SMB + AD + Folder Redirection and Creator Owner problems

[beezel]

Hey guys, I am beating my head against the wall here. I've searched high and low, found some threads that were dead on to my problems (https://forums.freenas.org/index.php?threads/creator-owner-permissions-broken-wrong.22166/), but alas no solution. Others, including the ever-present cyberjock, have seemed to get this to work fine so I am hopeful to come to a resolution.

Setup is a Dell 2950 running Freenas 9.10.2-U1, fresh install, test system, raid10 disks. Freenas has been joined to the domain, and all of that portion works. IE, I have domain users in my Owner user/group drop down under Dataset Permissions, I can ping my freenas box and dcs, and wbinfo --ping-dc succeeds, etc.

I have performed these steps in order, as I believe them to be correct and best practices.

Root dataset (not nested, as I've seen this could be a potential bug), set permissions to user DOMAIN\jadmin (my admin user) and group DOMAIN\domain admins. I have used 'set permission recursively' many times, though there is no data to start with.

Share settings: I have tried with and without Apply Default Permissions

From there I move to my windows box, with Computer Management launched as my DOMAIN\jadmin user. Under advanced, I set the recommended settings as per folder redirection guidelines (https://blogs.technet.microsoft.com...s-for-redirected-folders-or-home-directories/ for reference) Everyone ends up with Create Folder/Append Data, List Folder/Read Data, Read Attribs, Traverse folder/Execute file

To be clear and make sure these are actually set, I manually set myself as owner (though I already am listed), then delete any previous settings and only leave it configured as such:

On the Windows AD side, I have a GPO that points to \\rtfserver\data2 (freenas box and share name) and create a brand new test user with that policy. I then login with my test user.

The root user folder for redirection is created, ie: \\rtfserver\data2\justin.test4, but my user that just logged in and created it has no rights to access it. As you can see, the folder is created but I cannot enter it and get this unusual message.

In fact, that user cannot reliably create any folder in data2 even though they should (as everyone) have rights to create a folder. Often, it will create 5 New Folders if you attempt to create one, named New Folder, New Folder (2), etc. That user justin.test4 will not be able to modify or view or enter those folders that I just created as him. Note I only clicked "Create New Folder" once.

However, my admin user has full rights to all folders, can create and delete. The folder that was created by justin.test4 shows as properly owned, but does not allow justin.test4 any access.

Oddly, if I manually add user justin.test4 with Full Control over This subfolder and Files, it will ALSO add an inherited Full Control for This folder Only as justin.test4 (highlighted and circled in red). Note that is done automatically and shows up as soon as I manually add the Full Control permission (denoted by Inherited from None)

Signing out as justin.test4 and relogging in and things behave better.

This isn't, however, good enough for production use. Unfortunately it isn't something we've caught, and we're pretty far down the path of integrating Freenas into our system as a low-cost replacement for Windows servers that do nothing but file share at our branch locations. This server is already on site and racked, but not in production yet. I personally love Freenas, I have been using it at home for 5 years and at work we have 5 or 6 boxes setup as iSCSI targets for our virtualization backend. We had planned on integrating Freenas at the branch level to homogenize our non-MS systems and make it entirely easier to manage. The built in reporting, ease of backup and replication, along with all other benefits of ZFS are very appealing - but if we can't get our users folder redirection working, it's all for naught.

Any help would be greatly appreciated. I am well versed in Windows and a quick study with Freenas, but do not claim to be an expert in either. I would HAPPILY learn I am doing something incorrect and change that behavior!

Let me know if any logs would help, as well as where they might be.

Thank you guys so much.

 

[anodos]

Hey guys, I am beating my head against the wall here. I've searched high and low, found some threads that were dead on to my problems (https://forums.freenas.org/index.php?threads/creator-owner-permissions-broken-wrong.22166/), but alas no solution. Others, including the ever-present cyberjock, have seemed to get this to work fine so I am hopeful to come to a resolution.

Setup is a Dell 2950 running Freenas 9.10.2-U1, fresh install, test system, raid10 disks. Freenas has been joined to the domain, and all of that portion works. IE, I have domain users in my Owner user/group drop down under Dataset Permissions, I can ping my freenas box and dcs, and wbinfo --ping-dc succeeds, etc.

