Windows CIFS permission issues (acl) after freenas upgrade

[ghostwolf59]

After upgrading freenas from 9.2.1.8 to 9.3-STABLE-201506042008 my permissions starting to behave weird i.e no longer work.

I have one main group all users belong to (that should provide a default read only access to content)
I also have one main (super user account) held by me that provide close to root access to everything
Once I upgraded the freenas FreeNAS-9.3-STABLE-201506042008 my windows acl started to break with "Account Unknown(S-xxxx) being reported by windows
Whats really weird is that one of the two accounts always seem to be loaded properly after rebooting freenas, but it's flicking between the super user and the general group account)
My current reboot exposed the super user account, where the general account is reported as "Account Unknown (S-xxxx)
Yesterday my super user account reported "Account unknown" while the general account was ok.
So the acl being successfully recognized seem random - most annoying !

freenas also spits out messages like this to the console...
"STATUS=demon 'smbd' finished starting up on file ./..." Error = Operation not supported"

Other messages reported are: "STATUS=deamon on 'winbindd' finsihed starting up and ready to serve connections sam_sids_to_names: possible deadlock - trying to lookup SID S-XXXXXX"

I have tried to manually clear acls (as per https://forums.freenas.org/index.ph...le-deadlock-trying-to-lookup-sid.21982/page-2)
i.e
1. [root@freenas ~]# net groupmap list
Environment LOGNAME is not defined. Trying anonymous access.
xxx (S-1-5-21-2736923429-478344119-3993861682-1000) -> xxx

2.[root@freenas ~]# net groupmap delete sid="S-1-5-21-2736923429-478344119-3993861682-1000"
Environment LOGNAME is not defined. Trying anonymous access.
Sucessfully removed S-1-5-21-2736923429-478344119-3993861682-1000 from the mapping db

3. [root@freenas ~]# net groupmap add unixgroup=users rid=1000
Environment LOGNAME is not defined. Trying anonymous access. <== Error
Can't lookup UNIX group users

So even though I can delete the account, I don't seem to be able to re-create it.

... and from what I have read, unless I manage to get this account created, but acl will continue to be stuffed up after next reboot.

What is the solution to this ???? - This is driving me nuts!

Short time solution seem to allow everyone open access to everything - which I clearly don't want !:(

cheers

 

[anodos]

Post a bug report.

If it's particularly urgent, you can also try running the following commands in sequence:

***commands removed for review***

It may fix the problem. Back up your config before doing this.

 

[ghostwolf59]

This is as far as I come...

[root@freenas ~]# service samba_server stop
Stopping winbindd.
Waiting for PIDS: 2463, 2463.
Stopping smbd.
Waiting for PIDS: 2460, 2460.
Stopping nmbd.
Waiting for PIDS: 2457.
[root@freenas ~]# rm -rf /var/db/samba4/*
[root@freenas ~]# rm -rf /var/etc/private*
[root@freenas ~]# net groupmap cleanup
Environment LOGNAME is not defined. Trying anonymous access. <== Error !
[root@freenas ~]#

 

[anodos]

This is as far as I come...

[root@freenas ~]# service samba_server stop
Stopping winbindd.
Waiting for PIDS: 2463, 2463.
Stopping smbd.
Waiting for PIDS: 2460, 2460.
Stopping nmbd.
Waiting for PIDS: 2457.
[root@freenas ~]# rm -rf /var/db/samba4/*
[root@freenas ~]# rm -rf /var/etc/private*
[root@freenas ~]# net groupmap cleanup
Environment LOGNAME is not defined. Trying anonymous access. <== Error !
[root@freenas ~]#

make that "rm -rf /var/etc/private/*" left the trailing slash off.

 

[ghostwolf59]

ok - should have picket that myself as its an pretty obvious mistake - :)

Anyway, without doing anything other than you recommended me to do initially where the cleanup failed - I reverted my freenas config, rebooted, freenas run into strife and rebooted and the came back up.
While writing this all my cifs accounts is properly recognized (which again seem to point to a somewhat random pattern)

The deadlock etc no longer show up on the console - so perhaps the whole issue got resolved by the first couple of commands (including the delete without the trailing slash) ???

I am now adding some rules against one of my drives folders to see if what I successfully can add will remain once I reboot freenas again - this is what I thought I successfully did early on when I ran into cifs account issues like the ones described, and each time freenas reboots what I;ve done no longer is recognized.
I will try this first - failing that I will redo what you proposed...

One question though, the LOGNAME not defined issue - I;ve seen this message in the past when I try to clean up accounts - what/how do I resolve that one - seem to prevent me from doing things like cleaning up accounts - and I don;'t think the trailing slash in the delete would make any difference in regards to this issues.

cheers

 

[ghostwolf59]

nah, after reboot - freenas struggles again - cifs accounts is not recognized (on this occasion the general group shows up as Unknown Account S-xxxx

...and the Deadlock sam_rids_to_names: possible deadlock - trying to lookup SID S-xxx is displayed on the console

Checked the permission set on subfolders and they all have the same issues - individual user permissions seem to be ok even though they dont end up being resolved by name

The other account shows up ok - most annoying :(

 

[anodos]

PM me a debug file. "System -> Advanced -> Save Debug". I think (barring some sort of obvious misconfiguration) the best course of action may be to create a bug report and make sure this problem is still on jhixson's radar.

