Solaris (OmniOS) w/ Napp-It ZPool Share Permissions for CIFS [Solved]

armouredking

New Member
Feb 3, 2018
8
0
1
35
So I've run into this weird hangup that I'm pretty sure comes down to permissions. Fresh install using latest stable Omni with Napp-It free just for the GUI.

NFS is set up and working fine on the one dataset I need it. I'm trying to now get Samba working on the other sets.

This is the log of the error:
Code:
Sep 17 16:13:08 nexus smbsrv: [ID 138215 kern.notice] NOTICE: smbd[NEXUS\supervisor]: \\nexus\test bad path: /library/test
Sep 17 16:13:08 nexus last message repeated 6 times
The actual error on Windows is 0x80070035 network path not found.

Now, I can use Samba with one change so this isn't actually a network problem as Windows is claiming. If I want to use the Samba share, I have to add the local user account to the Samba Administrators group (done via Napp-It) and suddenly I have access to the share, no issues with network path not found and no notices in the logs. It just works; obviously I don't want to have all the users be Samba Admins though. To stress that again, if supervisor is part of the SMB-group administrators I can browse all folders and edit permissions using the IP address or the hostname. If supervisor is NOT in that group, I am able to access //nexus and see the share 'test' as a folder, but I cannot browse it or make any changes to it (and obviously I can't edit share permissions) using either the IP address or the hostname (Windows throws network path not found, logs on server say "bad path").

Code:
members of smb-group administrators   status   option
         
  \root       remove
  \supervisor       remove
^This works.

Code:
members of smb-group administrators   status   option
         
  \root       remove
^This throws errors as noted above.

ZFS Filesystem view from Napp-It:

Code:
 ZFS (all properties)   SMB   NFS   RSYNC     FC,IB,iSCSI   NBMAND   REC   AVAILABLE   USED   RES   RFRES   QUO   RFQU   SYNC   COMPR   DEDUP   CRYPT   FOLDER-ACL   SHARE-ACL   PERM   RDONLY
                                                                                 
 library (pool)-       -   -   -   off   128K   43.1T [51%]   40.8T   none   none   none   none   standard   lz4   off   n.a.   special   -   ACL   off
 library/test   test   off   off   zfs unset   on   128K   43.1T   176K   none   none   none   none   standard   lz4   off   n.a.   special   full_set   ACL   off
Permissions on the set:

Folder ACL

Code:
ACL   User/ Group   acl   acl-set   details   inheritance   type   option
                             
 0   everyone@   rwxpdDaARWcCos   full_set   rd(acl,att,xatt) wr(acl,att,xatt,own) del(yes,child) x, s   folder only   allow   delete
Samba ACL

Code:
ACL   User/ Group   acl   acl-set   details   inheritance   type   option
                            
 0   user:supervisor   rwxpdDaARWcCos   full_set   rd(acl,att,xatt) wr(acl,att,xatt,own) add(fi,sdir) del(yes,child) x, s   file,dir   allow   delete

Where is my error in permissions?
 

armouredking

Just some extra notes:

From a Windows computer, the following command works:

Code:
> net view \\nexus
Shared resources at \\nexus

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
test        Disk
The command completed successfully.
The following command never works >>including when I can access the share by putting my user into the Samba Admins group<<, but prints two different error messages depending on what you ask:

Code:
> net view \\192.168.200.39\test
System error 53 has occurred.

The network path was not found.

> net view \\nexus\test
System error 1707 has occurred.

The network address is invalid.
And just for S&G:
Code:
> ping nexus

Pinging nexus.local [192.168.200.39] with 32 bytes of data:
Reply from 192.168.200.39: bytes=32 time<1ms TTL=254
Reply from 192.168.200.39: bytes=32 time<1ms TTL=254
Reply from 192.168.200.39: bytes=32 time<1ms TTL=254
Reply from 192.168.200.39: bytes=32 time<1ms TTL=254
So it still really doesn't look like a network problem despite what net commands seem to say. But I can't fathom what permissions are set that make a share available to view (I can see the network folder test by going to \\nexus at any time, with supervisor in or out of the admin group) but unable to open (I can only open folder test by placing supervisor in the admin group and refreshing my connection).

I've done the obvious reboot/restart smb/use IP or dns to access and the results are all the same. Access is only allowed for a user in the samba admins group, and Windows net commands always print issues when accessing the shares. If my user is in the samba admins group, I have full control; I can edit move rename copy add etc any file in the test share.
 

armouredking

Hello future Google searchers. Hopefully the title change will let you find this and save you some headache.

Napp-It's ACL doesn't seem to apply to the Zpool. When you click on a Pool, it asks you to select a dataset for setting permissions but doesn't appear to do anything from the GUI for the pool. Additionally, I was using
Code:
ls -V
instead of
Code:
ls -laV
from the command line and therefore didn't see the whole picture from the terminal until I did. Lesson learned, don't be a lazy troubleshooter.

These were the settings for permissions on the zpool "library":

Code:
drwx------+  9 root     root           9 Sep 17 17:17 .
              user:root:rwxpdDaARWcCos:fd-----:allow
              everyone@:rwxpdDaARWc--s:fdi----:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:------a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
I cleared them out using the A#- technique until I got down to just the root line, then updated both root and everyone with the default Napp-It reset line like so:

Code:
drwxrwxrwx+  9 root     root           9 Sep 17 17:17 .
              user:root:rwxpdDaARWcCos:fd-----:allow
              everyone@:rwxpdDaARWc--s:fd-----:allow
Shares are working again, I get the prompt for user logon by simply browsing in Windows to \\nexus and don't have to do a
Code:
net use
just to attempt access. As expected the issue was with permissions and not with networking.
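
An added example, not part of the original post: a small Python check that reads the two `ls -laV` listings quoted above and evaluates, in ACE order, whether a non-root user gets execute (traverse) on the pool root. It is a simplified model of NFSv4 ACL evaluation (no privilege bypass is modelled), and the group name `staff` for `supervisor` is an assumption.

```python
# Constructed from the "before" and "after" ls -laV listings quoted in the post.
BEFORE = """\
drwx------+  9 root     root           9 Sep 17 17:17 .
              user:root:rwxpdDaARWcCos:fd-----:allow
              everyone@:rwxpdDaARWc--s:fdi----:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:------a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
"""
AFTER = """\
drwxrwxrwx+  9 root     root           9 Sep 17 17:17 .
              user:root:rwxpdDaARWcCos:fd-----:allow
              everyone@:rwxpdDaARWc--s:fd-----:allow
"""

def parse_listing(text):
    """Return (owner, group, [(who, perms, flags, type), ...])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split()
    # rsplit keeps "user:root" intact as the 'who' part of the entry
    aces = [tuple(ln.rsplit(":", 3)) for ln in lines[1:]]
    return fields[2], fields[3], aces

def ace_matches(who, user, groups, owner, group):
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return group in groups
    kind, _, name = who.partition(":")
    return name == user if kind == "user" else name in groups

def inherit_only_entries(text):
    """Entries flagged 'i': passed to children, not applied to this directory."""
    return [who for who, _, flags, _ in parse_listing(text)[2] if "i" in flags]

def is_allowed(text, user, groups, perm):
    """The first applicable ACE that carries `perm` decides; default is deny."""
    owner, group, aces = parse_listing(text)
    for who, perms, flags, kind in aces:
        if "i" in flags or perm not in perms:
            continue
        if ace_matches(who, user, groups, owner, group):
            return kind == "allow"
    return False

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        ok = is_allowed(listing, "supervisor", {"staff"}, "x")  # group assumed
        print(label, "traverse:", ok, "inherit-only:", inherit_only_entries(listing))
```

In the first listing the only `everyone@` entry that carries `x` is inherit-only (`fdi`), so it never applies to `/library` itself; the reset listing drops the `i` flag.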
 

gea

Well-Known Member
Dec 31, 2010
2,437
815
113
DE
Some remarks

1. napp-it does not support sharing of the pool itself. You must always create a filesystem. This is why you cannot set ACL to the pool in napp-it, only to filesystems.

2. This is not SAMBA but the Solaris OS/ZFS/kernel-based SMB server, which additionally supports SMB groups (Unix/Linux groups behave differently), Windows NTFS-alike ACLs, shares as a ZFS property, out-of-the-box support of Windows Previous Versions and Windows SID as permission reference.

3. Regarding permissions, Windows allows often access per default. You must restrict otherwise. Linux/Unix blocks everything per default, you must allow when wanted.

If you create a filesystem in napp-it, the default is Windows alike (everyone=modify) with ACL inheritance enabled (aclinherit=passthrough). If you modify from console this may be set differently.

If you want to use console commands, use those from /usr/bin, e.g. /usr/bin/chmod

4. You can modify file permissions from Windows via SMB when you connect as root. To modify share permissions from Windows use Computer Management after SMB connecting as a user that is a member of admins on Solarish.

If you enable a share, you need at least readx to the shared filesystem.