SMB write issue from Linux after upgrade to 11.3-U1

Description

I recently added some new storage to my NAS. During that I upgraded FreeNAS from 11.1-U5 to 11.3-U1. After the upgrade, Linux servers that had SMB mounts to shares on my FreeNAS box were unable to write to them. I had the shares set up with Allow Guest Access and they had been working fine before the upgrade. From multiple Windows boxes I was still able to write to the shares. I tried recreating the shares, several attempts at modifying the fstab config but none of it helped. The only way I could get the Linux boxes to write to the shares was to enable Only Allow Guest Access.

This is a sample of the fstab config that worked prior to the upgrade and again after enabling Only Allow Guest Access:

//172.16.11.25/media /media/storage cifs vers=3.0,guest,uid=1000,iocharset=utf8 0 0

I turned up the logging level and tried to write data.

Trying touch fails with permission denied but no error in the log. Doing an mkdir gives this in the log:

[2020/04/20 16:26:55.374747, 2] ../../source3/smbd/open.c:4056(open_directory)
open_directory: unable to create test. Error was NT_STATUS_ACCESS_DENIED

Problem/Justification

None

Impact

None

Activity

Andrew Walker 
May 11, 2020 at 4:49 PM

Hi Robert,
Sorry it took a while to get around to testing what you saw. Depending on cifs-utils version, your Linux client is setting up an anonymous rather than a guest session when you specify the "guest" option:

Above is from the latest LTS Ubuntu. During an anonymous session, the user's security token will not contain the SID for the Guest account (S-1-5-21-<domain>-501) and so the session will not be granted the access normally afforded to the guest account. A Windows guest session is a proper guest session and therefore has an appropriate SID in its security token.

If you wish to force the Linux client to generate a proper guest session, you can try to pass a bad username in your fstab line (try with manual mount.cifs command first). Samba by default will map bad user to the guest account. This is unfortunately a bit of a hack. Most SMB clients are transitioning to behavior where they will drop sessions if they try to negotiate an authenticated session and receive a guest session instead.

Andrew Walker 
April 29, 2020 at 7:22 PM

No. Currently you're forcing guest access, which has all users go through the guest account "nobody" regardless of authentication method / status. When "allow guest access" is checked then users are mapped to the guest account only in the case of passing a bad username. Your Linux SMB client was probably bypassing guest access in the original case (possibly coming in under some other system user, which is why you were having reduced access per the everyone@ entry).

Robert Paulson 
April 29, 2020 at 7:02 PM

Does this mean that Windows systems are somehow ignoring the ACLs or the ACL isn't being enforced from Windows?

Andrew Walker 
April 29, 2020 at 6:23 PM

ACLs are improperly set on shares. This is expected behavior with the ZFS ACL vfs module.

This ACL lacks WRITE_ATTRIBUTES (A) and WRITE_NAMED_ATTRIBUTES (W) for everyone except "nobody".
I have made the "ixnas" module more tolerant of chmod 777. You can try that or fix your permissions using the ACL manager.
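
One way to check an ACL for the condition described in the comment above, as an added example that is not part of the original ticket: it parses NFSv4 ACL text in the compact form printed by FreeBSD getfacl and lists allow entries that lack WRITE_ATTRIBUTES (A) or WRITE_NAMED_ATTRIBUTES (W). The sample ACL, its path and the function names are constructed for illustration.

```python
# Added example: find NFSv4 allow entries missing the A / W permission bits.
# Permission letters follow the compact form used by FreeBSD getfacl/setfacl.
WRITE_ATTRIBUTES, WRITE_NAMED_ATTRS = "A", "W"

# Constructed sample, not the ACL from this ticket.
SAMPLE_ACL = """\
# file: /mnt/tank/media
# owner: root
# group: wheel
      user:nobody:rwxpDdaARWcCos:fd-----:allow
           owner@:rwxpDda-R-cCos:fd-----:allow
           group@:rwxpDdaAR-c--s:fd-----:allow
        everyone@:r-x---a-R-c--s:fd-----:allow
"""

def parse_acl(text):
    """Yield (principal, perms, flags, ace_type) for each ACE line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the "# file/owner/group" header
        # Split from the right: user:/group: entries carry an extra name field.
        principal, perms, flags, ace_type = line.rsplit(":", 3)
        yield principal, set(perms) - {"-"}, flags, ace_type

def missing_write_attr_bits(text):
    """Map principal -> sorted list of missing bits (A, W) on allow entries."""
    report = {}
    for principal, perms, _flags, ace_type in parse_acl(text):
        if ace_type != "allow":
            continue
        missing = sorted({WRITE_ATTRIBUTES, WRITE_NAMED_ATTRS} - perms)
        if missing:
            report[principal] = missing
    return report

if __name__ == "__main__":
    for who, bits in missing_write_attr_bits(SAMPLE_ACL).items():
        print(f"{who}: missing {''.join(bits)}")
```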

Robert Paulson 
April 28, 2020 at 5:19 PM

Debug log as requested. I did not make any changes or run additional tests before uploading this. I'm happy to do so if needed and can upload an updated log.

Behaves as Intended

Created April 28, 2020 at 4:11 PM
Updated July 1, 2022 at 4:49 PM
Resolved May 11, 2020 at 5:20 PM