I have performed these steps in order, as I believe them to be correct and best practices.

Root dataset (not nested, as I've seen this could be a potential bug), set permissions to user DOMAIN\jadmin (my admin user) and group DOMAIN\domain admins. I have used 'set permission recursively' many times, though there is no data to start with.

Share settings: I have tried with and without Apply Default Permissions

From there I move to my windows box, with Computer Management launched as my DOMAIN\jadmin user. Under advanced, I set the recommended settings as per folder redirection guidelines (https://blogs.technet.microsoft.com...s-for-redirected-folders-or-home-directories/ for reference) Everyone ends up with Create Folder/Append Data, List Folder/Read Data, Read Attribs, Traverse folder/Execute file

To be clear and make sure these are actually set, I manually set myself as owner (though I already am listed), then delete any previous settings and only leave it configured as such:

On the Windows AD side, I have a GPO that points to \\rtfserver\data2 (freenas box and share name) and create a brand new test user with that policy. I then login with my test user.

The root user folder for redirection is created, ie: \\rtfserver\data2\justin.test4, but my user that just logged in and created it has no rights to access it. As you can see, the folder is created but I cannot enter it and get this unusual message.

In fact, that user cannot reliably create any folder in data2 even though they should (as everyone) have rights to create a folder. Often, it will create 5 New Folders if you attempt to create one, named New Folder, New Folder (2), etc. That user justin.test4 will not be able to modify or view or enter those folders that I just created as him. Note I only clicked "Create New Folder" once.

However, my admin user has full rights to all folders, can create and delete. The folder that was created by justin.test4 shows as properly owned, but does not allow justin.test4 any access.

Oddly, if I manually add user justin.test4 with Full Control over This subfolder and Files, it will ALSO add an inherited Full Control for This folder Only as justin.test4 (highlighted and circled in red). Note that is done automatically and shows up as soon as I manually add the Full Control permission (denoted by Inherited from None)

Signing out as justin.test4 and relogging in and things behave better.

This isn't, however, good enough for production use. Unfortunately it isn't something we've caught, and we're pretty far down the path of integrating Freenas into our system as a low-cost replacement for Windows servers that do nothing but file share at our branch locations. This server is already on site and racked, but not in production yet. I personally love Freenas, I have been using it at home for 5 years and at work we have 5 or 6 boxes setup as iSCSI targets for our virtualization backend. We had planned on integrating Freenas at the branch level to homogenize our non-MS systems and make it entirely easier to manage. The built in reporting, ease of backup and replication, along with all other benefits of ZFS are very appealing - but if we can't get our users folder redirection working, it's all for naught.

Any help would be greatly appreciated. I am well versed in Windows and a quick study with Freenas, but do not claim to be an expert in either. I would HAPPILY learn I am doing something incorrect and change that behavior!

Let me know if any logs would help, as well as where they might be.

Thank you guys so much.

Traditional Unix permissions (mode bits) and NTFS permissions are fundamentally different. NFSv4 (ZFS) ACLs are a superset that tries to encompass both of them. As a result, there are certain ACLs in ZFS that do not correspond to anything Windows (because they replicate permissions types in Unix). These ACLs have special names ( Owner@, Group@, Everyone@), and correspond roughly to Owner, Group, and Other in a traditional Unix permissions setup.

The role of Samba (in general) and the zfsacl VFS module (in particular) is to provide a way for Windows clients to interact with a Unix server. A part of this involves figuring out how to handle the "special" ACEs. Everyone@ is fairly straight-forward. Samba maps it to S-1-1-0 (world). Owner@ and Group@ are trickier. Samba has two options for how to handle them: nfs4:mode = special and nfs4:mode = simple.

nfs4:mode = special makes these special ACEs appear as regular ACEs to a windows client. In your third screenshot above (the first one where you show the advanced security settings as viewed from a windows client), the server-side permissions are something like:

• Everyone@ - Read Only
• Group@ - Full Control
• User@ - Full Control
• Creator Owner - Full Control
• System - Full Control

This can cause some confusion because Group@ and User@ don't behave exactly like "regular" ACEs on the server side. For instance, the moment that the file's owner changes, the ACE "disappears" and is replaced by the new file owner. I also believe that the "CREATOR OWNER" ACE doesn't really work properly in nfs4:mode = special

nfs4:mode = simple makes these special ACEs appear as "CREATOR OWNER" and "CREATOR OWNER GROUP" to SMB clients, and (I believe) separate non-inheriting ACEs for the user / group. So you get double ACL entries for the Unix Owner and Group.

