Yet another SMB permissions problem

Status
Not open for further replies.

chaos85

Cadet
Joined
Jul 2, 2015
Messages
3
I'm having an issue with FreeNAS 11.0-U3 where my SMB shares are not allowing guest connections to write data. Reading is no problem, and this hasn't previously been an issue, but suddenly here I am, scratching my head as to why Windows is telling me I need to get permission from FREENAS\root in order to move files around, change names, etc. Can anyone provide a bit of guidance here as to how I can force this share to allow anyone on the network to have full access again?
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,970
Odds are your permissions for the dataset are incorrect to allow anyone to write.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
You need to enable guest access under the SMB service, then create a group for users with write permissions, add guest to that group, and finally change ownership of the share root to the name of the new group.
  • If you only want guest to be able to write to certain directories/files, only change ownership on those specific directories/files to the new group.
  • You can change ownership recursively via chown -R <user>:<new group>
    • Where <user> is the main user that owns the file(s)/directories
 

chaos85

Cadet
Joined
Jul 2, 2015
Messages
3
You need to enable guest access under the SMB service, then create a group for users with write permissions, add guest to that group, and finally change ownership of the share root to the name of the new group.
  • If you only want guest to be able to write to certain directories/files, only change ownership on those specific directories/files to the new group.
  • You can change ownership recursively via chown -R <user>:<new group>
    • Where <user> is the main user that owns the file(s)/directories
Ok I must still be missing something here. Guest access is enabled, I tried added a guest user and setting it as owner, but all it's doing is changing who windows is telling me I need to get permissions from. When I'm viewing the security settings in windows I'm seeing the new guest user and the new group with all permissions, but the "Everyone" group that Windows uses for guests is locked to List/Read/Execute and I'm not seeing any way to change the permissions.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Guest access is enabled, I tried added a guest user and setting it as owner, but all it's doing is changing who windows is telling me I need to get permissions from.
  • Guest should not be the user owner, but the group owner, i.e. chown -R user1:guest /path/to/share/dir && chmod 660 /path/to/share/dir (may need to be 666)
    • Create a user that will be owner of the files/directories (user1 above)
When I'm viewing the security settings in windows I'm seeing the new guest user and the new group with all permissions, but the "Everyone" group that Windows uses for guests is locked to List/Read/Execute and I'm not seeing any way to change the permissions
  • In Windows, the "Everyone" group is not the guest account for guest access, but the group for all users under the "Users" group.
    • In Windows, please post the output of icacls \\share\path
    • In FreeNAS, please post the output of your smb.conf
 

chaos85

Cadet
Joined
Jul 2, 2015
Messages
3
I ended up finding the fix... well, more like stumbling into it... by going back through the storage permissions and resetting the user and group owners and then checking the set permissions recursively box. I used this video https://www.youtube.com/watch?v=RxggaE935PM as a guide, however when configuring the SMB share I checked the allow guest access box.

zoomzoom, you stated that you wanted the output of smb.conf however I could only find smb4.conf located in /usr/local/etc. Are these the same files?

And here's the Windows output before and after the fix if you're curious:
Before:
icacls \\FREENAS\media
\\FREENAS\media S-1-22-1-1001:(OI)(CI)(F)
S-1-5-21-3774390300-2053483847-1127691106-1003:(OI)(CI)(F)
Everyone:(OI)(CI)(RX)

After:
icacls \\FREENAS\media
\\FREENAS\media S-1-5-21-3774390300-2053483847-1127691106-501:(OI)(CI)(F)
S-1-5-21-3774390300-2053483847-1127691106-1004:(OI)(CI)(F)
Everyone:(OI)(CI)(RX)
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@zoomzoom, you stated that you wanted the output of smb.conf however I could only find smb4.conf located in /usr/local/etc. Are these the same files?

And here's the Windows output before and after the fix if you're curious:
Before:
icacls \\FREENAS\media
\\FREENAS\media S-1-22-1-1001:(OI)(CI)(F)
S-1-5-21-3774390300-2053483847-1127691106-1003:(OI)(CI)(F)
Everyone:(OI)(CI)(RX)

After:
icacls \\FREENAS\media
\\FREENAS\media S-1-5-21-3774390300-2053483847-1127691106-501:(OI)(CI)(F)
S-1-5-21-3774390300-2053483847-1127691106-1004:(OI)(CI)(F)
Everyone:(OI)(CI)(RX)
Those are the same, the 4 stands for the version of Samba being utilized

For the permissions:
  • Before:
    • SIDs S-1-22-1-1001 (Samba) & S-1-5-21-*-*-*-1003 (Samba or Windows) are the SIDs that have Full access permissions (inherited, i.e. the "I")
  • After:
    • SIDs S-1-5-21-*-*-*-501 (Samba or Windows) & S-1-5-21-*-*-*-1004 (Samba or Windows) have Full access permissions
More likely than not, either the share was initially created with the wrong user/group permissions set, or the wrong group/user permissions were set on the directories and/or files within the share directory.
 
Status
Not open for further replies.
Top