Permissions - CIFS won't pull user or group from the network.

Status
Not open for further replies.

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
I have been fighting with this bloody thing all afternoon now. I've read the docs, searched the forums and searched google with no luck. If the answer is out there, I can't find it.

I have a bunch of shares set up. With default FreeNAS permissions I can access them all, no problem, with the corresponding owner user and users within the owner group. I can change the specific permissions for the owner user and owner group from within windows. I can change the owner user and owner group within FreeNAS and it updates in Windows. Cool!

HOWEVER I can NOT add new users or new groups from within Windows. I was following this guy's guide and everything works perfectly except I can't add users/groups using the Windows security panel as he does. He makes it look really easy and I get a supremely irritating error:

https://youtu.be/QhwOyLtArw0?t=6m48s

[Attached image: Untitled-1.jpg]


I get the same error regardless of whether I'm searching for a group or user BUT I can set those groups or users as the Owner Group or Owner User and those changes are easily reflected.

As far as I can tell, not being able to add other groups or users will REALLY limit my ability to set up multiple groups or users with different read/write privileges.

Is this a bug or am I screwing something up?
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
> I was following this guy's guide and everything works perfectly except I can't add users/groups using the Windows security panel as he does.

That guy was me! :D

> He makes it look really easy

It is. ;)

Have you tried using the 'Advanced' button on the 'Select Users or Groups' box, then selecting 'Find Now' when the advanced dialog appears? It will list all users/groups available on the FreeNAS server.
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
> That guy was me! :D
>
> It is. ;)
>
> Have you tried using the 'Advanced' button on the 'Select Users or Groups' box, then selecting 'Find Now' when the advanced dialog appears? It will list all users/groups available on the FreeNAS server.

That guy definitely was you! :D Good videos!

I'm not sure what box you're talking about, I might not have it... You mean right click on network drive>Properties>Security Tab>Advanced?

I did notice that your interface for disabling inheritance was different than mine. You had a button and I have 2 check-boxes. I'm running Win7 Ultimate.
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
OK, I think I know what you're talking about. It brings up the search dialog? It wouldn't let me put anything in for the filter options so the only option appears to be hitting "Find Now". It lists a bunch of stuff but none of the users or groups that have been created in FreeNAS... which is weird because those permissions definitely appear when they are used for Owner (User) and Owner (Group).

[Attached image: Untitled-1.jpg]
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
OK, I actually managed to add permissions for a user by way of setfacl but the instructions for FreeBSD commands are a f'ing nightmare. Anyway, it is possible to get windows to recognize that user on top of the Owner(user) and Owner(group) settings in FreeNAS. So if I can set the permissions from the FreeNAS CLI, how come I can't get the stupid windows operating system to find and use those groups and users?
 
Joined
Jul 10, 2016
Messages
521
I tried this on my share, and Search Results after doing the "Find Now" in the stupid windows popup only seem to show the FreeNAS users, when the user that is doing this in Windows is mapped/connected with a user that belongs to the "wheel" group.
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
Another irritating issue.

If I set the permissions of the parent folder to allow the group Users (of which User1 is a member) to access it with read only permissions and then use setfacl to set User1 with permission to access a subfolder, with full "special permissions" excluding only the ability to change the user permissions, when I log into the share with the User1 ID it looks like the password is accepted but kicks me out because I don't have permission to read the parent directory contents. However, if I give User1 full control without the special permissions prohibiting the modification of permissions, User1 can read-only the parent folder, modify and do stuff in the sub folder.... but that user1 can just modify parent folder permissions and gain access to the whole directory.

I'm starting to hate Windows much more than I used to. This CIFS permissions stuff is f'ing retarded. Don't understand why this can't just be easy. Honestly, I feel like modifying the permissions on the windows side is a complete waste of time and the ENTIRE process should take place on the FreeNAS side.

Here's a clarification of what I'm talking about. This is the scenario in which the User, LeaveItToCleaver can't access the directory /mnt/DirtyData/Shared even though that user is a member of the group Users and the group Users has full read access.

Code:
[root@Nassy] ~# setfacl -m g:Users:read_set::allow /mnt/DirtyData/Shared
[root@Nassy] ~# getfacl /mnt/DirtyData/Shared
# file: /mnt/DirtyData/Shared
# owner: Primo
# group: nogroup
  group:Users:r-----a-R-c---:-------:allow
  owner@:rwxpDdaARWcCo-:fd-----:allow
[root@Nassy] ~# setfacl -m g:Users:read_set:fd:allow /mnt/DirtyData/Shared
[root@Nassy] ~# getfacl /mnt/DirtyData/Shared
# file: /mnt/DirtyData/Shared
# owner: Primo
# group: nogroup
  group:Users:r-----a-R-c---:fd-----:allow
  owner@:rwxpDdaARWcCo-:fd-----:allow
[root@Nassy] ~# setfacl -m u:LeaveItToCleaver:modify_set:fd:allow /mnt/DirtyData/Shared/LeaveItToCleaver
[root@Nassy] ~# getfacl /mnt/DirtyData/Shared
# file: /mnt/DirtyData/Shared
# owner: Primo
# group: nogroup
  group:Users:r-----a-R-c---:fd-----:allow
  owner@:rwxpDdaARWcCo-:fd-----:allow
[root@Nassy] ~# getfacl /mnt/DirtyData/Shared/LeaveItToCleaver
# file: /mnt/DirtyData/Shared/LeaveItToCleaver
# owner: Primo
# group: nogroup
user:LeaveItToCleaver:rwxpDdaARWc--s:fd-----:allow
  owner@:rwxpDdaARWcCo-:fd-----:allow


> I tried this on my share, and Search Results after doing the "Find Now" in the stupid windows popup only seem to show the FreeNAS users, when the user that is doing this in Windows is mapped/connected with a user that belongs to the "wheel" group.

Interesting idea but I just set the owner as root and then mapped the share with the user as root and that didn't work either. root is a default member of wheel, if I'm not mistaken.
 
Last edited:
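The `getfacl` output in the post above shows `read_set` as `r-----a-R-c---`, with no `x` (execute) bit, and on a directory that bit is what permits traversal. As an added example (not code from any poster or from FreeNAS), this simplified NFSv4 ACL evaluator parses that output and reports the first directory a user cannot traverse. The function names are illustrative; it assumes LeaveItToCleaver is a member of Users, as the post states, and it ignores root and other privilege overrides.

```python
PERMS = "rwxpDdaARWcCos"  # FreeBSD compact NFSv4 permission letters, column order

# getfacl output for the two directories, copied from the post above.
SAMPLE = """\
# file: /mnt/DirtyData/Shared
# owner: Primo
# group: nogroup
  group:Users:r-----a-R-c---:fd-----:allow
  owner@:rwxpDdaARWcCo-:fd-----:allow
# file: /mnt/DirtyData/Shared/LeaveItToCleaver
# owner: Primo
# group: nogroup
user:LeaveItToCleaver:rwxpDdaARWc--s:fd-----:allow
  owner@:rwxpDdaARWcCo-:fd-----:allow
"""


def parse_getfacl(text):
    """Return {path: {"owner", "group", "aces": [(who, perms, flags, type)]}}."""
    acls, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# file:"):
            cur = {"owner": None, "group": None, "aces": []}
            acls[line.split(":", 1)[1].strip()] = cur
        elif line.startswith("# owner:"):
            cur["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            cur["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            parts = line.split(":")
            # owner@ / group@ / everyone@ carry no qualifier; user: and group: do.
            who = parts[0] if parts[0].endswith("@") else ":".join(parts[:2])
            perms, flags, ace_type = parts[-3:]
            cur["aces"].append((who, set(perms) - {"-"}, set(flags) - {"-"}, ace_type))
    return acls


def effective(acl, user, groups):
    """Bits granted on the object itself; the first matching ACE decides each bit."""
    allowed, decided = set(), set()
    for who, perms, flags, ace_type in acl["aces"]:
        if "i" in flags:  # inherit-only ACEs apply to children, not this object
            continue
        match = (who == "everyone@"
                 or (who == "owner@" and user == acl["owner"])
                 or (who == "group@" and acl["group"] in groups)
                 or who == "user:" + user
                 or (who.startswith("group:") and who[len("group:"):] in groups))
        if match:
            fresh = perms - decided
            if ace_type == "allow":
                allowed |= fresh
            decided |= fresh
    return "".join(p for p in PERMS if p in allowed)


def first_blocked_dir(acls, target, user, groups):
    """First directory on the way to `target` (with a known ACL) lacking traverse (x)."""
    parts = target.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        path = "/" + "/".join(parts[:i])
        if path in acls and "x" not in effective(acls[path], user, groups):
            return path
    return None


if __name__ == "__main__":
    acls = parse_getfacl(SAMPLE)
    target = "/mnt/DirtyData/Shared/LeaveItToCleaver"
    print(effective(acls["/mnt/DirtyData/Shared"], "LeaveItToCleaver", {"Users"}))
    print(first_blocked_dir(acls, target, "LeaveItToCleaver", {"Users"}))
```
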

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
> I'm starting to hate Windows much more than I used to. This CIFS permissions stuff is f'ing retarded. Don't understand why this can't just be easy. Honestly, I feel like modifying the permissions on the windows side is a complete waste of time and the ENTIRE process should take place on the FreeNAS side.
>
> Here's a clarification of what I'm talking about. This is the scenario in which the User, LeaveItToCleaver can't access the directory /mnt/DirtyData/Shared even though that user is a member of the group Users and the group Users has full read access.

You're doing it wrong... Once you set the initial Permissions for the DataSet on FreeNAS; do the rest via Windows Explorer while mapped to the Share with credentials from the Server (Like: FreeNAS\UserName). Don't need to go setting rights via CLI or anything...

It really is this easy...

Just did a quick example over in this thread: https://forums.freenas.org/index.php?threads/users-and-groups-not-showing-up-in-windows-7.46023/
While not 100% exactly like @m0nkey_ 's instructions, the results are the same... *** Excuse the formatting, it got all jacked up and I am too lazy to try and sort it out.
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
Yes, I'm aware that I'm supposed to be setting the permissions from the client computer. I used setfacl to see if it would work, and it does. This is some sort of stupid windows/unix problem that probably shouldn't be an issue but it is for some reason. Is it possible that this is a bug in 9.10.1?

I just followed your instructions in the other thread and no dice.
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
Code:
[global]
  server max protocol = SMB3
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 937730
  logging = file
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = nobody
  map to guest = Bad User
  obey pam restrictions = yes
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  nsupdate command = /usr/local/bin/samba-nsupdate -g
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  lm announce = yes
  hostname lookups = yes
  time server = yes
  acl allow execute always = true
  dos filemode = yes
  multicast dns register = yes
  domain logons = no
  local master = yes
  idmap config *: backend = tdb
  idmap config *: range = 90000001-100000000
  server role = standalone
  netbios name = NASSY
  workgroup = WORKGROUP
  security = user
  pid directory = /var/run/samba
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 1

[Movies]
  path = /mnt/DirtyData/Movies
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl aio_pthread streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare


[Shared]
  path = /mnt/DirtyData/Shared
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl aio_pthread streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare


[Stuff]
  path = /mnt/DirtyData/Stuff
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = no
  vfs objects = zfs_space zfsacl aio_pthread streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare


Code:
[root@Nassy] /usr/local/etc# net getlocalsid
SID for domain NASSY is: S-1-5-21-2865249077-746301568-3381525297

[root@Nassy] /usr/local/etc# net getdomainsid
SID for local machine NASSY is: S-1-5-21-2865249077-746301568-3381525297
Could not fetch domain SID

[root@Nassy] /usr/local/etc# net usersidlist
NASSY\root
S-1-5-21-2865249077-746301568-3381525297-1000
S-1-1-0
S-1-5-2
S-1-5-11
NASSY\guest
S-1-5-21-2865249077-746301568-3381525297-1002
S-1-1-0
S-1-5-2
S-1-5-11
S-1-5-21-2865249077-746301568-3381525297-1001
NASSY\leaveittocleaver
S-1-5-21-2865249077-746301568-3381525297-1004
S-1-1-0
S-1-5-2
S-1-5-11
S-1-5-21-2865249077-746301568-3381525297-1001
S-1-5-21-2865249077-746301568-3381525297-1003
NASSY\primo
S-1-5-21-2865249077-746301568-3381525297-3002
S-1-1-0
S-1-5-2
S-1-5-11
S-1-5-21-2865249077-746301568-3381525297-1001

[root@Nassy] /usr/local/etc# net groupmap list
BasicBitches (S-1-5-21-2865249077-746301568-3381525297-1003) -> BasicBitches
Users (S-1-5-21-2865249077-746301568-3381525297-1001) -> Users


Code:
[root@Nassy] /usr/local/etc# pdbedit -L -v
---------------
Unix username:  root
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-2865249077-746301568-3381525297-1000
Primary Group SID:  S-1-5-21-2865249077-746301568-3381525297-513
Full Name:  root
Home Directory:  \\nassy\root
HomeDir Drive:
Logon Script:
Profile Path:  \\nassy\root\profile
Domain:  NASSY
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Kickoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Password last set:  Mon, 22 Aug 2016 16:10:30 PDT
Password can change:  Mon, 22 Aug 2016 16:10:30 PDT
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  Guest
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-2865249077-746301568-3381525297-1002
Primary Group SID:  S-1-5-21-2865249077-746301568-3381525297-513
Full Name:  Guest
Home Directory:  \\nassy\guest
HomeDir Drive:
Logon Script:
Profile Path:  \\nassy\guest\profile
Domain:  NASSY
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Kickoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Password last set:  Tue, 13 Sep 2016 15:54:14 PDT
Password can change:  Tue, 13 Sep 2016 15:54:14 PDT
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  LeaveItToCleaver
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-2865249077-746301568-3381525297-1004
Primary Group SID:  S-1-5-21-2865249077-746301568-3381525297-513
Full Name:  Brenden Cleaver
Home Directory:  \\nassy\leaveittocleaver
HomeDir Drive:
Logon Script:
Profile Path:  \\nassy\leaveittocleaver\profile
Domain:  NASSY
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Kickoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Password last set:  Tue, 13 Sep 2016 16:26:50 PDT
Password can change:  Tue, 13 Sep 2016 16:26:50 PDT
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  Primo
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-2865249077-746301568-3381525297-3002
Primary Group SID:  S-1-5-21-2865249077-746301568-3381525297-513
Full Name:  Mike
Home Directory:  \\nassy\primo
HomeDir Drive:
Logon Script:
Profile Path:  \\nassy\primo\profile
Domain:  NASSY
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Kickoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Password last set:  Tue, 13 Sep 2016 14:49:04 PDT
Password can change:  Tue, 13 Sep 2016 14:49:04 PDT
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
*facepalm* Don't be futzing with the CLI. You don't want to be doing that in 9.3, you'll have freedom in the CLI when 10 is released! :D
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
> *facepalm* Don't be futzing with the CLI. You don't want to be doing that in 9.3, you'll have freedom in the CLI when 10 is released! :D

As long as you don't leave the "CLI" and end up in the Unix shell. I'd say it's about the same level of freedom you'd get at Disneyland. You can go wherever you want in the park, do the stuff that's available and that's it. Things don't end well if you sneak into the tunnel network under the Magic Kingdom. :p
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
^I'm guessing those are jokes. If so, they went right over my head :/

Do you guys know what I'm doing wrong, if anything (but almost certainly something)?
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
> Do you guys know what I'm doing wrong, if anything (but almost certainly something)?

Not sure how much more light I can shed on the matter. I did those instructions live as I was doing it on FreeNAS, so I know they work. If I think of anything else, I'll post back... :(
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
@Mirfster OK, I followed your instructions in THIS post word for word. The very first thing I discovered is that when I try to log into the share that I just set up, which is owned by "root" user and "ServerAdmins" Group with the "SuperAdminDude" user as a member of the "ServerAdmins" group, the password doesn't work. So I get the feeling that something is screwy with FreeNAS. Now, I upgraded from 9.10.? to 9.10.1 the other day, before I started playing with this stuff. Is it possible that something is f'd from the install that is messing everything up?

I just did a "Verify Install" and got this:
Code:
The following Inconsistencies were found in your Current Install:

List of Checksum Mismatches:

/conf/base/etc/local/default/grub
List of Files/Directories/Symlinks not Found:

/compat/linux/proc/.donotremove
List of Permission Errors:

/lib/libalias.so.7 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libcrypt.so.5 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libctf.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libdevstat.so.7 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libgcc_s.so.1 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libipsec.so.4 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libjail.so.1 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libkiconv.so.4 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libm.so.5 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libmd.so.6 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libmt.so.5 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libncurses.so.8 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libncursesw.so.8 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libpcap.so.8 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libreadline.so.8 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libsbuf.so.6 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libssp.so.0 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libulog.so.0 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libutil.so.9 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libz.so.6 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/usr/local/share/certs/ca-root-nss.crt Expected MODE: 0644, Got: 0775
Expected GID: 0, Got: 65533
/usr/sbin/mailwrapper Expected MODE: 0555, Got: 0775
Expected GID: 0, Got: 65533
/usr/sbin/rmt Expected MODE: 0555, Got: 0775
Expected GID: 0, Got: 65533
/usr/share/misc/termcap Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/compat/linux/proc Expected MODE: 0755, Got: 0555
/bin/pgrep Expected MODE: 0555, Got: 0775
Expected GID: 0, Got: 65533
/bin/pkill Expected MODE: 0555, Got: 0775
Expected GID: 0, Got: 65533
/lib/libavl.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libbegemot.so.4 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libbsdxml.so.4 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libcam.so.6 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libcrypto.so.7 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libcxxrt.so.1 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libdtrace.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libedit.so.7 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libgeom.so.5 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libkvm.so.6 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libnv.so.0 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libnvpair.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libthr.so.3 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libufs.so.6 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libumem.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libuutil.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libzfs.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libzfs_core.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/lib/libzpool.so.2 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/libexec/ld-elf.so.1 Expected MODE: 0555, Got: 0775
Expected GID: 0, Got: 65533
/usr/sbin/nologin Expected MODE: 0555, Got: 0775
Expected GID: 0, Got: 65533
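
The "Verify Install" output above lists many system files as mode 0775 with GID 65533 where the manifest expects read-only or read/execute modes and GID 0. As an added example (not part of the original post and not FreeNAS code), this parser pairs each MODE line with the GID line that follows it and lists the paths that gained group or other write access; the sample records are copied from the post, and the function names are illustrative.

```python
import re

# A few records copied from the "Verify Install" output in the post above.
SAMPLE = """\
/lib/libcrypto.so.7 Expected MODE: 0444, Got: 0775
Expected GID: 0, Got: 65533
/compat/linux/proc Expected MODE: 0755, Got: 0555
/usr/sbin/nologin Expected MODE: 0555, Got: 0775
Expected GID: 0, Got: 65533
"""

MODE_RE = re.compile(r"^(/\S+) Expected MODE: ([0-7]+), Got: ([0-7]+)$")
GID_RE = re.compile(r"^Expected GID: (\d+), Got: (\d+)$")


def parse_verify(text):
    """Group each path's MODE line with the optional GID line that follows it."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = MODE_RE.match(line)
        if m:
            records.append({"path": m.group(1),
                            "want_mode": int(m.group(2), 8),
                            "got_mode": int(m.group(3), 8),
                            "want_gid": None, "got_gid": None})
            continue
        g = GID_RE.match(line)
        if g and records:  # a GID line belongs to the most recent path
            records[-1]["want_gid"] = int(g.group(1))
            records[-1]["got_gid"] = int(g.group(2))
    return records


def widened_write(records):
    """Paths whose current mode adds group or other write bits to the expected mode."""
    out = []
    for r in records:
        added = r["got_mode"] & ~r["want_mode"]  # bits set now but not expected
        if added & 0o022:                        # group-write or other-write
            out.append((r["path"], oct(added & 0o022), r["got_gid"]))
    return out


if __name__ == "__main__":
    for path, bits, gid in widened_write(parse_verify(SAMPLE)):
        print(f"{path}: unexpected write bits {bits}, current GID {gid}")
```
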
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
Hey @cyberjock, would you be kind enough to assist me with this problem? It seems as though a lot of people are having it and, if we can find a solution, I would be happy to document it. It is entirely possible that this is a n00b issue but I am totally stumped. I feel like this is something that should just work :/
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
My concern is that this is being tried on a system I would consider "unclean" since you used the CLI and may have convoluted everything.

You could always try it out on a FreeNAS VM (if you have that ability). Most of us do run at least one instance of FreeNAS as a VM mainly for being able to run tests and updates in a non-productive environment.
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
> My concern is that this is being tried on a system I would consider "unclean" since you used the CLI and may have convoluted everything.
>
> You could always try it out on a FreeNAS VM (if you have that ability). Most of us do run at least one instance of FreeNAS as a VM mainly for being able to run tests and updates in a non-productive environment.

I only used the CLI after all of the other stuff didn't work. I don't see how adding permissions for a single folder via CLI could mess the whole system up....

Yes, I can install freeNAS on a VM.
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
OK, I just did a fresh install of FreeNAS 9.10.1 as a virtual machine, didn't mess with anything. Got it up and running on the network, created a new user and group.... SAME PROBLEM. I still can't retrieve users or groups from the FreeNAS server on my Windows 7 machine. Can someone help me with this, please??
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
Hey @m0nkey_ , do you have a Domain Controller set up? Is that why you're able to search for Users/Groups on the network and I'm not?
 