SOLVED Group permissions not showing up in windows 10 client

Status
Not open for further replies.

schoffman

Dabbler
Joined
Jan 21, 2016
Messages
18
I just recently noticed that I can't see my freenas group accounts on windows 10 clients. My current configuration originated in 9.3 or 9.10 and I currently have 11.2 RC2. The users show up just fine and the shares work. From previously set permissions I get Account Unknown(S-1-5-21-2751733394-2278657307-...) for the group account. I'm checking for groups with the "find now" and the "check" on the dialog boxes for security permissions from 2 different windows 10 clients.

I have a VM of freenas for test on the same box that was originally installed on 11.1, when I upgraded to 11.2 RC2 the groups show up. Just as a test I cleared the configuration from the console (option 8) and just set up a default windows share and turned on SMB, added a user and a group and they don't show up.

In Summary I have 3 cases that I've tried:

Case 1: I have a working configuration in 11.2 RC2 that was upgraded/migrated from 11.1 (test VM);
Case 2: My main box that has been migrated from 9.10 doesn't work but I'm not sure when it stopped working;
Case 3: 11.2 RC2 with default options doesn't work (test VM) and (bare metal),

The users show up in all cases with the "find now" from the windows security dialog box, but the groups are the ones not showing up in cases 2 and 3.

Since I have a working configuration I can compare whats different but I've only checked /usr/local/etc/smb4.conf and it was equal for working and non working.

Thanks for looking


I have a skylake E3 1140 V5 build
with 32 GB of ECC memory (samsung)
Supermicro SSH-F Motherboard
6x 8TB reds in raid Z2.
2 USB boot drives in mirror
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
I just recently noticed that I can't see my freenas group accounts on windows 10 clients. My current configuration originated in 9.3 or 9.10 and I currently have 11.2 RC2. The users show up just fine and the shares work. From previously set permissions I get Account Unknown(S-1-5-21-2751733394-2278657307-...) for the group account. I'm checking for groups with the "find now" and the "check" on the dialog boxes for security permissions from 2 different windows 10 clients.

I have a VM of freenas for test on the same box that was originally installed on 11.1, when I upgraded to 11.2 RC2 the groups show up. Just as a test I cleared the configuration from the console (option 8) and just set up a default windows share and turned on SMB, added a user and a group and they don't show up.

In Summary I have 3 cases that I've tried:

Case 1: I have a working configuration in 11.2 RC2 that was upgraded/migrated from 11.1 (test VM);
Case 2: My main box that has been migrated from 9.10 doesn't work but I'm not sure when it stopped working;
Case 3: 11.2 RC2 with default options doesn't work (test VM) and (bare metal),

The users show up in all cases with the "find now" from the windows security dialog box, but the groups are the ones not showing up in cases 2 and 3.

Since I have a working configuration I can compare whats different but I've only checked /usr/local/etc/smb4.conf and it was equal for working and non working.

Thanks for looking


I have a skylake E3 1140 V5 build
with 32 GB of ECC memory (samsung)
Supermicro SSH-F Motherboard
6x 8TB reds in raid Z2.
2 USB boot drives in mirror
Post output of "net groupmap list" and "net getlocalsid"
 

schoffman

Dabbler
Joined
Jan 21, 2016
Messages
18
Post output of "net groupmap list" and "net getlocalsid"

I did this command on a VM with 11.2 RC2 and a "Reset Configuration to Defaults" before adding a volume, share and users all with default options:

Code:
root@freenas[~]# net groupmap list
Guests (S-1-5-32-546) -> 90000006
sam (S-1-5-21-2896240121-2048705663-2426383916-1002) -> sam
group1 (S-1-5-21-2359851790-2859644675-1018775400-1000) -> hshh
home (S-1-5-21-2359851790-2859644675-1018775400-1003) -> group1
Users (S-1-5-32-545) -> 90000005
root@freenas[~]# net getlocalsid
SID for domain FREENASTEST is: S-1-5-21-2896240121-2048705663-2426383916
root@freenas[~]#



Thanks
 

schoffman

Dabbler
Joined
Jan 21, 2016
Messages
18
I did this command on a VM with 11.2 RC2 and a "Reset Configuration to Defaults" before adding a volume, share and users all with default options:

Code:
root@freenas[~]# net groupmap list
Guests (S-1-5-32-546) -> 90000006
sam (S-1-5-21-2896240121-2048705663-2426383916-1002) -> sam
group1 (S-1-5-21-2359851790-2859644675-1018775400-1000) -> hshh
home (S-1-5-21-2359851790-2859644675-1018775400-1003) -> group1
Users (S-1-5-32-545) -> 90000005
root@freenas[~]# net getlocalsid
SID for domain FREENASTEST is: S-1-5-21-2896240121-2048705663-2426383916
root@freenas[~]#



Thanks

Windows is reading for group1:
Account Unknown(S-1-5-21-2359851790-2859644675-1018775400-1001)

So that might be the error?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Windows is reading for group1:
Account Unknown(S-1-5-21-2359851790-2859644675-1018775400-1001)

So that might be the error?

It looks like your server's SID changed and the group_mapping.tdb file got out of sync. Try:
Code:
service samba_server stop
mv /var/db/samba4/group_mapping.tdb /var/db/samba4/group_mapping.tdb.bak
service ix-pre-samba start
service samba_server restart
 
Last edited:

schoffman

Dabbler
Joined
Jan 21, 2016
Messages
18
It looks like your server's SID changed and the group_mapping.tdb file got out of sync. Try:
Code:
service samba-server stop
mv /var/db/samba4/group_mapping.tdb /var/db/samba4/group_mapping.tdb.bak
service ix-pre-samba start
service samba_server restart

Thank you, that fixed it!

Should I file a bug report because it seems like this is repeatable in my testing?

There was a typo in case anybody wants to use the commands to fix a similar problem, samba-server should be samba_server

Code:
service samba_server stop
mv /var/db/samba4/group_mapping.tdb /var/db/samba4/group_mapping.tdb.bak
service ix-pre-samba start
service samba_server restart
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Thank you, that fixed it!

Should I file a bug report because it seems like this is repeatable in my testing?

There was a typo in case anybody wants to use the commands to fix a similar problem, samba-server should be samba_server

Code:
service samba_server stop
mv /var/db/samba4/group_mapping.tdb /var/db/samba4/group_mapping.tdb.bak
service ix-pre-samba start
service samba_server restart

Can you just post the steps you used to get into this situation and I'll make a report / fix if necessary.
 

schoffman

Dabbler
Joined
Jan 21, 2016
Messages
18
Can you just post the steps you used to get into this situation and I'll make a report / fix if necessary.

After a few hours of trying to reproduce it I have failed. I think it has something to do with residual permissions left on the pool from a previous version of freenas but I don't know. Thank you for your help as my main box has been fixed.
 
Status
Not open for further replies.
Top