I guess I'm not understanding something - shares going wild

Status
Not open for further replies.

katit

Contributor
Joined
Jun 16, 2015
Messages
162
If you read 10 topics below you see people having issues with CIFS shares becoming read-only, etc. And it's not just 1 case, there are many. I myself installed FreeNAS 2 days ago (9.3 STABLE) and BAM! - same issue. Ok, I gave up on setting anonymous/free/open share because in my case RO is fine. I created "home-users" group and then added 2 users to it. Added this group to permissions on Datasets (using root as a user on dataset) and called it a day.

What I observe is that in Windows "Everyone" gets read permissions. And I can create file but can't modify it. Also it gets "root" full access and "home-users" group full access. This is understandable, but what's NOT understandable is whole thing about "guest" user paradigm in FreeNAS.

I will say that I'm not an Admin, I'm Microsoft developer with 15+ years of experience and just recently I started to play with Linux. I have some basic Linux installations behind my belt. Asterisk, etc. So, I DO understand how linux permissions work. There is nothing really to it.

NOW. I do understand that SAMBA is nothing but software daemon serving Linux file system to the windows clients. And, FreeNAS using it for CIFS sharing. OK. I know I can play with it via .conf files but that's not "right", because I want to use FreeNAS gui.

So, issue #1:
1. ZFS is a *nix file system. When I create Dataset in storage, why would I even bother saying it's Windows or Mac?? It's on *nix, why is this needed? IMO if I share via CIFS - yes, it's Windows, so why even confuse like this?

2. When creating CIFS share. Looks like "Apply SANE permissions" is one part of ticket where FreeNAS will forward *nix permissions to windows, that's why we see them in security properties. Another part is "anonymous" access that's controlled via check boxes. And not working. If it's for Windows, why can't we just have *nix permissions forwarded to world? Where "anyone" level on *nix will transfer to "Everyone" on windows? That would be easiest and understandable. No need for "Read only", "Only anonymous", etc.

3. CIFS shares look like they work. But all of a sudden (and I had it happen couple times already) - on a windows side it will show "UNKNOWN" permission group. Or user. In console on FreeNAS it will throw something about deadlock and not able to lookup group by id and so on.

4. AFN (Mac TimeMachine). I was really happy. Setup share yesterday, my Mac happily started to backup via WiFi. I went to work, Mac re-connected (my routers tunneled) and kept backing up. Great! I decided let me take thunderbolt network adapter home and let my Mac complete backup over ethernet. Once connected - Mac can't find TimeMachine anymore. After restarting service (just because I learned to restart) - it won't connect still, and I was getting repetitive errors in FreeNAS console (there is plenty of topics on this). Connected via WiFi again - works! Connects! Well, maybe it should function like that, but I don't think Apple's device will behave like this..

5. Installed plugin Crashplan - Problem again. Until I modified .conf file - nothing worked. It's not FreeNAS product, but it kind of goes together with experience.

To be honest - I'm a little sad with a situation. On a surface set of features work great. And it is marketed to home users, etc. And there is GUI. But basic things just don't work right away. I'm not even sure if data is safe when system behaves like this in any place I touch. Usually I don't "complain" but this one been just weird feeling, I thought if something so popular - it should be working out of the box..
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
So, issue #1:
1. ZFS is a *nix file system. When I create Dataset in storage, why would I even bother saying it's Windows or Mac?? It's on *nix, why is this needed? IMO if I share via CIFS - yes, it's Windows, so why even confuse like this?
ZFS natively supports nfsv4 acls, which are managed through setfacl rather than chmod. Among other things, selecting Windows/Mac dataset changes the ZFS property 'aclmode' to 'restricted', which prevents users / applications from accidentally clobbering the acls through chmod operations.

2. When creating CIFS share. Looks like "Apply SANE permissions" is one part of ticket where FreeNAS will forward *nix permissions to windows, that's why we see them in security properties. Another part is "anonymous" access that's controlled via check boxes. And not working. If it's for Windows, why can't we just have *nix permissions forwarded to world? Where "anyone" level on *nix will transfer to "Everyone" on windows? That would be easiest and understandable. No need for "Read only", "Only anonymous", etc.
it's not forwarding *nix permissions, it's exposing zfs's nfsv4 acls (which are largely identical to NTFS acls) to windows.

3. CIFS shares look like they work. But all of a sudden (and I had it happen couple times already) - on a windows side it will show "UNKNOWN" permission group. Or user. In console on FreeNAS it will throw something about deadlock and not able to lookup group by id and so on.
That sounds like winbind is having problems resolving SID to GID. Post a debug file: 'system' -> 'advanced' -> 'debug'.


To be honest - I'm a little sad with a situation. On a surface set of features work great. And it is marketed to home users, etc. And there is GUI. But basic things just don't work right away. I'm not even sure if data is safe when system behaves like this in any place I touch. Usually I don't "complain" but this one been just weird feeling, I thought if something so popular - it should be working out of the box..

I haven't seen any problems yet on my freenas cifs servers so I'm not sure if there was a regression. Samba is complicated. Post your debug and I'll see if anything stands out. Feel free to send me a PM with it attached.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
anodos, See separate PM with logs. I think this message about "deadlock" is at the end of messages file. Not sure what else to look for :)

Thanks for explanation about nfsv4. Makes sense. But then why can't they call it proper names and let us manage permissions windows way? *nix - give us rwxrwxrwx on user/group/world and nfsv4 - users, groups and other goodies? Would make sense to me, maybe more complex but no "magic".
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
1. Why not use posix permissions with CIFS share? I prefer it because I don't need to manage permissions through windows but I like using smb because of its cross platform support.

2. Anonymous mode works great, it's just that people don't understand how it works. I don't even think it's complicated, it is just something with lots of variables so they always mess it up and can't keep the scope of the problem in their head to fix it.

3. The deadlock issue was fixed and you have a SID mapping issue that can be fixed.

4. You have a networking problem or winbind issue. Maybe double nat on your network?

5. Crashplan doesn't officially support freenas for freebsd for that matter. So expecting it to work flawlessly is too much. And the reason it is broken is because crashplan auto updates things and overwrote a config file that is used by java and was modified so it could run on freebsd. This is fixed in newer versions of the port but I don't think the plugin got updated with the new version of the port.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
1. Why not use posix permissions with CIFS share? I prefer it because I don't need to manage permissions through windows but I like using smb because of its cross platform support.
How do I do it? I don't try to manage permissions via Windows, this is how I was checking what do I get from FreeNAS after changing/setting permissions.

2. Anonymous mode works great, it's just that people don't understand how it works. I don't even think it's complicated, it is just something with lots of variables so they always mess it up and can't keep the scope of the problem in their head to fix it.
Is there any place where it's described? Documentation is very dry and shows only wizard which I'm hesitant to run after system is set, it's for first time, right?

you have a SID mapping issue that can be fixed.
How? And it's random. I can't reproduce it. Sometimes it will do it, sometimes it's fine. It only happens when I check "security" tab on windows machine.

4. You have a networking problem or winbind issue. Maybe double nat on your network?
Yes, it's some kind of DNS issue. I've seen in Mac history names like:
afp://FreeNAS-home._afpovertcp._tcp.local
afp://FreeNAS-home._afpovertcp._tcp.local.
(see differences in "." ?)

I didn't setup anything special network-wise, all defaults, just name changed. IP served by router (Mikrotik) by MAC address.

So, now I just access it by IP and call it done. Will see if it works long run on both wifi and wire.

5. Crashplan doesn't officially support freenas for freebsd for that matter. So expecting it to work flawlessly is too much. And the reason it is broken is because crashplan auto updates things and overwrote a config file that is used by java and was modified so it could run on freebsd. This is fixed in newer versions of the port but I don't think the plugin got updated with the new version of the port.
Hopefully it won't break on next update :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Just to summarize a few issues fixed here:

Ran following commands to resolve the SID to GID errors that winbind was throwing up:
Code:
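# Stop Samba so its databases are not in use while they are removed
service samba_server stop
# Remove Samba's state databases and private data so they are rebuilt
rm -rf /var/db/samba4/*
rm -rf /var/etc/private/*
# Remove foreign (stale) group mapping entries
net groupmap cleanup
# FreeNAS pre-start script regenerates the Samba configuration; then start Samba
service ix-pre-samba start
service samba_server start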


User had also checked the box "disable password login" in the user config for "guest". Remedy was to uncheck box "disable password login", and set a password for "guest".

edit: corrected instructions as specified below.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Actually, there is no "Change Password" button in my version of FreeNAS. I clicked "Edit", removed checkbox and set password
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
@anodos - Thanks a million for your script! I've used it to get rid of the SID error messages I'd been seeing. In my case, it was the owner group that caused the problems. After running your script, Windows displays the correct group name instead of the 'unknown' SID when I look at the security settings of CIFS shares.

(N.B.: I believe you're missing a '/' between 'private' and the '*' in the second 'rm' command.)
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Well.. Problem came back. Just normal use of CIFS shares, didn't even touch FreeNAS, no load whatsoever:

Code:
Jun 23 10:04:35 FreeNAS-home nmbd[2380]: *****
Jun 23 10:04:43 FreeNAS-home linux: pid 4668 (java): syscall inotify_init not implemented
Jun 23 10:04:43 FreeNAS-home linux: pid 5310 (java): syscall inotify_init not implemented
Jun 23 10:23:29 FreeNAS-home kernel: arp: 192.168.99.99 moved from 02:37:44:00:07:0a to 90:2b:34:13:6e:c9 on epair0b
Jun 23 10:43:30 FreeNAS-home winbindd[2390]: [2015/06/23 10:43:30.789238, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 10:43:30 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 10:43:30 FreeNAS-home smbd[12903]: [2015/06/23 10:43:30.810508, 0] ../source3/smbd/smb2_server.c:668(smb2_validate_message_id)
Jun 23 10:43:30 FreeNAS-home smbd[12903]: smb2_validate_message_id: client used more credits than granted, mid 5, charge 1, credits_granted 0, seqnum low/range: 5/0
Jun 23 10:43:35 FreeNAS-home winbindd[2390]: [2015/06/23 10:43:35.969053, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 10:43:35 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 10:58:40 FreeNAS-home winbindd[2390]: [2015/06/23 10:58:40.745933, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 10:58:40 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 10:59:56 FreeNAS-home winbindd[2390]: [2015/06/23 10:59:56.520519, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 10:59:56 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 14:36:55 FreeNAS-home winbindd[2390]: [2015/06/23 14:36:55.001809, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 14:36:55 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 15:08:44 FreeNAS-home winbindd[2390]: [2015/06/23 15:08:44.939815, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 15:08:44 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 18:53:29 FreeNAS-home winbindd[2390]: [2015/06/23 18:53:29.404074, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 18:53:29 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 18:53:29 FreeNAS-home smbd[26885]: [2015/06/23 18:53:29.476288, 0] ../source3/smbd/smb2_server.c:668(smb2_validate_message_id)
Jun 23 18:53:29 FreeNAS-home smbd[26885]: smb2_validate_message_id: client used more credits than granted, mid 5, charge 1, credits_granted 0, seqnum low/range: 5/0
Jun 23 18:53:34 FreeNAS-home winbindd[2390]: [2015/06/23 18:53:34.643371, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 18:53:34 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 20:21:17 FreeNAS-home kernel: arp: 192.168.99.99 moved from 02:37:44:00:07:0a to 90:2b:34:13:6e:c9 on epair0b
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I think this was finally fixed with the latest update. At least my groups seem to be working.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Nope. Installed update and here we go:

Jun 25 16:11:41 FreeNAS-home winbindd[2397]: [2015/06/25 16:11:41.911434, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 25 16:11:41 FreeNAS-home winbindd[2397]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
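
A small triage script for the winbindd errors in the log excerpts above, added here as an example; it is not code from any poster, FreeNAS or Samba. It groups the sam_rids_to_names failures by SID and reports, from the SID's structure alone, whether each one names a whole machine/domain or a single account. The sample lines are a subset copied from this thread, and the function names are assumptions of this example.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the syslog lines posted in this thread.
SAMPLE_LOG = """\
Jun 23 10:23:29 FreeNAS-home kernel: arp: 192.168.99.99 moved from 02:37:44:00:07:0a to 90:2b:34:13:6e:c9 on epair0b
Jun 23 10:43:30 FreeNAS-home winbindd[2390]: [2015/06/23 10:43:30.789238, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 23 10:43:30 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 10:43:30 FreeNAS-home smbd[12903]: smb2_validate_message_id: client used more credits than granted, mid 5, charge 1, credits_granted 0, seqnum low/range: 5/0
Jun 23 10:43:35 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
Jun 23 18:53:34 FreeNAS-home winbindd[2390]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOOKUP = re.compile(r"sam_rids_to_names: possible deadlock - trying to lookup SID (S-\d+(?:-\d+)+)")


def classify_sid(sid):
    """Say what kind of object a SID names, from its structure alone."""
    parts = sid.split("-")[1:]          # revision, authority, sub-authorities
    subauth = parts[2:]
    if parts[:2] == ["1", "5"] and subauth[:1] == ["21"]:
        # S-1-5-21-<a>-<b>-<c> identifies a machine or domain; one more
        # value after that is the RID of a single user or group inside it.
        if len(subauth) == 4:
            return "machine/domain SID (no RID)"
        if len(subauth) == 5:
            return "account SID, RID %s" % subauth[4]
    return "other"


def summarize_failed_lookups(log_text):
    """Group winbindd's failed SID lookups by SID, in order of first sight."""
    found = OrderedDict()
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m or m.group("proc") != "winbindd":
            continue                    # kernel, smbd and other daemons
        hit = LOOKUP.search(m.group("msg"))
        if not hit:
            continue                    # e.g. the source-location header line
        entry = found.setdefault(hit.group(1), {
            "kind": classify_sid(hit.group(1)), "count": 0,
            "first": m.group("ts"), "last": None, "pids": set()})
        entry["count"] += 1
        entry["last"] = m.group("ts")
        entry["pids"].add(int(m.group("pid")))
    return found


if __name__ == "__main__":
    for sid, e in summarize_failed_lookups(SAMPLE_LOG).items():
        print("%s  [%s]  %d failures, %s .. %s, winbindd pid(s) %s" % (
            sid, e["kind"], e["count"], e["first"], e["last"], sorted(e["pids"])))
```

On the lines posted in this thread, every failure is for the same SID, and that SID has no RID, so it names a machine or domain rather than one particular user or group.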
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Nope. Installed update and here we go:

Jun 25 16:11:41 FreeNAS-home winbindd[2397]: [2015/06/25 16:11:41.911434, 0] ../source3/winbindd/winbindd_samr.c:769(sam_rids_to_names)
Jun 25 16:11:41 FreeNAS-home winbindd[2397]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-398995748-1458836629-2535466209

At this point, perhaps you should consider one of the following:

1) Fresh install of latest FreeNAS on a new USB. Recreate your config and try to replicate the error.
2) File a bug report about the error.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Is it possible because of one of the windows clients cached something?
 