FreeNAS-9.10.2-U3 (e1497f269)

Status
Not open for further replies.

imransheriff

Cadet
Joined
Apr 11, 2017
Messages
9
Guys, I am having a bit of an issue. I have been using FreeNAS for a long time; however, I just started to join FreeNAS and Samba AD (Zentyal 5), and I am having a hard time getting the shares to work (FreeNAS CIFS share to Zentyal AD user)! Can someone point me in the correct direction / docs / post anything?

I have connected to Active Directory and it shows the users/groups (wbinfo -g / -u), and I can assign the dataset permission to the AD users; however, when I access the share it asks me for a password, something like the password is wrong or not valid. I even tried to enter the AD user password manually but it doesn't accept it!

All I want to do is get the DC user the respective share, via MAP Policy or Logon Script. Please help me out; any help is much appreciated.

Kind Regards
Imran
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Post contents of following on FreeNAS server and enclose output in [ code ] tags:
  • /var/log/samba4/log.smbd
  • /usr/local/etc/smb4.conf
 

imransheriff

Cadet
Joined
Apr 11, 2017
Messages
9
Hi, thanks for the reply, please refer to the following!

log.smbd
[2017/05/01 19:30:35.086492, 1] ../source3/smbd/service.c:599(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/05/01 19:36:32.068981, 0] ../source3/lib/util_sock.c:876(matchname)
matchname: host name/name mismatch: 192.168.5.40 != (NULL)
[2017/05/01 19:36:32.069029, 0] ../source3/lib/util_sock.c:1055(get_remote_hostname)
matchname failed on 192.168.5.40
[2017/05/01 19:43:55.683865, 0] ../source3/lib/util_sock.c:876(matchname)
matchname: host name/name mismatch: 192.168.5.4 != (NULL)
[2017/05/01 19:43:55.683914, 0] ../source3/lib/util_sock.c:1055(get_remote_hostname)
matchname failed on 192.168.5.4

smb4.conf
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfs_space zfsacl recycle
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
That's only a portion of the smb4.conf file, and not a particularly helpful one.
 

imransheriff

Cadet
Joined
Apr 11, 2017
Messages
9
Oops, sorry, I used tail.

smb4.conf
[global]
server max protocol = SMB2
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 113591
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
lm announce = yes
hostname lookups = yes
time server = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
workgroup = ONAIR
realm = ONAIR.COM
security = ADS
client use spnego = yes
cache directory = /var/tmp/.cache/.samba
local master = no
domain master = no
preferred master = no
ads dns update = yes
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config ONAIR: backend = rid
idmap config ONAIR: range = 20000-90000000
allow trusted domains = no
client ldap sasl wrapping = plain
template shell = /bin/sh
template homedir = /home/%D/%U
netbios name = NASSTUDIO
pid directory = /var/run/samba
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1


[Accounts]
path = /mnt/TeraStore/TeraBackup/Accounts
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[EProductions]
path = /mnt/TeraStore/Productions/Eprd
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Lite]
path = /mnt/MusicTera/PGStore/Lite
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Lite SMS]
path = /mnt/MusicTera/Studio/Lite
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[MStore]
path = /mnt/MusicTera/MusicStore
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Productions]
path = /mnt/TeraStore/TeraBackup/Production
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Rhythm SMS]
path = /mnt/MusicTera/Studio/Rhythm
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[SProductions]
path = /mnt/TeraStore/Productions/Sprd
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Studio Library]
path = /mnt/TeraStore/Library
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Tnlradio SMS]
path = /mnt/MusicTera/Studio/Tnlradio
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[imran]
path = /mnt/MusicTera/MusicStore/imran
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfs_space zfsacl recycle
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
this is all that's there!!

[root@nasstudio] ~# tail /usr/local/etc/smb4.conf
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
vfs objects = zfs_space zfsacl recycle
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
tail only shows the last 10 lines ;)
try cat /usr/local/etc/smb4.conf
 

imransheriff

Cadet
Joined
Apr 11, 2017
Messages
9
Yes, sorry, I just remembered. I also post the log.

[2017/05/01 22:17:56.211598, 0] ../source3/lib/util_sock.c:876(matchname)
matchname: host name/name mismatch: 192.168.80.200 != (NULL)
[2017/05/01 22:17:56.211673, 0] ../source3/lib/util_sock.c:1055(get_remote_hostname)
matchname failed on 192.168.80.200
[2017/05/01 22:17:59.665847, 1] ../source3/smbd/service.c:599(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/05/01 22:17:59.666872, 1] ../source3/smbd/service.c:599(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/05/01 22:17:59.667635, 1] ../source3/smbd/service.c:599(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/05/01 22:17:59.667941, 1] ../source3/smbd/service.c:599(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/05/01 22:17:59.668829, 1] ../source3/smbd/service.c:599(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/05/01 22:17:59.669149, 1] ../source3/smbd/service.c:599(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/05/01 22:17:59.670364, 1] ../source3/smbd/service.c:599(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Okay. Now post the following:
  • output of "getfacl /path/to/share" for one of the shares that is causing problems. For example getfacl /mnt/MusicTera/MusicStore
  • output of smbstatus
 

imransheriff

Cadet
Joined
Apr 11, 2017
Messages
9
[root@nasstudio] ~# getfacl /mnt/MusicTera/MusicStore/imran
# file: /mnt/MusicTera/MusicStore/imran
# owner: imransheriff
# group: demo
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
so basically the test user is me. "imransheriff" to the dataset "imran"

Correct. Assuming that "imran" isn't also a local user. "smbstatus" will show which user you're authenticated as. When you check "use default domain" samba can get somewhat confused regarding which groups and users are local and which ones are domain. Post getfacl output for "/mnt/MusicTera/MusicStore" as well as the smbstatus output I requested above.
 

imransheriff

Cadet
Joined
Apr 11, 2017
Messages
9
smbstatus

[root@nasstudio] ~# smbstatus

Samba version 4.5.5-GIT-UNKNOWN
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
44926 prdadmin prdadmin 192.168.80.85 (ipv4:192.168.80.85:55683) SMB2_10 - -
99589 prd prd 192.168.5.40 (ipv4:192.168.5.40:49546) SMB2_02 - -
35646 prd prd 192.168.40.32 (ipv4:192.168.40.32:61855) SMB2_02 - -
93833 prd prd 192.168.5.4 (ipv4:192.168.5.4:58401) SMB2_10 - partial(HMAC-SHA256)
35645 prd prd 192.168.80.87 (ipv4:192.168.80.87:61856) SMB2_02 - -
40614 prd prd 192.168.40.33 (ipv4:192.168.40.33:60975) SMB2_02 - -

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
MStore 93833 192.168.5.4 Mon May 1 21:41:45 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:40:42 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 20:56:13 2017 +0530 - -
Tnlradio SMS 35645 192.168.80.87 Sun Apr 30 07:02:34 2017 +0530 - -
MStore 99589 192.168.5.40 Mon May 1 22:36:16 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:10:15 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 19:44:55 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:39:56 2017 +0530 - -
Studio Library 99589 192.168.5.40 Mon May 1 22:36:16 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 19:44:53 2017 +0530 - -
Studio Library 93833 192.168.5.4 Mon May 1 19:44:53 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:10:15 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:41:40 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 19:45:06 2017 +0530 - -
SProductions 44926 192.168.80.85 Sun Apr 30 12:15:08 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 19:45:31 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 19:45:03 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 20:56:09 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:40:41 2017 +0530 - -
EProductions 40614 192.168.40.33 Sun Apr 30 09:35:19 2017 +0530 - -
EProductions 93833 192.168.5.4 Mon May 1 19:43:56 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 19:45:31 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:39:51 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 20:56:09 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 22:36:47 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:41:40 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:10:15 2017 +0530 - -
SProductions 93833 192.168.5.4 Mon May 1 19:44:53 2017 +0530 - -
EProductions 35646 192.168.40.32 Sun Apr 30 07:02:34 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 21:39:51 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 22:36:52 2017 +0530 - -
Tnlradio SMS 40614 192.168.40.33 Sun Apr 30 09:35:19 2017 +0530 - -
MStore 93833 192.168.5.4 Mon May 1 22:36:47 2017 +0530 - -

Locked files:
Pid Uid DenyMode Access R/W Oplock SharePath Name Time
--------------------------------------------------------------------------------------------------
35646 1015 DENY_NONE 0x100081 RDONLY NONE /mnt/TeraStore/Productions/Eprd TNL/DRIVE - CHASSY/ULTRA HEY DJ CLIPS Mon May 1 17:09:58 2017
40614 1015 DENY_WRITE 0x120089 RDONLY EXCLUSIVE+BATCH /mnt/TeraStore/Productions/Eprd LITE/MIRROR TOP 20/HOUR 01 SEG 03 - MIRROR TOP 20 - 2017-04-30.mp3 Sun Apr 30 10:34:05 2017
44926 1009 DENY_ALL 0x100080 RDONLY NONE /mnt/TeraStore/Productions/Sprd . Sun Apr 30 12:15:08 2017
93833 1015 DENY_ALL 0x100080 RDONLY NONE /mnt/TeraStore/Productions/Sprd . Mon May 1 19:44:55 2017
35646 1015 DENY_NONE 0x100081 RDONLY NONE /mnt/TeraStore/Productions/Eprd TNL/DRIVE - CHASSY Mon May 1 17:09:56 2017
40614 1015 DENY_WRITE 0x120089 RDONLY EXCLUSIVE+BATCH /mnt/TeraStore/Productions/Eprd LITE/MIRROR TOP 20/HOUR 02 SEG 04 - MIRROR TOP 20 - 2017-04-30.mp3 Sun Apr 30 11:49:45 2017
40614 1015 DENY_WRITE 0x120089 RDONLY EXCLUSIVE+BATCH /mnt/TeraStore/Productions/Eprd LITE/MIRROR TOP 20/HOUR 02 SEG 02 - MIRROR TOP 20 - 2017-04-30.mp3 Sun Apr 30 11:16:57 2017
40614 1015 DENY_WRITE 0x120089 RDONLY EXCLUSIVE+BATCH /mnt/TeraStore/Productions/Eprd LITE/MIRROR TOP 20/HOUR 01 SEG 02 - MIRROR TOP 20 - 2017-04-30.mp3 Sun Apr 30 10:19:00 2017
35646 1015 DENY_NONE 0x100081 RDONLY NONE /mnt/TeraStore/Productions/Eprd . Sun Apr 30 07:02:39 2017
40614 1015 DENY_NONE 0x100081 RDONLY NONE /mnt/TeraStore/Productions/Eprd . Sun Apr 30 09:35:20 2017
93833 1015 DENY_NONE 0x100081 RDONLY NONE /mnt/TeraStore/Productions/Eprd . Mon May 1 19:43:56 2017
40614 1015 DENY_WRITE 0x120089 RDONLY EXCLUSIVE+BATCH /mnt/TeraStore/Productions/Eprd LITE/MIRROR TOP 20/HOUR 01 SEG 01 - MIRROR TOP 20 - 2017-04-30.mp3 Sun Apr 30 10:04:52 2017
35645 1015 DENY_NONE 0x100081 RDONLY NONE /mnt/MusicTera/Studio/Tnlradio . Mon May 1 17:09:48 2017
40614 1015 DENY_ALL 0x100080 RDONLY NONE /mnt/MusicTera/Studio/Tnlradio . Sun Apr 30 09:35:19 2017
40614 1015 DENY_WRITE 0x120089 RDONLY EXCLUSIVE+BATCH /mnt/TeraStore/Productions/Eprd LITE/MIRROR TOP 20/HOUR 02 SEG 03 - MIRROR TOP 20 - 2017-04-30.mp3 Sun Apr 30 11:36:17 2017
35646 1015 DENY_WRITE 0x120089 RDONLY EXCLUSIVE+BATCH /mnt/TeraStore/Productions/Eprd TNL/DRIVE - CHASSY/ULTRA HEY DJ CLIPS/Steve Aoki Louis Tomlinson - Just Hold On.mp3 Mon May 1 18:08:34 2017
93833 1015 DENY_ALL 0x100080 RDONLY NONE /mnt/TeraStore/Library . Mon May 1 19:44:55 2017
99589 1015 DENY_ALL 0x100080 RDONLY NONE /mnt/TeraStore/Library . Mon May 1 22:36:16 2017
 

imransheriff

Cadet
Joined
Apr 11, 2017
Messages
9
[root@nasstudio] ~# getfacl /mnt/MusicTera/MusicStore
# file: /mnt/MusicTera/MusicStore
# owner: 1007
# group: studiomgr
owner@:-w-p----------:-------:deny
owner@:r-x---aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
[root@nasstudio] ~#
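
An added example, not part of any post in this thread: anodos notes that smbstatus shows which user a session is authenticated as and that local and domain accounts can be confused, and one way to tell them apart is to compare the Uid column of smbstatus with the `idmap config` ranges in the posted smb4.conf, since winbind only assigns IDs inside those ranges. The script embeds the posted idmap lines and two posted smbstatus rows; the third row (Uid 21105) is constructed for contrast, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). CONF holds the idmap lines posted above;
# SESSIONS holds two "Locked files" rows from the posted smbstatus output plus
# one constructed row (Uid 21105) showing what a winbind-mapped account looks like.

CONF='idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
idmap config ONAIR: backend = rid
idmap config ONAIR: range = 20000-90000000'

SESSIONS='35646 1015 DENY_NONE 0x100081 RDONLY NONE /mnt/TeraStore/Productions/Eprd . Sun Apr 30 07:02:39 2017
44926 1009 DENY_ALL 0x100080 RDONLY NONE /mnt/TeraStore/Productions/Sprd . Sun Apr 30 12:15:08 2017
50001 21105 DENY_NONE 0x100081 RDONLY NONE /mnt/MusicTera/MusicStore . Mon May 1 22:40:00 2017'

# Read smb4.conf text on stdin; print "DOMAIN LOW HIGH" per idmap range line.
idmap_ranges() {
    awk -F= '/^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
        dom = $1; rng = $2
        sub(/^[ \t]*idmap config[ \t]*/, "", dom)   # drop the keyword prefix
        sub(/[ \t]*:.*$/, "", dom)                  # keep only the domain name
        gsub(/[ \t]/, "", rng)
        if (split(rng, r, "-") == 2) print dom, r[1], r[2]
    }'
}

# classify_uid UID: print the idmap domain whose range holds UID, else "local".
classify_uid() {
    printf '%s\n' "$CONF" | idmap_ranges | awk -v uid="$1" '
        uid + 0 >= $2 + 0 && uid + 0 <= $3 + 0 { hit = $1 }
        END { print (hit == "" ? "local" : hit) }'
}

# Read smbstatus text on stdin; print each distinct Uid from the locked-files rows.
locked_uids() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^DENY_/ && !seen[$2]++ { print $2 }'
}

# report: one "UID -> origin" line per Uid that holds an open file.
report() {
    printf '%s\n' "$SESSIONS" | locked_uids | while read -r uid; do
        printf '%s -> %s\n' "$uid" "$(classify_uid "$uid")"
    done
}

report
```

With the values posted in this thread, Uids 1015 and 1009 fall outside both idmap ranges, so those sessions belong to local FreeNAS accounts rather than winbind-mapped ONAIR accounts.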
 