Same username....same folders...one user sees different ACL permissions

Shaggy1007

Cadet
Joined
May 13, 2021
Messages
8
Hi Guys,

So, I have many users logged in as the same user. We have migrated away from an old Windows Server installation. No domain. No Active Directory. I'm slowly rolling out usernames per each user.

Samba share. Workgroup. Just users mapping a shared drive.

I have a folder created by an HR user that has his name as the creator. The generic usergroup has read/write access.

Now me sitting in my office, logged in as GenericUser, I can read, write, and modify to this HR created folder just fine.

Another employee, logged in as GenericUser, cannot do anything to this folder.
I've logged her in and out. It's as if her Windows PC doesn't want to acknowledge what the folder permissions are. I've even taken ownership of this folder as GenericUser, and she still can't read/write/modify. If I read the security permissions on the folder from her computer, it refuses to acknowledge GenericUser took ownership. Still shows that HRUser is the owner.

Why?

We never had this issue on the Windows server.

Platform: TRUENAS-MINI-3.0-X
Version: TrueNAS-12.0-U3.1

Any ideas? Babysitting the issues TrueNAS has been popping up with talking to Windows 10 is turning into a full-time job.
 

Shaggy1007

Just confirmed with co-worker.
Here are side-by-side screenshots. What my PC sees for permissions, versus hers.
We are both logged in as the same user.

Hers at one point let her write to this folder today. But it seems to have gone back to what the ACLs were some time ago.

Yet mine still shows what is accurately there.
 

Attachments

  • Permissions.png

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
What's the underlying filesystem ACL? "getfacl /path/to/dir"
 

Shaggy1007

anodos,

Code:

Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
        aio max threads = 2
        bind interfaces only = Yes
        disable spoolss = Yes
        dns proxy = No
        enable web service discovery = Yes
        kernel change notify = No
        load printers = No
        logging = file
        max log size = 5120
        netbios name = TRUENAS
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        registry shares = Yes
        restrict anonymous = 2
        server role = standalone server
        server string = TrueNAS Server
        unix extensions = No
        username map = /usr/local/etc/smbusername.map
        username map cache time = 60
        idmap config *: range = 90000001-100000000
        fruit:nfs_aces = No
        idmap config * : backend = tdb
        directory name cache size = 0
        dos filemode = Yes


[SDrive1]
        ea support = No
        kernel share modes = No
        path = /mnt/tank/SDrive
        posix locking = No
        read only = No
        vfs objects = fruit streams_xattr shadow_copy_zfs ixnas aio_fbsd
        fruit:resource = stream
        fruit:metadata = stream
        nfs4:chown = true


Output of getfacl
Code:

# owner: ims
# group: imsUG
       group:imsUG:rwxpDdaARWcCo-:fd----I:allow
            owner@:rwxpDdaARWcCo-:------I:allow
            owner@:rwxpDdaARWcCo-:fdi---I:allow
         everyone@:--------------:fd-----:allow
 

anodos

Can you send me a debug via PM? I'm getting ready to go on vacation for the next week, but I'd like to track down this issue if possible. Maybe also send me /var/db/system/samba4/winbindd_idmap.tdb output of "net cache list".
 