For reasons like you're detailing, in a pure Samba environment nfs4:mode = simple is preferable to nfs4:mode = special. Things get more complicated in an environment where the files are accessed by other UNIX applications/services because they may not like it if you delete the "CREATOR OWNER" and "CREATOR OWNER GROUP" ACEs from a windows client (because it will remove all permissions for Owner@.

I think that FreeNAS should support changing the nfsf4:mode on samba shares, but I can also see where it would lead to a more complicated UI / user confusion.

 

[anodos]

Created a feature request here: https://bugs.freenas.org/issues/21603

 

[anodos]

FYI, you can experiment with nfs4:mode = simple by manually editing /usr/local/etc/smb4.conf on your FreeNAS server nano /usr/local/etc/smb4.conf

Then scroll down to a test share, comment out nfs4:mode = special and add nfs4:mode = simple.

Code:

[test share]
#nfs4:mode = special
nfs4:mode = simple

Then restart samba server from the CLI.
service samba_server restart

Note that this is for testing. The setting change will not persist through reboots / reloading samba from the WebUI.

 

[beezel]

FYI, you can experiment with nfs4:mode = simple by manually editing /usr/local/etc/smb4.conf on your FreeNAS server nano /usr/local/etc/smb4.conf

Then scroll down to a test share, comment out nfs4:mode = special and add nfs4:mode = simple.

Code:

[test share]
#nfs4:mode = special
nfs4:mode = simple

Then restart samba server from the CLI.
service samba_server restart

Note that this is for testing. The setting change will not persist through reboots / reloading samba from the WebUI.

Thanks anodos, I actually ran into an old thread you had helped another person out with and tried nsf4:mode = simple in the aux parameters. It worked great and I went to bed before updating this thread.

I am, however, now having another problem. Two nights in a row SMB has become unresponsive. You cannot restart it via GUI (says Cannot restart Samba while connected to Active Directory). Only a reboot fixes it. There isn't any info I can easily find, no obvious errors. Should I create a new thread as this is probably unrelated? Any suggestions on which logs to grab and post?

In my daily security log I am seeing these:

> pid 45556 (smbd), uid 0: exited on signal 6 (core dumped)
> pid 53958 (smbd), uid 0: exited on signal 6 (core dumped)
> pid 57314 (smbd), uid 0: exited on signal 6 (core dumped)

 

[beezel]

I found this in the log.smbd file. Note that /rtfserver-r10/fiat does not exist, it was a directory that was created and tested then deleted. It doesn't exist in physical form, or in the smb configuration area. The first line (make connection snum..path failed for service fiat), repeats for about 30 minutes until at 1:58 it changes and crashes.

Code:

