Bug #7529


SMB shares with no permission for root fail after restart

Added by Dmitry Glushenok almost 6 years ago. Updated about 3 years ago.

cifs - CIFS server and client

The SMB server was joined to an AD domain, then a ZFS dataset was shared using the smbshare=on property. After changing permissions on the dataset folder to something like this (no local users allowed):

# /usr/bin/ls -lvd /tzk-data-01
d---rwx---+  8 Administrator@tzk.local Domain Admins@tzk.local      13 Nov  2 12:12 /tzk-data-01
    0:group:Domain Users@tzk.lo:list_directory/read_data/read_xattr/execute
    1:group:Domain Admins@tzk.l:list_directory/read_data/add_file/write_data

Everything works fine until smb/server is restarted. After the restart the share disappears from the share list (smbutil view shows only c$, IPC$ and vss$).
It was found that assigning the file_dac_read privilege to smbd (via ppriv) solves the problem. The issue was observed on OmniOS r151018, root cause unknown.


Actions #1

Updated by Gordon Ross almost 6 years ago

Yeah, we have a fix for this to upstream.
The problem here is that smbd drops all its privileges,
later elevating only when it needs to.
I'm not sure how much point there is in that,
but we kept the design, and added calls to
temporarily elevate privilege when doing
share/unshare work. See this patch:

See also: #7530 (related issue)

Actions #2

Updated by Gordon Ross almost 6 years ago

  • Assignee set to Gordon Ross
Actions #3

Updated by Gordon Ross over 3 years ago

  • Subject changed from smbd unable to share folder whose permissions do not allow the read permission for user root to SMB shares with no permission for root fail after restart
  • Status changed from New to In Progress
Actions #4

Updated by Gordon Ross about 3 years ago

The problem was that, internal to the SMB server, the operation to set up the .zfs/share directory was happening after smbd had dropped its privileges. It needs to temporarily reinstate some privileges for the duration of that work.

Tested with a share with an ACL granting access only to some Windows user (a SID); restart the SMB service and verify the share is still there.
Fix in production since late 2016.
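
An added example, not part of the original thread or the illumos source: a Python check that reads `ppriv` output for a process and reports where file_dac_read sits in its privilege sets. The sample outputs and the privilege lists in them are constructed; "effective" corresponds to the ppriv workaround in the report, "permitted-only" to a process that can raise the privilege temporarily as described above, and "absent" to one that cannot raise it at all.

```python
import re

PRIV = "file_dac_read"  # privilege named in the bug report

def sample(e, p):
    """Constructed text in the shape of `ppriv <pid>` output (not from a real host)."""
    return ("1234:\t/usr/lib/smbsrv/smbd start\nflags = PRIV_AWARE\n"
            f"\tE: {e}\n\tI: none\n\tP: {p}\n\tL: none\n")

def parse_ppriv(text):
    """Return {'E': set, 'I': set, 'P': set, 'L': set} of privilege tokens."""
    sets, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([EIPL]):\s*(.*)$", line)
        if m:
            cur, body = m.group(1), m.group(2)
            sets[cur] = set()
        elif cur and line[:1].isspace():
            body = line  # wrapped continuation of the previous set
        else:
            cur = None
            continue
        sets[cur].update(t.strip() for t in body.split(",") if t.strip())
    return sets

def holds(privset, name):
    """True if the set contains name, honouring 'all' and '!name' negation."""
    if "!" + name in privset:
        return False
    return name in privset or "all" in privset

def classify(text, name=PRIV):
    sets = parse_ppriv(text)
    if "E" not in sets or "P" not in sets:
        raise ValueError("no E:/P: lines found; is this ppriv output?")
    if holds(sets["E"], name):
        return "effective"        # always on, as after the ppriv workaround
    if holds(sets["P"], name):
        return "permitted-only"   # dropped from E, can be raised when needed
    return "absent"               # cannot be raised by the process itself

if __name__ == "__main__":
    both = "net_privaddr,sys_smb,file_dac_read"
    for e, p in [(both, both), ("net_privaddr", both), ("basic", "basic,sys_smb")]:
        print(classify(sample(e, p)))
```

Abbreviated sets other than `all` (for example `basic` or `zone`) are not expanded here, so feed it `ppriv -v` output when the sets are abbreviated.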

Actions #5

Updated by Electric Monk about 3 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit db46347b25b03d61611dcb9b588ee786da62c918

commit  db46347b25b03d61611dcb9b588ee786da62c918
Author: Gordon Ross <>
Date:   2019-05-28T17:34:10.000Z

    7529 SMB shares with no permission for root fail after restart
    Reviewed by: Alek Pinchuk <>
    Reviewed by: Evan Layton <>
    Reviewed by: Matt Barden <>
    Reviewed by: Sanjay Nadkarni <>
    Reviewed by: Saso Kiselkov <>
    Reviewed by: Rick McNeal <>
    Approved by: Garrett D'Amore <>

