CIFS share doesn't recognize owner ACLs

Status
Not open for further replies.

Jim Newsome (Cadet; joined Jun 21, 2015; messages: 1)

On my FreeNAS, I have a user jnewsome and a group jnewsome. When accessing a CIFS share from my Windows machine, I can access files that have the appropriate group permissions, but it seems that it doesn't allow me to access files that only have owner permissions.

Here are the ACLs on the FreeNAS:
Code:
 % getfacl src
# file: src
# owner: jnewsome
# group: jnewsome
            owner@:rwxp--aARWcCos:------:allow
            group@:------a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow


And here are the permissions as seen on Windows. I have Account Unknown, where probably I want it to recognize it as something like jnewsome (Unix User\jnewsome). But how?

[Screenshot: tRV8wh4.png]


And if I try to actually open the folder, of course I get an error:
[Screenshot: 66uFY2D.png]


For the moment I'm working around it by adding permissions for group jnewsome. That's an annoying workaround though, and I'd rather understand whether/how it's possible to get it to recognize the user/owner permission.
 

JoeVulture (Dabbler; joined Sep 8, 2013; messages: 22)

I admit that I'm new to ACLs myself, but I configured my share (this one allows owner and group full access, but read-only for guests). Here's my output of getfacl on a share where I (joevulture) own everything and have full access (as well as my group), but guests get read-only:
Code:
[joevulture@freenas /mnt/volume]$ getfacl Videos/
# file: Videos/
# owner: joevulture
# group: joevulture
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow


I'd upload the properties dialog, but I can't seem to do it from a thumbdrive. However, these are the items in the list:
Everyone
joevulture (Unix group\joevulture)
Joe Votour (FREENAS\joevulture)

For an actual file in my "users" directory where I keep things that I only want to get to:
Code:
[joevulture@freenas ~]$ getfacl Address\ Labels.docx
# file: Address Labels.docx
# owner: joevulture
# group: joevulture
            owner@:rwxpDdaARWcCos:------:allow
            group@:rwxpDdaARWcCos:------:allow
         everyone@:--------------:------:allow


Please note that I actually did this through the setfacl command, although at one point I granted my account the SeDiskOperatorPrivilege so that I could do things through Windows if I so desired (but I didn't need to).

Hope this helps.

-- Joe
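
Added example, not part of any post in this thread: a small Python parser for the NFSv4-style `getfacl` output quoted above, listing which principals hold an allow entry for `read_data` or `execute`. The function names are illustrative, the two ACLs are copied from the posts, and deny entries are ignored as a simplification.

```python
import re

# FreeBSD NFSv4 ACL permission letters as printed by getfacl.
PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}

# getfacl output copied from the first two posts in this thread.
SRC_ACL = """# file: src
# owner: jnewsome
# group: jnewsome
            owner@:rwxp--aARWcCos:------:allow
            group@:------a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
"""
VIDEOS_ACL = """# file: Videos/
# owner: joevulture
# group: joevulture
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow
"""

def parse_getfacl(text):
    """Return (header dict, list of ACE dicts) for NFSv4-style getfacl output."""
    header, aces = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"#\s*(\w+):\s*(.*)", line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        # "who" may contain a colon (user:name), so split from the right.
        who, perms, flags, ace_type = line.rsplit(":", 3)
        aces.append({"who": who, "type": ace_type, "flags": flags.replace("-", ""),
                     "perms": {PERMS[c] for c in perms if c != "-"}})
    return header, aces

def data_access(aces):
    """Principals holding an allow ACE with read_data or execute (open/traverse)."""
    wanted = {"read_data", "execute"}
    return sorted(a["who"] for a in aces if a["type"] == "allow" and a["perms"] & wanted)

if __name__ == "__main__":
    for sample in (SRC_ACL, VIDEOS_ACL):
        header, aces = parse_getfacl(sample)
        print(header["file"], "->", data_access(aces))
```

For `src` only `owner@` is listed, so opening that folder over CIFS depends on the connecting account being mapped to the owning Unix user; for `Videos/` all three principals are listed.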
 

ghostwolf59 (Contributor; joined Mar 2, 2013; messages: 165)

I am having similar issues - after upgrading FreeNAS, the Windows ACL is no longer recognized.

I have one main group all users belong to (that should provide a default read-only access to content).
I also have one main (super user) account held by me that provides close to root access to everything.
Once I upgraded FreeNAS to FreeNAS-9.3-STABLE-201506042008, my Windows ACL started to break, with "Account Unknown (S-xxxx)" being reported by Windows.
What's really weird is that one of the two accounts always seems to be loaded properly after rebooting FreeNAS, but it's flicking between the super user and the general group account.
My current reboot exposed the super user account, where the general account is reported as "Account Unknown (S-xxxx)".
Yesterday my super user account reported "Account unknown" while the general account was OK.
So the ACL being successfully recognized seems random - most annoying!

freenas also spits out messages like this to the console...
"STATUS=demon 'smbd' finished starting up on file ./..." Error = Operation not supported"

Other messages reported are: "STATUS=deamon on 'winbindd' finsihed starting up and ready to serve connectionssam_sids_to_names: possible deadlock - trying to lookup SID S-XXXXXX"

I have tried to manually clear acls (as per https://forums.freenas.org/index.ph...le-deadlock-trying-to-lookup-sid.21982/page-2)
i.e
1. [root@freenas ~]# net groupmap list
Environment LOGNAME is not defined. Trying anonymous access.
xxx (S-1-5-21-2736923429-478344119-3993861682-1000) -> xxx

2. [root@freenas ~]# net groupmap delete sid="S-1-5-21-2736923429-478344119-3993861682-1000"
Environment LOGNAME is not defined. Trying anonymous access.
Sucessfully removed S-1-5-21-2736923429-478344119-3993861682-1000 from the mapping db

3. [root@freenas ~]# net groupmap add unixgroup=users rid=1000
Environment LOGNAME is not defined. Trying anonymous access. <== Error
Can't lookup UNIX group users

So even though I can delete the account, I don't seem to be able to re-create it.

... and from what I have read, unless I manage to get this account created, the ACL will continue to be stuffed up after the next reboot.

What is the solution to this???? - This is driving me nuts!

The short-term solution seems to be to allow everyone open access to everything - which I clearly don't want!

cheers
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; messages: 9,554)

There was a recent bug fix that was supposed to resolve this issue. Run updates. If you are on latest current, then create a bug report at https://bugs.freenas.org/
 

Ericloewe (Server Wrangler, Moderator; joined Feb 15, 2014; messages: 20,194)

I can verify that the SID issues seem to have been (finally) fixed in one of the recent updates.

I'm not sure if mappings still need to be manually nuked, though. The update came just around the time when I was nuking them constantly trying to troubleshoot the problem.
 