SMB Access problems

A

AMiGAmann

Contributor
Joined
Jun 4, 2015
Messages
106
Hi there,

I have a TrueNAS Scale 22.02.3 installation on a brand new system and want to migrate all data from my running FreeNAS 11.2-U8 server.

But I am having problems creating the SMB shares in a correct way. I have a local user "myUser". I have a dataset with ACL Type NFSv4. I viewed the permissions of the dataset, edited them, changed them to ACL and set the user "myUser" to the owner (and checked "apply User"). I added an ACL of type "Allow" and the basic permission "Full Control".

I created a SMB share wit default share parameters, started SMB service and tried to access the share from a Windows 10 system.

But I cannot access the share. When I change the ACL on the dataset and add additionally the group "@Everyone" with full permission I am able to access the share. Windows explorer shows me the permissions for "myUser" and "Everyone", both with full access. When removing "Everyone" in Windows explorer, the access is gone again.

I then tried to enable some logging. But even with log level "Debug" of SMB service, I cannot find anything in /var/log/messages. The file /var/log/samba4/log.smbd (as seen in the tooltip of the option "Use Syslog Only") is not existing.

Does anybody know what I might do wrong or how I can enable some debug logging?

Thanks in advance!

Best regards,
AMiGAmann
 
A

AMiGAmann

Contributor
Joined
Jun 4, 2015
Messages
106
Some additional information: I have a local user "myUser" and a local group "myGroup", which is the primary group of that user. On both the user and the group "Samba authentication" is enabled.

When changing the ACL to the group "myGroup" instead of the user "myUser" the access is working, even if "Samba authentication" is disabled for that group.

Very strange to me.

In the past (FreeNAS 11.2) I configured a user and a group in the permissions of a dataset and then finetuned the permissions by accessing the SMB share with Windows Explorer.

I tried to do a similar process in TrueNAS SCALE by configuring the owner and the owner group and then setting an ACL for both. I know that using NFSv4 ACL type is probably very different to FreeNAS 11.2. But I would have expected it at least to work.

Why aren't the ACL rights configured for a user not working, but the ACL rights configured for the group are working? Is that a normal behaviour or am I doing/understanding something wrong?
 
A

AMiGAmann

Contributor
Joined
Jun 4, 2015
Messages
106
I still have no idea what I am doing wrong.

TL;DR:
(1) User "myUser" belonging to group "myGroup" cannot access SMB share, although ACL grants full access to user "myUser". When changing that grant to group "myGroup", user is able to access.

(2) How can I enable and see debug logging to get some information why an access to the SMB share is denied?
 
homer27081990

homer27081990

Patron
Joined
Aug 9, 2022
Messages
321
AMiGAmann said:
I have a dataset with ACL Type NFSv4. I viewed the permissions of the dataset, edited them, changed them to ACL and set the user "myUser" to the owner (and checked "apply User").
Click to expand...
When you say NFSv4 you mean the standard, *nix type ACL?
AMiGAmann said:
I added an ACL of type "Allow" and the basic permission "Full Control".
Click to expand...
Read the muse pointer help balloon on this: ACL type allow means it denies everything except what you explicitly allow, and type denied vice-versa, eg allows everything until you deny.

Ok. There are multiple types of "ACL". Witch are actually different things.

1660325541802.png
1660325610476.png
1660325756985.png
1660327222175.png
1660326287020.png
1660326504241.png
1660326866941.png
1660327008018.png
1660327726867.png

1. SMB - Windows ACL (image1):
Do not tinker with that, only defaults. Unless you have Windows Server ADDCs in charge... For simple client connectivity, leave it alone.

2. Local filesystem Directory Ownership and Permissions (image2)
Those with Linux experience are familiar with this. This is a fancy GUI for the *nix x xxx xxx xxx filesystem security model, eg, the left column on image3. So... it is not NFS specific, NFS is *nix specific.

This needs to be done in a specific order to work.

1. First, create (or edit) a user. Do not check MS Account. Only check connect on SMB, if it is not checked.
2. If it does not exist, create a new dataset from the 3 dots next to the pool (or dataset) you want to put the share dataset in.(image4). Set the name you want and only change type from generic to SMB.
3. Edit the Local FS Directory Ownership and Permissions (image5) of the dataset you want to share. Make sure the group (with the name of the user you want to be able to connect) can read, write, execute (tick the boxes under Group).
4. Set the user you want to connect as Owner. Set Group the same name as the user. Tick the boxes apply user and apply group (image6). Select ACL preset 'RESTRICTIVE'.
5. If you have more users, make them members of the group with the name of the first user (image7), the one owning the dataset. They do not need separate ACLs (and they can't have them anyway).
6. Create a new share and select the dataset you want. It should have a small ACL tag on the right. Do not change anything else. (image8)
7. Go to Services->find SMB and select 'edit' (little pencil on the right)->Tick NTLMv1 auth and allow SMBv1. There is a bug for now, when that is address (either by MS or TrueNAS) we turn those off. image9.
 