[2017/03/01 01:56:18.892867,  0] ../source3/smbd/service.c:808(make_connection_snum)
  canonicalize_connect_path failed for service fiat, path /mnt/rtfserver-r10/fiat
[2017/03/01 01:58:20.304198,  0] ../source3/smbd/service.c:199(set_current_service)
  chdir (/mnt/rtfserver-r10/data2) failed, reason: No such file or directory
[2017/03/01 01:58:20.304305,  0] ../source3/smbd/smbXsrv_tcon.c:978(smbXsrv_tcon_disconnect)
  smbXsrv_tcon_disconnect(0x65501c1c, 'data2'): set_current_service() failed: NT_STATUS_INTERNAL_ERROR
[2017/03/01 01:58:20.304545,  0] ../source3/smbd/service.c:199(set_current_service)
  chdir (/mnt/rtfserver-r10/fiat) failed, reason: No such file or directory
[2017/03/01 01:58:20.304584,  0] ../source3/smbd/smbXsrv_tcon.c:978(smbXsrv_tcon_disconnect)
  smbXsrv_tcon_disconnect(0xf72d9183, 'fiat'): set_current_service() failed: NT_STATUS_INTERNAL_ERROR
[2017/03/01 01:58:20.304622,  0] ../source3/smbd/smbXsrv_tcon.c:1027(smbXsrv_tcon_disconnect_all)
  smbXsrv_tcon_disconnect_all: count[3] errors[2] first[NT_STATUS_INTERNAL_ERROR]
[2017/03/01 01:58:20.304659,  0] ../source3/smbd/smbXsrv_session.c:1711(smbXsrv_session_logoff)
  smbXsrv_session_logoff(0x12776843): smb2srv_tcon_disconnect_all() failed: NT_STATUS_INTERNAL_ERROR
[2017/03/01 01:58:20.312821,  0] ../source3/smbd/smbXsrv_session.c:1761(smbXsrv_session_logoff_all)
  smbXsrv_session_logoff_all: count[1] errors[1] first[NT_STATUS_INTERNAL_ERROR]
[2017/03/01 01:58:20.312921,  0] ../source3/smbd/server_exit.c:159(exit_server_common)
  Server exit (NT_STATUS_IO_TIMEOUT)
[2017/03/01 01:58:20.312957,  0] ../source3/smbd/server_exit.c:162(exit_server_common)
  exit_server_common: smbXsrv_session_logoff_all() failed (NT_STATUS_INTERNAL_ERROR) - triggering cleanup
[2017/03/01 01:58:20.313437,  0] ../source3/lib/util.c:791(smb_panic_s3)
  PANIC (pid 45556): smbXsrv_session_logoff_all failed
[2017/03/01 01:58:20.314040,  0] ../source3/lib/util.c:902(log_stack_trace)
  BACKTRACE: 20 stack frames:
   #0 0x80345afa8 <smb_panic_s3+152> at /usr/local/lib/libsmbconf.so.0
   #1 0x800a81b95 <smb_panic+53> at /usr/local/lib/libsamba-util.so.0
   #2 0x8010278c1 <smbd_exit_server+2273> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #3 0x8010279ec <smbd_exit_server_cleanly+28> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #4 0x803af7baa <exit_server_cleanly+42> at /usr/local/lib/samba/libsmbd-shim-samba4.so
   #5 0x800fdb7ed <smbd_server_connection_terminate_ex+557> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #6 0x800fe786f <smbd_smb2_process_negprot+14319> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #7 0x80347e966 <run_events_poll+1718> at /usr/local/lib/libsmbconf.so.0
   #8 0x80347f7b4 <event_add_idle+2452> at /usr/local/lib/libsmbconf.so.0
   #9 0x804e678e2 <_tevent_loop_once+114> at /usr/local/lib/libtevent.so.0
   #10 0x804e67b1b <tevent_common_loop_wait+59> at /usr/local/lib/libtevent.so.0
   #11 0x800fbecfa <smbd_process+3738> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #12 0x40d1d4 <main+20180> at /usr/local/sbin/smbd
   #13 0x80347e966 <run_events_poll+1718> at /usr/local/lib/libsmbconf.so.0
   #14 0x80347f7b4 <event_add_idle+2452> at /usr/local/lib/libsmbconf.so.0
   #15 0x804e678e2 <_tevent_loop_once+114> at /usr/local/lib/libtevent.so.0
   #16 0x804e67b1b <tevent_common_loop_wait+59> at /usr/local/lib/libtevent.so.0
   #17 0x40bcbf <main+14783> at /usr/local/sbin/smbd
   #18 0x40a364 <main+8292> at /usr/local/sbin/smbd
   #19 0x406b6f <_start+367> at /usr/local/sbin/smbd
[2017/03/01 01:58:20.314413,  0] ../source3/lib/util.c:803(smb_panic_s3)
  smb_panic(): calling panic action [/usr/local/libexec/samba/samba-backtrace]

 

[beezel]

The crash from the night before reveals the same events, but this time /rtfserver-r10/userdata does in fact exist.

