[SOLVED] Group ownership remains even after being changed

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
I readily admit that the interaction between FreeNAS permissions and Samba share ACLs is not my strongest field, but I thought I had gotten the hang of it. But here I am stumped. Why on Earth does the group ownership remain users all the time? On a Windows machine, user cristina, who is only a member of group users, can delete the file testfile even though 1) the group ownership is changed to linux_user, and 2) delete privileges for group members are removed. I am at a loss as to both 1 and 2.

largetemp is a Samba share owned by peter:users, and the ACLs are the defaults from when the share was created on 11.0-U4.
The Windows images were taken after all the commands below had been executed and the Windows machine had been rebooted.
How come the file testfile continues to be owned by group users even though the owner is successfully changed?

Code:
root@freenas:/mnt/TANK/largetemp/dvd-musik # touch testfile

root@freenas:/mnt/TANK/largetemp/dvd-musik # ls -la
total 34832483
drwxrwxr-x+ 31 root        users                41 Mar  1 21:35 .
drwxrwxr-x+ 11 peter       users                25 Mar  1 19:12 ..
-rwxrwxr-x+  1 root        users                 0 Mar  1 21:35 testfile

root@freenas:/mnt/TANK/largetemp/dvd-musik # getfacl testfile
# file: testfile
# owner: root
# group: users
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWcCos:------I:allow
         everyone@:r-x---a-R-c---:------I:allow

root@freenas:/mnt/TANK/largetemp/dvd-musik # chown linux_user:linux_user testfile

root@freenas:/mnt/TANK/largetemp/dvd-musik # ls -la | grep testfile
-rwxrwxr-x+  1 linux_user  linux_user            0 Mar  1 21:35 testfile

root@freenas:/mnt/TANK/largetemp/dvd-musik # getfacl testfile
# file: testfile
# owner: linux_user
# group: linux_user
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWcCos:------I:allow
         everyone@:r-x---a-R-c---:------I:allow

root@freenas:/mnt/TANK/largetemp/dvd-musik # setfacl -bn testfile

root@freenas:/mnt/TANK/largetemp/dvd-musik # getfacl testfile
# file: testfile
# owner: linux_user
# group: linux_user
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow


(Screenshots attached: touchfile.png, touchfil2e.png)

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Generally speaking, in Unix a group can't be the User for a file. The Windows interface to change the file owner basically does a chown. From the CLI "chown users testfile" will fail as well because "users" is a group.
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
Generally speaking, in Unix a group can't be the User for a file. The Windows interface to change the file owner basically does a chown. From the CLI "chown users testfile" will fail as well because "users" is a group.
I don't quite understand... I didn't do chown users testfile, I did chown linux_user:linux_user testfile, which I take to be equivalent to chown linux_user testfile && chgrp linux_user testfile. linux_user is a user with its own primary group.

The second getfacl shows that the group linux_user replaces users as group in the CLI, but in Windows that is not the case.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Did you do chown locally or over SMB protocol?

Can you post output of smbcacls //127.0.0.1/<SHARE> testfile -U <username> as well as getfacl output for the same file?
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
I SSH'd into FreeNAS from Linux. The Windows machine I am referring to is a laptop sitting next to me. Everything is inside my home LAN.

It's midnight in Sweden now, so I have to go to bed, but thanks a lot for your help. I'll check this thread first thing in the morning.

The output below was also taken over SSH from Debian.
Code:
root@freenas:/mnt/TANK/largetemp/dvd-musik # smbcacls //10.0.0.50/largetemp dvd-musik/testfile -U linux_user
Enter NIBELHEIM\linux_user's password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:FREENAS\linux_user
GROUP:FREENAS\users
ACL:FREENAS\linux_user:ALLOWED/0x0/0x001e01ff
ACL:FREENAS\users:ALLOWED/0x0/0x001200af
ACL:Everyone:ALLOWED/0x0/READ


Code:
root@freenas:/mnt/TANK/largetemp/dvd-musik # getent group
wheel:*:0
daemon:*:1
//lots of groups
peter:*:1000
linux_user:*:1001
android_user:*:1006
apple_user:*:1007
backup_user:*:1008:linux_user
logfetcher:*:1009
users:*:1010:linux_user,peter
nogroup:*:65533
nobody:*:65534
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I SSH:d into Freenas from Linux. The Windows machine I am referring to is a laptop sitting next to me. Everything is inside my home LAN.

It's midnight in Sweden now, so I have to go to bed, but thanks a lot for your help. I'll check this thread first thing in the morning.

This below also over SSH from Debian.
Code:
root@freenas:/mnt/TANK/largetemp/dvd-musik # smbcacls //10.0.0.50/largetemp dvd-musik/testfile -U linux_user
Enter NIBELHEIM\linux_user's password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:FREENAS\linux_user
GROUP:FREENAS\users
ACL:FREENAS\linux_user:ALLOWED/0x0/0x001e01ff
ACL:FREENAS\users:ALLOWED/0x0/0x001200af
ACL:Everyone:ALLOWED/0x0/READ


Code:
root@freenas:/mnt/TANK/largetemp/dvd-musik # getent group
wheel:*:0
daemon:*:1
//lots of groups
peter:*:1000
linux_user:*:1001
android_user:*:1006
apple_user:*:1007
backup_user:*:1008:linux_user
logfetcher:*:1009
users:*:1010:linux_user,peter
nogroup:*:65533
nobody:*:65534
I'm looking for the local output on FreeNAS. Example:
Code:
truenas# smbcacls //127.0.0.1/SMB testfile2 -U smbuser%Cats   
REVISION:1
CONTROL:SR|DP
OWNER:TRUENAS\smbuser
GROUP:BUILTIN\Users
ACL:TRUENAS\smbuser:ALLOWED/I/FULL
ACL:BUILTIN\Users:ALLOWED/I/0x001301ff
truenas# chown smbuser:wheel /mnt/dozer/SMB/testfile2
truenas# smbcacls //127.0.0.1/SMB testfile2 -U smbuser%Cats
REVISION:1
CONTROL:SR|DP
OWNER:TRUENAS\smbuser
GROUP:Unix Group\wheel
ACL:TRUENAS\smbuser:ALLOWED/I/FULL
ACL:Unix Group\wheel:ALLOWED/I/0x001301ff
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
Sorry... here:
Code:
root@freenas:~ # smbcacls //127.0.0.1/largetemp dvd-musik/testfile -U linux_user
Enter NIBELHEIM\linux_user's password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:FREENAS\linux_user
GROUP:FREENAS\users
ACL:FREENAS\linux_user:ALLOWED/0x0/0x001e01ff
ACL:FREENAS\users:ALLOWED/0x0/0x001200af
ACL:Everyone:ALLOWED/0x0/READ
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Sorry... here:
Code:
root@freenas:~ # smbcacls //127.0.0.1/largetemp dvd-musik/testfile -U linux_user
Enter NIBELHEIM\linux_user's password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:FREENAS\linux_user
GROUP:FREENAS\users
ACL:FREENAS\linux_user:ALLOWED/0x0/0x001e01ff
ACL:FREENAS\users:ALLOWED/0x0/0x001200af
ACL:Everyone:ALLOWED/0x0/READ
And the local ACL as seen on the FreeNAS server? (using getfacl)
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
And the local ACL as seen on the FreeNAS server? (using getfacl)
Code:
root@freenas:/mnt/TANK/largetemp/dvd-musik # getfacl testfile
# file: testfile
# owner: linux_user
# group: linux_user
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
And what version of FreeNAS?

I'm on FreeNAS-11.3-RELEASE

Code:
root@freenas:~ # net groupmap list
users (S-1-5-21-646972039-1787580843-879365588-1014) -> linux_user
Guests (S-1-5-32-546) -> 90000006
users (S-1-5-21-646972039-1787580843-879365588-1019) -> users
replica (S-1-5-21-646972039-1787580843-879365588-1035) -> peter
Administrators (S-1-5-32-544) -> 90000004
Users (S-1-5-32-545) -> 90000005
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I'm on FreeNAS-11.3-RELEASE

Code:
root@freenas:~ # net groupmap list
users (S-1-5-21-646972039-1787580843-879365588-1014) -> linux_user
Guests (S-1-5-32-546) -> 90000006
users (S-1-5-21-646972039-1787580843-879365588-1019) -> users
replica (S-1-5-21-646972039-1787580843-879365588-1035) -> peter
Administrators (S-1-5-32-544) -> 90000004
Users (S-1-5-32-545) -> 90000005

Okay. The problem is your group_mapping.tdb. Run the following commands and then post the output of "net groupmap list" again.
Code:
rm /var/db/system/samba4/group_mapping.tdb
midclt call etc.generate smb_configure
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Okay. The problem is your group_mapping.tdb. Run following commands and then post output of "net groupmap list" again.
Code:
rm /var/db/system/samba4/group_mapping.tdb
midclt call etc.generate smb_configure

The choice of "users" as a Unix group name is unfortunate and shouldn't have snuck into the group_mapping.tdb (since it collides with BUILTIN\Users).
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
Oops... what happened here?
Maybe I should have made a copy of group_mapping.tdb first...

Code:
root@freenas:~ # rm /var/db/system/samba4/group_mapping.tdb
root@freenas:~ # midclt call etc.generate smb_configure
null
root@freenas:~ # net groupmap list
root@freenas:~ #
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Oops... what happened here?
Maybe I should have made a copy of group_mapping.tdb first...

Code:
root@freenas:~ # rm /var/db/system/samba4/group_mapping.tdb
root@freenas:~ # midclt call etc.generate smb_configure
null
root@freenas:~ # net groupmap list
root@freenas:~ #
That's okay. It should be auto-generated. Are there any error messages inside /var/log/middlewared.log?
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
There are just these debug messages... (and lots of other things, but they seem replication- and Python-related)

Code:
[2020/03/02 16:53:38] (DEBUG) EtcService.generate():274 - No new changes for /etc/local/smbusername.map
[2020/03/02 16:53:40] (DEBUG) SMBService.groupmap_add():343 - Setting group map for android_user is not permitted
[2020/03/02 16:53:40] (DEBUG) SMBService.groupmap_add():343 - Setting group map for apple_user is not permitted
[2020/03/02 16:53:40] (DEBUG) SMBService.groupmap_add():343 - Setting group map for backup_user is not permitted
[2020/03/02 16:53:40] (DEBUG) SMBService.groupmap_add():343 - Setting group map for linux_user is not permitted
[2020/03/02 16:53:41] (DEBUG) SMBService.groupmap_add():343 - Setting group map for logfetcher is not permitted
[2020/03/02 16:53:41] (DEBUG) SMBService.groupmap_add():343 - Setting group map for peter is not permitted
[2020/03/02 16:53:41] (DEBUG) SMBService.groupmap_add():343 - Setting group map for users is not permitted
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
There are just these debugs... (and lots of other things but they seem replication and python related)

Code:
[2020/03/02 16:53:38] (DEBUG) EtcService.generate():274 - No new changes for /etc/local/smbusername.map
[2020/03/02 16:53:40] (DEBUG) SMBService.groupmap_add():343 - Setting group map for android_user is not permitted
[2020/03/02 16:53:40] (DEBUG) SMBService.groupmap_add():343 - Setting group map for apple_user is not permitted
[2020/03/02 16:53:40] (DEBUG) SMBService.groupmap_add():343 - Setting group map for backup_user is not permitted
[2020/03/02 16:53:40] (DEBUG) SMBService.groupmap_add():343 - Setting group map for linux_user is not permitted
[2020/03/02 16:53:41] (DEBUG) SMBService.groupmap_add():343 - Setting group map for logfetcher is not permitted
[2020/03/02 16:53:41] (DEBUG) SMBService.groupmap_add():343 - Setting group map for peter is not permitted
[2020/03/02 16:53:41] (DEBUG) SMBService.groupmap_add():343 - Setting group map for users is not permitted

The only groups that should be usable in SMB are ones created in the GUI that are not named ['users', 'admins', or 'guests'], since these are reserved NT group names. Try renaming the group "users" to something different (like "smb_users").
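To turn the two rules above (no reserved NT names for local groups, and no NT name mapped twice) into something that can be checked mechanically, here is a POSIX sh function added as an example; it is not code from this thread and not part of FreeNAS. It parses the text of "net groupmap list" and flags local-domain entries (SID S-1-5-21-...) whose name is users, admins or guests, compared case-insensitively because the collision is with BUILTIN\Users, and any NT name that appears more than once. The two embedded samples are the listings posted in this thread before and after the rename; the function name groupmap_problems is chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeNAS: scan "net groupmap
# list" output for the two mapping problems discussed in the thread. Reserved
# names are the ones given above (users, admins, guests), compared
# case-insensitively because the collision is with BUILTIN\Users.

# Constructed sample: the groupmap list posted before the rename
GROUPMAP_BEFORE='users (S-1-5-21-646972039-1787580843-879365588-1014) -> linux_user
Guests (S-1-5-32-546) -> 90000006
users (S-1-5-21-646972039-1787580843-879365588-1019) -> users
replica (S-1-5-21-646972039-1787580843-879365588-1035) -> peter
Administrators (S-1-5-32-544) -> 90000004
Users (S-1-5-32-545) -> 90000005'

# Constructed sample: the groupmap list posted after renaming the group
GROUPMAP_AFTER='smb-users (S-1-5-21-646972039-1787580843-879365588-1042) -> smb-users'

# groupmap_problems "<net groupmap list output>"
# Prints one line per problem; returns 0 when nothing was found, 1 otherwise.
# Only entries under the server's own domain SID (S-1-5-21-...) are checked;
# S-1-5-32-* entries are Windows well-known groups that Samba maps itself.
groupmap_problems() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^\(S-1-5-21-/ {
            name = $1; lname = tolower(name); unixgrp = $4
            if (lname == "users" || lname == "admins" || lname == "guests") {
                print "reserved NT name used for a local group: " name " -> " unixgrp
                problems++
            }
            if (lname in seen) {
                print "NT name " name " mapped more than once: " seen[lname] " and " unixgrp
                problems++
            }
            seen[lname] = unixgrp
        }
        END { exit (problems > 0) }'
}

echo "before rename:"
groupmap_problems "$GROUPMAP_BEFORE" ||
    echo "-> rename the group, then remove group_mapping.tdb and regenerate the Samba config"
echo "after rename:"
groupmap_problems "$GROUPMAP_AFTER" && echo "-> mapping is clean"
```

On a live FreeNAS box the samples would be replaced by the output of "net groupmap list" itself; the "before" listing produces three findings (both users entries hit the reserved-name rule, and the second one is also a duplicate), the "after" listing produces none.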
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
The only groups that should be usable in SMB are ones created in the GUI that are not named ['users', 'admins', or 'guests'] since these are reserve NT group names. Try renaming the group "users" to something different (like "smb_users").

THANKS for your patience!

I renamed the group in the FreeNAS GUI and then reran the commands:
Code:
root@freenas:~ # rm /var/db/system/samba4/group_mapping.tdb
root@freenas:~ # midclt call etc.generate smb_configure
null
root@freenas:~ # net groupmap list
smb-users (S-1-5-21-646972039-1787580843-879365588-1042) -> smb-users

Code:
[2020/03/02 20:20:42] (DEBUG) EtcService.generate():274 - No new changes for /etc/local/smbusername.map
[2020/03/02 20:20:44] (DEBUG) SMBService.groupmap_add():343 - Setting group map for android_user is not permitted
[2020/03/02 20:20:44] (DEBUG) SMBService.groupmap_add():343 - Setting group map for apple_user is not permitted
[2020/03/02 20:20:44] (DEBUG) SMBService.groupmap_add():343 - Setting group map for backup_user is not permitted
[2020/03/02 20:20:45] (DEBUG) SMBService.groupmap_add():343 - Setting group map for linux_user is not permitted
[2020/03/02 20:20:45] (DEBUG) SMBService.groupmap_add():343 - Setting group map for logfetcher is not permitted
[2020/03/02 20:20:45] (DEBUG) SMBService.groupmap_add():343 - Setting group map for peter is not permitted
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
THANKS for your patience!

I renamed the group name in the Freenas GUI and then reran the commands:
Code:
root@freenas:~ # rm /var/db/system/samba4/group_mapping.tdb
root@freenas:~ # midclt call etc.generate smb_configure
null
root@freenas:~ # net groupmap list
smb-users (S-1-5-21-646972039-1787580843-879365588-1042) -> smb-users


[2020/03/02 20:20:42] (DEBUG) EtcService.generate():274 - No new changes for /etc/local/smbusername.map
[2020/03/02 20:20:44] (DEBUG) SMBService.groupmap_add():343 - Setting group map for android_user is not permitted
[2020/03/02 20:20:44] (DEBUG) SMBService.groupmap_add():343 - Setting group map for apple_user is not permitted
[2020/03/02 20:20:44] (DEBUG) SMBService.groupmap_add():343 - Setting group map for backup_user is not permitted
[2020/03/02 20:20:45] (DEBUG) SMBService.groupmap_add():343 - Setting group map for linux_user is not permitted
[2020/03/02 20:20:45] (DEBUG) SMBService.groupmap_add():343 - Setting group map for logfetcher is not permitted
[2020/03/02 20:20:45] (DEBUG) SMBService.groupmap_add():343 - Setting group map for peter is not permitted

Do the local getfacl and smbcacls commands now give expected output?
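Rather than eyeballing the two listings, here is a POSIX sh check, added as an example (it is not anything posted in this thread and not part of FreeNAS), that pulls the owner and group out of smbcacls output and out of getfacl output and reports where the SMB view and the filesystem view disagree. The two embedded samples are the outputs posted earlier in this thread, before the group was renamed; smb_principal, fs_principal and compare_principal are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeNAS: compare the
# owner/group that Samba reports over SMB (smbcacls) with the owner/group the
# filesystem holds (getfacl). In the thread the GROUP line differs, which is
# what points at Samba's group mapping rather than at the file itself.

# Constructed sample: smbcacls output for dvd-musik/testfile, copied from the thread
SMBCACLS_OUT='REVISION:1
CONTROL:SR|PD|DP
OWNER:FREENAS\linux_user
GROUP:FREENAS\users
ACL:FREENAS\linux_user:ALLOWED/0x0/0x001e01ff
ACL:FREENAS\users:ALLOWED/0x0/0x001200af
ACL:Everyone:ALLOWED/0x0/READ'

# Constructed sample: getfacl output for the same file, copied from the thread
GETFACL_OUT='# file: testfile
# owner: linux_user
# group: linux_user
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow'

# smb_principal OWNER|GROUP "<smbcacls output>"
# Prints the name after the domain prefix, e.g. FREENAS\users -> users.
smb_principal() {
    printf '%s\n' "$2" | awk -F: -v key="$1" '
        $1 == key { n = $2; sub(/.*\\/, "", n); print n; exit }'
}

# fs_principal owner|group "<getfacl output>"
# Prints the name from the "# owner:" or "# group:" header line.
fs_principal() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 == "#" && $2 == (key ":") { print $3; exit }'
}

# compare_principal OWNER|GROUP "<smbcacls output>" "<getfacl output>"
# Returns 0 when both views agree, 1 (and prints both names) when they do not.
compare_principal() {
    key="$1"
    smb=$(smb_principal "$key" "$2")
    fs=$(fs_principal "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" "$3")
    if [ "$smb" = "$fs" ]; then
        printf '%s: ok (%s)\n' "$key" "$fs"
        return 0
    fi
    printf '%s: MISMATCH filesystem=%s smb=%s\n' "$key" "$fs" "$smb"
    return 1
}

# Run both checks against the thread's outputs: OWNER agrees, GROUP does not.
compare_principal OWNER "$SMBCACLS_OUT" "$GETFACL_OUT"
compare_principal GROUP "$SMBCACLS_OUT" "$GETFACL_OUT" ||
    echo "Samba's idea of the group differs from the filesystem: check 'net groupmap list'"
```

On a live system the two samples would come from "smbcacls //127.0.0.1/largetemp dvd-musik/testfile -U linux_user" run on the FreeNAS box itself and "getfacl /mnt/TANK/largetemp/dvd-musik/testfile"; with the thread's pre-rename outputs the OWNER line agrees and the GROUP line reports users against linux_user, which is exactly the symptom the thread started with.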
 