Solaris (OmniOS) w/ Napp-It ZPool Share Permissions for CIFS [Solved]

Discussion in 'Solaris, Nexenta, OpenIndiana, and napp-it' started by armouredking, Sep 17, 2018.

  1. armouredking

    So I've run into this weird hangup that I'm pretty sure comes down to permissions. Fresh install using latest stable Omni with Napp-It free just for the GUI.

    NFS is set up and working fine on the one dataset I need it on. I'm trying to now get Samba working on the other sets.

    This is the log of the error:
    Code:
    Sep 17 16:13:08 nexus smbsrv: [ID 138215 kern.notice] NOTICE: smbd[NEXUS\supervisor]: \\nexus\test bad path: /library/test
    Sep 17 16:13:08 nexus last message repeated 6 times
    The actual error on Windows is 0x80070035 network path not found.

    Now, I can use Samba with one change so this isn't actually a network problem as Windows is claiming. If I want to use the Samba share, I have to add the local user account to the Samba Administrators group (done via Napp-It) and suddenly I have access to the share, no issues with network path not found and no notices in the logs. It just works; obviously I don't want to have all the users be Samba Admins though. To stress that again, if supervisor is part of the SMB-group administrators I can browse all folders and edit permissions using the IP address or the hostname. If supervisor is NOT in that group, I am able to access //nexus and see the share 'test' as a folder, but I cannot browse it or make any changes to it (and obviously I can't edit share permissions) using either the IP address or the hostname (Windows throws network path not found, logs on server say "bad path").

    Code:
    members of smb-group administrators   status   option
             
      \root       remove
      \supervisor       remove
    
    ^This works.

    Code:
    members of smb-group administrators   status   option
             
      \root       remove
    
    ^This throws errors as noted above.

    ZFS Filesystem view from Napp-It:

    Code:
    
     ZFS (all properties)   SMB   NFS   RSYNC     FC,IB,iSCSI   NBMAND   REC   AVAILABLE   USED   RES   RFRES   QUO   RFQU   SYNC   COMPR   DEDUP   CRYPT   FOLDER-ACL   SHARE-ACL   PERM   RDONLY
                                                                                     
     library (pool)-       -   -   -   off   128K   43.1T [51%]   40.8T   none   none   none   none   standard   lz4   off   n.a.   special   -   ACL   off
     library/test   test   off   off   zfs unset   on   128K   43.1T   176K   none   none   none   none   standard   lz4   off   n.a.   special   full_set   ACL   off 
    Permissions on the set:

    Folder ACL

    Code:
    ACL   User/ Group   acl   acl-set   details   inheritance   type   option
                                 
     0   everyone@   rwxpdDaARWcCos   full_set   rd(acl,att,xatt) wr(acl,att,xatt,own) del(yes,child) x, s   folder only   allow   delete 
    Samba ACL

    Code:
    ACL   User/ Group   acl   acl-set   details   inheritance   type   option
                                
     0   user:supervisor   rwxpdDaARWcCos   full_set   rd(acl,att,xatt) wr(acl,att,xatt,own) add(fi,sdir) del(yes,child) x, s   file,dir   allow   delete  

    Where is my error in permissions?
     
    #1
    Last edited: Sep 18, 2018
  2. armouredking

    Just some extra notes:

    From a Windows computer, the following command works:

    Code:
    > net view \\nexus
    Shared resources at \\nexus
    
    Share name  Type  Used as  Comment
    
    -------------------------------------------------------------------------------
    test        Disk
    The command completed successfully.
    
    The following command never works >>including when I can access the share by putting my user into the Samba Admins group<<, but prints two different error messages depending on what you ask:

    Code:
    > net view \\192.168.200.39\test
    System error 53 has occurred.
    
    The network path was not found.
    
    > net view \\nexus\test
    System error 1707 has occurred.
    
    The network address is invalid.
    
    And just for S&G:
    Code:
    > ping nexus
    
    Pinging nexus.local [192.168.200.39] with 32 bytes of data:
    Reply from 192.168.200.39: bytes=32 time<1ms TTL=254
    Reply from 192.168.200.39: bytes=32 time<1ms TTL=254
    Reply from 192.168.200.39: bytes=32 time<1ms TTL=254
    Reply from 192.168.200.39: bytes=32 time<1ms TTL=254
    
    So it still really doesn't look like a network problem despite what net commands seem to say. But I can't fathom what permissions are set that make a share available to view (I can see the network folder test by going to \\nexus at any time, with supervisor in or out of the admin group) but unable to open (I can only open folder test by placing supervisor in the admin group and refreshing my connection).

    I've done the obvious reboot/restart smb/use IP or dns to access and the results are all the same. Access is only allowed for a user in the samba admins group, and Windows net commands always print issues when accessing the shares. If my user is in the samba admins group, I have full control; I can edit move rename copy add etc any file in the test share.
     
    #2
  3. armouredking

    Hello future Google searchers. Hopefully the title change will let you find this and save you some headache.

    Napp-It's ACL doesn't seem to apply to the Zpool. When you click on a Pool, it asks you to select a dataset for setting permissions but doesn't appear to do anything from the GUI for the pool. Additionally, I was using
    Code:
    ls -V
    instead of
    Code:
    ls -laV
    from the command line and therefore didn't see the whole picture from the terminal until I did. Lesson learned, don't be a lazy troubleshooter.

    These were the settings for permissions on the zpool "library":

    Code:
    drwx------+  9 root     root           9 Sep 17 17:17 .
                  user:root:rwxpdDaARWcCos:fd-----:allow
                  everyone@:rwxpdDaARWc--s:fdi----:allow
                     owner@:rwxp-DaARWcCos:-------:allow
                     group@:------a-R-c--s:-------:allow
                  everyone@:------a-R-c--s:-------:allow
    
    I cleared them out using the A#- technique until I got down to just the root line, then updated both root and everyone with the default Napp-It reset line like so:

    Code:
    drwxrwxrwx+  9 root     root           9 Sep 17 17:17 .
                  user:root:rwxpdDaARWcCos:fd-----:allow
                  everyone@:rwxpdDaARWc--s:fd-----:allow
    
    Shares are working again, I get the prompt for user logon by simply browsing in Windows to \\nexus and don't have to do a
    Code:
    net use
    just to attempt access. As expected the issue was with permissions and not with networking.
     
    #3
  4. gea

    Some remarks

    1. napp-it does not support sharing of the pool itself. You must always create a filesystem. This is why you cannot set ACL to the pool in napp-it, only to filesystems.

    2. This is not SAMBA but the Solaris OS/ZFS/kernel-based SMB server, which additionally supports SMB groups (Unix/Linux groups behave differently), Windows NTFS-alike ACLs, shares as a ZFS property, out-of-the-box support of Windows Previous Versions and Windows SIDs as permission reference.

    3. Regarding permissions, Windows often allows access per default. You must restrict otherwise. Linux/Unix blocks everything per default; you must allow when wanted.

    If you create a filesystem in napp-it, the default is Windows alike (everyone=modify) with ACL inheritance enabled (aclinherit=passthrough). If you modify from console this may be set differently.

    If you want to use console commands, use those from /usr/bin, e.g. /usr/bin/chmod

    4. You can modify file permissions from Windows via SMB when you connect as root. To modify share permissions from Windows use Computer Management after SMB connecting as a user that is member of admins on Solarish.

    If you enable a share, you need at least readx to the shared filesystem.
     
    #4
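Added example, not part of the thread and not napp-it or illumos code: a small evaluator that parses the two pool-root listings from post #3 and checks, with ordered NFSv4-style ACE evaluation, whether a non-owner user gets read and execute (the "readx" from post #4) on /library itself. It is a simplified model with no privilege or SMB-admin handling; the function names and the empty group list for supervisor are assumptions.

```python
import re

# Constructed input: the two `ls -laV` listings of the pool root from post #3.
BEFORE = """\
drwx------+  9 root     root           9 Sep 17 17:17 .
              user:root:rwxpdDaARWcCos:fd-----:allow
              everyone@:rwxpdDaARWc--s:fdi----:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:------a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
"""
AFTER = """\
drwxrwxrwx+  9 root     root           9 Sep 17 17:17 .
              user:root:rwxpdDaARWcCos:fd-----:allow
              everyone@:rwxpdDaARWc--s:fd-----:allow
"""
# who : 14 permission letters : 7 inheritance flags : allow|deny
ACE = re.compile(r"^\s*(\S+?):([A-Za-z-]{14}):([A-Za-z-]{7}):(allow|deny)\s*$")

def parse(listing):
    """Return (owner, group, aces) for one directory entry of `ls -V` output."""
    lines = listing.splitlines()
    owner, group = lines[0].split()[2:4]
    return owner, group, [m.groups() for m in map(ACE.match, lines[1:]) if m]

def granted(listing, user, groups=(), want="rx"):
    """Ordered evaluation of the `want` bits on the directory itself."""
    owner, group, aces = parse(listing)
    pending = set(want)
    for who, perms, flags, kind in aces:
        if flags[2] == "i":      # inherit_only: template for children, skipped here
            continue
        if not (who == "everyone@" or who == "user:" + user
                or (who == "owner@" and user == owner)
                or (who == "group@" and group in groups)
                or (who.startswith("group:") and who[6:] in groups)):
            continue
        hit = pending & set(perms)
        if hit and kind == "deny":
            return False
        pending -= hit
        if not pending:
            return True
    return False                 # bits that no ACE allowed are denied

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        print(name, "supervisor r+x on /library:", granted(acl, "supervisor"))
```

For the first listing the result for supervisor is False: the only everyone@ entry carrying r and x has the inherit_only flag (i), so it applies to children and not to the pool root, and the remaining everyone@ entry grants neither bit. For the second listing the result is True.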