Solved samba share permission privilege changed since update

[bxbzq]

Hello folks,
I'm having samba share permission privilege since an upgrade today. Now it's 13.2-release-p4.
Now the file server is running samba4.16-11. People here cannot work with files on the server as they used to. When opening a file from Windows10, a typical error is like this:

Looks all files on the server are now readonly. Even owner cannot open a file normally from Window10.
IIRC, I had no problem when upgraded from 13.2-release-p2 to p3.
Helps are appriciated.

 

[sko]

Any reason why you might specifically need Samba 4.16?
I reverted to 4.13 on our file server because 4.16 caused nothing but problems and simply wasn't a drop-in-upgrade from 4.13...

 

[bxbzq]

Any reason why you might specifically need Samba 4.16?
I reverted to 4.13 on our file server because 4.16 caused nothing but problems and simply wasn't a drop-in-upgrade from 4.13...

IIRC, it was 4.16 since I set up the server a few months back.
I could be wrong though. How do you revert to 4.13? I might try to do the same. Instructions would be nice.

 

[sko]

How do you revert to 4.13?

just install net/samba413

 

[SirDice]

Any 'weird' (i.e. non-latin) characters in that directory name? It might be a localization issue.

 

[bxbzq]

Any 'weird' (i.e. non-latin) characters in that directory name? It might be a localization issue.

No. There was no privilege problem before the upgrade.

 

[SirDice]

Localization != privileges.

But speaking of privileges, or more importantly, the SMB version that's used. What does your smb4.conf look like?

 

[freejlr]

As the user sko said, reinstall the previous version, on the other hand I don't know if you are using ZFS on your system, in any case if you are using it for the next time you could use BootEnvironments this will allow you to do a rollback if necessary if the updated service does not work properly.

 

[bxbzq]

Localization != privileges.

But speaking of privileges, or more importantly, the SMB version that's used. What does your smb4.conf look like?

There are directories having special symbolsdot(.), space( ), single quote or chinese letters. There are also those containing only english letters. All behave the same, error pops up when opening files.
Here is /usr/local/etc/smb4.conf. I haven't made any changes since this one started to work for me months back.

[global]
    netbios name = JFSVR
    passdb backend = tdbsam
    realm = RET.IO
    workgroup = RET
    max connections = 30
    vfs objects = dfs_samba4 zfsacl
    server string = office samba server %v
    server role = standalone server
    security = user
    ntlm auth = yes
    local master = yes
    log level = 3
    max log size = 5000
    log file = /var/log/samba4/%m
    os level = 255
    hosts allow = 192.168.0.0/255.255.0.0 
    dns forwarder = no
    dns proxy = no
    interfaces = bce0, lo0
    bind interfaces only = yes
    socket options = TCP_NODELAY

[store1]
    path = /jails/samba/store1
    valid users = @mgmt, @eng, @mfg, @sales, @qual, @purch, @hr, @fina, @mech, @elec, @oper, dzs97p
    write list = @eng, @mfg, @sales, @qual, @purch, @mech, @elec, dzs97p
    browseable = yes
    writeable  = yes
    guest ok = no
    public = no
    create mask = 0775
    force create mode = 0775
    directory mask = 0775
    force directory mode = 0775
    inherit acls = no
    inherit owner = no
    inherit permissions = yes

[store2]
    path = /jails/samba/store2
    valid users = @mgmt, @eng, @mfg, @sales, @qual, @purch, @hr, @fina, @mech, @elec, @oper, @smbuser, dzs97p
    write list = @mgmt, @eng, @mfg, @sales, @qual, @purch, @elec, @mech, @smbuser, dzs97p
    writeable  = yes
    browseable = yes
    guest ok = no
    public = no
    create mask = 0775
    force create mode = 0775
    directory mask = 0775
    force directory mode = 0775
    inherit acls = no
    inherit owner = no
    inherit permissions = yes

 

[bxbzq]

As the user sko said, reinstall the previous version, on the other hand I don't know if you are using ZFS on your system, in any case if you are using it for the next time you could use BootEnvironments this will allow you to do a rollback if necessary if the updated service does not work properly.