Attachments

  • 1660326218678.png
    1660326218678.png
    268.5 KB · Views: 418
homer27081990

homer27081990

Patron
Joined
Aug 9, 2022
Messages
321
It goes without saying, delete the problematic share, if you have data in the share dataset move it to a new dataset, delete the old (empty now) dataset, recreate it, move data back. Follow the whole procedure, do not reuse the tinkered-with datasets and shares. (if you can, even users).
 
homer27081990

homer27081990

Patron
Joined
Aug 9, 2022
Messages
321
Also: when you try to access the share, do not go from windows explorer. Go to My Computer, right click the void, (if on win11 select more options) select map network drive (location? depends on the version), and, in share path, enter: \\<TrueNAS NetBIOS Name>\<Share Name>.
NetBIOS name is in services->SMB(edit)
1660328836220.png

Almost always, workgroup should be WORKGROUP. NetBIOS name must not have spaces or characters.
 
A

AMiGAmann

Contributor
Joined
Jun 4, 2015
Messages
106
Thanks for all the information. Sadly I cannot enlarge the screenshots.

When you say NFSv4 you mean the standard, *nix type ACL?
Click to expand...
No. I mean I changed "ACL Type" in the advanced options of the dataset from "POSIX" to "NFSv4".

I am in general able to access all the shares as I need to. But the behaviour is strange:

- I can access SMB shares if the dataset permissions (NFSv4 ACL) contain corresponding permissions for the group of the accessing (Windows) user. When the same permissions are configured directly for the user, I cannot access the share.

- Strangely I can access Unix-NFS shares only when the permissions are configured for the user. When the same permissions are configured for the group only, I cannot mount the share.

Very strange, but I can live with it...
 
homer27081990

homer27081990

Patron
Joined
Aug 9, 2022
Messages
321
AMiGAmann said:
- I can access SMB shares if the dataset permissions (NFSv4 ACL) contain corresponding permissions for the group of the accessing (Windows) user. When the same permissions are configured directly for the user, I cannot access the share.
Click to expand...
Windows sees users via SID. Not by username. The internal representation of someone@something.duh is \\<SID of domain>\<SID of user>
 
homer27081990

homer27081990

Patron
Joined
Aug 9, 2022
Messages
321
AMiGAmann said:
Strangely I can access Unix-NFS shares only when the permissions are configured for the user. When the same permissions are configured for the group only, I cannot mount the share
Click to expand...
The problem with NFS and Linux shares in general is that if you are not logged on at the server, your clients groups are local only, even if they have the same name. The difference from windows is you don't have to deal with SIDs, but can specify groups like this.
 
A

AMiGAmann

Contributor
Joined
Jun 4, 2015
Messages
106
The problem with NFS and Linux shares in general is that if you are not logged on at the server, your clients groups are local only, even if they have the same name.
Click to expand...
But I am using mapall-parameter in the NFS share to map all access to myUser/myGroup. So it should also work with permissions on the share only for myGroup, shouldn't it?
 
homer27081990

homer27081990

Patron
Joined
Aug 9, 2022
Messages
321
AMiGAmann said:
But I am using mapall-parameter in the NFS share to map all access to myUser/myGroup. So it should also work with permissions on the share only for myGroup, shouldn't it?
Click to expand...
In order for the mapping to work, the client must be connected to the server, linux network style.
 
ewhac

ewhac

Contributor
Joined
Aug 20, 2013
Messages
177
homer27081990 said:
It goes without saying, delete the problematic share, if you have data in the share dataset move it to a new dataset, delete the old (empty now) dataset, recreate it, move data back. Follow the whole procedure, do not reuse the tinkered-with datasets and shares. (if you can, even users).
Click to expand...
Could you expand on this "obvious" step, please? Why is it necessary? How should the temporary dataset be set up to avoid loss of metadata?
 
You must log in or register to reply here.

Similar threads

K
Home shares ACL nightmare
Replies
3
Views
1K
nutrient2314
nutrient2314
A
SOLVED Problem with SMB.
Replies
2
Views
270
andry
A
E
Changing SMB NetBIOS name disables share access
Replies
5
Views
2K
extremesurf
E
H
SMB + NFSv4 does not allow access for User entries (non-@)
Replies
3
Views
684
usernamesareforchumps
U
Dudenell
ACLs keep defaulting back to root/root, cannot set proper ownership SMB Share
Replies
1
Views
1K
MisterE2002
M
Top