Upgrade to 9.10.2 U2 and later broke samba

[kristjank]

Hi!

Something is seriously wrong with SMB in latest version(s). In 9.10.2 everything worked fine, but after upgrade to U2 and later windows clients cannot connect to shares. Rolled back to 9.10.2 and kept using it, but now u4 is needed for SambaCry. Did reset configuration and a fresh install on boot drive - the same. Tried to change permissions every possible way - nothing. But test with fresh install on other machine worked and it seems that newer install does like the zfs volume from previous installation. Log gives one interesting and repeating message when trying to access the share from windows machine(10.66.1.254):

Code:

May 29 23:43:16 kkzfs01 mountd[21679]: mount request from 10.66.1.254 for non existent path /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request denied from 10.66.1.254 for /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request from 10.66.1.254 for non existent path /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request denied from 10.66.1.254 for /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request from 10.66.1.254 for non existent path /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request denied from 10.66.1.254 for /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request from 10.66.1.254 for non existent path /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request denied from 10.66.1.254 for /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request from 10.66.1.254 for non existent path /Data
May 29 23:43:16 kkzfs01 mountd[21679]: mount request denied from 10.66.1.254 for /Data

Mountd should be daemon for NFS and should not have any business with SMB shares?! NFS share on the same machine works fine.

Any Ideas?

 

[dlavigne]

That message is unrelated as it is an NFS error.

Which versions of clients? Are you using NTLMv1 in your SMB config? What error do you get when you try to connect to the share?

 

[kristjank]

Every repeating two lines seem to appear when I try to access the share from windows, and the from address is the ip address of the windows client machine trying to access the smb share.

Clients are Windows 7. I have done clean install on the freenas so the smb service config is default: smb maximum version is 3 and minimum is dashed line. The error message is:

And it appears on clicking on the share without asking for username and password.

New install of freenas with the exact same configuration and fresh zfs works without problems. So it seems the problem comes to new install from imported zfs volume. Also a Unix dataset on the same volume works with NFS fine. There is something wrong with the Windows dataset.

 

[dlavigne]

Sounds like a permissions problem on that dataset.

 

[kristjank]

Sounds like a permissions problem on that dataset.

That seems to me also, but what should the permissions be and how to change them? I have experimented chmod setfacl commands but no success so far.

 

[anodos]

Every repeating two lines seem to appear when I try to access the share from windows, and the from address is the ip address of the windows client machine trying to access the smb share.

Clients are Windows 7. I have done clean install on the freenas so the smb service config is default: smb maximum version is 3 and minimum is dashed line. The error message is: View attachment 18666
And it appears on clicking on the share without asking for username and password.

New install of freenas with the exact same configuration and fresh zfs works without problems. So it seems the problem comes to new install from imported zfs volume. Also a Unix dataset on the same volume works with NFS fine. There is something wrong with the Windows dataset.

On U4 try the following auxiliary parameter under services->smb ntlm auth = yes

 

[kristjank]

On U4 try the following auxiliary parameter under services->smb ntlm auth = yes

Tried that, didn't help.

 

[kristjank]

It seems that permissions are missing from samba:

Code:

root@kkzfs01:~ # sharesec Data -v
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL
root@kkzfs01:~ # sharesec Media -v
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL
root@kkzfs01:~ #

 

[anodos]

No. That is the default configuration for an NT ACL. ACL:S-1-1-0:ALLOWED/0x0/FULL means "everyone" -"full control". The problem is that you haven't properly configured your filesystem permissions.

Try setting permissions like in this video: https://www.youtube.com/watch?v=RxggaE935PM

 

[kristjank]

Solved the problem. It was the volumes not the datasets permissions problem. The volume's permissions need to be 775 in the /mnt/ folder, it was 770. So NFS datasets don't care about parent folders path permissions, but newer samba apparently wants to traverse the full path. Anyway case closed and thanks for suggestions!

 

[anodos]

That's correct. The execute bit is required for the full path where the samba share is located. For example:

Code:

[Samba Share]
path = "/mnt/Tank/Shares/SMB"

The user will need at e(x)ecute in
/mnt
/mnt/Tank
/mnt/Tank/Shares

@dlavigne, I can't remember if we've documented this somewhere. I believe this is expected behavior for a posix filesystem, but it wouldn't be bad to have an errata page in the documentation for this sort of thing.

 

[RiBeneke]

We have a related problem since the latest FreeNAS update of a few days ago. But it may also be a windows problem since the windows 7 update of last week. We can access FreeNAS shared folders from saved mapped drives on our windows 7 machines, but none of our windows machines can see the FreeNAS server on the network any longer using windows explorer. I have not had time to investigate. Certainly do not want to fiddle in unix permissions again. Last time I did that it took weeks to fix.

 

[anodos]

We have a related problem since the latest FreeNAS update of a few days ago. But it may also be a windows problem since the windows 7 update of last week. We can access FreeNAS shared folders from saved mapped drives on our windows 7 machines, but none of our windows machines can see the FreeNAS server on the network any longer using windows explorer. I have not had time to investigate. Certainly do not want to fiddle in unix permissions again. Last time I did that it took weeks to fix.

That means you have a name resolution problem. It's not a permissions problem. You should be able to just access the FreeNAS server by IP address until you fix your netbios name resolution problems.