[SOLVED] Smb permission issues

Michael_Stufflebeam · October 15, 2016, 4:37am

Hello all,

I’m new to rockstor and has boxes in general. I’m on stable updates running 3.8-14. I have 6x 3TB drives 2 are independent for low important data backups and 4 are setup as a raid1 for mission critical backups. I’ve got 3 shares setup on my redundant pool and I have an smb share on each. I have a user setup that’s an admin on each smb share.

On my windows 10 computer I can browse the available shares at \ipaddress after logging in but I get a permission denied error or an invalid handle error.

I’ve changed the root user on the shares under access control but that does help.

Any help wood be great,
Michael

Flyer · October 15, 2016, 8:04am

Good morning @Michael_Stufflebeam and welcome to our community

Can you please provide a screenshot of your Rockstor Share ACL (or just tell us if is 700, 755, etc etc etc) + a screen of a Samba share from Rockstor Web UI??

Please note this could be related to this too (no auto inherited permissions over samba shares):

Once again welcome on board

Michael_Stufflebeam · October 15, 2016, 2:31pm

Thanks @Flyer for the welcome!

I’ll post again with changing photo share to cpuchip/cpuchip 775

And let me know if those aren’t the acl’s you need I’m not sure exactly what you’re asking, like finding the acls by ssh’ing into the box and seing it’s smb config and permissions bits?

Michael_Stufflebeam · October 15, 2016, 2:38pm

Flyer · October 15, 2016, 2:50pm

Hi @Michael_Stufflebeam how do you login to samba share??

cpuchip user same password on Rockstor & Win10?
can you please provide - shell - a ls -l of photos folder?

M.

Michael_Stufflebeam · October 15, 2016, 3:10pm

I’ve created a user called cpuchip on my nas, and that’s the user I’m logging in with on windows. It wont list the dir of ]172.17.4.102 unless I’m logged in with cpuchip

He is an “ls -l” of /mnt2/photos
[root@chipnas photos]# ls -l
total 0

current /mnt2 dir listing
[root@chipnas mnt2]# ll
total 64
drwxrwxr-x. 1 cpuchip cpuchip 62 Oct 15 09:09 chip-tm
drwxr-xr-x. 1 root root 24 Oct 14 13:02 home
drwxrwxr-x. 1 root root 0 Oct 14 22:47 photos
drwxr-xr-x. 1 root root 12 Oct 14 22:45 redundent
drwxr-xr-x. 1 root root 0 Oct 14 12:53 regular
drwxr-xr-x. 1 root root 144 Oct 15 08:40 rockons
drwxr-xr-x. 1 root root 30 Oct 13 19:22 rockstor
dr-xr-xr-x. 1 root root 168 Oct 15 08:41 root
drwxr-xr-x. 1 root root 14 Oct 14 13:10 timemachine

Here’s a from samba /var/log/samba/log.maclappy2 (the windows name of the computer I’m trying to connect to share from)

[2016/10/15 08:50:37.535550, 3] …/source3/smbd/vfs.c:1174(check_reduced_name)
check_reduced_name [.] [/mnt2/photos]
[2016/10/15 08:50:37.535654, 3] …/source3/smbd/vfs.c:1322(check_reduced_name)
check_reduced_name: . reduced to /mnt2/photos
[2016/10/15 08:50:37.535788, 3] …/source3/smbd/dosmode.c:196(unix_mode)
unix_mode(.) returning 0744
[2016/10/15 08:50:37.694875, 3] …/source3/smbd/filename.c:1178(get_real_filename_full_scan)
scan dir didn’t open dir [.]
[2016/10/15 08:50:37.695086, 3] …/source3/smbd/vfs.c:1174(check_reduced_name)
check_reduced_name [desktop.ini] [/mnt2/photos]
[2016/10/15 08:50:37.695136, 3] …/source3/smbd/vfs.c:1322(check_reduced_name)
check_reduced_name: desktop.ini reduced to /mnt2/photos/desktop.ini
[2016/10/15 08:50:37.695264, 3] …/source3/smbd/dosmode.c:196(unix_mode)
unix_mode(desktop.ini) returning 0744
[2016/10/15 08:50:37.695462, 3] …/source3/smbd/vfs.c:1174(check_reduced_name)
check_reduced_name [.] [/mnt2/photos]
[2016/10/15 08:50:37.695520, 3] …/source3/smbd/vfs.c:1322(check_reduced_name)
check_reduced_name: . reduced to /mnt2/photos
[2016/10/15 08:50:37.696261, 3] …/source3/smbd/vfs.c:1174(check_reduced_name)
check_reduced_name [.] [/mnt2/photos]
[2016/10/15 08:50:37.696312, 3] …/source3/smbd/vfs.c:1322(check_reduced_name)
check_reduced_name: . reduced to /mnt2/photos
[2016/10/15 08:50:37.696405, 3] …/source3/smbd/dosmode.c:196(unix_mode)
unix_mode(.) returning 0744
[2016/10/15 08:50:37.696464, 3] …/source3/smbd/open.c:881(open_file)
Error opening file . (NT_STATUS_ACCESS_DENIED) (local_flags=0) (flags=0)
[2016/10/15 08:50:37.697421, 3] …/source3/smbd/vfs.c:1174(check_reduced_name)
check_reduced_name [.] [/mnt2/photos]
[2016/10/15 08:50:37.697468, 3] …/source3/smbd/vfs.c:1322(check_reduced_name)
check_reduced_name: . reduced to /mnt2/photos
[2016/10/15 08:50:37.699605, 3] …/source3/smbd/vfs.c:1174(check_reduced_name)
check_reduced_name [.] [/mnt2/photos]
[2016/10/15 08:50:37.699715, 3] …/source3/smbd/vfs.c:1322(check_reduced_name)
check_reduced_name: . reduced to /mnt2/photos
[2016/10/15 08:50:37.699848, 3] …/source3/smbd/dosmode.c:196(unix_mode)
unix_mode(.) returning 0744
[2016/10/15 08:50:37.699916, 3] …/source3/smbd/open.c:881(open_file)
Error opening file . (NT_STATUS_ACCESS_DENIED) (local_flags=0) (flags=0)
[2016/10/15 08:50:38.965253, 3] …/source3/rpc_server/srv_pipe.c:728(api_pipe_bind_req)
api_pipe_bind_req: srvsvc -> srvsvc rpc service
[2016/10/15 08:50:38.965376, 3] …/source3/rpc_server/srv_pipe.c:356(check_bind_req)
check_bind_req for srvsvc context_id=0
[2016/10/15 08:50:38.965427, 3] …/source3/rpc_server/srv_pipe.c:399(check_bind_req)
check_bind_req: srvsvc -> srvsvc rpc service
[2016/10/15 08:50:38.966077, 3] …/source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
api_rpcTNP: rpc command: SRVSVC_NETSHAREENUMALL
[2016/10/15 08:50:39.820012, 3] …/source3/smbd/vfs.c:1174(check_reduced_name)
check_reduced_name [.] [/mnt2/photos]
[2016/10/15 08:50:39.820113, 3] …/source3/smbd/vfs.c:1322(check_reduced_name)
check_reduced_name: . reduced to /mnt2/photos
[2016/10/15 08:50:39.820211, 3] …/source3/smbd/dosmode.c:196(unix_mode)
unix_mode(.) returning 0744
[2016/10/15 08:50:39.820249, 3] …/source3/smbd/open.c:881(open_file)
Error opening file . (NT_STATUS_ACCESS_DENIED) (local_flags=0) (flags=0)

