[OmniOS-discuss] smb share disappears after changing folder permissions followed by smb/server restart

Дмитрий Глушенок glush at jet.msk.su
Thu Nov 3 10:51:42 UTC 2016


It looks like assigning the file_dac_read privilege solves the problem. The following command can be used as a workaround:

# ppriv -s +file_dac_read $(pgrep -z global smbd) && kill -HUP $(pgrep -z global smbd)

--
Dmitry Glushenok
Jet Infosystems

> On 2 Nov 2016, at 15:36, Дмитрий Глушенок <glush at jet.msk.su> wrote:
> 
> Hello,
> 
> The SMB server was joined to an AD domain, then a ZFS dataset was shared using the smbshare=on property. After changing permissions on the dataset folder to something like this (no local users allowed):
> 
> # /usr/bin/ls -lvd /tzk-data-01
> d---rwx---+  8 Administrator at tzk.local Domain Admins at tzk.local      13 Nov  2 12:12 /tzk-data-01
>     0:group:Domain Users at tzk.lo:list_directory/read_data/read_xattr/execute
>         /read_attributes/read_acl/synchronize:allow
>     1:group:Domain Admins at tzk.l:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
> #
> 
> Everything works fine until smb/server is restarted. After the restart the share disappears from the share list (smbutil view shows only c$, IPC$ and vss$). To bring it back I have to change the dataset folder permissions in such a way that local users can access it. For example:
> - add read/exec permission for user:root
> - add read/exec permission for everyone@
> - create idmap record mapping root to domain admin
> 
> Is this correct behavior? What prevents smbd (running as root) from sharing the folder on start?
> 
> When the dataset is shared I see the /tzk-data-01/.zfs/shares/tzk-data-01 file being created with the following attributes:
> 
> -rwxrwxrwx+  1 root     root           0 Nov  2 15:04 /tzk-data-01/.zfs/shares/tzk-data-01
>     0:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
>         /execute/delete_child/read_attributes/write_attributes/delete
>         /read_acl/write_acl/write_owner/synchronize:allow
> 
> When smbd is unable to share the dataset after a service restart, the file still exists. No ID mapping is done; "idmap list" is empty.
> 
> --
> Dmitry Glushenok
> Jet Infosystems
> 
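
Added example, not part of the original message or of OmniOS: ppriv -s changes only the running process, so a restarted smbd starts again without the extra privilege. The hypothetical helper has_priv below checks one privilege set in the text printed by `ppriv -v PID`, for example `ppriv -v "$(pgrep -z global smbd)" | has_priv E file_dac_read`; the sample outputs are constructed and do not reproduce smbd's real privilege list.

```shell
#!/bin/sh
# Added example: check one privilege set in the text printed by `ppriv -v PID`.

# has_priv SET PRIV: reads ppriv output on stdin; exit status 0 if PRIV is in
# SET (E, I, P or L), 1 otherwise. A bare "all" counts unless "!PRIV" is listed.
has_priv() {
    awk -v want="$1" -v priv="$2" '
        $1 == (want ":") {                # set lines look like "<tab>E: a,b,c"
            line = $0
            sub(/^[ \t]*[A-Z]:/, "", line)
            gsub(/[ \t]/, "", line)
            n = split(line, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] == priv || names[i] == "all") found = 1
                if (names[i] == ("!" priv)) denied = 1
            }
        }
        END { if (found && !denied) exit 0; exit 1 }
    '
}

# Constructed samples (privilege lists are illustrative only): the process
# before and after file_dac_read has been added to its effective set.
sample_before() {
    printf '1234:\t/usr/lib/smbsrv/smbd start\nflags = <none>\n'
    printf '\tE: file_read,file_write,net_privaddr,proc_exec,proc_fork,sys_smb\n'
    printf '\tL: all\n'
}
sample_after() {
    printf '1234:\t/usr/lib/smbsrv/smbd start\nflags = <none>\n'
    printf '\tE: file_dac_read,file_read,file_write,net_privaddr,proc_exec,proc_fork,sys_smb\n'
    printf '\tL: all\n'
}

# Report the effective set for both samples.
for s in before after; do
    if "sample_$s" | has_priv E file_dac_read; then
        echo "$s: file_dac_read present in E"
    else
        echo "$s: file_dac_read missing from E"
    fi
done
```

Run after every smb/server restart, a non-zero exit status shows that the workaround needs to be applied again.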


