[OmniOS-discuss] smb share disappears after changing folder permissions followed by smb/server restart
Jim Klimov
jimklimov at cos.ru
Thu Nov 3 12:58:57 UTC 2016
On 3 November 2016 11:51:42 CET, "Дмитрий Глушенок" <glush at jet.msk.su> wrote:
>It looks like assigning the file_dac_read privilege solves the problem.
>The following command can be used as a workaround:
>
># ppriv -s +file_dac_read $(pgrep -z global smbd) && kill -HUP $(pgrep -z global smbd)
>
>--
>Dmitry Glushenok
>Jet Infosystems
>
>> On 2 Nov 2016, at 15:36, Дмитрий Глушенок <glush at jet.msk.su> wrote:
>>
>> Hello,
>>
>> The SMB server was joined to an AD domain, then a ZFS dataset was shared using the smbshare=on property. After changing permissions on the dataset folder to something like this (no local users allowed):
>>
>> # /usr/bin/ls -lvd /tzk-data-01
>> d---rwx---+ 8 Administrator at tzk.local Domain Admins at tzk.local 13 Nov 2 12:12 /tzk-data-01
>>     0:group:Domain Users at tzk.lo:list_directory/read_data/read_xattr/execute
>>         /read_attributes/read_acl/synchronize:allow
>>     1:group:Domain Admins at tzk.l:list_directory/read_data/add_file/write_data
>>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>>         /delete_child/read_attributes/write_attributes/delete/read_acl
>>         /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
>> #
>>
>> Everything works fine until smb/server is restarted. After the restart the share disappears from the share list (smbutil view shows only c$, IPC$ and vss$). To get it back I have to change the dataset folder permissions in such a way that local users can access it. For example:
>> - add read/exec permission for user:root
>> - add read/exec permission for everyone@
>> - create idmap record mapping root to domain admin
>>
>> Is this correct behavior? What prevents smbd (running as root) from sharing the folder on start?
>>
>> When the dataset is shared I see that the /tzk-data-01/.zfs/shares/tzk-data-01 file is created with the following attributes:
>>
>> -rwxrwxrwx+ 1 root root 0 Nov 2 15:04 /tzk-data-01/.zfs/shares/tzk-data-01
>>     0:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
>>         /execute/delete_child/read_attributes/write_attributes/delete
>>         /read_acl/write_acl/write_owner/synchronize:allow
>>
>> When smbd is unable to share the dataset after a service restart, the file still exists. No id mapping is done, "idmap list" is empty.
>>
>> --
>> Dmitry Glushenok
>> Jet Infosystems
>>
If that is the case, consider fixing up the method_context privileges in the SMF service for the smb/server.
Good luck and thanks for sharing ;)
--
Typos courtesy of K-9 Mail on my Samsung Android
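
An added example, not part of the original thread: `ppriv -s` only changes the running smbd process, so the quoted workaround is lost at the next smb/server restart, and this check confirms whether the running daemon still holds `file_dac_read`. The helper names, the constructed sample output and the assumption that `ppriv <pid>` prints each privilege set on a single `E:`/`I:`/`P:`/`L:` line are illustrative.

```shell
#!/bin/sh
# Check whether a privilege set printed by illumos `ppriv <pid>` contains
# a given privilege. Hypothetical helpers, added for illustration.

# Constructed sample of ppriv output for smbd (not captured from a real host).
# $1 is appended to the E and P sets, e.g. ",file_dac_read".
sample_ppriv() {
    printf '1234:\t/usr/lib/smbsrv/smbd start\nflags = PRIV_AWARE\n'
    printf '\tE: net_privaddr,sys_mount,sys_smb%s\n' "$1"
    printf '\tI: none\n'
    printf '\tP: net_privaddr,sys_mount,sys_smb%s\n' "$1"
    printf '\tL: all\n'
}

# has_priv SET PRIV
# Reads ppriv output on stdin; returns 0 if PRIV is in set SET (E, I, P or L).
# Handles the "all"/"zone" shorthands and "!priv" exclusions.
has_priv() {
    awk -v set="$1" -v want="$2" '
        $1 == (set ":") {
            n = split($2, p, ",")
            for (i = 1; i <= n; i++) {
                if (p[i] == want || p[i] == "all" || p[i] == "zone") found = 1
                if (p[i] == ("!" want)) denied = 1
            }
        }
        END { exit (found && !denied) ? 0 : 1 }'
}

# On the host itself (pgrep form taken from the thread):
#   ppriv "$(pgrep -z global smbd)" | has_priv E file_dac_read
if sample_ppriv "" | has_priv E file_dac_read; then
    echo "sample: smbd holds file_dac_read"
else
    echo "sample: file_dac_read missing from smbd's effective set"
fi
```

Run after every smb/server restart, a failing check means the workaround has to be reapplied or the privilege set made persistent in the service definition, as the reply suggests.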