Users can't see all SMB shares they have access to

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
I have SMB shares set up to allow access to members of specific groups per share. I'm having a problem where some users, though they are members of multiple groups and should have access to multiple shares, only see a single share when connecting via SMB.

Another user, with the only noticeable difference being the "Permit Sudo" flag is selected, can see all of his shares that he has access to.

I'm wondering if anyone has any pointers as to what may be going on.

The shares seem to be configured correctly, as some of the shares that the one person mentioned above can see are shares that the other users should see also. Thus, at least they are working for one user, just not for everyone.

Thank you in advance for any help. I greatly appreciate it.
 

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
The users who can't see their shares were recently added to the group(s) that allow access to the shares. Is there anything I need to do to propagate those changes to the datasets/shares after adding users or should they just automatically gain access to the necessary shares by virtue of being added to the necessary group(s)?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Are you talking about share enumeration when connecting to the server directly \\server vs \\server\share in File Explorer?

Share enumeration in this case is a client-side behavior. I believe Windows does some caching. Try running net view \\ip-of-server from your affected client to see if it can see the share. Otherwise, try logging out and logging back in.
 

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
I think I have share enumeration configured properly. In the case of the shares I'm trying to connect to, those who cannot connect cannot connect either via \\server or \\server\share.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I think I have share enumeration configured properly. In the case of the shares I'm trying to connect to, those who cannot connect cannot connect either via \\server or \\server\share.
Okay. That sounds more like a permissions error. Post output of testparm -s.
 

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
I found that I needed to re-enter one of the sharesec commands for each of the shares not showing up:

sharesec "MyShare" -a S-1-5-21-3304246306-2936721670-1852261437-1087:ALLOWED/0/FULL

I'm not entirely sure why that helped fix the issue. But after doing this, users could access their shares. Is it possible that I will need to re-enter this in the shell whenever someone has been added to a share's access group?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I found that I needed to re-enter one of the sharesec commands for each of the shares not showing up:

sharesec "MyShare" -a S-1-5-21-3304246306-2936721670-1852261437-1087:ALLOWED/0/FULL

I'm not entirely sure why that helped fix the issue. But after doing this, users could access their shares. Is it possible that I will need to re-enter this in the shell whenever someone has been added to a share's access group?
Do you have access-based share enumeration enabled for the share?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Yes. It is checked from the Advanced Mode section of the share config.
Then only users with a share ACL entry in the sharesec output will be able to see the share. If you're using local users and groups, then you can use net groupmap list to view the current SID mappings for your groups. In an AD environment you'll need to use wbinfo --name-to-sid.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
In 11.3 I've put in middleware API calls to manipulate the share ACLs (which are not the same things as filesystem ACLs).
Code:
root@S49112TM[...B/.zfs/snapshot/auto-20190708.0640-1d]# midclt call smb.sharesec.getacl share | jq
{
  "share_name": "SHARE",
  "share_acl": [
    {
      "ae_who_sid": "S-1-1-0",
      "ae_type": "ALLOWED",
      "ae_perm": "FULL",
      "ae_who_name": "\\Everyone"
    }
  ]
}


I'll probably alter ae_who_name to make it a dictionary with keys for domain and user, but you should get the general idea of what it does. Basically, it will resolve the SID to name for you.

You can dump all the share ACLs via
Code:
root@S49112TM[...B/.zfs/snapshot/auto-20190708.0640-1d]# midclt call smb.sharesec._view_all | jq
[
  {
    "share_name": "MIXED",
    "share_acl": [
      {
        "ae_who_sid": "S-1-1-0",
        "ae_type": "ALLOWED",
        "ae_perm": "FULL",
        "ae_who_name": "\\Everyone"
      }
    ]
  },
  {
    "share_name": "SHARE",
    "share_acl": [
      {
        "ae_who_sid": "S-1-1-0",
        "ae_type": "ALLOWED",
        "ae_perm": "FULL",
        "ae_who_name": "\\Everyone"
      }
    ]
  },
  {
    "share_name": "TM",
    "share_acl": [
      {
        "ae_who_sid": "S-1-1-0",
        "ae_type": "ALLOWED",
        "ae_perm": "FULL",
        "ae_who_name": "\\Everyone"
      }
    ]
  },
  {
    "share_name": "TM2",
    "share_acl": [
      {
        "ae_who_sid": "S-1-1-0",
        "ae_type": "ALLOWED",
        "ae_perm": "FULL",
        "ae_who_name": "\\Everyone"
      }
    ]
  }
]
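The two anodos posts above describe the check an administrator actually needs to do by hand: with access-based share enumeration on, a group's SID must appear as an ALLOWED entry in the share ACL, and `net groupmap list` is where the local group-to-SID mapping comes from. The script below is an added example (my own, not code from the thread or from the TrueNAS/FreeNAS middleware) that automates that audit offline: it takes the JSON shape shown for `smb.sharesec._view_all`, a `net groupmap list`-style mapping, and an assumed policy of which group should see which share, reports the shares where a required group has no ALLOWED entry, and renders the `sharesec ... -a SID:ALLOWED/0/FULL` command from the thread for each gap. All share names, SIDs and group names are constructed sample data, and the function names are my own.

```python
"""
Audit SMB share-level ACLs against a required group list.

Added example: the JSON layout follows the `midclt call smb.sharesec._view_all`
output shown in the thread; the groupmap layout follows the usual
`net groupmap list` line format "<ntgroup> (<sid>) -> <unix group>".
All sample values below are constructed, not taken from a real system.
"""
import json
import re

# Constructed sample of what `midclt call smb.sharesec._view_all | jq` returns.
SHARE_ACLS_JSON = r"""
[
  {"share_name": "Finance",
   "share_acl": [
     {"ae_who_sid": "S-1-5-21-111-222-333-1087", "ae_type": "ALLOWED",
      "ae_perm": "FULL", "ae_who_name": "SERVER\\finance"}]},
  {"share_name": "Engineering",
   "share_acl": [
     {"ae_who_sid": "S-1-1-0", "ae_type": "ALLOWED",
      "ae_perm": "FULL", "ae_who_name": "\\Everyone"}]},
  {"share_name": "Legal",
   "share_acl": []}
]
"""

# Constructed sample in the `net groupmap list` line layout.
GROUPMAP_TEXT = """\
finance (S-1-5-21-111-222-333-1087) -> finance
legal (S-1-5-21-111-222-333-1088) -> legal
"""

# Assumed policy (hypothetical): which local groups should see each share.
REQUIRED = {
    "Finance": ["finance"],
    "Engineering": ["finance", "legal"],
    "Legal": ["legal"],
}

EVERYONE_SID = "S-1-1-0"  # well-known SID for Everyone
GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+)$")


def load_share_acls(text):
    """Parse the _view_all JSON into a list of share dicts."""
    return json.loads(text)


def parse_groupmap(text):
    """Return {unix_group: SID} from `net groupmap list` output; skip unparsable lines."""
    mapping = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            mapping[m.group("unix")] = m.group("sid")
    return mapping


def allowed_sids(share):
    """SIDs that have an ALLOWED entry in the share ACL (any permission level)."""
    return {e["ae_who_sid"] for e in share["share_acl"] if e["ae_type"] == "ALLOWED"}


def missing_entries(share_acls, groupmap, required):
    """
    For each share in `required`, list groups that have no ALLOWED entry.
    A share that already allows Everyone (S-1-1-0) counts as covered.
    Returns {share_name: [(group, sid), ...]} containing only shares with gaps.
    Raises ValueError if a required group has no SID mapping (it can never
    be granted until `net groupmap` knows about it).
    """
    by_name = {s["share_name"]: s for s in share_acls}
    gaps = {}
    for share_name, groups in required.items():
        share = by_name.get(share_name)
        sids = allowed_sids(share) if share else set()
        if EVERYONE_SID in sids:
            continue
        missing = []
        for group in groups:
            sid = groupmap.get(group)
            if sid is None:
                raise ValueError(f"group {group!r} has no SID mapping")
            if sid not in sids:
                missing.append((group, sid))
        if missing:
            gaps[share_name] = missing
    return gaps


def sharesec_commands(gaps):
    """Render the sharesec invocation used in the thread for every missing entry."""
    return [f'sharesec "{share}" -a {sid}:ALLOWED/0/FULL'
            for share, entries in gaps.items() for _, sid in entries]


if __name__ == "__main__":
    found = missing_entries(load_share_acls(SHARE_ACLS_JSON),
                            parse_groupmap(GROUPMAP_TEXT), REQUIRED)
    for cmd in sharesec_commands(found):
        print(cmd)
```

On a live system the two constants would be replaced by the real command output (`midclt call smb.sharesec._view_all` and `net groupmap list`, or `wbinfo --name-to-sid` per group in an AD setup), and the printed commands reviewed before being run, since adding an ALLOWED/FULL share ACL entry is exactly the change that made the shares reappear in the thread.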
 