How is it possible that Win10 sees those files?

Status
Not open for further replies.

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Ok, I'm totally confused with SMB share now. My config listed in other topic: https://forums.freenas.org/index.php?threads/delete-the-everyone-share-permission-smb.55629/

Point is - no "anonymous" access. I did slightly modify user structure, changed to nobody and use group as in video tutorial.

Problem: I DID NOT log in to my share and yet I do have access. I'm not in a group and not using the same user on Windows. I even deleted the "Everyone" ACL using the same Windows client machine. Now I see this under "Security" and yet I'm able to access the share and write files :( Same from the other Windows machine. What am I doing wrong?

[Attachment: Perms.JPG]
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

While you're connected to the share type smbstatus and post output here. Also post the full details of your smb4.conf file. Also, I wouldn't make the dataset owned by "nobody".

And please keep this to a single forum thread.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
This is status output, 33.90 and 33.111 two win clients I was talking about

It looks like (from what I can tell from these outputs) that Samba didn't register/reload the settings I was changing (users)?

Code:
root@HOME-NAS:~ # smbstatus

Samba version 4.6.4-GIT-3909b46
PID  Username  Group  Machine  Protocol Version  Encryption  Signing 
----------------------------------------------------------------------------------------------------------------------------------------
24640  ivan  nogroup  192.168.33.90 (ipv4:192.168.33.90:54811)  SMB2_10  -  partial(HMAC-SHA256)
27757  abcd  wheel  192.168.99.4 (ipv4:192.168.99.4:63395)  SMB2_10  -  - 
24931  ivan  nogroup  192.168.33.111 (ipv4:192.168.33.111:56087) SMB2_10  -  partial(HMAC-SHA256)

Service  pid  Machine  Connected at  Encryption  Signing
---------------------------------------------------------------------------------------------
AAA 27757  192.168.99.4  Fri Jun 23 12:19:19 2017 CDT  -  -
IDATTLC  24931  192.168.33.111 Fri Jun 23 11:55:28 2017 CDT  -  -
IPC$  24640  192.168.33.90 Fri Jun 23 13:48:51 2017 CDT  -  -
IDATTLC  24640  192.168.33.90 Fri Jun 23 11:54:03 2017 CDT  -  -

Locked files:
Pid  Uid  DenyMode  Access  R/W  Oplock  SharePath  Name  Time
--------------------------------------------------------------------------------------------------
27757  1002  DENY_NONE  0x120089  RDONLY  LEASE(RWH)  /mnt/main-4TB-mirror/... hidden - other share
27757  1002  DENY_NONE  0x100081  RDONLY  NONE  /mnt/main-4TB-mirror/AAA.  Fri Jun 23 12:20:17 2017
24931  1001  DENY_NONE  0x100081  RDONLY  NONE  /mnt/main-4TB-mirror/IDATTLC  .  Fri Jun 23 11:55:36 2017
24931  1001  DENY_NONE  0x100081  RDONLY  NONE  /mnt/main-4TB-mirror/IDATTLC  .  Fri Jun 23 11:55:28 2017
24640  1001  DENY_NONE  0x100081  RDONLY  NONE  /mnt/main-4TB-mirror/IDATTLC  .  Fri Jun 23 13:48:52 2017
24640  1001  DENY_NONE  0x100081  RDONLY  NONE  /mnt/main-4TB-mirror/IDATTLC  .  Fri Jun 23 13:48:52 2017
24640  1001  DENY_NONE  0x100080  RDONLY  NONE  /mnt/main-4TB-mirror/IDATTLC  .  Fri Jun 23 13:48:52 2017


Config:
Code:
[global]
  server max protocol = SMB2
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 469568
  logging = file
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = nobody
  map to guest = Bad User
  obey pam restrictions = yes
  ntlm auth = no
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  nsupdate command = /usr/local/bin/samba-nsupdate -g
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  lm announce = yes
  acl allow execute always = true
  dos filemode = yes
  multicast dns register = yes
  domain logons = no
  local master = no
  idmap config *: backend = tdb
  idmap config *: range = 90000001-100000000
  server role = standalone
  netbios name = HOME-NAS
  workgroup = WORKGROUP
  security = user
  pid directory = /var/run/samba
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 1

[IDATTLC]
  path = "/mnt/main-4TB-mirror/IDATTLC"
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl streams_xattr aio_pthread
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

Well, it depends on what settings you're changing and whether you're reloading your smb.conf file or restarting Samba. Reloading the smb.conf will not affect sessions that have already been established. Restarting Samba will kill existing sessions, which will force clients to reconnect to the share.
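Because established sessions survive a config reload, the smbstatus tables are the authoritative record of who is attached and as whom. The following is an added example, not code from this thread, FreeNAS or iXsystems: it parses the session and share tables exactly as smbstatus printed them above (copied into the script as sample input, locked-files table omitted) and flags any client host that holds a session as a user it was not expected to use, plus sessions that are not signed. The host-to-user allow-list passed to audit() is a constructed assumption for the demonstration.

```python
"""Audit who is actually attached to a Samba server, from `smbstatus` output."""
import re
from collections import defaultdict

# Sample input: the session and share tables from the smbstatus output posted
# above (the locked-files table is left out; the parser ignores it anyway).
SMBSTATUS = """\
Samba version 4.6.4-GIT-3909b46
PID  Username  Group  Machine  Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------------------------------
24640  ivan  nogroup  192.168.33.90 (ipv4:192.168.33.90:54811)  SMB2_10  -  partial(HMAC-SHA256)
27757  abcd  wheel  192.168.99.4 (ipv4:192.168.99.4:63395)  SMB2_10  -  -
24931  ivan  nogroup  192.168.33.111 (ipv4:192.168.33.111:56087) SMB2_10  -  partial(HMAC-SHA256)

Service  pid  Machine  Connected at  Encryption  Signing
---------------------------------------------------------------------------------------------
AAA 27757  192.168.99.4  Fri Jun 23 12:19:19 2017 CDT  -  -
IDATTLC  24931  192.168.33.111 Fri Jun 23 11:55:28 2017 CDT  -  -
IPC$  24640  192.168.33.90 Fri Jun 23 13:48:51 2017 CDT  -  -
IDATTLC  24640  192.168.33.90 Fri Jun 23 11:54:03 2017 CDT  -  -
"""

# One session row: pid, user, group, host, "(ipv4:addr:port)", protocol, encryption, signing
SESSION_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<host>\S+)\s+"
    r"\(ipv4:[^)]+\)\s+(?P<proto>\S+)\s+(?P<enc>\S+)\s+(?P<sign>\S+)\s*$"
)
# One share (tree connect) row: share, pid, host, connect time, encryption, signing
SERVICE_RE = re.compile(
    r"^(?P<share>\S+)\s+(?P<pid>\d+)\s+(?P<host>\S+)\s+"
    r"(?P<when>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} \w+)\s+(?P<enc>\S+)\s+(?P<sign>\S+)\s*$"
)


def parse_smbstatus(text):
    """Return ({pid: session fields}, [share rows]); header/other lines are skipped."""
    sessions, services = {}, []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions[m["pid"]] = m.groupdict()
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
    return sessions, services


def audit(text, expected_users):
    """expected_users: {client_ip: {usernames that host may authenticate as}}.
    Returns a list of (severity, message) findings."""
    sessions, services = parse_smbstatus(text)
    shares_by_pid = defaultdict(set)
    for svc in services:
        if svc["share"] != "IPC$":          # IPC$ is the pipe share every client opens
            shares_by_pid[svc["pid"]].add(svc["share"])

    findings = []
    for pid, s in sessions.items():
        allowed = expected_users.get(s["host"], set())
        shares = ",".join(sorted(shares_by_pid[pid])) or "(none)"
        if s["user"] not in allowed:
            findings.append(("HIGH",
                             f"{s['host']} is authenticated as '{s['user']}' (shares: {shares}) "
                             f"but that host is expected as {sorted(allowed) or 'nobody'}"))
        if s["sign"] == "-":
            findings.append(("LOW", f"{s['host']} session as '{s['user']}' is not signed"))
    return findings


if __name__ == "__main__":
    # Constructed allow-list: only 192.168.99.4 is supposed to connect, as 'abcd'.
    for severity, message in audit(SMBSTATUS, {"192.168.99.4": {"abcd"}}):
        print(severity, message)
```

Run against the output posted above, the two HIGH findings are the two Windows 10 clients (192.168.33.90 and 192.168.33.111) holding sessions as "ivan" with IDATTLC mounted, which is the evidence that they did authenticate, whatever the user typed. Restarting Samba (not just reloading the config) is what clears these rows.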
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Hm. OK. What is the best way to show issue? I guess I need to build completely clean case. Then restart SMB and then provide:
1. User/Group setup info
2. Dataset permission setup info
3. smb.conf
4. smbstatus
5. getfacl on shared directory
6. What I see in Windows "Security" tab.

Should that provide all needed info for troubleshooting?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

A debug file will provide 1-5, and let us see all those juicy secrets you're trying to hide.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Yeah :)

#1. What is debug file?
#2. This is not "sandbox" so I do have to remove some stuff/names. So, ideally there should be no "juicy" secrets. You can see my local subnet, that's OK :)

P.S. But seriously, will it be enough if I provide those details to isolate issue? It is really a big deal right now. People who shouldn't may see our private information if they browse to server IP
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Ok, making test as clean as possible this time..

1. Setup group "secret"
2. User "ivan" has primary group "secret" and no other groups
3. Data set owner(user) = "ivan", owner(group) = "secret"
4. getfacl. How come "everyone" came out again after I adjusted permissions??
Code:
root@HOME-NAS:~ # getfacl /mnt/main-4TB-mirror/IDATTLC/
# file: /mnt/main-4TB-mirror/IDATTLC/
# owner: ivan
# group: secret
  owner@:rwxpDdaARWcCos:fd-----:allow
  group@:rwxpDdaARWcCos:fd-----:allow
  everyone@:r-x---a-R-c---:fd-----:allow

5. samba.conf [global] and [IDATTLC] shares
Code:
[global]
  server max protocol = SMB2
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 469568
  logging = file
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = nobody
  map to guest = Bad User
  obey pam restrictions = yes
  ntlm auth = no
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  nsupdate command = /usr/local/bin/samba-nsupdate -g
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  lm announce = yes
  acl allow execute always = true
  dos filemode = yes
  multicast dns register = yes
  domain logons = no
  local master = no
  idmap config *: backend = tdb
  idmap config *: range = 90000001-100000000
  server role = standalone
  netbios name = HOME-NAS
  workgroup = WORKGROUP
  security = user
  pid directory = /var/run/samba
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 1

[IDATTLC]
  path = "/mnt/main-4TB-mirror/IDATTLC"
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl streams_xattr aio_pthread
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare



6. Browse into IDATTLC folder:

Code:
root@HOME-NAS:~ # smbstatus

Samba version 4.6.4-GIT-3909b46
PID  Username  Group  Machine  Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------------------------------
55657  ivan  secret  192.168.33.90 (ipv4:192.168.33.90:59151)  SMB2_10  -  partial(HMAC-SHA256)

Service  pid  Machine  Connected at  Encryption  Signing
---------------------------------------------------------------------------------------------
IDATTLC  55657  192.168.33.90 Fri Jun 23 15:24:56 2017 CDT  -  -

Locked files:
Pid  Uid  DenyMode  Access  R/W  Oplock  SharePath  Name  Time
--------------------------------------------------------------------------------------------------
55657  1001  DENY_NONE  0x100081  RDONLY  NONE  /mnt/main-4TB-mirror/IDATTLC  .  Fri Jun 23 15:33:02 2017
55657  1001  DENY_NONE  0x100081  RDONLY  NONE  /mnt/main-4TB-mirror/IDATTLC  .  Fri Jun 23 15:42:07 2017



7. Windows security property; now it can't look up the group for some reason

[Attachment: Capture.JPG]


Any ideas why it still lets me browse/edit? And why does it keep setting the "Everyone" permission? And also this permission is only "Read" - it allows editing.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

The dataset is owned by "ivan", you are authenticated as "ivan", ergo you can access the dataset. Default permissions on a newly-minted dataset are:
Code:
 owner@:rwxpDdaARWcCos:fd-----:allow
  group@:rwxpDdaARWcCos:fd-----:allow
  everyone@:r-x---a-R-c---:fd-----:allow


What you are describing is normal behavior. Remove the everyone@ ACE and people who aren't "ivan" or a member of "secret" will not be able to access the share. If File Explorer is causing problems, you can remove it via the following command: setfacl -x everyone@::allow /mnt/main-4TB-mirror/IDATTLC
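The ACL evaluation behind this answer, as an added example that is not code from the thread or from FreeNAS: it parses the getfacl output posted above and applies the NFSv4 rule that ACEs are walked in order and the first ACE naming a requested bit for a matching principal decides that bit. It shows why "ivan" can write (owner@ matches him, and everyone@ would match him too), why a member of "secret" can write, why any other authenticated user gets only the read-ish bits that Explorer displays as "Read" for Everyone, and what remove_everyone_allow() (the same effect as the setfacl -x command above) leaves behind. The users "alice" and "bob" and the group "users" are made up for the demonstration. Note that this evaluates the one directory's ACL; files already created underneath carry their own ACEs, which is why propagating the change through the tree matters.

```python
"""Evaluate NFSv4 ACLs (the form getfacl prints on FreeBSD/FreeNAS) for a user."""
from dataclasses import dataclass

# Sample input copied from the getfacl output posted in the thread
# (the default ACL of a newly created dataset).
DEFAULT_ACL = """\
# file: /mnt/main-4TB-mirror/IDATTLC/
# owner: ivan
# group: secret
  owner@:rwxpDdaARWcCos:fd-----:allow
  group@:rwxpDdaARWcCos:fd-----:allow
  everyone@:r-x---a-R-c---:fd-----:allow
"""

# Permission letters in the order getfacl prints them:
# read_data, write_data, execute, append_data, delete_child, delete,
# read_attributes, write_attributes, read_xattr, write_xattr,
# read_acl, write_acl, write_owner, synchronize.
PERM_LETTERS = "rwxpDdaARWcCos"


@dataclass(frozen=True)
class Ace:
    principal: str      # owner@ | group@ | everyone@ | user:NAME | group:NAME
    perms: frozenset    # subset of PERM_LETTERS
    flags: str          # inheritance flags, e.g. "fd-----"
    kind: str           # "allow" or "deny"


@dataclass
class Acl:
    owner: str
    group: str
    aces: list


def parse_getfacl(text):
    """Parse getfacl output into an Acl; comment lines other than owner/group are ignored."""
    owner = group = None
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue
        else:
            parts = line.split(":")
            if len(parts) == 5:              # user:NAME:perms:flags:type
                principal = f"{parts[0]}:{parts[1]}"
                perms, flags, kind = parts[2:]
            elif len(parts) == 4:            # owner@:perms:flags:type
                principal, perms, flags, kind = parts
            else:
                raise ValueError(f"unrecognised ACE: {line}")
            unknown = set(perms) - set(PERM_LETTERS) - {"-"}
            if unknown:
                raise ValueError(f"unknown permission letters {unknown} in {line}")
            aces.append(Ace(principal, frozenset(c for c in perms if c != "-"), flags, kind))
    return Acl(owner, group, aces)


def _matches(ace, acl, user, groups):
    """Does this ACE's principal apply to the requesting user?"""
    if ace.principal == "everyone@":
        return True                          # everyone@ includes the owner and group members
    if ace.principal == "owner@":
        return user == acl.owner
    if ace.principal == "group@":
        return acl.group in groups
    kind, _, name = ace.principal.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)


def check_access(acl, user, groups, wanted):
    """NFSv4 evaluation: walk ACEs in order; the first matching ACE that mentions a
    requested bit decides it. Access is granted only if every requested bit is allowed.
    `wanted` is a string of PERM_LETTERS, e.g. "rw"."""
    wanted = set(wanted)
    granted, denied = set(), set()
    for ace in acl.aces:
        if "i" in ace.flags:                 # inherit-only ACEs do not apply to this object
            continue
        if not _matches(ace, acl, user, groups):
            continue
        undecided = (ace.perms & wanted) - granted - denied
        if ace.kind == "allow":
            granted |= undecided
        else:
            denied |= undecided
        if wanted <= granted | denied:
            break
    return wanted <= granted


def remove_everyone_allow(acl):
    """Same effect on this object as `setfacl -x everyone@::allow <path>`."""
    kept = [a for a in acl.aces if not (a.principal == "everyone@" and a.kind == "allow")]
    return Acl(acl.owner, acl.group, kept)


if __name__ == "__main__":
    acl = parse_getfacl(DEFAULT_ACL)
    for who, grps in (("ivan", {"secret"}), ("alice", {"secret"}), ("bob", {"users"})):
        print(who, "read:", check_access(acl, who, grps, "r"),
              "write:", check_access(acl, who, grps, "w"))
    locked = remove_everyone_allow(acl)
    print("bob after removing everyone@:", check_access(locked, "bob", {"users"}, "r"))
```

The "Read" that Explorer shows for Everyone is the everyone@ bits r, x, a, R, c (read data, traverse, read attributes, read extended attributes, read ACL); write for ivan comes from owner@, not from that entry, which is the answer to "this permission is only Read but it allows editing".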
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
The dataset is owned by "ivan", you are authenticated as "ivan", ergo you can access the dataset. Default permissions on a newly-minted dataset are:
Code:
 owner@:rwxpDdaARWcCos:fd-----:allow
  group@:rwxpDdaARWcCos:fd-----:allow
  everyone@:r-x---a-R-c---:fd-----:allow

Hmm. 2 questions here:
1. How is it possible that I'm authenticated as "ivan"? All I did was type "\\192.168.99.10" in File Explorer. I did not enter any passwords or user names, not on the first or second computer.

2. Is it possible to change default permissions so there is no "Everyone"? Also I'm not sure it's important after I figure #1..

If File Explorer is causing problems, you can remove it via the following command: setfacl -x everyone@::allow /mnt/main-4TB-mirror/IDATTLC

Not sure what exactly it will do? Or, you mean, it will remove "Everyone" if I can't do it via File Explorer? I guess ideally I'd like to be able to use system without manually touching ACLs. Main problem is how come it thinks I'm coming in as "ivan"?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Hmm. 2 questions here:
1. How is it possible that I'm authenticated as "ivan"? All I did - typed "\\192.168.99.10" in File Explorer. I did not enter any passwords or user names.. Not on first or seconds computer..
In some situations Windows will cache credentials.
2. Is it possible to change default permissions so there is no "Everyone"? Also I'm not sure it's important after I figure #1..
No.
Not sure what exactly it will do? Or, you mean, it will remove "Everyone" if I can't do it via File Explorer? I guess ideally I'd like to be able to use system without manually touching ACLs.
At some point you have to touch ACLs. You're administering a server. You can remove the everyone ACE from your share using File Explorer or the CLI. File Explorer is nicer because it will automatically propagate the changes through the file tree.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Now I'm even more confused :)
Windows login name: "Ivan Lastname".
FreeNAS login name: "ivan"

I used the same password. Is it possible Windows is passing name/password as an attempt to log in and FreeNAS doesn't use the "Lastname" portion? This is the ONLY way I can see why it worked, because my other Win10 laptop was a brand new OS install a couple of days ago and I didn't log in to FreeNAS shares for sure!

Now I changed password in FreeNAS, restarted CIFS, tried to open share and got login prompt! All is well!

"You can remove the everyone ACE from your share using File Explorer or the CLI"

Now I have another question. "Everyone" means everyone should see/browse files. But it's not the case now. The way it seems to be working now, I'm OK with it. But why doesn't it let me browse anonymously? I'm "everyone" by default, no? Guest access is disabled right now; I'm just trying to understand what this "everyone" permission does right now and if there is any security risk.
 