 

[Ericloewe]

nah, after reboot - freenas struggles again - cifs accounts is not recognized (on this occasion the general group shows up as Unknown Account S-xxxx

...and the Deadlock sam_rids_to_names: possible deadlock - trying to lookup SID S-xxx is displayed on the console

Checked the permission set on subfolders and they all have the same issues - individual user permissions seem to be ok even though they dont end up being resolved by name
View attachment 8060 View attachment 8059

The other account shows up ok - most annoying :(
View attachment 8059

Fixed in a veyr recent update. Update to the latest and it should start working.

 

[ghostwolf59]

baaah , freenas now refuses to boot up properly - get stuck halfway in (cifs accessible but without resolved accounts) - not sure if the "rm -rf /var/db/samba4/*" and/or "rm -rf /var/etc/private*" had something to do with this new issues (did restore the config though, but something new seem to be affected now)
Gui not accessible so I cant produce the logs you asked for

- Now decided to start from scratch again with a brand new installation - downloaded the latest stable iso (FreeNAS-9.3-STABLE-201506292332.iso) - lets see if this sorts things out - not to bothered with being forced to reinstall all plugins, setting up accounts etc - a little painful, but well worth it if it ends up working
- last resort I guess I will fall back to 9.2 that I had before (that worked !) - luckily I never proceeded with upgrading my zfs under 9.3 :p

Will let you know how it goes

cheers

 

[ghostwolf59]

new install and deadlock reappears - group accounts unresolved i.e no change - what the,,,,?

Another weird thing is that when I set the default permission at root level on my volume (me (= full access, group (read+execute only)) - show up ok if I opt for Unix Permission type, BUT as soon as I switch to Permission Type = Windows my default permission changes where the group now gets full access as well - this is weird and starts to feel somewhat painful

Worth mentioning is that whatever permission type I opt for I check the Set Permission Recursively

Accessing my share from windows also reports the group account being granted full access

Is 9.3 actually stable or ...? - Don't feel like it is! :(

- This time around nothing has been inherited from old installations i.e fully based on a brand new clean install !
- all I've done once the installation completed was to add one of my volumes and the user accounts along with setting up a group account.

 

[ghostwolf59]

hm, Just went into windows and deleted the group account that wrongly were given full access and guess what - Freenas now reports the windows account properly (with the read only permission I initially requested)
HOWEVER, windows no longer lists the group account - so freenas reports the correct user/group and permission, while windows no longer reports the group (see pic)

 

[anodos]

new install and deadlock reappears - group accounts unresolved i.e no change - what the,,,,?

If deadlock reappears, file bug report.

Another weird thing is that when I set the default permission at root level on my volume (me (= full access, group (read+execute only)) - show up ok if I opt for Unix Permission type, BUT as soon as I switch to Permission Type = Windows my default permission changes where the group now gets full access as well -

Accessing my share from windows also reports the group account being granted full access

this is the correct behavior / default permissions for 'windows' permission type. There's a reason things are greyed out. Once you switch to Windows permission type, they are managed through Windows explorer.

Is 9.3 actually stable or ...? - Don't feel like it is! :(

It is stable.

 

[ghostwolf59]

"this is the correct behavior..." - perhaps I didn't make myself clear - the issue I have is that the permission changes from what I initially set (check the two images in earlier post) - surely that cant be the correct behavior ? Worked properly with earlier versions.
Another thing I noticed was that once I deleted the account under windows and the proper permissions show up within NAS (but where the desired group no longer exists under window) is that if I decide to update (no actual changes - simply press update within nas) the permission goes back to giving the group full access again (with deadlocks, and unknown accounts reported from windows)

Not sure about the bug report - posted my issues within this forum only to receive a message stating something about me open a bug report account or something - so even though I posted this it appears it will fall onto def ears.

Sent you the logs earlier - not sure if you can see something there...?

If 9.3 is deemed stable then I wonder why these issues crops up - or is it that permission were left out from QA ? - don;'t sit well with me (also read several posts that seem to point to similar issues)
Don;t know what else to try - downloaded the latest stable release and basically no change - even went out to buy a new SAN thumb drive to rule out issues with that one (my initial one only had 4gb - my new has 32gb (overkill, I know, but at least we can rule out issue pointing to space on the flash drive)

 

[anodos]

"this is the correct behavior..." - perhaps I didn't make myself clear - the issue I have is that the permission changes from what I initially set (check the two images in earlier post) - surely that cant be the correct behavior ? Worked properly with earlier versions.
Another thing I noticed was that once I deleted the account under windows and the proper permissions show up within NAS (but where the desired group no longer exists under window) is that if I decide to update (no actual changes - simply press update within nas) the permission goes back to giving the group full access again (with deadlocks, and unknown accounts reported from windows)

Not sure about the bug report - posted my issues within this forum only to receive a message stating something about me open a bug report account or something - so even though I posted this it appears it will fall onto def ears.

Sent you the logs earlier - not sure if you can see something there...?

If 9.3 is deemed stable then I wonder why these issues crops up - or is it that permission were left out from QA ? - don;'t sit well with me (also read several posts that seem to point to similar issues)
Don;t know what else to try - downloaded the latest stable release and basically no change - even went out to buy a new SAN thumb drive to rule out issues with that one (my initial one only had 4gb - my new has 32gb (overkill, I know, but at least we can rule out issue pointing to space on the flash drive)

Submit bug reports on the bug report website, not the forums. Developers are basically never on this site.

https://bugs.freenas.org/