CIFS and LDAP

Status
Not open for further replies.

bkp

Dabbler
Joined
May 8, 2014
Messages
33
I am using 9.2.1.5. I have LDAP set up and things like SSH are working fine. getent passwd/group shows me all my ldap users and groups. However, CIFS isn't working right. It does appear to grab the ldap user and primary group. However, it won't read any other groups. So if I have a folder/file that has permissions for, say, group1, if a user does not have group1 as their primary group, even if they are a part of that group otherwise, they cannot access that folder/file.

Has anyone run into this yet? I'm not sure what info I can give you. Here is what smb.conf looks like:

[global]
server max protocol = SMB3
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 11070
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = www
map to guest = Bad User
obey pam restrictions = Yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
map archive = no
map readonly = no
map hidden = no
map system = no
unix extensions = no
acl allow execute always = true
server role = member server
security = user
passdb backend = ldapsam:ldap://172.16.10.11
ldap admin dn = uid=auth,ou=System,dc=boxcarpress,dc=com
ldap suffix = dc=boxcarpress,dc=com
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
ldapsam:trusted = yes
idmap uid = 10000-39999
idmap gid = 10000-39999
netbios name = OFFICE1
workgroup = WORKGROUP
pid directory = /var/run/samba
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = iso-8859-1
log level = 3

[office]
path = /mnt/boxraid/office
printable = no
veto files = /.snap/.windows/.zfs/
writeable = yes
browseable = yes
inherit owner = no
inherit permissions = no
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
inherit acls = yes
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
zfsacl:acesort = dontcare
 

bkp
My LDAP is set up for samba. We use samba on two other servers which authenticate against LDAP.
 

bkp
I checked and AFP seems to handle all the groups correctly. So this appears to be something to do with samba and either the way I have it set up or there is a bug. Since no one else seems to be having this problem I can only conclude it is me. If anyone has any hints I'm all ears.
 

dlavigne

Guest
It might be a bug, as it's possible no one has reported a secondary-group issue yet. If you don't see something similar at bugs.freenas.org, it is worth opening a ticket and posting the issue number here. Include your smb.conf in the ticket.
 

bkp
Has anyone else seen this? Anyone? Maybe I just have the settings wrong?
 

bkp
I created a test share and set the follow acls:

# file: test/
# owner: root
# group: wheel
group:management:rwxpDdaARWcCos:fd----:allow
group:it:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c---:------:allow
group@:rwxpD-a-R-c---:------:allow
owner@:rwxpD-aARWcCo-:------:allow

If my user is a part of both it and management, and management is my primary group, I can get in.
If I remove the management acl, even though I am a part of the it group, I can no longer access the file.

I've tried everything I can think of.
 
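The behaviour bkp describes above is exactly what NFSv4 ACL evaluation produces when the process token contains only the primary group. The following is an added example, not code from the thread or from FreeNAS/Samba: a small evaluator for the getfacl-style ACL posted above, run with two different group tokens. The username "alice" and the requested permission bits are assumptions; the ACL text is the one from the post.

```python
# Added example (not from the thread): evaluate an NFSv4 ACL in the
# getfacl format shown on FreeNAS/ZFS against a user's group token, to
# show why access hinges on which groups Samba puts in that token.

PERM_ORDER = "rwxpDdaARWcCos"  # letter positions in the 14-char permission field


def parse_acl(text):
    """Parse getfacl-style NFSv4 ACL lines into a list of ACE dicts."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] in ("owner@", "group@", "everyone@"):
            tag, name = fields[0], None
            perms, flags, kind = fields[1:4]
        else:
            tag, name, perms, flags, kind = fields[:5]  # user:NAME or group:NAME
        if len(perms) != len(PERM_ORDER):
            raise ValueError("bad permission field: %r" % perms)
        aces.append({
            "tag": tag,
            "name": name,
            "perms": {p for p, c in zip(PERM_ORDER, perms) if c == p},
            "flags": set(flags.replace("-", "")),
            "kind": kind,
        })
    return aces


def ace_applies(ace, user, groups, owner, owning_group):
    """Does this ACE's principal match the user and their group token?"""
    tag = ace["tag"]
    if tag == "owner@":
        return user == owner
    if tag == "group@":
        return owning_group in groups
    if tag == "everyone@":
        return True
    if tag == "user":
        return ace["name"] == user
    if tag == "group":
        return ace["name"] in groups
    return False


def check_access(aces, wanted, user, groups, owner, owning_group):
    """NFSv4 ordering: the first applicable ACE that mentions a requested
    bit decides that bit; any deny on a still-undecided bit refuses access."""
    undecided = set(wanted)
    for ace in aces:
        if "i" in ace["flags"]:  # inherit-only ACEs do not apply to this object
            continue
        if not ace_applies(ace, user, groups, owner, owning_group):
            continue
        hit = undecided & ace["perms"]
        if not hit:
            continue
        if ace["kind"] == "deny":
            return False
        undecided -= hit
        if not undecided:
            return True
    return not undecided


# The ACL from the post above (constructed copy for this example).
TEST_ACL = """\
# file: test/
# owner: root
# group: wheel
group:management:rwxpDdaARWcCos:fd----:allow
group:it:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c---:------:allow
group@:rwxpD-a-R-c---:------:allow
owner@:rwxpD-aARWcCo-:------:allow
"""


def scenarios():
    """Entering and listing a directory needs r and x. Returns {case: allowed}."""
    full = parse_acl(TEST_ACL)
    without_mgmt = [a for a in full
                    if not (a["tag"] == "group" and a["name"] == "management")]
    want = {"r", "x"}
    user, owner, grp = "alice", "root", "wheel"  # assumed names
    return {
        # token holds primary (management) and supplementary (it) group
        "both groups, full ACL":
            check_access(full, want, user, {"management", "it"}, owner, grp),
        # correct token, management ACE removed: the it ACE still grants access
        "full token, management ACE removed":
            check_access(without_mgmt, want, user, {"management", "it"}, owner, grp),
        # token with only the primary group, as the thread observed Samba doing
        "primary-only token, management ACE removed":
            check_access(without_mgmt, want, user, {"management"}, owner, grp),
    }


if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print("%-45s %s" % (case, "allowed" if allowed else "denied"))
```

The third case reproduces the symptom: with the management ACE gone, nothing left in the ACL matches a token that carries only the primary group (everyone@ grants no r or x, group@ is wheel, owner@ is root), so the ACL is correct and the missing supplementary group is what denies access.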

bkp
Ok, I think I found the problem. When I run:

net rpc group members group_name

I find that some groups show up. However, a lot of groups aren't showing up. I've checked it out and it seems the groups not showing up are the ones that are being denied access. Not sure why they aren't showing up. A few didn't have sambaSIDs, but I was able to correct that (in LDAP, where the group/user data is coming from). However, there are a few with samba data that aren't showing up either.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
How much RAM does your box have? Ideally I'd like to think you have 10 GB of RAM or more... ;)
 

bkp
Dlavigne, Ha! That's my bug :) But now I'm starting to think that it isn't a bug after all. Not having group members show would definitely create the problem I'm seeing.

Cyberjock, there is 8 GB. Do you think that might be it? I'm going to be poking around some more today, so hopefully I'll have a better idea what's going on.
 

cyberjock
Cyberjock, there is 8 GB. Do you think that might be it? I'm going to be poking around some more today, so hopefully I'll have a better idea what's going on.

To be honest, it's just a guess. I just threw it out there as something to think about. If you have some spare RAM lying around that you could throw in temporarily just to see if things change I'd give it a shot.

Usually, but not always, the problems with LDAP, AD and the like are that the domain has something configured in a weird/screwed-up/bizarre way that makes it not compatible with FreeNAS, or the setup of FreeNAS to work with account authentication and permissions is not set up properly. There are obvious exceptions, but those are the two most common problems.
 

bkp
cyberjock, looks like you hit the nail on the second guess. I found that some of the groups had members that were no longer available (they were moved to an "inactive" ou). Once I removed the member, net rpc group members showed the members of some of the groups.

There are a couple of groups that are still not working and I'm tracking that down.
 

bkp
Ok, all the members are showing up for my groups using net rpc group members [group name].

But still the original problem exists. Unless my primary group has permissions to access the particular folder/file I will get access denied :(
 

cyberjock
Sorry, you're kind of on your own. I'm working on a permissions primer, but there's no current ETA on it right now. I'd like to think before the end of the month, but time will tell.
 

bkp
The thing I'm stuck on is how can this be happening on just my machine? I've seen other people run into this, but only on older versions of samba. getent, id, net rpc, everything is showing the correct groups, mappings, memberships, etc. Just samba doesn't seem to be reading anything beyond the primary group. I have samba running just fine on ubuntu servers with ldap and acls. Really odd.
 

cyberjock
Well, since there's a boatload of ways for permissions to look right on the surface but not function properly, that's why if you search the forums there are no answers from experienced users. Totally not worth the time to try to fix stuff for a single person when there's only like 4 of us here.

So when you say:

The thing I'm stuck on is how can this be happening on just my machine?

It is very possible you've done something wrong that is unique to your exact machine and you don't know it. That's why getting permissions problems answered is like asking for someone to give you a winning lottery ticket. It just doesn't happen.

Last time I tried to help someone fix their permissions problems it took three 6-hour sessions to fix everything that was screwed up on his server. All of the experienced guys have dealt with too many of them, so we run in the other direction.
 

bkp
I hear you, cyberjock. Just frustrating. But I have a few more things to try and I'll post for posterity should it work :)
 