Bug #7529
SMB shares with no permission for root fail after restart
100%
Description
SMB server was joined AD domain, then ZFS dataset was shared using smbshare=on property. After changing permissions on dataset folder to something like this (no local users allowed):
# /usr/bin/ls -lvd /tzk-data-01
d---rwx---+ 8 Administrator@tzk.local Domain Admins@tzk.local 13 Nov 2 12:12 /tzk-data-01
0:group:Domain Users@tzk.lo:list_directory/read_data/read_xattr/execute
/read_attributes/read_acl/synchronize:allow
1:group:Domain Admins@tzk.l:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
#
Everything works fine till smb/server restart. After restart the share disappears from share list (smbutil view shows only c$, IPC$ and vss$).
It was found that assigning file_dac_read privilege to smbd (via ppriv) solves the problem. The issue was observed on OmniOS r151018, root cause unknown.
Files
History
Updated by Gordon Ross over 3 years ago
Updated by - File 0001-NEX-6949-SMB-shares-with-no-permission-for-root-fail.patch 0001-NEX-6949-SMB-shares-with-no-permission-for-root-fail.patch added
Yeah, we have a fix for this to upstream.
The problem here is that smbd drops all its privileges,
later elevating only when it needs to.
I'm not sure how much point there is in that,
but we kept the design, and added calls to
temporarily elevate privilege when doing
share/unshare work. See this patch:
0001-NEX-6949-SMB-shares-with-no-permission-for-root-fail.patch
See also: #7530 (related issue)
Updated by Gordon Ross about 1 year ago
- Subject changed from smbd unable to share folder whose permissions do not allow the read permission for user root to SMB shares with no permission for root fail after restart
- Status changed from New to In Progress
Updated by Gordon Ross about 1 year ago
Problem was that, internal to the SMB server, the operation to setup the .zfs/share directory was happening after smbd has dropped its privileges. It needs to temporarily reinstate some privileges for the duration of that work.
Tested with a share with an ACL granting access only to some Windows user (a SID); restart the SMB service and verify the share is still there.
Fix in production since late 2016.
Updated by Electric Monk 12 months ago
Updated by - Status changed from In Progress to Closed
- % Done changed from 0 to 100
git commit db46347b25b03d61611dcb9b588ee786da62c918
commit db46347b25b03d61611dcb9b588ee786da62c918
Author: Gordon Ross <gwr@nexenta.com>
Date: 2019-05-28T17:34:10.000Z
7529 SMB shares with no permission for root fail after restart
Reviewed by: Alek Pinchuk <alek@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Sanjay Nadkarni <sanjay.nadkarni@nexent.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Approved by: Garrett D'Amore <garrett@damore.org>