SMB shares with no permission for root fail after restart
SMB server was joined AD domain, then ZFS dataset was shared using smbshare=on property. After changing permissions on dataset folder to something like this (no local users allowed):
# /usr/bin/ls -lvd /tzk-data-01 d---rwx---+ 8 Administrator@tzk.local Domain Admins@tzk.local 13 Nov 2 12:12 /tzk-data-01 0:group:Domain Users@tzk.lo:list_directory/read_data/read_xattr/execute /read_attributes/read_acl/synchronize:allow 1:group:Domain Admins@tzk.l:list_directory/read_data/add_file/write_data /add_subdirectory/append_data/read_xattr/write_xattr/execute /delete_child/read_attributes/write_attributes/delete/read_acl /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow #
Everything works fine till smb/server restart. After restart the share disappears from share list (smbutil view shows only c$, IPC$ and vss$).
It was found that assigning file_dac_read privilege to smbd (via ppriv) solves the problem. The issue was observed on OmniOS r151018, root cause unknown.
Updated by Gordon Ross about 4 years ago
- File 0001-NEX-6949-SMB-shares-with-no-permission-for-root-fail.patch 0001-NEX-6949-SMB-shares-with-no-permission-for-root-fail.patch added
Yeah, we have a fix for this to upstream.
The problem here is that smbd drops all its privileges,
later elevating only when it needs to.
I'm not sure how much point there is in that,
but we kept the design, and added calls to
temporarily elevate privilege when doing
share/unshare work. See this patch:
See also: #7530 (related issue)
Updated by Gordon Ross over 1 year ago
Problem was that, internal to the SMB server, the operation to setup the .zfs/share directory was happening after smbd has dropped its privileges. It needs to temporarily reinstate some privileges for the duration of that work.
Tested with a share with an ACL granting access only to some Windows user (a SID); restart the SMB service and verify the share is still there.
Fix in production since late 2016.
Updated by Electric Monk over 1 year ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit db46347b25b03d61611dcb9b588ee786da62c918 Author: Gordon Ross <firstname.lastname@example.org> Date: 2019-05-28T17:34:10.000Z 7529 SMB shares with no permission for root fail after restart Reviewed by: Alek Pinchuk <email@example.com> Reviewed by: Evan Layton <firstname.lastname@example.org> Reviewed by: Matt Barden <email@example.com> Reviewed by: Sanjay Nadkarni <firstname.lastname@example.org> Reviewed by: Saso Kiselkov <email@example.com> Reviewed by: Rick McNeal <firstname.lastname@example.org> Approved by: Garrett D'Amore <email@example.com>