Setting up/configuring SMB/CIFS shares in napp-it

knubbze

Member
Jun 13, 2013
35
0
6
I have recently installed napp-it onto a Solaris 11 system running on a HP N40L Microserver. It all works great, but I am having a little trouble setting up SMB shares. I have migrated from FreeNAS, which is similar to napp-it, but the menus and terminology are a bit different.

I have two datasets on my pool, one called 'private', and one called 'public'. I want to be able to set up both of these as two separate shares, and I want to be able to read and write to BOTH shares with a specified user (requiring username/password credentials), but also allowing read-only 'guest' access to the 'public' share.

The way I did this in FreeNAS was as follows:

  1. Create pool
  2. Create ZFS datasets ('private' and 'public')
  3. Create an 'admin' user (that will have read/write access to both datasets)
  4. Edit ownership of datasets, giving the 'admin' user ownership with rwx permissions, and setting the 'guest' group as the group owner, with read-only access
  5. Add SMB/CIFS shares, adding a separate share for each dataset

This way, when I accessed the shares from a Windows machine which I was logged into with the same credentials as the 'admin' user, I could see and read/write to both shares, but when I accessed the shares from a machine with different credentials, I could only see and read from the 'public' share.

Is it a similar procedure in napp-it?
 

gea

Well-Known Member
Dec 31, 2010
2,485
837
113
DE
It is quite similar, with one huge difference:
While SAMBA on FreeNAS (and Solaris as well) gives a Windows user access to Linux/Unix based on Unix UID/GIDs, the Solaris CIFS server acts more like a real Windows server, offering Windows SIDs and groups and Windows-like ACL support.

Your steps (napp-it):
1. create a pool (menu pools)
2. create a filesystem/dataset (menu filesystem)

Root is owner and has full access and everyone has r/w permissions, SMB is enabled as default.
If you want other permissions (add SMB user and groups in menu user):

3. edit ACL (menu Filesystems >> ACL on folders)
- remove everyone rw
- add (Solaris) user with desired permissions

You need the ACL extension for user-dependent settings, but can do this via CLI or Windows (mostly)
For a public share (without the need of a user/pw), enable guest access on a filesystem during sharing
or allow everyone ro and user x rw-access
 

knubbze

Thanks for clarifying the procedure. I set up everything yesterday and all was working well until I rebooted the system. After that, I was unable to access a share to an encrypted Filesystem that I had set up.

This was how I set everything up: I created my pool, and then created a SMB Local User (called 'privsmb'), and then created the first ZFS Filesystem called 'public', which I enabled guest access to, and also changed the ACL on folder settings to the following, including changing 'everyone's access to read-only, and 'privsmb' to full read/write:



And then I set up the second ZFS Filesystem, this time with encryption enabled, and set the ACL folder settings to the following, giving the 'privsmb' user full read/write access, and removing 'everyone' from the access list:



As you can see, this 'privsmb' Local User now has full read and write permissions to both Filesystems/shares, and a guest is allowed read-only access to the 'public' Filesystem/share.

Here are the current User settings:



This all worked fine and exactly as expected, until I rebooted the napp-it machine. Since then, I have not been able to get access to the 'private' share at all, no matter what I do. I have tried changing the password for the 'privsmb' user, deleting the Local User and creating a new one, removing and re-adding the ACL folder permissions, restarting the SMB service; basically, everything I can think of. I have of course made sure to unlock the encrypted 'private' Filesystem before trying to access it with the 'privsmb' user that I set up. I am totally lost on what to do now, except reinstall Solaris and napp-it, and importing my pool. I don't understand why everything was working properly until I rebooted, without changing any settings.

Does anyone know what might be going wrong here?
 

gea

knubbze said:
Thanks for clarifying the procedure. I set up everything yesterday and all was working well until I rebooted the system. After that, I was unable to access a share to an encrypted Filesystem that I had set up.
That is the way it should work.
If someone steals your computer, he cannot access your data.
You must unlock the filesystem after each reboot (menu zfs filesystem)

basics:
How to Manage ZFS Data Encryption
 

knubbze

Yes, as I said in my post:
knubbze said:
I have of course made sure to unlock the encrypted 'private' Filesystem before trying to access it with the 'privsmb' user that I set up.
Here are my filesystems; notice that 'private' is unlocked:



...so the unlocking is not the issue here.

When I try to access the network share from my Windows machines, I get asked for login credentials:





But every time I input the correct details (username 'privsmb', and the password), I get the error message below:



I have tried changing the password for this Local User account, making it below 8 characters etc, even tried making new Local User accounts and then giving them the appropriate permissions at the ACL on Folders page, but every time I just keep getting denied access to the 'private' Filesystem. I think it might be possible that there is some sort of bug here.

When I first try to browse the network share through Windows Explorer, it asks me for login credentials. EVEN when I use the root account credentials, it only presents me with the 'public' share:



I am totally lost for things to try at this point.
 

knubbze

UPDATE:

Just as a test, I created a NEW encrypted ZFS Filesystem called 'test', and then went to 'ACL on Folders' and set up the EXACT same Local User permissions as I did on the 'private' Filesystem; see below:



I restarted the SMB service, and lo and behold, this new 'test' filesystem appeared in Windows Explorer:



So for some reason, something is preventing the 'private' share from appearing @ SMB. All of the filesystems are available locally on the napp-it machine:



EDIT:

After trying to access the share in Windows (supplying the user credentials that I specified at 'ACL on Folders'), I get the following error message:



I'm almost ready to give up; I don't know what else to do here :/
 

gea

I would first check if the problem is on the Windows or Solaris side

Windows
disconnect the share (net use /delete) and/or reboot
check shares

then Solaris
restart SMB service or reboot
 

knubbze

gea said:
I would first check if the problem is on the Windows or Solaris side

Windows
disconnect the share (net use /delete) and/or reboot
check shares

then Solaris
restart SMB service or reboot
Thanks, I did what you suggested (both steps) and now I am able to access the 'test' encrypted filesystem:



Now, I went through the EXACT same procedure with the 'private' filesystem share, but get this error message when trying to access it:



The types of filesystems and ACLs are EXACTLY the same:




One thing I was thinking is that I only set permissions in the 'ACL on folders' menu item, and had not set anything in the 'ACL on SMB shares' item - what is the difference between these two sections, and could it have anything to do with this issue that I am experiencing?
 

gea

knubbze said:
One thing I was thinking is that I only set permissions in the 'ACL on folders' menu item, and had not set anything in the 'ACL on SMB shares' item - what is the difference between these two sections, and could it have anything to do with this issue that I am experiencing?
This is something like you have also on a real Windows server, where you can set permissions on files and folders and on shares for general restrictions. Keep this untouched for now.

What you can check:
boot, unlock a filesystem and then either restart smb server or unshare/reshare

(I do not use Solaris 11.1 beside napp-it bugfixes, so maybe this is now needed.
Most people run Solaris 24/7, so this is not a common usage)
 

knubbze

Right, sorry for the delay in responding - I have had something occupy my time recently, and I've only just had a chance to sit down and continue with this problem. I have been tinkering with it all morning, trying different things to try to isolate the problem. I am now unable to access ANY of the encrypted filesystems via SMB. I have tried accessing the shares from two different Windows machines (one Win7 and one Win8), to make sure that it isn't a Windows issue. As well as not being able to access the encrypted filesystems, I am also not allowed to write to my unencrypted 'public' filesystem with this same user who I assigned full access to the folder. So I am now fairly certain that it is a napp-it issue; for my reasoning, see below:

To recap, I currently have the following encrypted filesystems:



And I set up a local user and gave it full permissions to each encrypted filesystem (as per example below):



But I get error messages in Windows when I attempt to map each share with the correct user credentials. Now, the reason that I think this is a napp-it issue is that when I try to access these SMB shares from the Windows machines on my LAN, I get error messages at the Solaris console which is shown at the monitor output:



So does this mean that SMB sharing is somehow misconfigured?
 

knubbze

I've been playing around and adding new local user accounts and giving them permissions to my shares, but I am STILL unable to access them. I decided to have a look at System -> Log in the menu, and noticed these:

Code:
Jul  2 15:11:18 solaris smbd[8737]: [ID 702911 daemon.notice] dyndns: failed to get domainname
Jul  2 15:11:18 solaris smbd[8737]: [ID 702911 daemon.notice] service initialized
Jul  2 15:12:38 solaris smbsrv: [ID 421734 kern.notice] NOTICE: [SOLARIS\testuser]: final share not found
Jul  2 15:15:55 solaris smbd[8737]: [ID 702911 daemon.notice] service shutting down
Jul  2 15:15:55 solaris smbsrv: [ID 981122 kern.warning] WARNING: accept on port 139 returned 4
Jul  2 15:15:55 solaris smbsrv: [ID 981122 kern.warning] WARNING: accept on port 445 returned 4
Jul  2 15:15:55 solaris smbd[8737]: [ID 702911 daemon.notice] service terminated
Jul  2 15:15:56 solaris smbd[15782]: [ID 702911 daemon.notice] dyndns: failed to get domainname
Jul  2 15:15:56 solaris smbd[15782]: [ID 702911 daemon.notice] service initialized
Jul  2 15:16:24 solaris smbd[15782]: [ID 702911 daemon.notice] service shutting down
Jul  2 15:16:24 solaris smbsrv: [ID 981122 kern.warning] WARNING: accept on port 139 returned 4
Jul  2 15:16:24 solaris smbsrv: [ID 981122 kern.warning] WARNING: accept on port 445 returned 4
Jul  2 15:16:24 solaris smbd[15782]: [ID 702911 daemon.notice] service terminated
Jul  2 15:16:24 solaris smbd[16672]: [ID 702911 daemon.notice] dyndns: failed to get domainname
Jul  2 15:16:24 solaris smbd[16672]: [ID 702911 daemon.notice] service initialized
Jul  2 15:17:44 solaris smbd[16672]: [ID 812811 daemon.notice] logon[BOX\testuser]: LOGON_FAILURE
Jul  2 15:17:59 solaris smbd[16672]: [ID 812811 daemon.notice] logon[BOX\lala]: LOGON_FAILURE
Jul  2 15:18:41 solaris smbd[16672]: [ID 702911 daemon.notice] dyndns: failed to get domainname
Jul  2 15:18:41 solaris smbd[16672]: [ID 812811 daemon.notice] logon[BOX\testuser]: LOGON_FAILURE
Jul  2 15:18:41 solaris last message repeated 1 time
Jul  2 15:18:42 solaris smbd[16672]: [ID 702911 daemon.notice] dyndns: failed to get domainname
Jul  2 15:18:46 solaris smbd[16672]: [ID 812811 daemon.notice] logon[BOX\testuser]: LOGON_FAILURE
Jul  2 15:18:58 solaris smbd[16672]: [ID 812811 daemon.notice] logon[BOX\lala]: LOGON_FAILURE
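
The log above mixes two different server-side failures: `LOGON_FAILURE` from smbd and `share not found` from the smbsrv kernel module. The following triage script is an added example, not part of the original post or of napp-it; reading the word before `share not found` as the requested share name, and treating the two messages as "credentials rejected" versus "share not published", are assumptions.

```python
import re
from collections import Counter

# Constructed sample: seven lines copied from the log posted in this thread.
SAMPLE = r"""
Jul  2 15:11:18 solaris smbd[8737]: [ID 702911 daemon.notice] service initialized
Jul  2 15:12:38 solaris smbsrv: [ID 421734 kern.notice] NOTICE: [SOLARIS\testuser]: final share not found
Jul  2 15:16:24 solaris smbd[16672]: [ID 702911 daemon.notice] service initialized
Jul  2 15:17:44 solaris smbd[16672]: [ID 812811 daemon.notice] logon[BOX\testuser]: LOGON_FAILURE
Jul  2 15:17:59 solaris smbd[16672]: [ID 812811 daemon.notice] logon[BOX\lala]: LOGON_FAILURE
Jul  2 15:18:41 solaris smbd[16672]: [ID 812811 daemon.notice] logon[BOX\testuser]: LOGON_FAILURE
Jul  2 15:18:41 solaris last message repeated 1 time
""".strip().splitlines()

ACCOUNT = r"\[([^\\\]]+)\\([^\]]+)\]"  # matches [DOMAIN\user]
LOGON = re.compile(r"smbd\[\d+\]: .*logon" + ACCOUNT + r": LOGON_FAILURE")
# Assumption: the token before "share not found" is the share the client asked for.
NOSHARE = re.compile(r"smbsrv: .*NOTICE: " + ACCOUNT + r": (\S+) share not found")
INIT = re.compile(r"smbd\[(\d+)\]: .*service initialized")
REPEAT = re.compile(r"last message repeated (\d+) times?")


def triage(lines):
    """Split SMB failures into rejected logons and requests for unpublished shares."""
    report = {"logon_failures": Counter(), "missing_shares": Counter(), "smbd_starts": []}
    last = None  # (counter, key) of the previous line if it was a classified failure
    for line in lines:
        rep = REPEAT.search(line)
        if rep:
            # syslog collapses duplicates; credit them to the preceding event
            if last:
                last[0][last[1]] += int(rep.group(1))
            continue
        last = None
        if m := LOGON.search(line):
            last = (report["logon_failures"], "\\".join(m.group(1, 2)))
        elif m := NOSHARE.search(line):
            last = (report["missing_shares"], ("\\".join(m.group(1, 2)), m.group(3)))
        elif m := INIT.search(line):
            report["smbd_starts"].append(int(m.group(1)))  # a new PID means a restart
        if last:
            last[0][last[1]] += 1
    return report


if __name__ == "__main__":
    for section, data in triage(SAMPLE).items():
        print(section, dict(data) if isinstance(data, Counter) else data)
```

Run against the full log, the two counters show whether an access problem is an authentication failure for a given account or a request for a share name the server is not currently exporting.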
 

Dr_Drache

New Member
Jun 7, 2013
26
0
1
MAYBE, just switch to a different system, seems like that would be faster :p
 

knubbze

Maybe, but I just suspect that there is just such a trivial solution for this that I have somehow missed. I am going to do a full reinstall tomorrow and see if it behaves as it should do. If not, I guess I'll have to reluctantly switch to freenas or something. Which is a shame, because napp-it is such a good system.
 

gea

Well-Known Member
Dec 31, 2010
2,485
837
113
DE
knubbze said:
Maybe, but I just suspect that there is just such a trivial solution for this that I have somehow missed. I am going to do a full reinstall tomorrow and see if it behaves as it should do. If not, I guess I'll have to reluctantly switch to freenas or something. Which is a shame, because napp-it is such a good system.
I am not aware of a general problem with Solaris 11.1 - there are no other problem reports but every setup is different.
I do not use Solaris 11.1 myself and most users use OI or OmniOS like me. Solaris + napp-it fixes are only done on user problem reports. Solaris fixes need a paid support contract with Oracle. And their sharing settings are done without usability in mind and quite different to Illumos based systems and somehow overcomplicated.

If you like, you can try:
Do a clean install of Solaris and set up sharing via CLI and compare to napp-it to be sure if it's a napp-it problem or not. Look at Oracle docs at Setting Up a Oracle Solaris SMB Server to Manage and Share Files - Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1


update:
It seems that Solaris 11.1 did not re-establish SMB shares automatically after unlocking.
You must disable/enable the share.

I will add this to next release
 

knubbze

I will try that.

I was wondering if these steps are required, or if they are automatically applied with the latest napp-it build?:

Solaris 11.1 (November 2012)
File to config pam settings has moved compared to Solaris 11

edit /etc/pam.conf and delete the line
other password required pam_smb_passwd.so.1 nowarn

edit /etc/pam.d/other and add
password required pam_smb_passwd.so.1 nowarn

There is another step needed in Solaris 11.1:
edit admin.pl and comment out line 1162
# $t=&exe("perl -e 'open (R,\">>/etc/pam.conf\"); print R \"$t\"; close (R);'");

(fixed in napp-it 0.9+)


5.1.2013: afp installer fixes a problem with "user cannot login"
 

gea

knubbze said:
I will try that.

I was wondering if these steps are required, or if they are automatically applied with the latest napp-it build?:

This is done by the current wget installer

ps
It seems that Solaris 11.1 did not re-establish SMB shares automatically after unlocking.
You must disable/enable the share.
 

knubbze

gea said:
This is done by the current wget installer

ps
It seems that Solaris 11.1 did not re-establish SMB shares automatically after unlocking.
You must disable/enable the share.
OK, do I do that by stopping and restarting the SMB service?
 

knubbze

Also, do I need to reset the root password after napp-it has finished installing (as suggested in this guide)?:

Before rebooting type:
passwd root
type your new password twice. the napp-it install changes the root password so we need to change it back
 

gea

knubbze said:
Also, do I need to reset the root password after napp-it has finished installing (as suggested in this guide)?:
unshare/share:
menu zfs folder, click under SMB on the share to unshare -> off, then click on off to re-share

You can re-enter a root-pw after setup of napp-it to create a smb-pw for root
You are then able to connect as root from Windows