SMB User or Group

Mattia3rd

Explorer
Joined
May 13, 2014
Messages
57
Hi,

I'd like your feedback on this issue.
I created a Windows Dataset and I exported it with SMB.
Primary user and group are applied and everything is working properly.

Now the issue:
I need to give access to this share to a new user.
I created a new Group: nasArchive
I added the new user veeam to this group.
I gave the nasArchive group the SMB rights from GUI like this
[screenshot attachment: 1695375989669.png]

But when I log in to the NAS with the veeam user I receive
[screenshot attachment: 1695376072021.png]

ACLs are correctly configured
[screenshot attachment: 1695376196408.png]

What am I missing?

Thank you
 

Mattia3rd

Explorer
Joined
May 13, 2014
Messages
57
Hi, no help? :O
 

Mattia3rd

Explorer
Joined
May 13, 2014
Messages
57
Your user need execute permissions via some ACL entry for every parent path of the share.
Ok, but how do I set that?
Do I need to change the rights for "others" directly on the shell and set something like --x or r-x ?
This is the current configuration
[screenshot attachment: 1695628753249.png]
 

Mattia3rd

Explorer
Joined
May 13, 2014
Messages
57
I also run this command

root@NAS:/ # getfacl /mnt/Pool/Samba/DataArchive/
# file: /mnt/Pool/Samba/DataArchive/
# owner: ABC
# group: nas
group:nas:rwxpDdaARWcCos:fd-----:allow
user:ABC:rwxpDdaARWcCos:fd-----:allow
group:nasArchive:rwxpDdaARWc--s:fd-----:allow
user:veeam:rwxpDdaARWc--s:fd-----:allow
everyone@:--------------:fd-----:allow


I can add more details taken from logs

log.smbd
check_ntlm_password: authentication for user [veeam] -> [veeam] -> [veeam] succeeded
d18031d3-343d-4 (ipv4:192.168.X.Z:50415) connect to service Archive initially as user veeam (uid=1005, gid=1006) (pid 40075)

auth_audit.log
{"timestamp": "2023-09-25T13:58:47.952364+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.X.Y:445", "remoteAddress": "ipv4:192.168.X.Z:50415", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "D18031D3-343D-4", "clientAccount": "veeam", "workstation": "D18031D3-343D-4", "becameAccount": "veeam", "becameDomain": "NASXYZ", "becameSid": "S-1-5-21-1909120653-2637104421-1922714665-20043", "mappedAccount": "veeam", "mappedDomain": "D18031D3-343D-4", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 3871}}
 

Mattia3rd

Explorer
Joined
May 13, 2014
Messages
57
You should also look at ACL on /mnt/Pool/ and /mnt/Pool/Samba/
I don't get this point.
I'm exporting the /mnt/Pool/Samba/DataArchive dataset as the SMB share.
The upper dataset isn't exported nor configured for SMB access.

I don't know if I'm missing something, but I don't think that this matters. Am I wrong?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I don't know if I'm missing something but I don't think that this matters, Am I wrong?
Yes, this is how POSIX-compliant filesystems work. There is strict traverse checking. The execute bit does similar in Windows, but interactive sessions typically have a privilege that allows bypassing traverse checking. So Linux, FreeBSD, MacOS, and Windows to some extent all do this.
 

Mattia3rd

Explorer
Joined
May 13, 2014
Messages
57
Yes, this is how POSIX-compliant filesystems work. There is strict traverse checking. The execute bit does similar in Windows, but interactive sessions typically have a privilege that allows bypassing traverse checking. So Linux, FreeBSD, MacOS, and Windows to some extent all do this.
OK
So to solve the issue which setup do I need to implement?
How do I configure the "traverse" on all the parent datasets for the group nasArchive ?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
OK
So to solve the issue which setup do I need to implement?
How do I configure the "traverse" on all the parent datasets for the group nasArchive ?
There's a TRAVERSE basic permission in the ACL editor. You assign it to a group your user is a member of on each of the parent datasets (doesn't need inheritance set). Or you just grant "other" execute on each of them.
 

Mattia3rd

Explorer
Joined
May 13, 2014
Messages
57
There's a TRAVERSE basic permission in the ACL editor. You assign it to a group your user is a member of on each of parent datasets (doesn't need inheritance set). Or you just grant "other" execute on each of them.
I gave @Everyone the "traverse" grant on the parent dataset /mnt/Pool/Samba.
I tried to access with the veeam user and now it works!

Thank you great man :cool:
 
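The two explanations above (strict traverse checking on every parent path, and the TRAVERSE grant that fixed it) can be modelled in a few lines. The following is an added example, not code from the thread or from TrueNAS: it parses NFSv4 ACL entries in the text form getfacl prints in the thread (tag:who:perms:flags:type), evaluates the execute bit the way NFSv4 does (first matching entry that mentions the bit decides, no match means deny), and walks every ancestor of the share path to report where traversal fails. The DataArchive entries are the ones posted; the ACLs on /mnt, /mnt/Pool and /mnt/Pool/Samba, the owner/group names on the parents, and the exact ACE the TRAVERSE preset writes are assumptions constructed to reproduce the reported failure.

```python
"""Model of NFSv4 ACL traverse checking for an SMB share path.

ACE text format (as printed by getfacl on TrueNAS CORE / FreeBSD):
    owner@|group@|everyone@:PERMS:FLAGS:allow|deny
    user|group:NAME:PERMS:FLAGS:allow|deny
PERMS is the 14-character rwxpDdaARWcCos string; only 'x' matters for traversal.
"""
from dataclasses import dataclass


@dataclass
class Ace:
    tag: str    # "owner@", "group@", "everyone@", "user" or "group"
    who: str    # named principal for user:/group: entries, "" otherwise
    perms: str  # e.g. "rwxpDdaARWcCos"
    flags: str  # inheritance flags, e.g. "fd-----"
    kind: str   # "allow" or "deny"


@dataclass
class DirAcl:
    owner: str
    group: str
    aces: list


def parse_ace(line: str) -> Ace:
    fields = line.strip().split(":")
    if fields[0] in ("owner@", "group@", "everyone@"):
        return Ace(fields[0], "", fields[1], fields[2], fields[3])
    tag, who, perms, flags, kind = fields
    return Ace(tag, who, perms, flags, kind)


def ace_matches(ace: Ace, acl: DirAcl, user: str, groups: set) -> bool:
    # groups should contain the user's primary group and all supplementary groups.
    if ace.tag == "owner@":
        return user == acl.owner
    if ace.tag == "group@":
        return acl.group in groups
    if ace.tag == "everyone@":
        return True
    if ace.tag == "user":
        return ace.who == user
    if ace.tag == "group":
        return ace.who in groups
    return False


def grants_execute(acl: DirAcl, user: str, groups: set) -> bool:
    # NFSv4 evaluation: walk entries in order; the first matching entry that
    # mentions the requested bit decides. Entries without 'x' are skipped, and
    # falling off the end is an implicit deny.
    for ace in acl.aces:
        if ace_matches(ace, acl, user, groups) and "x" in ace.perms:
            return ace.kind == "allow"
    return False


def ancestors(path: str) -> list:
    # "/mnt/Pool/Samba/DataArchive" -> ["/mnt", "/mnt/Pool", "/mnt/Pool/Samba"]
    # ("/" itself is left out; only the datasets in the ACL table are modelled).
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def missing_traverse(acls: dict, share_path: str, user: str, groups: set) -> list:
    """Return every ancestor directory on which the user lacks execute (traverse)."""
    return [p for p in ancestors(share_path) if not grants_execute(acls[p], user, groups)]


def load(owner: str, group: str, lines: list) -> DirAcl:
    return DirAcl(owner, group, [parse_ace(l) for l in lines])


# Constructed sample tree. The DataArchive ACL is the getfacl output from the thread;
# everything else is an assumption that reproduces the "access denied" the OP saw.
OPEN_PARENT = [
    "owner@:rwxpDdaARWcCos:fd-----:allow",
    "group@:r-x---a-R-c--s:fd-----:allow",
    "everyone@:r-x---a-R-c--s:fd-----:allow",
]
SAMPLE_ACLS = {
    "/mnt": load("root", "wheel", OPEN_PARENT),
    "/mnt/Pool": load("root", "wheel", OPEN_PARENT),
    "/mnt/Pool/Samba": load("ABC", "nas", [
        "group:nas:rwxpDdaARWcCos:fd-----:allow",
        "user:ABC:rwxpDdaARWcCos:fd-----:allow",
        "everyone@:--------------:fd-----:allow",   # no 'x': everyone else is stuck here
    ]),
    "/mnt/Pool/Samba/DataArchive": load("ABC", "nas", [
        "group:nas:rwxpDdaARWcCos:fd-----:allow",
        "user:ABC:rwxpDdaARWcCos:fd-----:allow",
        "group:nasArchive:rwxpDdaARWc--s:fd-----:allow",
        "user:veeam:rwxpDdaARWc--s:fd-----:allow",
        "everyone@:--------------:fd-----:allow",
    ]),
}


def apply_traverse_fix(acls: dict, path: str) -> dict:
    # The fix from the thread: an allow entry granting execute to everyone@ on the
    # parent dataset. No inheritance flags are needed, because only the directory
    # itself has to be traversable. (Assumed to be what the TRAVERSE preset writes.)
    fixed = {p: DirAcl(a.owner, a.group, list(a.aces)) for p, a in acls.items()}
    fixed[path].aces.append(parse_ace("everyone@:--x-----------:-------:allow"))
    return fixed


if __name__ == "__main__":
    share = "/mnt/Pool/Samba/DataArchive"
    print("before:", missing_traverse(SAMPLE_ACLS, share, "veeam", {"nasArchive"}))
    print("after: ", missing_traverse(apply_traverse_fix(SAMPLE_ACLS, "/mnt/Pool/Samba"),
                                      share, "veeam", {"nasArchive"}))
```

The point the model makes explicit: veeam is granted rwx on the share dataset itself, and SMB authentication succeeds (the auth_audit.log entry shows NT_STATUS_OK), yet the share is unusable because /mnt/Pool/Samba has no entry granting execute to anyone outside user ABC and group nas. Granting only 'x' on the parent is the least-privilege fix, since it lets users pass through the directory without listing or reading it.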