chdir_current_service: vfs_ChDir(/mnt/.....) failed: Permission denied

Gibon

Cadet
Joined
Sep 20, 2021
Messages
1
Hello,

After update to newest version of truenas I have this problem.

Sep 20 23:35:01 HikStor 1 2021-09-20T23:35:01.475853+02:00 HikStor......local smbd 90464 - - vfs_GetWd: couldn't stat "." error Permission denied (NFS problem ?)
Sep 20 23:35:01 HikStor 1 2021-09-20T23:35:01.476028+02:00 HikStor......local smbd 90464 - - [2021/09/20 23:35:01.476020, 1] ../../source3/smbd/vfs.c:1020(vfs_GetWd)
Sep 20 23:35:01 HikStor 1 2021-09-20T23:35:01.476038+02:00 HikStor.......local smbd 90464 - - vfs_GetWd: couldn't stat "." error Permission denied (NFS problem ?)
Sep 20 23:35:16 HikStor 1 2021-09-20T23:35:16.776659+02:00 HikStor.......local smbd 90464 - - [2021/09/20 23:35:16.776569, 0] ../../source3/smbd/service.c:171(chdir_current_service)
Sep 20 23:35:16 HikStor 1 2021-09-20T23:35:16.776693+02:00 HikStor.......local smbd 90464 - - chdir_current_service: vfs_ChDir(/mnt/RZ2-8x16T/VOL4) failed: Permission denied. Current token: uid=100004109, gid=100000516, 5 groups: 100004109 100000516 90000004 90000005 90000035


Has anyone encountered such a problem and can solve it without removing the pools?
 

w.reidlinger

Dabbler
Joined
Nov 23, 2018
Messages
10
I also ran into a chdir_current_service: vfs_ChDir(/mnt/.....) failed: Permission denied problem.

Here are the facts about my setup:
  • TrueNAS-12.0-U8.1
  • (modern zfs) encrypted dataset on a HDD pool (/mnt/pool1-HDD/backup/backupserver/monitor)
    • backup is also a dataset with a different owner
      • backupserver is a child dataset of backup with a different owner
        • monitor is a child dataset of backupserver with the user backup-checkmk as owner
  • all levels of datasets have ACL active
  • user used to access the samba share is owner (backup-checkmk | uid=1004, gid=1004) of the dataset and all files in it
  • dataset is shared via samba service (share name: backup-monitor)

TrueNAS:

Pool Status:

Code:
root@truenas[~]# zpool status -v pool1-HDD
  pool: pool1-HDD
state: ONLINE
config:

NAME                                            STATE     READ WRITE CKSUM
pool1-HDD                                       ONLINE       0     0     0
raidz1-0                                      ONLINE       0     0     0
gptid/140d3d30-b98b-11ec-ab62-901b0e2c4a8e  ONLINE       0     0     0
gptid/141a10a1-b98b-11ec-ab62-901b0e2c4a8e  ONLINE       0     0     0
gptid/1429f218-b98b-11ec-ab62-901b0e2c4a8e  ONLINE       0     0     0

errors: No known data errors


Samba Share:
Code:
root@truenas[~]# sharesec --view-all
[backup-monitor]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL


Shell view of the dataset:
Code:
root@truenas[~]# ls -lah /mnt/pool1-HDD/backup/backupserver/monitor
total 33
drwxrwx---+ 3 backup-checkmk  backup-checkmk     3B Apr 13 17:04 .
drwxrwx---+ 7 wolfgang        wolfgang           7B Apr 14 20:34 ..
drwxrwx---+ 2 backup-checkmk  backup-checkmk     4B Apr 13 16:27 Check_MK-monitor-location-cmkadmin



ACL for the dataset which is the file base for the samba share I want to mount on the Ubuntu machine.
Code:
root@truenas[~]# getfacl /mnt/pool1-HDD/backup/backupserver/monitor
# file: /mnt/pool1-HDD/backup/backupserver/monitor
# owner: backup-checkmk
# group: backup-checkmk
group:wolfgang:rwxpDdaARWcCos:fd-----:allow
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow


Errors found in /var/log/samba4/log.smbd

Code:
[2022/04/14 20:32:08.337782,  2] ../../source3/auth/auth.c:329(auth_check_ntlm_password) check_ntlm_password:  authentication for user [backup-checkmk] -> [backup-checkmk] -> [backup-checkmk] succeeded
[2022/04/14 20:32:08.344039,  2] ../../source3/param/loadparm.c:2872(lp_do_section) Processing section "[backup-monitor]"
[2022/04/14 20:32:08.358839,  2] ../../source3/smbd/service.c:863(make_connection_snum) (ipv4:10.0.0.12:54646) connect to service backup-monitor initially as user backup-checkmk (uid=1004, gid=1004) (pid 4202)
[2022/04/14 20:32:08.359150,  0] ../../source3/smbd/service.c:169(chdir_current_service) chdir_current_service: vfs_ChDir(/mnt/pool1-HDD/backup/backupserver/monitor) failed: Permission denied. Current token: uid=1004, gid=1004, 5 groups: 545 1004 90000133 90000134 90000136
[2022/04/14 20:32:08.359730,  2] ../../source3/smbd/service.c:1138(close_cnum) (ipv4:10.0.0.12:54646) closed connection to service backup-monitor


  • auth_check_ntlm_password) check_ntlm_password: authentication for user [backup-checkmk] -> [backup-checkmk] -> [backup-checkmk] succeeded -> seems the password is correct!!
  • vfs_ChDir(/mnt/pool1-HDD/backup/backupserver/monitor) failed: Permission denied. -> why??

Ubuntu server:

Code:
apt-get install cifs-utils


Mount via terminal is not working, resulting in the smbd error shown above.
Code:
root@monitor:/mnt/backup# mount.cifs -o username=backup-checkmk,password=******* //10.0.0.10/backup-test /mnt/backup-checkmk --verbose
mount.cifs kernel mount options: ip=10.0.0.10,unc=\\10.0.0.10\backup-monitor,user=backup-checkmk,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


Mount via /etc/fstab and mount -a is also not working.
Code:
//10.0.0.10/backup-monitor  /mnt/backup           cifs  rw,uid=999,gid=1001,username=backup-checkmk,password=****,vers=3.0 0 0


Code:
root@monitor:/mnt# mount -a
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


dmesg output:
Code:
kern  :err   : [Thu Apr 14 21:56:30 2022] CIFS VFS: validate protocol negotiate failed: -13
kern  :err   : [Thu Apr 14 21:56:30 2022] CIFS VFS: cifs_mount failed w/return code = -5


When I try a wrong password, I'm getting a different error:
Code:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


dmesg:
Code:
kern  :notice: [Thu Apr 14 22:01:37 2022] Status code returned 0xc000006d STATUS_LOGON_FAILURE
kern  :err   : [Thu Apr 14 22:01:37 2022] CIFS VFS: Send error in SessSetup = -13
kern :err : [Thu Apr 14 22:01:37 2022] CIFS VFS: cifs_mount failed w/return code = -13


A test from a different linux client is working.
Code:
rpcclient -U backup-checkmk -c netshareenum 10.0.0.10

netname: backup-monitor
        remark: SMB Share for data backup
        path:   C:\mnt\pool1-HDD\backup\backupserver\monitor
        password:



Also tried a lot of different mount options (sec=ntlm, vers=3.0 etc)

Anyone any ideas??
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This almost always means that the user you're trying to authenticate as lacks execute (x) permissions on some path component leading to the share.
 

w.reidlinger

> This almost always means that the user you're trying to authenticate as lacks execute (x) permissions on some path component leading to the share.

@anodos thanks for the fast response. As you can see in the output I posted, the (x) permission is present in the root directory of the samba share, and the ACL is also set to Full Control via the ACL editor. Does the parent directory / dataset need the (x) permission for the user who wants to access it? The permissions for everyone are set to ---, so no permissions.

Code:
root@truenas[...pool1-HDD/backup/backupserver/monitor]# ll
total 33
drwxrwx---+ 3 backup-checkmk  backup-checkmk  uarch 3 Apr 13 17:04 ./
drwxrwx---+ 7 wolfgang        wolfgang        uarch 7 Apr 14 20:34 ../     --->>>> ???????????
drwxrwx---+ 2 backup-checkmk  backup-checkmk  uarch 4 Apr 13 16:27 Check_MK-monitor-check


Parent directory / dataset:

Code:
root@truenas[/mnt/pool1-HDD/backup/backupserver]# ll
total 77
drwxrwx---+ 7 wolfgang          wolfgang          uarch 7 Apr 14 20:34 ./
drwxrwx---+ 4 wolfgang          wolfgang          uarch 4 Apr 13 13:18 ../
drwxrwx---+ 2 backup-nextcloud  backup-nextcloud  uarch 2 Apr 13 13:20 cloud/
drwxrwx---+ 4 backup-hosting    backup-hosting    uarch 4 Apr 13 16:50 hosting/
drwxrwx---+ 3 backup-checkmk    backup-checkmk    uarch 3 Apr 13 17:04 monitor/
 

anodos

What is getfacl output for
Code:
/mnt/pool1-HDD
/mnt/pool1-HDD/backup
/mnt/pool1-HDD/backup/backupserver

?

Or if you want to quickly smoke-test you can
Code:
su backup-checkmk
cd /mnt/pool1-HDD/backup/backupserver/monitor

If that fails, then you are missing execute on one of the above paths.
 

w.reidlinger

Code:
root@truenas[/mnt/pool1-HDD]# getfacl /mnt/pool1-HDD
# file: /mnt/pool1-HDD
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow


root@truenas[/mnt/pool1-HDD]# ll /mnt/pool1-HDD
total 87
drwxr-xr-x   6 root      wheel     uarch   6 Apr 13 15:30 ./



Code:
root@truenas[/mnt/pool1-HDD]# getfacl /mnt/pool1-HDD/backup
# file: /mnt/pool1-HDD/backup
# owner: wolfgang
# group: wolfgang
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow


root@truenas[/mnt/pool1-HDD]# ll /mnt/pool1-HDD/backup  
total 44
drwxrwx---+ 4 wolfgang  wolfgang  uarch 4 Apr 13 13:18 ./


Code:
root@truenas[/mnt/pool1-HDD]# getfacl /mnt/pool1-HDD/backup/backupserver
# file: /mnt/pool1-HDD/backup/backupserver
# owner: wolfgang
# group: wolfgang
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow


root@truenas[/mnt/pool1-HDD]# ll /mnt/pool1-HDD/backup/backupserver  
total 77
drwxrwx---+ 7 wolfgang          wolfgang          uarch 7 Apr 14 20:34 ./



Because /mnt/pool1-HDD/backup/backupserver/monitor is the root path of the samba share, I thought putting the ACL there was enough.
Code:
root@truenas[/mnt/pool1-HDD]# getfacl /mnt/pool1-HDD/backup/backupserver/monitor
# file: /mnt/pool1-HDD/backup/backupserver/monitor
# owner: backup-checkmk
# group: backup-checkmk
group:wolfgang:rwxpDdaARWcCos:fd-----:allow
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow


root@truenas[/mnt/pool1-HDD]# ll /mnt/pool1-HDD/backup/backupserver/monitor  
total 33
drwxrwx---+ 3 backup-checkmk  backup-checkmk  uarch 3 Apr 13 17:04 ./


The smoke test failed, so there is the problem, but how to fix it in a secure way? Do I have to put the (x) permission in every parent dataset for the user backup-checkmk or the (x) for @Everyone?

Code:
truenas% id
uid=1004(backup-checkmk) gid=1004(backup-checkmk) groups=1004(backup-checkmk),545(builtin_users)

truenas% ls -lah /mnt/pool1-HDD/backup/backupserver/monitor   
ls: /mnt/pool1-HDD/backup/backupserver/monitor: Permission denied
 

anodos

> Because /mnt/pool1-HDD/backup/backupserver/monitor is the root path of the samba share, I thought putting the ACL there was enough.

No, that's not how permissions work on Unix-like OSes (Linux, FreeBSD, MacOS, etc). Even if you have no ACLs at all, the lack of execute would prevent chdir().
If you look at our ACL editor, there's a permissions set labelled TRAVERSE. You can add non-inheriting to ACL on each dataset mountpoint.

Alternatively, you can
setfacl -a 0 everyone@:xaRc::allow <path> for each of the above paths.
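
The diagnosis above, as an added example that is not part of the original posts: a small Python check that reads the getfacl text quoted in this thread and reports the first path component a user cannot traverse. The function names and the simplified evaluation model (ordered ACEs, the first matching ACE that names the x bit decides, inherit-only ACEs skipped) are assumptions made for illustration.

```python
import re

# getfacl output quoted in the thread (NFSv4 ACLs); "# file:" lines omitted.
ROOT = """# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow"""
PARENT = """# owner: wolfgang
# group: wolfgang
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow"""
SHARE = """# owner: backup-checkmk
# group: backup-checkmk
group:wolfgang:rwxpDdaARWcCos:fd-----:allow
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow"""
CHAIN = [("/mnt/pool1-HDD", ROOT), ("/mnt/pool1-HDD/backup", PARENT),
         ("/mnt/pool1-HDD/backup/backupserver", PARENT),
         ("/mnt/pool1-HDD/backup/backupserver/monitor", SHARE)]

def can_traverse(acl_text, user, groups):
    """Simplified model (assumption): walk the ACEs in order; the first one
    that matches the user and names the x bit decides. No match means denied.
    Privileged accounts such as root are not modelled."""
    meta = dict(re.findall(r"^# (owner|group): (.+)$", acl_text, re.M))
    for line in acl_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        *who, perms, flags, kind = line.split(":")
        if "i" in flags or "x" not in perms:  # inherit-only ACEs skip this dir
            continue
        tag, name = who[0], who[-1]
        if (tag == "everyone@"
                or (tag == "owner@" and meta["owner"] == user)
                or (tag == "group@" and meta["group"] in groups)
                or (tag == "user" and name == user)
                or (tag == "group" and name in groups)):
            return kind == "allow"
    return False

def first_blocked(chain, user, groups):
    """Return the first path component the user cannot traverse, or None."""
    return next((p for p, a in chain if not can_traverse(a, user, groups)), None)

if __name__ == "__main__":
    print(first_blocked(CHAIN, "backup-checkmk", {"backup-checkmk", "builtin_users"}))
```

For backup-checkmk the check stops at /mnt/pool1-HDD/backup, which matches the failed `su` smoke test; with a non-inheriting `everyone@:xaRc::allow` entry added to both parent datasets, every component passes while read and write on the parents stay closed.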
 

w.reidlinger

> setfacl -a 0 everyone@:xaRc::allow <path> for each of the above paths.

@anodos thanks for the troubleshooting. I did the following and now everything is working.

Code:
setfacl -a 0 everyone@:xaRc::allow /mnt/pool1-HDD/backup/backupserver/
setfacl -a 0 everyone@:xaRc::allow /mnt/pool1-HDD/backup/
 

sukarechhe

Dabbler
Joined
Nov 16, 2021
Messages
35
It seems I still get the same error at my end after using setfacl for @Everyone = Traverse.

The error in my log.smbd is as below:
--------------------------------------------------------------
[2022/05/03 22:03:34.293557, 1] ../../source3/smbd/vfs.c:1020(vfs_GetWd)
vfs_GetWd: couldn't stat "." error Permission denied (NFS problem ?)

--------------------------------------------------------------

[2022/05/03 22:03:34.476859, 0] ../../source3/smbd/service.c:171(chdir_current_service)
chdir_current_service: vfs_ChDir(/mnt/Pool/Share) failed: Permission denied. Current token: uid=100001482, gid=100000516, 5 groups: 100001482 100000516 90000001 90000002 90000004

I would appreciate it if someone could look into this. Thanks in advance.
 

anodos

> It seems I still get the same error at my end after using setfacl for @Everyone = Traverse.
>
> The error in my log.smbd is as below:
> --------------------------------------------------------------
> [2022/05/03 22:03:34.293557, 1] ../../source3/smbd/vfs.c:1020(vfs_GetWd)
> vfs_GetWd: couldn't stat "." error Permission denied (NFS problem ?)
>
> --------------------------------------------------------------
>
> [2022/05/03 22:03:34.476859, 0] ../../source3/smbd/service.c:171(chdir_current_service)
> chdir_current_service: vfs_ChDir(/mnt/Pool/Share) failed: Permission denied. Current token: uid=100001482, gid=100000516, 5 groups: 100001482 100000516 90000001 90000002 90000004
>
> I would appreciate it if someone could look into this. Thanks in advance.

What version of TrueNAS is this?
 

sukarechhe

> If you run the following two commands in an SSH session, do they succeed:
> Code:
> su 100001482
> cd /mnt/Pool/Share

Thanks for the response:
root@nas5[/var/log/samba4]# su 100001482
su: unknown login: 100001482

I'm using a domain user to access the shared path. I think su won't work for users that are fetched from AD. I believe so. Kindly advise.

Regards.
 

anodos

> Thanks for the response:
> root@nas5[/var/log/samba4]# su 100001482
> su: unknown login: 100001482
>
> I'm using a domain user to access the shared path. I think su won't work for users that are fetched from AD. I believe so. Kindly advise.
>
> Regards.

It should work unless the bind is having problems. You can run `id 100001482` to see what user that is.
 

sukarechhe

root@nas5[~]# id 100001482
uid=100001482(DOMAIN\computer1$) gid=100000516(DOMAIN\domain computers) groups=100000516(DOMAIN\domain computers),100001482(DOMAIN\computer1$)
 

anodos

> root@nas5[~]# id 100001482
> uid=100001482(DOMAIN\computer1$) gid=100000516(DOMAIN\domain computers) groups=100000516(DOMAIN\domain computers),100001482(DOMAIN\computer1$)

Okay. That's often a local Windows application that is trying to use the local system (superuser) account to perform an operation and isn't checking whether it's over SMB protocol. In this case, account is switched to the AD computer account (which isn't a member of Domain Users for example). It's failing to chdir into the specified path, which is probably what's expected depending on filesystem permissions on that path and parent paths.
 

sukarechhe

Another thing which I observe: on restarting TrueNAS, it automatically removes the domain and I have to join the domain again, after which users can access the shared path. It seems weird, but that is the second issue. As you said, for SMB protocol for client it is the latest one, and for AD users I have set permissions except "full", so do you think that is the issue?
 

anodos

> Another thing which I observe: on restarting TrueNAS, it automatically removes the domain and I have to join the domain again, after which users can access the shared path. It seems weird, but that is the second issue. As you said, for SMB protocol for client it is the latest one, and for AD users I have set permissions except "full", so do you think that is the issue?

We don't remove ourselves from the domain. It might mean that there is an issue with initializing some other part of the server though (our domain secrets are stored in system dataset -- if that fails to get properly initialized then join will be "lost").
 

sukarechhe

Ok, got it. I see my domain function level is 2008, does it make any sense for that issue? Kindly suggest. Thanks in advance.
 

anodos

It's easier if you post `getfacl` output for the paths in question
/mnt/Pool
/mnt/Pool/Share
^^^ need to see actual permissions for both of those.
 