No, I'm not using ZFS.

Correction: I was confused by ZFS and actually thinking NFS. Yes, I'm using ZFS. Thanks for the tip.

 

[SirDice]

 ntlm auth = yes

Don't enable this. Seriously.

 

[bxbzq]

 ntlm auth = yes

Don't enable this. Seriously.

OK. I'll comment out this line. But, it is not related to the problem I'm seeing, is it?

 

[SirDice]

Well, I read some Microsoft knowledge base articles and you can get this same error if authentication isn't set up properly, if you only allow SMBv1 for example. So it might be related. It may also not be the only thing that's not correct.

 

[bxbzq]

There are people on other forums mentioning a workaround to this problem is clear smb cache on Synology system. How do I do so in FreeBSD?

 

[bxbzq]

just install net/samba413

Now I have samba413 running. Obviously, the problem persists.

 

[VladiBG]

Is this server part of DFS? Are you using ZFS ACL?

 

[bxbzq]

Is this server part of DFS?

Not sure what DFS is, but it is configured as standalone file server.

Are you using ZFS ACL?

The smb4.conf has a line vfs objects = dfs_samba4 zfsacl

 

[VladiBG]

DFS is distributed file system so you can have multiple file servers located in each branch office which provide same shares and when roaming clients connect to that shares they pick up the closest local server to access the shares while instead of accessing each server individually they use the domain name.

for example
\\server1\share1\
\\server2\share1\
\\domain\share1\

so the users connect to \\domain\share1\ which is served by both server1 and server2 and depending of the user location it will get connected to the local branch server. For all this you need a working DNS....

If you don't use DFS then disable dfs_samba4 same goes and for ZFS acl which is used in NFS. You can comment the entire line of "vfs objects" then restart the samba server and see if you can connect to the server.

 

[bxbzq]

DFS is distributed file system so you can have multiple file servers located in each branch office which provide same shares and when roaming clients connect to that shares they pick up the closest local server to access the shares while instead of accessing each server individually they use the domain name.

for example
\\server1\share1\
\\server2\share1\
\\domain\share1\

so the users connect to \\domain\share1\ which is served by both server1 and server2 and depending of the user location it will get connected to the local branch server. For all this you need a working DNS....

If you don't use DFS then disable dfs_samba4 same goes and for ZFS acl which is used in NFS. You can comment the entire line of "vfs objects" then restart the samba server and see if you can connect to the server.

Just did what you suggest, I can connect to the server, but the problem of opening files persists.

 

[freejlr]

Have you ensured that the minimum protocol that the server runs is SMB2? Like they said.

client min protocol = ""SMB2 or SMB3""
server min protocol = ""SMB2 or SMB3""

Can you see anything in the Samba logs that helps you? On the other hand, you are focusing only on the server. If the clients are Windows, have you been able to view anything in the event viewer?

 

[bxbzq]

Have you ensured that the minimum protocol that the server runs is SMB2? Like they said.

Yes, no difference.

Can you see anything in the Samba logs that helps you? On the other hand, you are focusing only on the server. If the clients are Windows, have you been able to view anything in the event viewer?

I have very limited knowledge on this topic, understanding the log files is a challenge.
I raise log level to 4, hopefully there can be something clearer.

 

[Eric A. Borisch]

Can you check what version of Samba you had running when it was last working?

Also, make sure you are restarting or reloading the Samba service after changing any parameters in the configuration file. (it’s easier to restart, since a reload will leave previously established sessions active.)