Code:

[2017/02/27 23:40:44.936096,  0] ../source3/smbd/service.c:199(set_current_service)
  chdir (/mnt/rtfserver-r10/userdata) failed, reason: No such file or directory
[2017/02/27 23:40:44.936180,  0] ../source3/smbd/smbXsrv_tcon.c:978(smbXsrv_tcon_disconnect)
  smbXsrv_tcon_disconnect(0x31cbd517, 'userdata'): set_current_service() failed: NT_STATUS_INTERNAL_ERROR
[2017/02/27 23:40:44.936321,  0] ../source3/smbd/smbXsrv_tcon.c:1027(smbXsrv_tcon_disconnect_all)
  smbXsrv_tcon_disconnect_all: count[2] errors[1] first[NT_STATUS_INTERNAL_ERROR]
[2017/02/27 23:40:44.936361,  0] ../source3/smbd/smbXsrv_session.c:1711(smbXsrv_session_logoff)
  smbXsrv_session_logoff(0x7671548d): smb2srv_tcon_disconnect_all() failed: NT_STATUS_INTERNAL_ERROR
[2017/02/27 23:40:44.940455,  0] ../source3/smbd/smbXsrv_session.c:1761(smbXsrv_session_logoff_all)
  smbXsrv_session_logoff_all: count[1] errors[1] first[NT_STATUS_INTERNAL_ERROR]
[2017/02/27 23:40:44.940499,  0] ../source3/smbd/server_exit.c:159(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2017/02/27 23:40:44.940535,  0] ../source3/smbd/server_exit.c:162(exit_server_common)
  exit_server_common: smbXsrv_session_logoff_all() failed (NT_STATUS_INTERNAL_ERROR) - triggering cleanup
[2017/02/27 23:40:44.940940,  0] ../source3/lib/util.c:791(smb_panic_s3)
  PANIC (pid 22346): smbXsrv_session_logoff_all failed
[2017/02/27 23:40:44.941526,  0] ../source3/lib/util.c:902(log_stack_trace)
  BACKTRACE: 20 stack frames:
   #0 0x80345afa8 <smb_panic_s3+152> at /usr/local/lib/libsmbconf.so.0
   #1 0x800a81b95 <smb_panic+53> at /usr/local/lib/libsamba-util.so.0
   #2 0x8010278c1 <smbd_exit_server+2273> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #3 0x8010279ec <smbd_exit_server_cleanly+28> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #4 0x803af7baa <exit_server_cleanly+42> at /usr/local/lib/samba/libsmbd-shim-samba4.so
   #5 0x800fdb7ed <smbd_server_connection_terminate_ex+557> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #6 0x800fe786f <smbd_smb2_process_negprot+14319> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #7 0x80347e966 <run_events_poll+1718> at /usr/local/lib/libsmbconf.so.0
   #8 0x80347f7b4 <event_add_idle+2452> at /usr/local/lib/libsmbconf.so.0
   #9 0x804e678e2 <_tevent_loop_once+114> at /usr/local/lib/libtevent.so.0
   #10 0x804e67b1b <tevent_common_loop_wait+59> at /usr/local/lib/libtevent.so.0
   #11 0x800fbecfa <smbd_process+3738> at /usr/local/lib/samba/libsmbd-base-samba4.so
   #12 0x40d1d4 <main+20180> at /usr/local/sbin/smbd
   #13 0x80347e966 <run_events_poll+1718> at /usr/local/lib/libsmbconf.so.0
   #14 0x80347f7b4 <event_add_idle+2452> at /usr/local/lib/libsmbconf.so.0
   #15 0x804e678e2 <_tevent_loop_once+114> at /usr/local/lib/libtevent.so.0
   #16 0x804e67b1b <tevent_common_loop_wait+59> at /usr/local/lib/libtevent.so.0
   #17 0x40bcbf <main+14783> at /usr/local/sbin/smbd
   #18 0x40a364 <main+8292> at /usr/local/sbin/smbd
   #19 0x406b6f <_start+367> at /usr/local/sbin/smbd
[2017/02/27 23:40:44.941892,  0] ../source3/lib/util.c:803(smb_panic_s3)
  smb_panic(): calling panic action [/usr/local/libexec/samba/samba-backtrace]
ptrace: Device busy.

