SMB Share - Access denied - FreeNAS 11.2-U2 & 11.2-U3

Numlock64

Cadet
Joined
Mar 30, 2019
Messages
6
Hello,

I just did a fresh install of FreeNAS 11.2-U2 recently.
I have configured two pools, one mirrored and one Z2 pool.
I then configured some datasets on each pool, created groups and users, and gave those groups permissions on those datasets (I left the "user" setting as root and only changed the group to the ones I created, which have my users as members).
The datasets have other datasets in them. The top-level datasets are not shared; I left them pretty much at default (share type Unix). For the child datasets I configured share type Windows.
After this I configured some SMB shares with no special configuration.

My problem:
I can see the shares, but I'm only able to access them with the root user, not with the configured group.

What I have tried so far:
- I have followed the documentation exactly
- I have followed the videos of "The Internet Monkey", which were suggested in another thread https://www.youtube.com/watch?v=RxggaE935PM
- I have checked the permissions when connected from a windows machine using the root user which has access as described above
- I have recreated the datasets
- I have recreated the shares
- I have recreated the groups and users
- I have done an upgrade to 11.2-U3
- I have done a fresh install with 11.2-U2 and configured everything once again (this is where I am now).

Any help would be highly appreciated.

Thanks in advance :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
What's the output of net groupmap list
 

Numlock64
Hello anodos, thanks for your reply.

The following is the output of net groupmap list:

Code:
Guests (S-1-5-32-546) -> 90000005
plex_user (S-1-5-21-2918659276-2468810647-4167654567-1000) -> patrick
grp_smb_douments_patrick (S-1-5-21-624301732-3295257401-819058178-1003) -> grp_smb_documents_patrick
grp_smb_backup (S-1-5-21-624301732-3295257401-819058178-1004) -> grp_smb_plex_media
Administrators (S-1-5-32-544) -> 90000003
Streaming_Group_1 (S-1-5-21-3674969531-3127243751-3552003824-1001) -> grp_smb_backup
Users (S-1-5-32-545) -> 90000004


A snippet of my users:
Code:
patrick:*:1000:1000:Patrick:/nonexistent:/usr/local/bin/bash
backup_user:*:1001:1001:Backup User:/nonexistent:/usr/local/bin/bash


And a snippet of my groups:
Code:
patrick:*:1000:
grp_smb_backup:*:1001:
grp_smb_plex_media:*:1002:patrick
grp_smb_documents_patrick:*:1003:patrick
 

anodos
Okay. Show me permissions for the full path to the share:
Code:
getfacl /mnt/dozer
getfacl /mnt/dozer/subdir1
getfacl /mnt/dozer/subdir1/subdir2
getfacl /mnt/dozer/subdir1/subdir2/share


and output of net getlocalsid
 

Numlock64
Here are the permissions of the "Backup Storage" share (full path /mnt/V01_Z2_Data/D00_Backup):
Code:
# file: /mnt/V01_Z2_Data
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

# file: /mnt/V01_Z2_Data/D00_Backup
# owner: root
# group: grp_smb_backup
            owner@:rwxpDdaARWcCo-:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow


These are the permissions of the "Documents_Patrick" share (full path /mnt/V01_Z2_Data/D01_Documents):
Code:
# file: /mnt/V01_Z2_Data
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

# file: /mnt/V01_Z2_Data/D01_Documents
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fdi----:allow
            group@:rwxpDdaARWcCos:fdi----:allow
         everyone@:r-x---a-R-c---:fdi----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

# file: /mnt/V01_Z2_Data/D01_Documents/Documents_Patrick
# owner: root
# group: grp_smb_documents_patrick
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow         


And here are the permissions of the "Plex Media" share (full path /mnt/Media_Volume_1/Media_Dataset_1):
Code:
# file: /mnt/Media_Volume_1
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
        
# file: /mnt/Media_Volume_1/Media_Dataset_1
# owner: root
# group: grp_smb_plex_media
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
 

Numlock64

I just saw that I forgot to include the output of net getlocalsid:
Code:
SID for domain VNAS01 is: S-1-5-21-3417272644-3790614459-1571862101
 

anodos
It looks like there are inconsistencies in the group_mapping tdb.
Code:
service samba_server stop
rm /var/db/samba4/group_mapping.tdb
service ix-pre-samba start
service samba_server start
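The inconsistencies anodos is pointing at are visible in the pasted output: none of the non-BUILTIN mappings carry the machine SID that net getlocalsid reports (S-1-5-21-3417272644-3790614459-1571862101), three different domain SIDs appear, and several NT names do not match the unix group they map to (grp_smb_backup -> grp_smb_plex_media). The following audit script, added here as an example and not FreeNAS or Samba code, flags exactly those conditions on the pasted text. The rule that the NT name should equal the unix group name is a heuristic for groups created in the FreeNAS GUI, not a Samba guarantee; the 90000003-style unix side of BUILTIN groups is an idmap-allocated gid and is left alone.

```python
import re
from dataclasses import dataclass

# Constructed from the outputs posted in this thread (`net groupmap list`,
# `net getlocalsid` and the /etc/group snippet).
GROUPMAP_OUTPUT = """\
Guests (S-1-5-32-546) -> 90000005
plex_user (S-1-5-21-2918659276-2468810647-4167654567-1000) -> patrick
grp_smb_douments_patrick (S-1-5-21-624301732-3295257401-819058178-1003) -> grp_smb_documents_patrick
grp_smb_backup (S-1-5-21-624301732-3295257401-819058178-1004) -> grp_smb_plex_media
Administrators (S-1-5-32-544) -> 90000003
Streaming_Group_1 (S-1-5-21-3674969531-3127243751-3552003824-1001) -> grp_smb_backup
Users (S-1-5-32-545) -> 90000004
"""
LOCAL_SID = "S-1-5-21-3417272644-3790614459-1571862101"
GROUP_FILE = """\
patrick:*:1000:
grp_smb_backup:*:1001:
grp_smb_plex_media:*:1002:patrick
grp_smb_documents_patrick:*:1003:patrick
"""

@dataclass
class GroupMapEntry:
    nt_name: str
    sid: str
    unix_name: str

    @property
    def domain_sid(self) -> str:
        """SID without the trailing RID, i.e. the machine/domain part."""
        return self.sid.rsplit("-", 1)[0]

    @property
    def is_builtin(self) -> bool:
        return self.sid.startswith("S-1-5-32-")

_LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Parse `net groupmap list` lines of the form 'NTNAME (SID) -> unixname'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised groupmap line: {line!r}")
        entries.append(GroupMapEntry(m["nt"], m["sid"], m["unix"]))
    return entries

def parse_group_file(text):
    """Map group name -> gid from /etc/group style lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        groups[name] = int(gid)
    return groups

def audit_groupmap(entries, local_sid, unix_groups):
    """Return {nt_name: [issues]} for every non-BUILTIN mapping that looks stale."""
    findings = {}
    for e in entries:
        if e.is_builtin:
            continue  # BUILTIN\Administrators etc. are expected and idmap-allocated
        issues = []
        if e.domain_sid != local_sid:
            issues.append("SID was issued under a different machine SID than net getlocalsid reports")
        if e.unix_name not in unix_groups:
            issues.append("unix group does not exist in /etc/group")
        elif e.nt_name != e.unix_name:
            issues.append("NT name and unix group name differ")
        if issues:
            findings[e.nt_name] = issues
    return findings
```

On the posted data all four non-BUILTIN entries are flagged with a foreign machine SID, which is what a group_mapping.tdb carried over from a previous install looks like, and three of them additionally map to a differently named unix group; regenerating the tdb as shown above is the fix rather than editing entries one by one.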
 

anodos
Code:
# file: /mnt/V01_Z2_Data
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow


Those permissions prevent anyone who isn't a member of the wheel group from traversing to your shares. "other" needs execute permissions.
 

Numlock64

OK, I just saved my config and tried your solution. Unfortunately it didn't solve the issue, but I think it's my fault.
Just for clarification: if I have datasets nested like below:

Code:
find /mnt/ -maxdepth 3 | grep "./" | sed -e 's/./\//' -e 's/[^-][^\/]*\//--/g' -e 's/^/   /' -e 's/-/|/'

   |-Media_Volume_1
   |---iocage
   |-----download
   |-----images
   |-----defaults.json
   |-----releases
   |-----.plugin_index
   |-----templates
   |-----jails
   |-----log
   |---Media_Dataset_1
   |-----Music
   |-----.windows
   |-----Games
   |-----Movies
   |-----Series
   |-V01_Z2_Data
   |---D01_Documents
   |-----Documents_Patrick
   |-----.windows
   |---D00_Backup
   |-----.windows
   |-md_size


Can I have the top level dataset (Media_Volume_1 /mnt/Media_Volume_1/ or V01_Z2_Data /mnt/V01_Z2_Data) configured with the share type Unix?
If I understand you correctly, I have to set "read" and "execute" permissions for "others" before switching to the share type Windows?
 

anodos

chmod 755 /mnt/V01_Z2_Data
 

Numlock64

Thanks for your quick replies and your help!
As I suspected it was my fault, and you pointed me in the right direction.
The problem was that I had removed read and execute permissions on the top-level dataset and then switched to the share type Windows, which resulted in a lack of permissions.

I have now solved the problem and everything works like a charm.

Again thanks a lot for your time and help :)
 

RiBeneke

Dabbler
Joined
Nov 18, 2013
Messages
37
We had a similar problem after a recent update from FreeNAS 11.2-U2 to U7. Most of the previously set Windows ACLs were lost, corrupted or invisible.
Our staff were locked out of FreeNAS shares for 3 days while I fixed the problem. But we had issues from years back that were never properly resolved. Our config file started with FreeNAS 0.8, and at some stage there was Corral. So it was time to do a full rebuild of all users, groups and Windows ACLs.

I am posting additional notes here to help others who may be having problems.

Ensure that Windows is set to use the correct authentication; here for Win 7: run secpol.msc.
Navigate to Security Settings / Local Policies / Security Options.
Set LAN Manager authentication level = NTLMv2 only.

Clearing corrupted or wrong-location Samba databases as suggested by anodos above was a very useful starting point:
Code:
service samba_server stop
rm /var/db/samba4/group_mapping.tdb
service ix-pre-samba start
service samba_server start

It revealed several Windows ACL users and groups that had become unknown or duplicated and these could be deleted.

Trying (in the FreeNAS shell) to set permissions on the shared directories to drwxrwxrwx was frustrating and eventually fruitless.
The settings are locked (I think by Samba) when (under Storage / Pools / Pool options) the pool is set as an SMB share.
Using chmod to change permissions gives the response 'Operation not permitted.'
Using the workaround mentioned by anodos above, where the pool is changed to a Unix share, then permissions are changed using chmod, and then the pool is changed back to an SMB share, did work.
But it had the effect of deleting some Windows ACL users and groups.
And finally, when those Windows ACL users and groups were reinstalled, the Windows security process
reset the permissions to drwxrwx---+ on the shares.
So for us that was not the way to do it, and Windows actually wants no permissions under Others.

Set the permissions and access by creating groups and users in the FreeNAS GUI.
Ensure that the same user accounts and passwords are set up on the Windows devices.
It may be useful to set up a Windows account called root (the default FreeNAS user) with the same password.
Then from a Windows device set the security properties on each shared folder (directory).
In Windows Explorer, right-click the folder, then Properties and the Security tab. The latest Windows does not have the Sharing tab, so use Security.

If, like our setup, you have a number of shares, each on a folder within one pool,
then you may need to create a temporary share at the root of that pool in order to navigate correctly and set things up in Windows explorer.
When setting ACLs using the Windows security dialogue, the folder that you right-click should be in the main right-hand pane of Windows explorer.
In the left-hand pane Windows thinks you are setting permissions at the root of a drive and can mess things up.

Finally, if you wish to set read/traverse access at the level of the shared folders, with finer control of permissions at the lower levels,
then at the shared folder level (right pane in Windows Explorer)
right-click / Properties / Security tab / Advanced / Change permissions / Add / find or enter the group name that will allow everyone read access.
In the permissions details list set the flags for :
Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes and
Read permissions.

I hope this helps someone.
 

RiBeneke
Some things I should have mentioned in the last paragraph :

After clicking Change permissions, clear the checkbox for Inherit properties.
After clicking add, remember that Windows uses a backslash (\) in the path to the user or group.
When setting the permissions flags, you may wish to select to Apply to this folder only
instead of propagating the read permission to all lower folders.
Then visibility of lower folders will be determined only by the permissions on those lower folders.
 

RiBeneke
Later ... it seems we also had some corruptions in the database.
During a previous session of configuring permissions, I was creating groups using the FreeNAS GUI and received a message that no more than 64 groups may be created. There were already more than 64 when the message arrived.
Then re-planned our permissions layout and deleted groups in the GUI to get down to about 40. But things were still not working properly.
Later logged on to GUI, and using shell command net sam list localgroups it showed about 80 groups including ones that had been deleted plus duplicate group names.
Used net sam deletelocalgroup <Name> to delete unwanted groups, but some reappeared in the GUI and needed a second cycle to remove them.
FreeNAS 11.2-U7 STABLE up to date 2020-01-23.
 

peter boos

Dabbler
Joined
Sep 21, 2020
Messages
35
For a storage product it amazes me how poorly it handles Windows SMB clients. I am astonished, as if frozen to death... WHAT TF !
 

peter boos
Well, several cases; currently working on a domain group that should get access to a specific subdir.
Started with user:"DOMAINXXXX\\some.user":full_set:fd:allow ./ on the subdir. Windows shares can handle that; FreeNAS cannot.

So then a group was made for these kinds of users:
setfacl -m group:"DOMAINXXXX\\projects_folder":full_set:fd:allow ./the specificsubdir
Then the same was done for each directory above it.
Also in the GUI the group was given modify access.

To no effect at all.
 

anodos
Did you check ACLs across the full path to that share? For instance, if domain users are trying to access /mnt/tank/share and you chmod 770 /mnt/tank, they will have no access because they cannot traverse /mnt/tank.
 

peter boos
What does your chmod command look like if you add an extra domain group to the folder? (getfacl shows the group has permissions.)

Or rather, to make it a bit clearer: say you have a few groups, some may see all, others may only modify specific folders and files. What would you do?
In the web GUI the extra groups need to be added, and then what?
 
Last edited:

anodos
I'm sorry, but I'm not quite following what you're describing. The web UI allows setting ACLs on the root of the share.
Suppose you have a share \\server\share where [share] has a local path of /mnt/tank/share.
Then you do the following:
1) you set an ACL on /mnt/tank/share that grants "Domain Admins" full control and no one else access
2) then create a directory /mnt/tank/share/dir1, and set an ACL on it granting "Domain Users" full control

Domain users will not have access to /mnt/tank/share/dir1 because they lack rights to traverse /mnt/tank/share. To accomplish this, you need to grant "Domain Users" the TRAVERSE permission set (in the web UI) on /mnt/tank/share.

At the end of the day, changing permissions through the web UI (or through File Explorer / Computer Management) is the only supported method. I asked specifically about chmod 770 on /mnt/tank because there are unfortunately online how-to videos that state one should do this (which breaks access for all users).
 