 

[bxbzq]

From /var/log/messages,

Oct 23 12:39:55 jfsvr pkg[7028]: samba416 upgraded: 4.16.10_1 -> 4.16.11

Then it kept getting errors related to zfsacl:

Oct 23 12:56:04 jfsvr smbd[19357]: [2023/10/23 12:56:04.465164,  0] ../../lib/util/modules.c:49(load_module)
Oct 23 12:56:04 jfsvr smbd[19357]:   Error loading module '/usr/local/lib/samba4/modules/vfs/zfsacl.so': /usr/local/lib/samba4/private/libsmbd-base-samba4.so: version SAMBA_4.16.11_SAMBA4 required by /usr/local/lib/samba4/modules/vfs/zfsacl.so not found
Oct 23 12:56:04 jfsvr smbd[19357]: [2023/10/23 12:56:04.465272,  0] ../../source3/smbd/vfs.c:186(vfs_init_custom)
Oct 23 12:56:04 jfsvr smbd[19357]:   error probing vfs module 'zfsacl': NT_STATUS_UNSUCCESSFUL
Oct 23 12:56:04 jfsvr smbd[19357]: [2023/10/23 12:56:04.465348,  0] ../../source3/smbd/vfs.c:399(smbd_vfs_init)
Oct 23 12:56:04 jfsvr smbd[19357]:   smbd_vfs_init: vfs_init_custom failed for zfsacl
Oct 23 12:56:04 jfsvr smbd[19357]: [2023/10/23 12:56:04.465398,  0] ../../source3/smbd/service.c:639(make_connection_snum)
Oct 23 12:56:04 jfsvr smbd[19357]:   make_connection_snum: vfs_init failed for service IPC$
...

But after system reboot, the errors stopped showing up.
The line queue_query_name: interface 1 has NULL IP address ! is new and suspicious. No idea where it comes from.

Oct 23 15:10:49 jfsvr nmbd[1145]: [2023/10/23 15:10:49.196924,  0] ../../source3/nmbd/nmbd.c:901(main)
Oct 23 15:10:49 jfsvr nmbd[1145]:   nmbd version 4.16.11 started.
Oct 23 15:10:49 jfsvr nmbd[1145]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
Oct 23 15:10:49 jfsvr nmbd[1146]: [2023/10/23 15:10:49.260197,  0] ../../source3/nmbd/nmbd_packets.c:761(queue_query_name)
Oct 23 15:10:49 jfsvr nmbd[1146]:   queue_query_name: interface 1 has NULL IP address !
Oct 23 15:10:49 jfsvr smbd[1148]: [2023/10/23 15:10:49.781801,  0] ../../source3/smbd/server.c:1741(main)
Oct 23 15:10:49 jfsvr smbd[1148]:   smbd version 4.16.11 started.
Oct 23 15:10:49 jfsvr smbd[1148]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
Oct 23 15:11:13 jfsvr nmbd[1146]: [2023/10/23 15:11:13.372910,  0] ../../source3/nmbd/nmbd_become_lmb.c:398(become_local_master_stage2)
Oct 23 15:11:13 jfsvr nmbd[1146]:   *****
Oct 23 15:11:13 jfsvr nmbd[1146]:   
Oct 23 15:11:13 jfsvr nmbd[1146]:   Samba name server JFSVR is now a local master browser for workgroup RET on subnet 192.168.1.254
Oct 23 15:11:13 jfsvr nmbd[1146]:   
Oct 23 15:11:13 jfsvr nmbd[1146]:   *****

 

[VladiBG]

"interface 1 has NULL IP address" message is caused by "lo0" interface that you are trying to listen on. Remove it from interface list in your smb4.conf
Change your log file location to log file = /var/log/samba4/%m.log
Change your create mask to create mask = 0660 and directory mask = 0770 you don't need to store files as executable, RW access is enough.
Verify and change if necessary the directory permissions of /jails/samba/store1 and /jails/samba/store2

 

[bxbzq]

"interface 1 has NULL IP address" message is caused by "lo0" interface that you are trying to listen on. Remove it from interface list in your smb4.conf
Change your log file location to log file = /var/log/samba4/%m.log
Change your create mask to create mask = 0660 and directory mask = 0770 you don't need to store files as executable, RW access is enough.
Verify and change if necessary the directory permissions of /jails/samba/store1 and /jails/samba/store2

Hi, I did all. Not sure if it made some difference, but after system reboot, I connected the samba server from a win10 machine, clicked some files and it looked the file operations on server went ok. I wanted to be sure things are working again, so I log out the Windows 10 then back in, connect to server, click file, boom~, error again.