Bug #7529

SMB shares with no permission for root fail after restart

Added by Dmitry Glushenok almost 3 years ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: cifs - CIFS server and client
Start date: 2016-11-03
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

The SMB server was joined to an AD domain, then a ZFS dataset was shared using the smbshare=on property. After changing permissions on the dataset folder to something like this (no local users allowed):

# /usr/bin/ls -lvd /tzk-data-01
d---rwx---+  8 Administrator@tzk.local Domain Admins@tzk.local      13 Nov  2 12:12 /tzk-data-01
    0:group:Domain Users@tzk.lo:list_directory/read_data/read_xattr/execute
        /read_attributes/read_acl/synchronize:allow
    1:group:Domain Admins@tzk.l:list_directory/read_data/add_file/write_data
        /add_subdirectory/append_data/read_xattr/write_xattr/execute
        /delete_child/read_attributes/write_attributes/delete/read_acl
        /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
#

Everything works fine till smb/server restart. After restart the share disappears from share list (smbutil view shows only c$, IPC$ and vss$).
It was found that assigning file_dac_read privilege to smbd (via ppriv) solves the problem. The issue was observed on OmniOS r151018, root cause unknown.


History

#1

Updated by Gordon Ross almost 3 years ago

Yeah, we have a fix for this to upstream.
The problem here is that smbd drops all its privileges,
later elevating only when it needs to.
I'm not sure how much point there is in that,
but we kept the design, and added calls to
temporarily elevate privilege when doing
share/unshare work. See this patch:
0001-NEX-6949-SMB-shares-with-no-permission-for-root-fail.patch

See also: #7530 (related issue)

#2

Updated by Gordon Ross almost 3 years ago

  • Assignee set to Gordon Ross

#3

Updated by Gordon Ross 5 months ago

  • Subject changed from smbd unable to share folder whose permissions do not allow the read permission for user root to SMB shares with no permission for root fail after restart
  • Status changed from New to In Progress

#4

Updated by Gordon Ross 5 months ago

The problem was that, internal to the SMB server, the operation to set up the .zfs/share directory was happening after smbd had dropped its privileges. It needs to temporarily reinstate some privileges for the duration of that work.

Tested with a share with an ACL granting access only to some Windows user (a SID); restart the SMB service and verify the share is still there.
Fix in production since late 2016.
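
An added example, not part of the original ticket or the illumos code: a Python check that parses the ls -v ACE lines from the description and reports whether a uid-0 process without file_dac_read would be refused list_directory, the condition this bug was reported under. The principal set ROOT, the function names and the two extra ACLs are assumptions constructed for illustration; the access being checked is inferred from the file_dac_read workaround in the description.

```python
import re

# ACE lines exactly as printed by `/usr/bin/ls -lvd /tzk-data-01` in the description.
REPORTED = """\
    0:group:Domain Users@tzk.lo:list_directory/read_data/read_xattr/execute
        /read_attributes/read_acl/synchronize:allow
    1:group:Domain Admins@tzk.l:list_directory/read_data/add_file/write_data
        /add_subdirectory/append_data/read_xattr/write_xattr/execute
        /delete_child/read_attributes/write_attributes/delete/read_acl
        /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
"""
# Constructed samples, not from the report.
ROOT_ALLOWED = "    0:user:root:list_directory/read_data\n        /execute:allow\n"
DENY_FIRST = ("    0:everyone@:list_directory/read_data:deny\n"
              "    1:user:root:list_directory/read_data:allow\n")

# Assumption: identities an unprivileged uid-0 process matches; add "owner@"
# or "group@" when root owns the directory or belongs to its group.
ROOT = frozenset({"user:root", "group:root", "everyone@"})

def parse_aces(text):
    """Return [(who, perms, flags, kind)] from `ls -v` ACE lines."""
    joined = []
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"\d+:", line):
            joined.append(line)               # start of a new ACE
        elif line.startswith("/") and joined:
            joined[-1] += line                # wrapped continuation line
    aces = []
    for entry in joined:
        f = entry.split(":")[1:]              # drop the ACE index
        n = 2 if f[0] in ("user", "group") else 1
        who, rest = ":".join(f[:n]), f[n:]
        flags = set(rest[1].split("/")) if len(rest) == 3 else set()
        aces.append((who, set(rest[0].split("/")), flags, rest[-1]))
    return aces

def allowed(aces, principals, perm="list_directory"):
    """The first applicable ACE that names `perm` decides; no match means deny."""
    for who, perms, flags, kind in aces:
        if who in principals and perm in perms and "inherit_only" not in flags:
            return kind == "allow"
    return False

def root_blocked(text, principals=ROOT):
    """True when uid 0 without file_dac_read could not list the directory."""
    return not allowed(parse_aces(text), principals)

if __name__ == "__main__":
    for name in ("REPORTED", "ROOT_ALLOWED", "DENY_FIRST"):
        print(name, "blocked" if root_blocked(globals()[name]) else "readable")
```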

#5

Updated by Electric Monk 5 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit db46347b25b03d61611dcb9b588ee786da62c918

commit  db46347b25b03d61611dcb9b588ee786da62c918
Author: Gordon Ross <gwr@nexenta.com>
Date:   2019-05-28T17:34:10.000Z

    7529 SMB shares with no permission for root fail after restart
    Reviewed by: Alek Pinchuk <alek@nexenta.com>
    Reviewed by: Evan Layton <evan.layton@nexenta.com>
    Reviewed by: Matt Barden <matt.barden@nexenta.com>
    Reviewed by: Sanjay Nadkarni <sanjay.nadkarni@nexent.com>
    Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
    Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
    Approved by: Garrett D'Amore <garrett@damore.org>
