SMB Login with Active Directory Account but no Permission (11.3-RC1)

chasewinder

Cadet
Joined
Dec 29, 2019
Messages
3
Hello!
I've been obsessed with this issue for several days, and I can't find the same case in the forum.
My FreeNAS version is 11.3-RC1. When I log in with an Active Directory account for an SMB share, the login succeeds and the ACL is right,
but it tells me no permission. Please help me. The following is troubleshooting information:
Domain User: YYY\soft
Share Folder: /mnt/YYYnas/YYY/software
1. Error log

Code:
[2019/12/27 16:06:02.911131,  2] ../../source3/smbd/service.c:851(make_connection_snum)
  shadowkiller (ipv4:172.16.0.78:63557) connect to service software initially as user YYY\soft (uid=90001112, gid=90000514) (pid 2425)
[2019/12/27 16:06:03.032346,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2019/12/27 16:06:03.034058,  0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
[2019/12/27 16:06:03.038401,  2] ../../source3/smbd/service.c:1131(close_cnum)
  shadowkiller (ipv4:172.16.0.78:63557) closed connection to service software

2. smb config

Code:
# Global parameters
[global]
    aio max threads = 2
    allow trusted domains = No
    bind interfaces only = Yes
    client ldap sasl wrapping = plain
    deadtime = 15
    disable spoolss = Yes
    dns proxy = No
    domain master = No
    enable web service discovery = Yes
    interfaces = 127.0.0.1 172.16.0.10
    kerberos method = secrets and keytab
    kernel change notify = No
    load printers = No
    local master = No
    logging = file
    map to guest = Bad User
    max log size = 51200
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    preferred master = No
    realm = YYY.YYY-INC.COM
    security = ADS
    server min protocol = SMB2_02
    server role = member server
    server string = FreeNAS Server
    template shell = /bin/sh
    unix extensions = No
    username map = /usr/local/etc/smbusername.map
    username map cache time = 60
    winbind cache time = 7200
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind max domain connections = 10
    winbind nss info = rfc2307
    workgroup = YYY
    idmap config *: range = 1000000001-2000000000
    idmap config yyy: range = 90000001-100000000
    idmap config yyy: backend = rid
    fruit:nfs_aces = No
    idmap config * : backend = tdb
    allocation roundup size = 0
    directory name cache size = 0
    dos filemode = Yes
    include = /usr/local/etc/smb4_share.conf

[software]
    aio write size = 0
    mangled names = illegal
    path = /mnt/YYYnas/YYY/software
    read only = No
    vfs objects = zfs_space zfsacl fruit streams_xattr
    nfs4:acedup = merge
    nfs4:chown = true
    fruit:resource = stream
    fruit:metadata = stream


3. getfacl info
Code:
root@freenas[~]# getfacl /mnt/YYYnas/YYY/software
# file: /mnt/YYYnas/YYY/software
# owner: YYY\soft
# group: YYY\domain users
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
         everyone@:--------------:fd-----:allow

Thanks.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Your ACL is wrong. "change_to_user_internal: chdir_current_service() failed!" means that your user lacks permissions to access some path component leading to the share. Check permissions on /mnt/YYYnas, and /mnt/YYYnas/YYY. Moreover,
Code:
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
         everyone@:--------------:fd-----:allow

is not an appropriate ACL for a Windows share. In 11.3-RC1 we have an ACL editor. Use it on /mnt/YYYnas/YYY, and select the "RESTRICTED" preset; this will ensure that owner@ and group@ have correct entries. Then click the "add" button and select "domain users" (make sure that "BASIC"-"MODIFY" permissions are selected). Check the "recursive" box, then the "traverse" box, and apply the ACL.
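The diagnosis above (a parent directory that denies traverse to the connecting user) can be checked mechanically. The script below is an added example, not anodos's or FreeNAS's code: it lists every directory leading to a share and parses NFSv4 `getfacl` output to report principals with no traverse (x) bit. The share path and the parent ACL are constructed to mirror the posted case, so it runs offline.

```shell
# Added example (not from the thread): find principals that cannot traverse
# a directory, given NFSv4 getfacl output on stdin.

# List each directory on the way to a share, shallowest first.
ancestors() {
    p=$1
    out=""
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        out="$p $out"
        p=$(dirname "$p")
    done
    printf '%s\n' "${out% }"
}

# Print each principal that has no allow ACE carrying the x (traverse) bit,
# or that has a deny ACE carrying it. x is the third character of the
# permission string (r w x p d D a A R W c C o s). ACE order is approximated:
# any matching deny of x wins.
acl_traverse_report() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }
        {
            gsub(/^[ \t]+/, "", $1)
            type = $NF; perms = $(NF-2)
            who = $1
            for (i = 2; i <= NF-3; i++) who = who ":" $i   # "group:DOM\name"
            seen[who] = 1
            if (substr(perms, 3, 1) != "x") next
            if (type == "allow") allow[who] = 1
            if (type == "deny") deny[who] = 1
        }
        END { for (who in seen) if (!allow[who] || deny[who]) print who }'
}

# Constructed ACL for a parent directory that produces the
# "chdir_current_service() failed!" symptom: group@ and everyone@ lack x.
PARENT_ACL='# file: /mnt/YYYnas/YYY
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
  group:YYY\domain users:r-x---a-R-c--s:fd-----:allow'

# On the NAS itself, run for each directory: getfacl "$d" | acl_traverse_report
for d in $(ancestors /mnt/YYYnas/YYY/software); do
    echo "would check: $d"
done
printf '%s\n' "$PARENT_ACL" | acl_traverse_report | LC_ALL=C sort
```

A principal reported for any directory above the share cannot chdir into it, whatever the share's own ACL says.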
 

chasewinder

Cadet
Joined
Dec 29, 2019
Messages
3
Solved, thank you very much @anodos.
Used the setfacl method.
Code:
setfacl -m g:"DOMAIN\domain admins":full_set:fd:allow,g:"DOMAIN\domain users":modify_set:fd:allow,owner@:modify_set:fd:allow,group@:modify_set:fd:allow,everyone@::fd:allow /mnt/dozer/SHARE
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Solved, thank you very much @anodos.
Used the setfacl method.
Code:
setfacl -m g:"DOMAIN\domain admins":full_set:fd:allow,g:"DOMAIN\domain users":modify_set:fd:allow,owner@:modify_set:fd:allow,group@:modify_set:fd:allow,everyone@::fd:allow /mnt/dozer/SHARE
In 11.3 there is no need to use setfacl. The webui can handle this.
 

chasewinder

Cadet
Joined
Dec 29, 2019
Messages
3
Permissions on /mnt/YYYnas are wrong, and on the webUI it shows "Root dataset permissions cannot be edited".
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Permissions on /mnt/YYYnas are wrong, and on the webUI it shows "Root dataset permissions cannot be edited".
Oh. Sorry. I lost context on this thread. After Beta1 we introduced a change to prevent users from changing permissions on root-level datasets (to specifically help prevent this sort of issue and help prevent users from breaking jails through recursive permissions changes).