TrueNAS Core 12.0 Nightly Snapshots Available

alex992

Explorer
Joined
Jul 6, 2017
Messages
65
> Yep. I dunno why I get those errors. I checked up DNS, gateway, etc and still have them. Moreover SMB shares are unusable. Much better I rollback and wait some months to give it a try.

SMB shares are unusable for me too.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
Code:
26352    Update Netdata to 1.8.0

The return of Netdata?

Kind regards,
Patrick
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
I just merged in some SMB changes that fix shadow copies in 12.0. Basically in 12.0 we're being super-careful to only canonicalize names once (converting paths with @GMT-foo). We're doing this by stripping the @GMT string and storing a corresponding timestamp in struct smb_filename along with a flag that the name has already been canonicalized. This should significantly reduce amount of string manipulation we do when shadow copies are enabled.
 
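
An added example, not Samba or TrueNAS code, of the single-pass canonicalization anodos describes above: the `@GMT-YYYY.MM.DD-HH.MM.SS` component is stripped once, its timestamp is kept next to the stripped name, and a flag stops any later pass from re-parsing the string. `SmbFilename`, `make_name` and `canonicalize` are stand-in names chosen here; only the `@GMT` token format is taken from how Windows "Previous Versions" clients address shadow copies.

```python
"""Added example (not Samba or TrueNAS code): strip a shadow-copy @GMT token
from an SMB path exactly once, keeping the snapshot time alongside the name."""
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Windows clients address a snapshot as a path component of the form
# @GMT-YYYY.MM.DD-HH.MM.SS; the time is always UTC.  Whole components only.
GMT_TOKEN = re.compile(r"^@GMT-(\d{4})\.(\d{2})\.(\d{2})-(\d{2})\.(\d{2})\.(\d{2})$")


class SmbFilename(NamedTuple):
    """Stand-in for the fields of interest in Samba's struct smb_filename (assumed)."""
    base_name: str        # path with the @GMT component removed
    twrp: Optional[int]   # snapshot time as Unix epoch seconds; None for the live tree
    canonicalized: bool   # guard flag: the name is parsed at most once


def make_name(path: str) -> SmbFilename:
    """Wrap a raw client-supplied path as a not-yet-canonicalized name."""
    return SmbFilename(path, None, False)


def canonicalize(fname: SmbFilename) -> SmbFilename:
    """Remove the first @GMT-... component and record its timestamp.

    A second call is a no-op: the flag short-circuits it, so downstream code
    never does the string manipulation again.  A malformed token (impossible
    date) is left in place as an ordinary file name rather than guessed at.
    """
    if fname.canonicalized:
        return fname
    twrp: Optional[int] = None
    kept: List[str] = []
    for part in fname.base_name.split("/"):
        m = GMT_TOKEN.match(part)
        if m and twrp is None:
            y, mo, d, h, mi, s = (int(g) for g in m.groups())
            try:
                stamp = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)
            except ValueError:
                kept.append(part)     # looks like a token but is not a valid date
                continue
            twrp = int(stamp.timestamp())
            continue                  # drop the token component itself
        kept.append(part)             # any later @GMT token stays literal
    return SmbFilename("/".join(kept), twrp, True)


if __name__ == "__main__":
    # Constructed sample request for a file inside the 2020-06-15 10:30 UTC snapshot.
    name = canonicalize(make_name("@GMT-2020.06.15-10.30.00/docs/report.txt"))
    print(name)                       # SmbFilename(base_name='docs/report.txt', twrp=1592217000, canonicalized=True)
    print(canonicalize(name) is name) # True: the second pass does nothing
```

The point of the flag is idempotence: a VFS module that receives an already-canonicalized name must not strip again, or a file literally named `@GMT-2019.01.01-00.00.00` in a snapshot would be misread as a second time-warp request.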

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
There are also three new SMB-related groups `builtin_users`, `builtin_administrators`, `builtin_guests`. New local users in the UI will be automatically added to builtin_users. When joined to AD, "DOMAIN\domain users" are automatically added as foreign members of builtin_users as well. This means that you can grant access to all (local and AD) users by just adding permissions for "builtin_users" through the ACL manager.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> There are also three new SMB-related groups `builtin_users`, `builtin_administrators`, `builtin_guests`. New local users in the UI will be automatically added to builtin_users. When joined to AD, "DOMAIN\domain users" are automatically added as foreign members of builtin_users as well. This means that you can grant access to all (local and AD) users by just adding permissions for "builtin_users" through the ACL manager.

Interesting, that uniformity makes integrating into most LDAP/AD systems a lot more uniform across deployments... :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> Interesting, that uniformity makes integrating into most LDAP/AD systems a lot more uniform across deployments... :)

LDAP in FreeNAS is typically in a different situation. In this case we 100% rely on what's on the remote LDAP server (using the ldapsam passdb backend). If people deploy with IDMAP_AUTORID in AD this may also introduce interesting compatibility issues.

I also added an SSSD compatibility option to IDMAP_RID where we calculate the idmap_low range to be identical to the first slice automatically allocated by SSSD.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
I have never used FreeNAS with LDAP. In environments where I integrate FreeBSD and/or Linux with AD I prefer to activate MS Services For Unix and specify UIDs, GIDs etc. explicitly. Then use nss_ldap for lookup. That way you don't need an idmap.
Would FreeNAS support that?

Kind regards,
Patrick
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> I have never used FreeNAS with LDAP. In environments where I integrate FreeBSD and/or Linux with AD I prefer to activate MS Services For Unix and specify UIDs, GIDs etc. explicitly. Then use nss_ldap for lookup. That way you don't need an idmap.
> Would FreeNAS support that?
>
> Kind regards,
> Patrick

Yes, if you join AD with the "AD" idmap backend, then everything should just work correctly. The primary gotcha is that you need to adjust the low and high ranges for the domain to match what you've configured in your AD's LDAP. In this case you'll be using winbindd rather than nss_ldap.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
But won't winbindd still generate UIDs locally to the system it is running on instead of just taking the right attribute directly from AD?
Like so:
Code:
nss_map_attribute uid msSFU30Name
nss_map_attribute gecos name
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
nss_map_attribute uniquemember msSFU30PosixMember

I even put the login shell into AD ...

Patrick
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> But won't winbindd still generate UIDs locally to the system it is running on instead of just taking the right attribute directly from AD?
> Like so:
> Code:
> nss_map_attribute uid msSFU30Name
> nss_map_attribute gecos name
> nss_map_attribute userPassword unixUserPassword
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute uniqueMember member
> nss_map_attribute cn sAMAccountName
> nss_map_attribute uniquemember msSFU30PosixMember
>
> I even put the login shell into AD ...
>
> Patrick

No, it takes them from AD.
 

alex992

Explorer
Joined
Jul 6, 2017
Messages
65
Is there any documentation (manual) for ACL SMB share configuration for 12.0 ?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> Is there any documentation (manual) for ACL SMB share configuration for 12.0 ?

The filesystem ACL manager is in 11.3. Documentation still applies. The SMB Share ACL manager is a thin wrapper around the `sharesec` command. Generally speaking, stick to filesystem ACLs unless you have good reason to do otherwise. (Same as general convention with Windows regarding these ACLs).
 

alex992

Explorer
Joined
Jul 6, 2017
Messages
65
In 11.3 I did create simple pool dataset root SMB share for user "root" W/O ACL settings. After update to 12.0 root SMB share not accessible. Is there any changes to root dataset default ACL?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> In 11.3 I did create simple pool dataset root SMB share for user "root" W/O ACL settings. After update to 12.0 root SMB share not accessible. Is there any changes to root dataset default ACL?

We never change your data (including ACLs) on upgrade. Do you see the user "root" in the output of `midclt call smb.passdb_list`?
 

Yorick

Wizard
Joined
Nov 4, 2018
Messages
1,912
"Here be dragons" with regards to SMB. I have three shares, all with a simple File ACL and simple Windows ACL, and two of those are still accessible, the third isn't. I still see the group "shared" (UID 1000) set, with full access for group, so I'm not sure where the issue is. I'll open a ticket, and let's chase it from there?

Ticket is at https://jira.ixsystems.com/projects/NAS/issues/NAS-105392
 

alex992

Explorer
Joined
Jul 6, 2017
Messages
65
> If you add an auxiliary parameter under Services->SMB log level=1 auth_audit:5, you can tail /var/log/samba4/log.smbd and watch the auth attempts to see what's breaking down.

Code:
truenas kernel: pid 21152 (smbd), jid 0, uid 0: exited on signal 6
 