adampoconnor Posted September 12, 2019 (edited)

Hello all! I have been using unRAID for around a week now, and up to today have been relatively trouble free.

The scenario: There are two computers (Windows 10 Pro) and two users and one share. Both users have r/w access to the share. Computer 1 is logged in via SMB under User1's account. Computer 2 is logged in via SMB under User2's account. (EDIT: On the share itself, SMB is set to Export: Yes, Security: Private)

The issue: If User1 makes a file on the share, User2 has no permissions to said file. No read, write, nothing. User2 makes another file on the share, User1 has no access to this file either.

Leading up to the issue: I had unraid joined to an Active Directory domain but was having some issues getting user accounts to work properly, so I removed it from the domain, and then added it to a non-default SMB workgroup. That is to say, I changed SMB to "Yes (Workgroup)" and then changed the workgroup name. Both computers that are experiencing the issue are on the same work group. I have run the "New Permissions" tool immediately after unjoining the AD domain. Both machines will map the network drive no problem whatsoever.

I had rebooted the server about 5 minutes before reading the item in the "Read this first" topic that says do not reboot the server. However, I recreated the issue and attached the syslog after recreating the issue to this topic.

Any help is appreciated. Thanks

mainserver-diagnostics-20190912-0607.zip

Edited September 12, 2019 by adampoconnor: Clarification of config

Frank1940 Posted September 12, 2019

Have you run the Docker Safe New Permissions script (it is part of the Fix Common Problems plugin)?

    Tools >>> Docker Safe New Permissions

Does this fix the problem temporarily?

Do you know how to use the Linux (or UNIX) command line? The reason being, it could be a problem with the owner/permission settings and it is necessary to find out how the underlying Linux system is handling those. We can walk you through the procedure but it would be easier knowing where you are. (You only need a very slight knowledge to get the information that is needed.) But the amount of instruction necessary from no knowledge to some knowledge is considerable!

adampoconnor Posted September 12, 2019

30 minutes ago, Frank1940 said:
> Have you run the Docker Safe New Permissions script (it is part of the Fix Common Problems plugin)? Tools >>> Docker Safe New Permissions Does this fix the problem temporarily? Do you know how to use the Linux (or UNIX) command line? The reason being, it could be a problem with the owner/permission settings and it is necessary to find out how the underlying Linux system is handling those. We can walk you through the procedure but it would be easier knowing where you are. (You only need a very slight knowledge to get the information that is needed.) But the amount of instruction necessary from no knowledge to some knowledge is considerable!

I have a fair amount of command line experience. I'm no Linux guru, but I can get my way around.

I have run the "Docker Safe New Permissions" plug-in. When I run either that one or the built-in unraid one, the files that User1 made that User2 couldn't access can now be accessed by User2, but any new files still have the same issue.

Frank1940 Posted September 12, 2019

OK, open the terminal (it is the >- symbol on the Toolbar). Type the following:

    ls -al /mnt/user0

That will get you something like this:

    total 4
    drwxrwxrwx 1 nobody users 75 Sep 8 02:30 ./
    drwxr-xr-x 9 root root 180 Aug 6 10:58 ../
    drwxrwxrwx 1 nobody users 305 Sep 1 18:20 Backup/
    drwxrwxrwx 1 nobody users 273 Nov 6 2017 CommunityApplicationsAppdataBackup/
    drwxrwxrwx 1 nobody users 4096 Aug 27 19:01 Media/

These are the Shares on this server. Now pick one of the shares that contains a file that has the problem. I am going to proceed using the Share 'Media'. (Note capitalization is IMPORTANT with Linux!!!)

    ls -al /mnt/user0/Media

This gives an output like so:

    total 8462508
    drwxrwxrwx 1 nobody users 4096 Aug 27 19:01 ./
    drwxrwxrwx 1 nobody users 75 Sep 8 02:30 ../
    -rw-rw-rw- 1 nobody users 7726504 May 24 2017 100-Magic_Act.mp4
    -rw-rw-rw- 1 nobody users 169788268 Mar 2 2013 107D_OutdoorCupboard.mp4

You will, of course, have to pick a path down to a directory which has a file with the permission problem. When you find one, left click at the beginning of it and 'sweep' the entire line. Now right click on it and copy it. Paste into a reply. Be sure to format it as 'Code' --- the </> symbol on the Toolbar --- as this will keep everything lined up neatly.

Frank1940 Posted September 12, 2019

Use the Up-arrow key to recall the last command. The arrow keys are very useful in the Terminal window. Play with them a bit...

adampoconnor Posted September 12, 2019

I believe this is what you are looking for. What sticks out to me right away is that all the other files are owned by "nobody" but the file in question, "Computer BG.jpg" is owned by "adam".

    root@MainServer:~# ls -al /mnt/user0/MWPBDocs/Logo
    total 1916
    drwxrwxrwx+ 1 nobody users 81 Sep 12 02:05 ./
    drwxrwxrwx+ 1 nobody users 273 Sep 8 19:04 ../
    -rw-rw-rw-+ 1 nobody users 6148 Sep 8 19:14 .DS_Store
    -rw-rw----+ 1 adam users 1926881 Jun 2 22:29 Computer\ BG.jpg
    drwxrwxrwx+ 1 nobody users 23 Sep 8 19:05 Graphics/
    drwxrwxrwx+ 1 nobody users 40 Sep 8 19:04 Publishable/

Frank1940 Posted September 12, 2019

Try this command first:

    chmod 777 /mnt/user0/MWPBDocs/Logo/Computer\ BG.jpg

Then check if the other user has access to the file. You can see what this command did with this one (again):

    ls -al /mnt/user0/MWPBDocs/Logo

Frank1940 Posted September 12, 2019

Did a bit more research. Did you notice the + sign on the -rw-rw-rw-+ string of permissions for all your files and directories? Apparently that means that there are extended permissions called ACLs. (Google is your friend in these cases.) There is a command --- called getfacl --- that will list these. So try this command:

    getfacl /mnt/user0/MWPBDocs/Logo/Computer\ BG.jpg

and let's see what it tells us.

Frank1940 Posted September 12, 2019 (edited)

Another thought. Did you map these shares to your PC as a drive? Did you rework the WIN10 permissions on this mapped drive?

The reason for these questions is simple. You should not have to do anything on the WIN10 end for any additional security on any Secure or Private Unraid SMB share. All of the protection is being provided on the server by the Unraid SMB system. (IF the Unraid SMB did not do this, the file would be exposed to any (say) Linux computer!) The system sharing storing the file must provide all of the file security. Thus if you share one of your local hard drives on your WIN10 system, you will have to lock down the files from that computer.

I am not sure quite what the Unraid SMB system is going to do if you are implementing file access restrictions on the WIN10 end. It could cause those ACL extensions to be applied!

Edited September 12, 2019 by Frank1940

adampoconnor Posted September 12, 2019

29 minutes ago, Frank1940 said:
> There is a command --- called getfacl --- that will list these. So try this command:

    # file: mnt/user0/MWPBDocs/Logo/Computer BG.jpg
    # owner: adam
    # group: users
    user::rw-
    user:root:rwx #effective:rw-
    user:nobody:rwx #effective:rw-
    user:930611700:rwx #effective:rw-
    user:930612313:rwx #effective:rw-
    group::---
    group:930611713:---
    group:930612304:rwx #effective:rw-
    mask::rw-
    other::---

Here's the result of getfacl

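An added example, not part of anyone's post in this thread: a Python sketch that parses the getfacl output above and applies the POSIX ACL access check to it. It shows why a second account in group `users` is denied even though `ls` prints `rw-` in the group column (with an ACL present that column shows the mask, not `group::`), and it lists the qualifiers getfacl printed as bare numbers because no local name resolved. The account name `user2` used when calling it is an assumption; the thread does not name the second account.

```python
import re

# getfacl output as posted in the thread (copied from the page).
SAMPLE = """\
# file: mnt/user0/MWPBDocs/Logo/Computer BG.jpg
# owner: adam
# group: users
user::rw-
user:root:rwx  #effective:rw-
user:nobody:rwx  #effective:rw-
user:930611700:rwx  #effective:rw-
user:930612313:rwx  #effective:rw-
group::---
group:930611713:---
group:930612304:rwx  #effective:rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perms)."""
    meta, entries = {}, []
    for line in text.splitlines():
        m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
        if m:
            meta[m.group(1)] = m.group(2)
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split("#")[0].strip().split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def allowed(text, user, groups, want):
    """POSIX ACL access check: the first matching class decides, no fall-through."""
    owner, group, entries = parse_getfacl(text)
    want = set(want)
    mask = next((p for t, q, p in entries if t == "mask"), set("rwx"))
    if user == owner:
        return want <= next(p for t, q, p in entries if t == "user" and not q)
    named = [p for t, q, p in entries if t == "user" and q == user]
    if named:
        return want <= (named[0] & mask)
    hits = [p & mask for t, q, p in entries if t == "group"
            and ((not q and group in groups) or (q and q in groups))]
    if hits:
        return any(want <= p for p in hits)
    return want <= next(p for t, q, p in entries if t == "other")

def unresolved_ids(text):
    """ACL qualifiers that getfacl printed as bare numbers (no local name found)."""
    return [q for _, q, _ in parse_getfacl(text)[2] if q.isdigit()]
```

For example, `allowed(SAMPLE, "user2", ["users"], "r")` is False: the account matches the owning group entry `group::---`, and that match ends the check before `other::` is consulted.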
adampoconnor Posted September 12, 2019

13 minutes ago, Frank1940 said:
> Another thought. Did you map these shares to your PC as a drive? Did you rework the WIN10 permissions on this mapped drive? The reason for these questions is simple. You should not have to do anything on the WIN10 end for any additional security on any Secure or Private Unraid SMB share. All of the protection is being provided on the server by the Unraid SMB system. (IF the Unraid SMB did not do this, the file would be exposed to any (say) Linux computer!) The system sharing storing the file must provide all of the file security. Thus if you share one of your local hard drives on your WIN10 system, you will have to lock down the files from that computer. I am not sure quite what the Unraid SMB system is going to do if you are implementing file access restrictions on the WIN10 end. It could cause those ACL extensions to be applied!

That I am aware of, there should be nothing on W10 that I have changed other than mapping the share as a network drive in "This PC" and providing my unraid credentials.

I should mention that before I unlinked my unraid box from my AD domain, everything worked as normal. I'm almost curious for kicks and giggles if I shouldn't rejoin it and just see what happens? I'd rather not have to go that route, as it turns out trying to manage a non-Windows server on AD is a major PITA.

adampoconnor Posted September 12, 2019

1 hour ago, Frank1940 said:
> Try this command first: chmod 777 /mnt/user0/MWPBDocs/Logo/Computer\ BG.jpg Then check if the other user has access to the file. You can see what this command did with this one (again): ls -al /mnt/user0/MWPBDocs/Logo

So from what I can tell, the chmod command there made the file open to all users? In any case, that *did* allow User2 on Computer2 to access the file.

So if I understand unraid permissions correctly, all files are supposed to be owned by "nobody" but the users that I allow read or r/w access through the gui are added to a user group for that share so that they can be manipulated? Does that line of thought make sense?

adampoconnor Posted September 12, 2019 (edited)

Here's another new development. On my MacBook running the Catalina beta, I connected to my server via SMB, and added new files to the share, but on the unraid shell, when I LS the directory, the files do not appear....

(EDIT: /mnt/cache shows the files in the correct directory)

(EDIT2: This brings up an interesting discovery too. The files that I added from my Mac are owned by my user account with the same type of permissions as the file from Windows. This more and more points to the SMB server in my opinion)

Edited September 12, 2019 by adampoconnor

Frank1940 Posted September 12, 2019

12 minutes ago, adampoconnor said:
> So if I understand unraid permissions correctly, all files are supposed to be owned by "nobody" but the users that I allow read or r/w access through the gui are added to a user group for that share so that they can be manipulated? Does that line of thought make sense?

Try this:

    grep '^group_name_here:' /etc/group

This is new ground for me as well as you. As I said, "Google is your friend" and I must admit that I do not know the ins-and-outs of exactly how things are handled. I assume that your conclusion is correct but I have no firm proof of that truly being the case.

I was never involved with a Windows Server setup that used AD. (I do seem to recall seeing some posts on this forum about folks not having great experiences linking Unraid to it.) I actually retired before 'Windows for Workgroups' was introduced but I did help administer a UNIX server that provided file serving for a number of DOS computers that were connected by means of AT&T StarLan. As I recall, we also had a Laser printer (Don't even ask the cost of this device) connected to this network. The entire network was less than twenty devices.

Frank1940 Posted September 12, 2019 (edited)

26 minutes ago, adampoconnor said:
> Here's another new development. On my MacBook running the Catalina beta, I connected to my server via SMB, and added new files to the share, but on the unraid shell, when I LS the directory, the files do not appear....

OH, things just keep getting better and better. Can you see them in the file explorers on the MacBook and Windows?

One thing I just noticed: while ls sorts files alphabetically, CAPS come before small letters. So

    Files
    letters
    data
    files

sort this way

    Files
    data
    files
    letters

EDIT: Be careful with this example. Windows will only find one of those two with the same base (Files and files). The other one will be invisible. Folks have 'lost' whole groups of files by putting them into a directory on an Unraid system with two directories that differ in name only by the first letter being capitalized!

Edited September 12, 2019 by Frank1940

adampoconnor Posted September 12, 2019

6 minutes ago, Frank1940 said:
> OH, things just keep getting better and better. Can you see them in the file explorers on the MacBook and Windows? One thing I just noticed: while ls sorts files alphabetically, CAPS come before small letters. So Files, letters, data sort this way: Files, data, letters

Alright, after doing some testing and messing around here is where I am at.

I forgot that uploaded files go to the cache drive *first* and then make it to the unraid disks with the mover, so that's where that confusion on file locations comes from.

Now: when I copy a file from my MacBook to the share, I can read them on Windows or other Macs and do whatever I want with them. It's when I add a file from Windows that things get screwy. So, as usual, Windows is effing me over. Go figure :roll eyes:. It looks like I need to turn back around and try to figure out what AD did to my Windows workstations that is causing such dysfunction. And here I am all this time trying to blame unraid.

I will be doing some google research on that, but if you have any input on where to look I would greatly appreciate it. Thanks so much for your help up to this point!

Frank1940 Posted September 12, 2019

I wish you luck. When you find a solution, would you please write it up and post it in one of the FAQ stickies on this subforum -- General Support. It will probably help some other person in the future.

adampoconnor Posted September 17, 2019

To anyone who sees this looking for an answer: Through random order of rebooting both my computer and the server and being away from it all for a weekend, the problem has suddenly disappeared. While I wish I had a concrete answer to this behavior, I'm just happy that it works.

Frank1940 Posted September 17, 2019

1 hour ago, adampoconnor said:
> To anyone who sees this looking for an answer: Through random order of rebooting both my computer and the server and being away from it all for a weekend, the problem has suddenly disappeared. While I wish I had a concrete answer to this behavior, I'm just happy that it works.

Welcome to the wild, weird and wonderful of SMB. Solving problems often seems to be more dependent on witchcraft than science...

adampoconnor Posted October 14, 2019

Small update on the matter: The issue reappeared. To solve it, I created a new share and emulated the user access and decommissioned the old share. Finally, I have been problem free for two weeks now.

HypR Posted January 27, 2020

On 9/12/2019 at 6:06 PM, Frank1940 said:
> Did a bit more research. Did you notice the + sign on the -rw-rw-rw-+ string of permissions for all your files and directories? Apparently that means that there are extended permissions called ACLs.

I had exactly this problem. Messed up permissions after leaving an AD.

I removed all ACLs with this simple command...

    setfacl -Rb /mnt/user/*

and then using the unraid "New Permissions" feature to get the permissions right again.

P.S. I know the topic is a bit old but I didn't know where else I should post this solution, hope that's ok.