Michael_Stufflebeam · October 15, 2016, 9:46pm

I’ve not resolved my issue, but I did a fresh install in a VM and I don’t have this issue in the VM. So I think I’m inclined to just format the boot drive and try again on my physical hardware. I’ll have to do that when I get home tonight. Thank for your help @Flyer!

Flyer · October 16, 2016, 12:23pm

Hey @Michael_Stufflebeam sorry had not time to answer before,
having some checks could solve it without a new installation.

Mirko

Michael_Stufflebeam · October 16, 2016, 4:31pm

Well, I could still use the help. I freshly installed and… the same issue. I don’t know why in a vm it works perfectly but then on real hardware I have issues. I’m running an amd apu a8-7600 with 16gb ram the motherboard has a rieltek nic. I’m a bit lost at this point.

Michael_Stufflebeam · October 16, 2016, 9:50pm

I was able to start accessing and writing to my cpuchip home directory after running:
setsebool -P samba_enable_home_dirs on

My guess is SELinux interfering with the shares. For some reason it seems to work out of the box in my VM but no matter how many times I format the boot drive and install I can’t get the defaults to just work out of the box on my physical box.

When I create a new share say, data.

[root@chipnas mnt2]# ls -ldZ data/
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 data/

Then after running:

[root@chipnas mnt2]# chcon -t samba_share_t data/
[root@chipnas mnt2]# ls -ldZ data/
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 data/

I can now write into that directory.

Interesting notes on my VM:

[root@vmnas ~]# ls -ldZ /mnt2/photos/
drwxr-xr-x root root ? /mnt2/photos/
[root@vmnas ~]# sestatus
SELinux status: disabled

on my physical hardware:

[root@chipnas mnt2]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30

Is there any reason why on installing in a VM SELinux would be disabled and not on physical hardware? I did not change any settings while installing except where to install to. Any thoughts? I like having SELinux running, but that means I’ll need to run that command on any new shares I create.

Michael_Stufflebeam · October 17, 2016, 4:05pm

This was the relevant page that helped me identify the root issue:
https://www.centos.org/forums/viewtopic.php?t=44737

Flyer · October 17, 2016, 5:57pm

Hi @Michael_Stufflebeam,
reading your last posts your using a VM (I do same, over a Proxmox).
What is under your VM?

Mirko

Michael_Stufflebeam · October 17, 2016, 9:42pm

That’s an interesting idea. So you’re running Rockstor in a vm on your nas box? I was just playing around with installs on my MacBook Pro with Parallels just to see how the defaults work with smb shares. Currently I have Rockstor running on bare metal. Simple AMD A8-7600 APU with 16GB non-ecc ram on a Gigabyte a88xm mother board with 6x3TB drives with 4 in raid1 and 2 independent. and a 120GB ssd as the boot. I had a USB3.0 32GB boot drive, but it gave up the ghost too quickly for my taste.

It didn’t occur to me to run it in a virtualized environment on that box. That would also allow me to install a dual or quad port NIC and run PFSense on it too. That’s tempting.

Flyer · October 18, 2016, 7:23am

Yep, my Rockies (production & dev) run over a VM, actually just missing disks passthrough on the production VM (having that should provide smart capabilities too).
It’s the first time I read about SeLinux issues over Rockstor, maybe related to Parallel way to have VMs?!? Don’t know, but happy to hear we have a new Mac guy ( Check this one → Simple AFP Setting Request - #12 by sfranzen , we need Mac testers & coders )

Mirko

Michael_Stufflebeam · October 18, 2016, 3:54pm

Like how it shows up here? my RockStor chipnas looks like an iMac where as our storage on our router looks like a server box?

Flyer · October 19, 2016, 7:17am

Hi @Michael_Stufflebeam,
this should solve it