SAMBA "Permission denied" in log.smbd

[opana]

Hi

I am connecting TrueNAS SCALE to Active Directory. I am preparing a dataset with default ACL settings and creating the SMB Share with Default share parameters.
Everything works fine. Files and folders are created, edited and deleted, but...

Any operations with files or folders are recorded in the log.smbd

Code:

[2022/12/11 02:48:41.343759,  1] ../../lib/param/loadparm.c:1766(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
[2022/12/11 02:48:41.347085,  0] ../../source3/smbd/service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/fs01_pool01/fileshare/data) failed: Permission denied. Current token: uid=100001111, gid=100000516, 5 groups: 100001111 100000516 90000005 90000012 90000017
[2022/12/11 02:48:41.512818,  0] ../../source3/smbd/service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/fs01_pool01/fileshare/data) failed: Permission denied. Current token: uid=100001111, gid=100000516, 5 groups: 100001111 100000516 90000005 90000012 90000017
[2022/12/11 02:48:56.621105,  0] ../../source3/smbd/service.c:168(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/fs01_pool01/fileshare/data) failed: Permission denied. Current token: uid=100001111, gid=100000516, 5 groups: 100001111 100000516 90000005 90000012 90000017

I use:
TrueNAS-SCALE-22.02.4
AD Windows Server 2019 1809 (Windows Server 2016 functional levels)
Client Windows 10 21H2

Show : testparm -s

Code:

root@fs01[~]#  testparm -s                 
Load smb config files from /etc/smb4.conf
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        allow trusted domains = No
        bind interfaces only = Yes
        client ldap sasl wrapping = seal
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        logging = file
        max log size = 5120
        passdb backend = tdbsam:/var/run/samba-cache/passdb.tdb
        preferred master = No
        printcap name = /dev/null
        realm = OPANA.MY
        registry shares = Yes
        restrict anonymous = 2
        security = ADS
        server min protocol = SMB2
        server multi channel support = No
        server role = member server
        server string = TrueNAS Server
        template homedir = /var/empty
        template shell = /bin/sh
        winbind cache time = 7200
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind max domain connections = 10
        workgroup = OPANA
        idmap config opana : backend = rid
        idmap config opana : range = 100000001 - 200000000
        idmap config opana : sssd_compat = false
        idmap config * : range = 90000001 - 100000000
        fruit:nfs_aces = false
        idmap config * : backend = tdb
        create mask = 0775
        directory mask = 0775


[data]
        ea support = No
        kernel share modes = No
        path = /mnt/fs01_pool01/fileshare/data
        posix locking = No
        read only = No
        smbd max xattr size = 2097152
        vfs objects = streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
        tn:vuid =
        nfs4:chown = True
        nfs4acl_xattr:encoding = xdr
        nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
        nfs4acl_xattr:validate_mode = False
        nfs4acl_xattr:nfs4_id_numeric = True
        fruit:time machine max size = 0
        fruit:time machine = False
        tn:home = False
        tn:path_suffix =
        tn:purpose = DEFAULT_SHARE

Show : id

Code:

root@fs01[~]# id 100001111                 
uid=100001111(OPANA\ws01$) gid=100000516(OPANA\domain computers) groups=100000516(OPANA\domain computers),100001111(OPANA\ws01$)
root@fs01[~]# id 100000516                 
uid=100000516(OPANA\domain computers) gid=100000516(OPANA\domain computers) groups=100000516(OPANA\domain computers)
root@fs01[~]# id 90000005                 
id: ‘90000005’: no such user: No such file or directory
root@fs01[~]# id 90000012                 
id: ‘90000012’: no such user: No such file or directory

 

[anodos]

If you type in the command id 100001111 you can see which user this is. If I were to hazard a guess, it's a computer account.

 

[opana]

I gave this command in the start post. But I don't understand what needs to be done to avoid this. Do not use Windows workstations?

 

[jgreco]

Do not use Windows workstations?

The only real good reason to use Samba is to interoperate with Windows. If you weren't using Windows workstations, you could use a more rational protocol like NFS.

I'll leave the analysis here to @anodos since you've already got the attention of the resident expert.

 

[anodos]

I gave this command in the start post. But I don't understand what needs to be done to avoid this. Do not use Windows workstations?

You can review the software installed on your Windows client or what's going on there, ops as the local SYSTEM account get performed over SMB as the computer account.

Generally speaking, if you don't want to see that log message either:
1. figure out what process is trying to do ops on the SMB share as the computer account. For instance, I've seen this before with backup applications doing ops as local superuser.
2. grant "Domain Computers" access to the share.

 

[opana]

1. figure out what process is trying to do ops on the SMB share as the computer account. For instance, I've seen this before with backup applications doing ops as local superuser.

You're right. This is Microsoft Defender Antivirus.
Adding network folders to the antivirus exclusion list removes messages from the log. But this is a bad solution for some folders. For example, for redirected personal folders of users.

2. grant "Domain Computers" access to the share.

To remove the "Permission denied" message, it turned out to be sufficient to grant read&execute permissions only to the root directory

Show

But with each operation with files, messages remain
in log.smbd

Code:

[2022/12/14 21:09:13.962611,  1] ../../lib/param/loadparm.c:1767(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated

in log.winbindd

Code:

[2022/12/14 21:09:13.960081,  1] ../../source3/winbindd/wb_lookupsid.c:102(wb_lookupsid_recv)
  Failed with STATUS_SOME_UNMAPPED.