yet another SMB share permissions question

charvey

Cadet
Joined
Nov 4, 2018
Messages
8
I just upgraded to TrueNAS 12 from FreeNAS. I was using root as an SMB user. I added a new user "chris" to replace the root usage. Some of my shares are working as expected, but there is a troublesome one I can't seem to figure out.

I pasted some log.smbd and getfacl info below:

```
[2021/03/26 09:56:54.326134, 0] ../../source3/smbd/service.c:183(chdir_current_service)
chdir_current_service: vfs_ChDir(/mnt/v1/main/aaaaa) failed: Permission denied. Current token: uid=65534, gid=65534, 4 groups: 65534 90000004 90000005 546
```

cat /etc/passwd:
```
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
```

client fstab:
```
//172.24.1.10/aaaaa /mnt/aaaaa cifs credentials=/root/smbcredentials,uid=root,gid=root 0 0
```

```
root@freenas[/var/log/samba4]# getfacl /mnt/v1/main/aaaaa/
# file: /mnt/v1/main/aaaaa/
# owner: root
# group: builtin_users
owner@:rwxpDdaARWcCos:fd----I:allow
group@:rwxpDdaARWcCos:fd----I:allow
everyone@:--------------:fd----I:allow
```

client /root/smbcredentials
```
username=chris
password=***********
```

Since user "chris" is a member of "builtin_users" I would expect to have access to "/mnt/v1/main/aaaaa/", as per the getfacl output.

I'm suspicious of the "uid=65534, gid=65534" output in the smbd logs. Is smbd trying to use the wrong user to chmod?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
That's `chdir` change directory. `chdir_current_service` means that during the SMB tree connect your smbd process is trying to chdir into the share's root path and failing. "Permission denied" means that permissions failed. uid 65534 means that your user is getting a guest session (nobody), and since "nobody" does not have rights to the share, you are getting access denied.
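
The distinction described in this reply can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not TrueNAS or Samba code: it parses `chdir_current_service` failure lines in the format quoted above and resolves the token's uid against passwd entries, separating a guest-mapped session from an authenticated user who lacks ACL rights. It assumes the guest account is `nobody`, as on the poster's system; the function names and the second log line are constructed for illustration.

```python
import re

# Format of the smbd failure line quoted in the thread (log.smbd).
CHDIR_FAIL = re.compile(
    r"chdir_current_service: vfs_ChDir\((?P<path>[^)]*)\) failed: (?P<err>.+?)\. "
    r"Current token: uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"\d+ groups: (?P<groups>[\d ]+)"
)

# First entry is from the thread; the last line is constructed for contrast.
LOG = """\
[2021/03/26 09:56:54.326134, 0] ../../source3/smbd/service.c:183(chdir_current_service)
chdir_current_service: vfs_ChDir(/mnt/v1/main/aaaaa) failed: Permission denied. Current token: uid=65534, gid=65534, 4 groups: 65534 90000004 90000005 546
chdir_current_service: vfs_ChDir(/mnt/v1/main/zzzzz) failed: Permission denied. Current token: uid=1001, gid=1001, 1 groups: 1001
"""

# passwd entries as posted in the thread.
PASSWD = """\
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
chris:*:1001:1001:chris:/nonexistent:/bin/sh
"""

def parse_passwd(text):
    """Map uid -> login name from passwd(5)-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users

def chdir_failures(log_text, users, guest_account="nobody"):
    """Return one dict per failed share-root chdir, flagging guest tokens."""
    out = []
    for m in CHDIR_FAIL.finditer(log_text):
        uid = int(m["uid"])
        name = users.get(uid, "<unknown>")
        out.append({
            "path": m["path"], "error": m["err"], "uid": uid, "gid": int(m["gid"]),
            "groups": [int(g) for g in m["groups"].split()],
            "account": name,
            # Assumption: the smbd guest account is "nobody", as in the thread.
            "guest_session": name == guest_account,
        })
    return out

if __name__ == "__main__":
    for f in chdir_failures(LOG, parse_passwd(PASSWD)):
        kind = "guest-mapped session" if f["guest_session"] else "authenticated user, check ACL"
        print(f'{f["path"]}: uid={f["uid"]} ({f["account"]}) -> {kind}')
```
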
 

charvey

```
sudo mount -t cifs //172.24.1.10/aaaaa /mnt/aaaaa -o user=chris
Password for chris@//172.24.1.10/aaaaa: ******
mount error(13): Permission denied
```

Exact same log.smbd output.
If I give an incorrect password, the log.smbd output says invalid password.

So, I've specified a user, and the password is correct. How is chris getting mapped to nobody?

In TrueNAS /etc/passwd:
```
chris:*:1001:1001:chris:/nonexistent:/bin/sh
```

The user exists.
 

charvey

```
freenas# midclt call smb.status
{"sessions": {"23112": {"uid": 1001, "gid": 1001, "username": "chris", "groupname": "chris", "remote_machine": "172.24.1.48", "hostname": "ipv4:172.24.1.48:33092", "session_dialect": "SMB3_11", "encryption": "-", "signing": "AES-128-CMAC"}, "23113": {"uid": 1001, "gid": 1001, "username": "chris", "groupname": "chris", "remote_machine": "172.24.1.7", "hostname": "ipv4:172.24.1.7:47020", "session_dialect": "SMB3_11", "encryption": "-", "signing": "AES-128-CMAC"}, "23111": {"uid": 1001, "gid": 1001, "username": "chris", "groupname": "chris", "remote_machine": "172.24.1.48", "hostname": "ipv4:172.24.1.48:33090", "session_dialect": "SMB3_11", "encryption": "-", "signing": "AES-128-CMAC"}}, "shares": [], "locked_files": []}
```

```
freenas# midclt call smb.status AUTH_LOG
Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 137, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 973, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/smb_/status.py", line 63, in status
    ret.append(json.loads(e.strip()))
  File "/usr/local/lib/python3.8/json/__init__.py", line 357, in loads
    return _default_decoder.decode(s)
  File "/usr/local/lib/python3.8/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/lib/python3.8/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
```

That existing session is for an SMB share on the following:
```
freenas# getfacl /mnt/v1/main/aaaaa/bbbbb
# file: /mnt/v1/main/aaaaa/bbbbb
# owner: root
# group: builtin_users
owner@:rwxpDdaARWcCos:fd----I:allow
group@:rwxpDdaARWcCos:fd----I:allow
everyone@:--------------:fd----I:allow
```

ACL looks the same. Is it a problem to share both /aaaaa and /aaaaa/bbbbb at the same time? It used to work...
 