Permissions not being picked up!!

Status
Not open for further replies.

James Richardson

Explorer
Joined
Apr 10, 2017
Messages
59
Hi Guys,

Seem to have lost permission to all the SMB shares that I set on the FreeNAS box I installed.

I couldn't connect with the hostname at first, but it had been a while and that issue appears to be resolved by deleting the DNS name and re-entering it. Now I can't go into the shares I created beforehand; it just keeps saying "access denied". See attached.

I've checked the storage permissions and they're set to the same as before, tried changing them and putting them back, tried removing the share and starting again, but it still won't let me in. Rebooted several times, put in the AD password and saved that, also tried the "Rebuild Directory Service Cache", still nothing.

It's still talking to our AD OK, so I don't understand.

Regards,
James
 

Attachment: Access denied.JPG

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

Post following:
  • /usr/local/etc/smb4.conf
  • /var/log/samba4/log.wb-<DOMAIN>
  • output of wbinfo --ping-dc
  • verify that users are listed when executing wbinfo -u
 

James Richardson

Hi Anodos,

I've done the wbinfo --ping-dc and the wbinfo -u commands and both come back successful and showing users.

Tried connecting with WinSCP via SFTP to the files, tried connecting with the hostname and IP address, put in the root username and password and got Access denied??

James
 

anodos


SSH by default will deny authentication as 'root'. Post permissions on the root of one of your shares. getfacl /mnt/<pool>/<share>
 

James Richardson

Hi there,

Please see attached;

[root@Filer10 ~]# getfacl /mnt/Storage/FTP
# file: /mnt/Storage/FTP
# owner: DLL_FTP
# group: employees
owner@:rwxpDdaARWcCo-:fd-----:allow
group@:rwxpDdaARWcCo-:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
[root@Filer10 ~]# getfacl /mnt/Storage
# file: /mnt/Storage
# owner: administrator
# group: domain admins
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
[root@Filer10 ~]# getfacl /mnt/Storage/test
# file: /mnt/Storage/test
# owner: administrator
# group: domain admins
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow

Thanks James
 

anodos


Please encode command output in [ code ] tags. Post output of sharesec --view-all.
 

James Richardson

Sorry, here you go, hopefully I've done it right:

Code:
[root@Filer10 ~]# sharesec --view-all
[Data]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL

[FTP]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL

[Test]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL


Thanks,
James
 
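The two outputs anodos asked for above (the NFSv4 ACL from getfacl and the share-level ACL from sharesec) are exactly what an administrator should audit when a share behaves unexpectedly. The following is an added example, not code from the thread, FreeNAS or Samba: it parses both formats and reports which principals hold write-like rights on the dataset and which shares grant Everyone FULL at the share level (so that only the filesystem ACL restricts access). The sample inputs are the outputs James posted, with padding whitespace removed; the access-mask letter order is the one FreeBSD's getfacl prints.

```python
"""Audit helpers for FreeBSD/ZFS NFSv4 getfacl output and Samba sharesec output.
Added example; sample inputs are the outputs posted in the thread, cleaned up."""

# Compact NFSv4 access mask as printed by FreeBSD getfacl, in column order.
ACCESS_BITS = "rwxpDdaARWcCos"
ACCESS_NAMES = [
    "read_data", "write_data", "execute", "append_data", "delete_child",
    "delete", "read_attributes", "write_attributes", "read_xattr",
    "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize",
]
# Rights that let a principal change content, remove entries, or rewrite the ACL.
WRITE_LIKE = {"write_data", "append_data", "delete_child", "delete",
              "write_acl", "write_owner"}
EVERYONE_SID = "S-1-1-0"   # well-known SID for Everyone, as sharesec prints it

GETFACL_SAMPLE = """\
[root@Filer10 ~]# getfacl /mnt/Storage/FTP
# file: /mnt/Storage/FTP
# owner: DLL_FTP
# group: employees
owner@:rwxpDdaARWcCo-:fd-----:allow
group@:rwxpDdaARWcCo-:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
[root@Filer10 ~]# getfacl /mnt/Storage
# file: /mnt/Storage
# owner: administrator
# group: domain admins
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
"""

SHARESEC_SAMPLE = """\
[root@Filer10 ~]# sharesec --view-all
[Data]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL

[FTP]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL
"""


def decode_perms(mask):
    """Translate a 14-character mask such as 'r-x---a-R-c---' into right names."""
    return {name for letter, name, got in zip(ACCESS_BITS, ACCESS_NAMES, mask)
            if got == letter}


def parse_getfacl(text):
    """Return one record per '# file:' header: path, owner, group and ACEs."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):        # blank line or shell prompt
            continue
        if line.startswith("# file:"):
            current = {"path": line.split(":", 1)[1].strip(),
                       "owner": None, "group": None, "aces": []}
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("# owner:"):
            current["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            current["group"] = line.split(":", 1)[1].strip()
        elif line.endswith((":allow", ":deny")):
            # The principal may itself contain a colon (user:alice), so split from the right.
            who, perms, flags, ace_type = line.rsplit(":", 3)
            current["aces"].append({"who": who, "perms": decode_perms(perms),
                                    "flags": flags, "type": ace_type})
    return records


def writers(record):
    """Principals that an allow ACE grants any write-like right, in ACL order."""
    return [ace["who"] for ace in record["aces"]
            if ace["type"] == "allow" and ace["perms"] & WRITE_LIKE]


def parse_sharesec(text):
    """Return {share: [(sid, access_type, permission)]} from sharesec --view-all."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # "[FTP]" section header
            current = line[1:-1]
            shares[current] = []
        elif line.startswith("ACL:") and current is not None:
            sid, rest = line[4:].split(":", 1)               # S-1-1-0 : ALLOWED/0x0/FULL
            access_type, _flags, permission = rest.split("/")
            shares[current].append((sid, access_type, permission))
    return shares


def shares_open_to_everyone(shares):
    """Shares whose share-level ACL gives Everyone FULL; only the filesystem ACL restricts them."""
    return sorted(name for name, aces in shares.items()
                  if any(sid == EVERYONE_SID and kind == "ALLOWED" and perm == "FULL"
                         for sid, kind, perm in aces))


if __name__ == "__main__":
    for rec in parse_getfacl(GETFACL_SAMPLE):
        print(f"{rec['path']}: owner={rec['owner']} group={rec['group']} writers={writers(rec)}")
    print("share ACL wide open to Everyone:",
          shares_open_to_everyone(parse_sharesec(SHARESEC_SAMPLE)))
```

On the posted output this reports owner@ and group@ as the only writers on /mnt/Storage/FTP, everyone@ limited to read and traverse, and every share granting Everyone FULL at the share level, which is FreeNAS's normal default and means the dataset ACL alone decides who gets in.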

James Richardson

Hi there,

I assume you mean via the Shell option;

Code:
[root@Filer10 ~]# getfacl /usr/local/etc/smb4.conf
# file: /usr/local/etc/smb4.conf
# owner: root
# group: wheel
user::rw-
group::r--
other::r--
[root@Filer10 ~]# getfacl /var/log/samba4/log.wb-FASUK
# file: /var/log/samba4/log.wb-FASUK
# owner: root
# group: wheel
            owner@:rw-p--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow
[root@Filer10 ~]#


I can't get to the log files via SFTP, what user can I use instead of the root password??

Thanks,
James
 

anodos


You should be able to authenticate as any user by default as long as the "Allow password authentication" box is checked under Services->SSH. Otherwise, checking "Login as Root with Password" will also allow you to establish an SSH connection as the root user (I don't recommend leaving it this way for any length of time).

You can download the logs via SFTP, or you can read them on the server using the less command, i.e. less /var/log/samba4/log.smbd. Once you've opened the file via less, you can use the arrow keys and PgUp/PgDn to navigate the file. Type "q" to exit less.
 

James Richardson

I managed to get on the server via ssh and downloaded the files but I'm not sure what I'm looking for, sorry.

I see a lot of failed messages, but I've also noticed that the time is out by about 6 minutes. I've tried syncing the time with the server with the following commands, which worked fine before:

service ntpd stop
ntpdate ntp.(servername)
service ntpd start

But got the following back;

Code:
[root@freenas ~]# service ntpd stop
Stopping ntpd.
Waiting for PIDS: 92303, 92303.
[root@freenas ~]# ntpdate ntp.servername
Error resolving ntp.servername: hostname nor servname provided, or not known (8)
15 Aug 09:10:52 ntpdate[92887]: Can't find host ntp.servername: hostname nor servname provided, or not known (8)
15 Aug 09:10:52 ntpdate[92887]: no servers can be used, exiting
[root@freenas ~]# service ntpd start
Starting ntpd.
[root@freenas ~]#


Thanks
James
 

James Richardson

OK, just discovered something after a bit of Googling: when I browse the share via the IP address instead of the hostname I can get into the shared folders no problem, and the permissions are also what I set.

It will let me connect via the hostname after I deleted the DNS record and created a new record but just can't get into the shares via the hostname!!
 

anodos


In an AD environment, when you navigate to a share by hostname, you use kerberos, which is a time-sensitive protocol. When you do it by ip-address, you fall back to NTLMv2, which is not time-sensitive.
 

James Richardson

OK, I see. Well, the Kerberos realm is set to the domain address and it's picked up all the AD settings.

Do you think it could be a time issue, with it being nearly 6 minutes out??

Thanks,
James
 

anodos

Yes. That can absolutely be a problem. You really need a common time source for all servers on the domain.

You also need DNS to work correctly 100% of the time.
 
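anodos's two requirements above (a common time source within Kerberos's skew tolerance, and DNS that resolves the server name correctly every time) can be checked before users ever see "access denied". The following is an added example, not code from the thread, FreeNAS or Samba. It assumes the Kerberos default clock-skew tolerance of 300 seconds, the `server ..., stratum ..., offset ..., delay ...` line format that `ntpdate -q` prints, and a constructed sample of that output whose offset matches the roughly 6 minute drift James describes; the hostnames and addresses used in the lead-in checks are constructed too. Forward and reverse lookups are injectable so the consistency check runs without a live resolver.

```python
"""Pre-flight checks for Kerberos logons to an AD-joined SMB server: clock skew
against the DC and consistent forward/reverse DNS for the server name.
Added example; the ntpdate sample below is constructed, not captured."""
import re
import socket
import subprocess

KERBEROS_MAX_SKEW = 300.0   # default clockskew tolerance (5 minutes), an assumption stated in the lead-in

# Line printed by `ntpdate -q <server>` for each server it queried.
NTPDATE_LINE = re.compile(
    r"^server\s+(?P<server>\S+),\s+stratum\s+(?P<stratum>\d+),"
    r"\s+offset\s+(?P<offset>-?\d+(?:\.\d+)?),\s+delay\s+(?P<delay>\d+(?:\.\d+)?)",
    re.MULTILINE)

# Constructed sample: what ntpdate -q reports when the DC is ~6 minutes ahead of us.
SAMPLE_NTPDATE = """\
server 192.0.2.10, stratum 2, offset -358.512345, delay 0.02566
15 Aug 09:10:52 ntpdate[92887]: step time server 192.0.2.10 offset -358.512345 sec
"""


def parse_ntpdate_offsets(text):
    """Map server -> offset in seconds. Stratum 16 means unsynchronised, so skip it."""
    offsets = {}
    for match in NTPDATE_LINE.finditer(text):
        if int(match["stratum"]) >= 16:
            continue
        offsets[match["server"]] = float(match["offset"])
    return offsets


def skew_verdict(offset, max_skew=KERBEROS_MAX_SKEW):
    """'ok' inside tolerance, 'warn' beyond half of it, 'fail' beyond all of it."""
    magnitude = abs(offset)
    if magnitude > max_skew:
        return "fail"
    if magnitude > max_skew / 2:
        return "warn"
    return "ok"


def dns_roundtrip(hostname, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Check that the A record and the PTR record agree for the server's name.

    forward(name) must return an IP string; reverse(ip) must return the
    (name, aliases, addresses) triple that socket.gethostbyaddr returns.
    """
    try:
        ip = forward(hostname)
    except OSError as exc:
        return {"ok": False, "ip": None, "ptr": None, "reason": f"forward lookup failed: {exc}"}
    try:
        ptr_name, _aliases, _addresses = reverse(ip)
    except OSError as exc:
        return {"ok": False, "ip": ip, "ptr": None, "reason": f"reverse lookup failed: {exc}"}
    matches = ptr_name.lower().rstrip(".") == hostname.lower().rstrip(".")
    return {"ok": matches, "ip": ip, "ptr": ptr_name,
            "reason": None if matches else "PTR name does not match hostname"}


def check_dc_clock(dc):
    """Live check: query (never set) the clock of `dc` and grade each offset."""
    result = subprocess.run(["ntpdate", "-q", dc], capture_output=True, text=True, check=False)
    return {srv: (off, skew_verdict(off)) for srv, off in parse_ntpdate_offsets(result.stdout).items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python3 checks.py <dc-hostname>
        print("clock:", check_dc_clock(sys.argv[1]))
        print("dns:", dns_roundtrip(socket.getfqdn()))
    else:                                      # offline demonstration on the sample
        for srv, off in parse_ntpdate_offsets(SAMPLE_NTPDATE).items():
            print(f"{srv}: offset {off:+.3f}s -> {skew_verdict(off)}")
```

A "fail" verdict here is the Kerberos symptom from the thread: the ticket request is rejected for clock skew, so connecting by hostname fails while connecting by IP address, which falls back to NTLMv2, still works. A PTR mismatch after re-creating a DNS record is worth checking for the same reason, since a stale reverse record can point the client at a service principal name the server does not hold.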

James Richardson

Well, it was working no problem before, and I ran the ntpdate servername command to sync the time before and it worked great, stopping the NTP service first as instructed in a previous post.

Now that command doesn't want to work; it complains the servername (host) is not reachable, and the DNS server (the DC) doesn't have any errors.

Is it worth running the "clear cache" options in the DNS management on the DC??

Thanks
James
 

James Richardson

OK, managed to sync the time with the server, but I still can't get to the shares via hostname, so the possible time issue has been eliminated.
 

James Richardson

I've managed to get onto the share via the hostname, finally. It was via other servers rather than my PC though, but I can browse other server shares from my PC, just not the FreeNAS server, a bit strange!!

Thanks,
James
 