Lost access to SMB share "Permission Denied"

Joined
Jan 4, 2014
Messages
1,644
...and on the Windows 7 PC you are logged in as marlon?
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
As a test I just created a new dataset with no files called testvol, made an ACL with marlon as the user and all the inherit flags set. Double checked I have access to it on the shell when logged in as marlon and was able to create a file under /mnt/Storage/testvol. Once again able to see testvol folder on both Ubuntu and Windows but permission denied when trying to access it.
 
Joined
Jan 4, 2014
Messages
1,644
Let's forget Ubuntu for the moment and focus on Windows 7. Fix one thing first.

Make sure marlon on the PC has the same password as the marlon account on FreeNAS. I'm assuming you're authenticating as a local user and not through AD. Log in as marlon on the PC and attempt to access the share. Make sure there is nothing in the Windows Credential Manager.
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
Let's forget Ubuntu for the moment and focus on Windows 7. Fix one thing first.

Make sure marlon on the PC has the same password as the marlon account on FreeNAS. I'm assuming you're authenticating as a local user and not through AD. Log in as marlon on the PC and attempt to access the share.

The account on the windows 7 machine is local and has the same password as the freenas account so the username and passwords do match.
 
Joined
Jan 4, 2014
Messages
1,644
Double checked I have access to it on the shell when logged in as marlon and was able to create file under /mnt/Storage/testvol.
I'm unclear how you achieved this? You can only log in as root on a FreeNAS server.
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
My apologies on the wording, I meant switching the user:
Screenshot from 2020-04-28 12-13-28.png
 
Joined
Jan 4, 2014
Messages
1,644
Alright, the penny has dropped. I suggest you do not chop and change users and permissions between the GUI and Shell. I'm not surprised now that you're having problems. My recommendation to you is as follows:
  1. Keep it simple. Leave Ubuntu out of the equation for now. As SMB is native to Windows get that working first.
  2. Make all your user and permission changes (especially Unix mode bits) through the GUI.
  3. Do not work on mediashare, but get a test share working how you want it to work for the users and groups of mediashare. In the first instance, make marlon the owner of the share and make sure that share works with the Windows 7 user marlon.
  4. Then build up a more complex ACL. I leave you with this post.
  5. Once you're satisfied that the share behaves the way it should for various users, transfer what you have done to the mediashare.
  6. Finally, get it working with the Win10 Microsoft account and Ubuntu.
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
Alright, the penny has dropped. I suggest you do not chop and change users and permissions between the GUI and Shell. I'm not surprised now that you're having problems. My recommendation to you is as follows:
  1. Keep it simple. Leave Ubuntu out of the equation for now. As SMB is native to Windows get that working first.
  2. Make all your user and permission changes (especially Unix mode bits) through the GUI.
  3. Do not work on mediashare, but get a test share working how you want it to work for the users and groups of mediashare. In the first instance, make marlon the owner of the share and make sure that share works with the Windows 7 user marlon.
  4. Then build up a more complex ACL. I leave you with this post.
  5. Once you're satisfied that the share behaves the way it should for various users, transfer what you have done to the mediashare.
  6. Finally, get it working with the Win10 Microsoft account and Ubuntu.

I did not make any changes on the shell, just logged into the shell to verify that the permissions that were on the ACL actually did take effect on the directories. The only thing I created on the shell was the test file under the testvol.

At the moment I am working with the testvol instead of mediashare. Will look into the instructions in the post.
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
Ok, I deleted the test dataset I had and started fresh leaving mediashare alone. I also created a new user and group and set as the owner on the ACL of the new dataset I created, testvol. I tried accessing that share from win7 and the same problem again, I can see the testvol folder but get permission denied when trying to access it as the new user I created.

*****
At the time I was actually working on a virtual box vm with a couple vdisks that I installed freenas 11.3 on for testing. I setup dataset/share and users in the same scenario as my original physical freenas configuration.
Dataset - storage
SMB share - storage (/mnt/pool1/storage)
Group - users
User - john
*Permissions of the dataset was setup with owner and group as john and users respectively. ACL was created with the inherit flags set to on. Basically similar to my current mediashare and testvol setup.

Now tested access to this share from the win7 machine and I have access logging in as the john user when prompted. Here is how the credential manager looks:

Screenshot from 2020-04-28 13-40-04.png


Now I am a bit lost. I have tried comparing the smb4.conf of the virtual box freenas to the physical freenas machine and they are basically the same. Also compared the smb4_share.conf between the 2 freenas systems and the shares have the same settings. Is there anything else I should look into comparing?

Is there a log on the freenas for when accessing the samba share?
 
Joined
Jan 4, 2014
Messages
1,644

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
I'm not exactly sure what you're saying. Are you saying you're seeing the correct behaviour with the FreeNAS VM, but not with the physical system?


This post may be useful. https://www.ixsystems.com/community...fine-now-gets-access-denied.80078/post-555129

Yes, I am seeing the correct behavior from the Freenas VM. On the Freenas VM I have the dataset, user and shares setup similarly to my physical Freenas machine and I am able to connect to the Freenas VM shares without issue.

I have been comparing the settings between both installations but can find no difference. I have since compared both smb4.conf and the smb4_share.conf and they have the settings and parameters.

At the moment I am looking at the logs under /var/log/samba for errors, which I do see a few. Will post in a bit.
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
Thank you sir, that post was indeed helpful, currently looking into the log.smbd when I attempt to log in from one of my clients:

Code:
root@freenas[/usr/local/etc]# tail -f /var/log/samba4/log.smbd
  daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[2018/09/19 15:33:10.107356,  0] ../../source3/smbd/server.c:1788(main)
  smbd version 4.10.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2018/09/19 15:33:10.109828,  1] ../../source3/profile/profile_dummy.c:30(set_profile_level)
  INFO: Profiling support unavailable in this build.
[2018/09/19 15:33:10.424275,  1] ../../source3/smbd/files.c:227(file_init_global)
  file_init_global: Information only: requested 460701 open files, 59392 are available.
[2018/09/19 15:33:10.430670,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[2018/09/19 15:34:30.572146,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user []\[] at [Wed, 19 Sep 2018 15:34:30.572006 PDT] with [No-Password] status [NT_STATUS_OK] workstation [] remote host [ipv4:192.168.2.11:60392] became [FREENAS]\[nobody] [S-1-5-21-2531957174-576608748-821182387-501]. local host [ipv4:192.168.2.100:139]
[2018/09/19 15:34:30.572508,  5] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,NTLMSSP] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 19 Sep 2018 15:34:30.572496 PDT] Remote host [ipv4:192.168.2.11:60392] local host [ipv4:192.168.2.100:139]
[2018/09/19 15:34:30.573439,  1] ../../source3/smbd/service.c:348(create_connection_session_info)
  create_connection_session_info: guest user (from session setup) not permitted to access this share (IPC$)
[2018/09/19 15:34:30.573544,  1] ../../source3/smbd/service.c:531(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2018/09/19 15:34:42.048930,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[marlon] at [Wed, 19 Sep 2018 15:34:42.048898 PDT] with [NTLMv2] status [NT_STATUS_OK] workstation [MBLPC] remote host [ipv4:192.168.2.11:60394] became [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032]. local host [ipv4:192.168.2.100:139]
[2018/09/19 15:34:42.057469,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,NTLMSSP] user [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032] at [Wed, 19 Sep 2018 15:34:42.057447 PDT] Remote host [ipv4:192.168.2.11:60394] local host [ipv4:192.168.2.100:139]
[2018/09/19 15:34:42.060403,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032] at [Wed, 19 Sep 2018 15:34:42.060378 PDT] Remote host [ipv4:192.168.2.11:60394] local host [ipv4:192.168.2.100:139]
[2018/09/19 15:34:42.065688,  1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2018/09/19 15:34:42.065816,  1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
  pcap cache not loaded
[2018/09/19 15:34:46.775736,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[Admin] at [Wed, 19 Sep 2018 15:34:46.775595 PDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MBLPC] remote host [ipv4:192.168.2.11:54258] mapped to [WORKGROUP]\[Admin]. local host [ipv4:192.168.2.100:445]
[2018/09/19 15:35:13.996126,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[marlon] at [Wed, 19 Sep 2018 15:35:13.996090 PDT] with [NTLMv2] status [NT_STATUS_OK] workstation [MBLPC] remote host [ipv4:192.168.2.11:54260] became [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032]. local host [ipv4:192.168.2.100:445]
[2018/09/19 15:35:13.997537,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,NTLMSSP] user [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032] at [Wed, 19 Sep 2018 15:35:13.997513 PDT] Remote host [ipv4:192.168.2.11:54260] local host [ipv4:192.168.2.100:445]
[2018/09/19 15:35:14.030909,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 15:35:14.031295,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 15:35:14.031695,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 15:35:14.032502,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 15:35:14.032903,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
Also, here is the getfacl which is reflected on the GUI, r+w+x for group and owner:

Code:
root@freenas[/usr/local/etc]# getfacl /mnt/Storage/Mediaset   
# file: /mnt/Storage/Mediaset
# owner: marlon
# group: mediashare
            owner@:rwxp--aARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c--s:fd-----:allow
         everyone@:--------------:fd-----:allow
 
Joined
Jan 4, 2014
Messages
1,644
We're now in the realm of the black arts as far as I'm concerned and I need to bow out to a higher authority. Good luck with progressing this. I'll be watching this thread with interest.
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
We're now in the realm of the black arts as far as I'm concerned and I need to bow out to a higher authority. Good luck with progressing this. I'll be watching this thread with interest.

Thank you for all the assistance thus far. Below I have broken up the log based on the individual steps taken with trying to establish the connection for anyone who might want to chime in.

Output of tail -f /var/log/samba4/log.smbd
*This is after setting "log level =1 auth_audit:5" under services->SMB. This connection is taking place from an Ubuntu client.

Before establishing connection:

Code:
root@freenas[/usr/local/etc]# tail -f /var/log/samba4/log.smbd
  daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[2018/09/19 20:29:48.473101,  0] ../../source3/smbd/server.c:1788(main)
  smbd version 4.10.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2018/09/19 20:29:48.475589,  1] ../../source3/profile/profile_dummy.c:30(set_profile_level)
  INFO: Profiling support unavailable in this build.
[2018/09/19 20:29:48.814326,  1] ../../source3/smbd/files.c:227(file_init_global)
  file_init_global: Information only: requested 460701 open files, 59392 are available.
[2018/09/19 20:29:48.820149,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'smbd' finished starting up and ready to serve connections


After establishing connection to Freenas (smb://192.168.2.100) where the media share folder now appears browsable:

Code:
[2018/09/19 20:31:59.350689,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[marlon] at [Wed, 19 Sep 2018 20:31:59.350657 AST] with [NTLMv2] status [NT_STATUS_OK] workstation [MBLPC] remote host [ipv4:192.168.2.11:60848] became [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032]. local host [ipv4:192.168.2.100:139]
[2018/09/19 20:31:59.354052,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,NTLMSSP] user [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032] at [Wed, 19 Sep 2018 20:31:59.354032 AST] Remote host [ipv4:192.168.2.11:60848] local host [ipv4:192.168.2.100:139]
[2018/09/19 20:31:59.356957,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032] at [Wed, 19 Sep 2018 20:31:59.356932 AST] Remote host [ipv4:192.168.2.11:60848] local host [ipv4:192.168.2.100:139]
[2018/09/19 20:31:59.359883,  1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2018/09/19 20:31:59.359994,  1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
  pcap cache not loaded


Attempting to open mediashare folder when it prompts for login authentication:

Code:
[2018/09/19 20:32:55.156599,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [srvsvc,ncacn_np] user [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032] at [Wed, 19 Sep 2018 20:32:55.156580 AST] Remote host [ipv4:192.168.2.11:60848] local host [ipv4:192.168.2.100:139]
[2018/09/19 20:32:55.157247,  1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2018/09/19 20:32:55.157316,  1] ../../source3/smbd/server_reload.c:64(delete_and_reload_printers)
  pcap cache not loaded
[2018/09/19 20:32:55.289971,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[Admin] at [Wed, 19 Sep 2018 20:32:55.289829 AST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MBLPC] remote host [ipv4:192.168.2.11:54712] mapped to [WORKGROUP]\[Admin]. local host [ipv4:192.168.2.100:445] 


After login failure (failed to mount windows share: permission denied)

Code:
[2018/09/19 20:33:50.085482,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[marlon] at [Wed, 19 Sep 2018 20:33:50.085447 AST] with [NTLMv2] status [NT_STATUS_OK] workstation [MBLPC] remote host [ipv4:192.168.2.11:54718] became [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032]. local host [ipv4:192.168.2.100:445]
[2018/09/19 20:33:50.087034,  4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,NTLMSSP] user [FREENAS]\[marlon] [S-1-5-21-2531957174-576608748-821182387-1032] at [Wed, 19 Sep 2018 20:33:50.087012 AST] Remote host [ipv4:192.168.2.11:54718] local host [ipv4:192.168.2.100:445]
[2018/09/19 20:33:50.118213,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 20:33:50.118595,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 20:33:50.118855,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 20:33:50.119320,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 20:33:50.119539,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
I am looking at a particular line when it prompts for login authentication:

Code:
[2018/09/19 20:32:55.289971,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[Admin] at [Wed, 19 Sep 2018 20:32:55.289829 AST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MBLPC] remote host [ipv4:192.168.2.11:54712] mapped to [WORKGROUP]\[Admin]. local host [ipv4:192.168.2.100:445]


"workstation [MBLPC] remote host [ipv4:192.168.2.11:54712] mapped to [WORKGROUP]\[Admin]"

Is this normal operation when trying to access a samba share? I don't have an Admin user at the moment, trying to recall if I ever created a user named admin on Freenas initially.
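
An added example, not part of the original thread: a small Python parser for the Auth: records that auth_audit writes to log.smbd, separating logons Samba rejected (such as the NT_STATUS_NO_SUCH_USER for Admin) from logons that were accepted and then followed by chdir_current_service() failed!. The sample lines are constructed in the format shown in the posts above, with placeholder addresses and SID, and attributing a chdir failure to the most recently accepted logon is an assumption of this example.

```python
import re
from collections import Counter

# Matches the human-readable "Auth:" record written by Samba's auth_audit logging.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<when>[^\]]*)\] with \[(?P<method>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
    r" (?P<outcome>became|mapped to) \[(?P<to_domain>[^\]]*)\]\\\[(?P<to_user>[^\]]*)\]"
)

# Constructed sample in the thread's log format; addresses and SID are placeholders.
SAMPLE = r"""[2018/09/19 20:32:55.289971,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[Admin] at [Wed, 19 Sep 2018 20:32:55.289829 AST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MBLPC] remote host [ipv4:192.0.2.11:54712] mapped to [WORKGROUP]\[Admin]. local host [ipv4:192.0.2.100:445]
[2018/09/19 20:33:50.085482,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[marlon] at [Wed, 19 Sep 2018 20:33:50.085447 AST] with [NTLMv2] status [NT_STATUS_OK] workstation [MBLPC] remote host [ipv4:192.0.2.11:54718] became [FREENAS]\[marlon] [S-1-5-21-1-2-3-1032]. local host [ipv4:192.0.2.100:445]
[2018/09/19 20:33:50.118213,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2018/09/19 20:33:50.118595,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
"""


def parse_auth_events(text):
    """Return one dict per Auth: record found in the log text."""
    return [m.groupdict() for m in AUTH_RE.finditer(text)]


def triage(text):
    """Split rejected logons from accepted logons that then fail at the share path."""
    rejected, chdir_after_ok = [], Counter()
    last_ok = None  # most recent account smbd accepted (heuristic attribution)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            if m["status"] == "NT_STATUS_OK":
                last_ok = f'{m["to_domain"]}\\{m["to_user"]}'
            else:
                # Authentication itself failed: wrong or unknown account was sent.
                rejected.append((f'{m["domain"]}\\{m["user"]}', m["status"], m["remote"]))
        elif "chdir_current_service() failed" in line and last_ok:
            # Logon succeeded, but smbd could not enter the share directory as that user.
            chdir_after_ok[last_ok] += 1
    return {"rejected": rejected, "chdir_after_ok": dict(chdir_after_ok)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for who, status, remote in report["rejected"]:
        print(f"rejected logon: {who} {status} from {remote}")
    for who, count in report["chdir_after_ok"].items():
        print(f"accepted logon then {count} chdir failure(s): {who}")
```

A rejected logon points at the credentials the client sent, while an accepted logon followed by chdir failures points at the filesystem permissions on the share path.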
 

Cascadoo

Dabbler
Joined
Apr 27, 2020
Messages
33
I just fired up my virtual box Freenas and looked at the output of the log.smbd file to compare with my physical freenas. At no point on the virtual freenas does it try to map the remote host/ client to WORKGROUP\Admin. I have no idea why this is happening on the physical freenas, which I am assuming may be part of the problem.
 

Yorick

Wizard
Joined
Nov 4, 2018
Messages
1,912
What's in /usr/local/etc/smbusername.map?

The only mapping I'm aware of that should be happening is the "Microsoft account" one that handles email. And, I'm no SMB expert.

༼ つ ◕_◕ ༽つ༼ つ ◕_◕ ༽つ Summoning @anodos ༼ つ ◕_◕ ༽つ༼ つ ◕_◕ ༽つ
 