 

[anodos]

Looks like you made samba really unhappy. Post testparm output (feel free to redact your domain name / any sensitive information). Did this happen immediately after testing the nfsv4:mode changes?

I've seen Samba panics before in FreeNAS (usually clears up if FreeNAS is reinstalled & backup of config applied), but it's a hard to say if a corrupt install is to blame since you've been experimenting a bit with changes via the CLI.

 

[beezel]

Thanks so much anodos.

To be clear, I haven't done anything in CLI other than read log files. All the changes were made via gui, and on the freenas side I actually didn't do too much. Most of my troubleshooting was attempting to apply different ACLs on the windows side. I blew away both my data and shares each time, and after finding nfs4:mode = simple, I recreated everything again.

It should also be noted that the Samba crash happened the night before I started working on this problem. 2/27/16 at 1130pm was the first crash, I worked on this folder redirection issue yesterday the 28th, and at 158am 3/1 it crashed again.

Code:

Load smb config files from /usr/local/etc/smb4.conf
Processing section "[fiat share]"
Processing section "[userdata$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
		dos charset = CP437
		realm = DOMAIN.COM
		server string = FreeNAS Server
		workgroup = DOMAIN
		domain master = No
		lm announce = Yes
		local master = No
		preferred master = No
		nsupdate command = /usr/local/bin/samba-nsupdate -g
		client ldap sasl wrapping = plain
		logging = file
		max log size = 51200
		cache directory = /var/tmp/.cache/.samba
		kernel change notify = No
		panic action = /usr/local/libexec/samba/samba-backtrace
		pid directory = /var/run/samba
		disable spoolss = Yes
		load printers = No
		printcap name = /dev/null
		time server = Yes
		allow trusted domains = No
		map to guest = Bad User
		obey pam restrictions = Yes
		security = ADS
		server role = member server
		deadtime = 15
		hostname lookups = Yes
		max open files = 470837
		template shell = /bin/sh
		winbind cache time = 7200
		winbind enum groups = Yes
		winbind enum users = Yes
		winbind offline logon = Yes
		winbind refresh tickets = Yes
		dns proxy = No
		idmap config tonkin: range = 20000-90000000
		idmap config tonkin: backend = rid
		idmap config *: range = 90000001-100000000
		idmap config * : backend = tdb
		store dos attributes = Yes
		strict locking = No
		directory name cache size = 0
		dos filemode = Yes
		acl allow execute always = Yes
		ea support = Yes
		create mask = 0666
		directory mask = 0777

[fiat share]
		path = /mnt/rtfserver-r10/fiat-main
		veto files = /.snapshot/.windows/.mac/.zfs/
		read only = No
		vfs objects = zfs_space zfsacl aio_pthread
		zfsacl:acesort = dontcare
		nfs4:chown = true
		nfs4:acedup = merge
		nfs4:mode = simple


[userdata$]
		comment = userdata
		path = /mnt/rtfserver-r10/userdata
		veto files = /.snapshot/.windows/.mac/.zfs/
		read only = No
		vfs objects = zfs_space zfsacl aio_pthread
		zfsacl:acesort = dontcare
		nfs4:chown = true
		nfs4:acedup = merge
		nfs4:mode = simple

.

As this server is off site, a reinstall isn't super ideal, but could be performed if absolutely necessary.

 

[anodos]

Thanks so much anodos.
It should also be noted that the Samba crash happened the night before I started working on this problem. 2/27/16 at 1130pm was the first crash,...
As this server is off site, a reinstall isn't super ideal, but could be performed if absolutely necessary.

In this case, it might be a good idea to file a bug report here: https://bugs.freenas.org/projects/freenas
Attach a debug tarball "system" -> "advanced" -> "save debug". Be sure to make the report private as it may contain sensitive information about your network / systems.