOL. setfacl -m everyone@:rxaRc::allow /mnt/Datapool.
This also worked for me. Out of curiosity, what would cause the permissions to become this way? In my case I created a new share a couple of weeks ago and have been fighting this issue with ALL of my shares since. I'm still fairly new to FreeNAS and its permissions, so it could easily be me screwing up and I'd like to know so I don't do it again.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
8,643
This also worked for me. Out of curiosity, what would cause the permissions to become this way? In my case I created a new share a couple of weeks ago and have been fighting this issue with ALL of my shares since. I'm still fairly new to FreeNAS and its permissions, so it could easily be me screwing up and I'd like to know so I don't do it again.
What version of FreeNAS are you on?
 

lbagel

Cadet
Joined
Apr 14, 2020
Messages
2
What version of FreeNAS are you on?
It started for me on 11.2-U7 after creating a new share. I then upgraded to 11.3 as a fresh install, then 11.3-U2, which is what I'm on now. This fix worked for me on 11.3-U2.
 
Top