Weird Permissions Problem



Hello all!

 

I have been using unRAID for around a week now, and up to today have been relatively trouble free.

 

The scenario:

There are two computers (Windows 10 Pro) and two users and one share. Both users have r/w access to the share. Computer 1 is logged in via SMB under User1's account. Computer 2 is logged in via SMB under User2's account. (EDIT: On the share itself, SMB is set to Export: Yes, Security: Private)

 

The issue:

If User1 makes a file on the share, User2 has no permissions to said file. No read, write, nothing. User2 makes another file on the share, User1 has no access to this file either.

 

Leading up to the issue:

I had unraid joined to an Active Directory domain but was having some issues getting user accounts to work properly, so I removed it from the domain, and then added it to a non-default SMB workgroup. That is to say, I changed SMB to "Yes (Workgroup)" and then changed the workgroup name. Both computers that are experiencing the issue are on the same work group. I have run the "New Permissions" tool immediately after unjoining the AD domain. Both machines will map the network drive no problem whatsoever.

 

I had rebooted the server about 5 minutes before reading the item in the "Read this first" topic that says do not reboot the server. However, I recreated the issue and attached the syslog after recreating the issue to this topic.

 

Any help is appreciated

 

Thanks

mainserver-diagnostics-20190912-0607.zip

Edited by adampoconnor
Clarification of config
Link to comment

Have you run the Docker Safe New Permissions  script (it is part of the Fix Common Problems plugin)?  Tools    >>>  Docker Safe New Permissions   

Does this fix the problem temporarily? 

 

Do you know how to use the Linux (or UNIX) command line?  The reason being, it could be a problem with the owner/permission settings and it is necessary to find out how the underlying Linux system is handling those.  We can walk you through the procedure but it would be easier knowing where you are.  (You only need a very slight knowledge to get the information that is needed.)  But the amount of instruction necessary from no knowledge to some knowledge is considerable!

Link to comment
30 minutes ago, Frank1940 said:

Have you run the Docker Safe New Permissions  script (it is part of the Fix Common Problems plugin)?  Tools    >>>  Docker Safe New Permissions   

Does this fix the problem temporarily? 

 

Do you know how to use the Linux (or UNIX) command line?  The reason being, it could be a problem with the owner/permission settings and it is necessary to find out how the underlying Linux system is handling those.  We can walk you through the procedure but it would be easier knowing where you are.  (You only need a very slight knowledge to get the information that is needed.)  But the amount of instruction necessary from no knowledge to some knowledge is considerable!


I have a fair amount of command line experience. I’m no Linux guru, but I can get my way around. 
 

I have run the “Docker Safe New Permissions” plug-in. When I run either that one or the built-in unraid one, the files that User1 made that User2 couldn’t access can now be accessed by User2, but any new files still have the same issue

 

Link to comment

OK, open the terminal  (it is the    >-    symbol on the Toolbar).  type the following

 

ls -al /mnt/user0

That will get you something like this:

 

total 4
drwxrwxrwx 1 nobody users   75 Sep  8 02:30 ./
drwxr-xr-x 9 root   root   180 Aug  6 10:58 ../
drwxrwxrwx 1 nobody users  305 Sep  1 18:20 Backup/
drwxrwxrwx 1 nobody users  273 Nov  6  2017 CommunityApplicationsAppdataBackup/
drwxrwxrwx 1 nobody users 4096 Aug 27 19:01 Media/

These are the Shares on this server.  Now pick one of the shares that contains a file that has the problem.  I am going to proceed using the Share 'Media'.  (Note capitalization is IMPORTANT with Linux!!!) 

 

ls -al /mnt/user0/Media

This gives an output like so:

total 8462508
drwxrwxrwx 1 nobody users       4096 Aug 27 19:01 ./
drwxrwxrwx 1 nobody users         75 Sep  8 02:30 ../
-rw-rw-rw- 1 nobody users    7726504 May 24  2017 100-Magic_Act.mp4
-rw-rw-rw- 1 nobody users  169788268 Mar  2  2013 107D_OutdoorCupboard.mp4

You will, of course, have to pick a path down to a directory which has a file with the permission problem. When you find one, left click at the beginning of it and 'sweep' the entire line.  Now right click on it and copy it.  Paste into a reply.  Be sure to format it as 'Code' --- the   </>    symbol on the Toolbar --- as this will keep everything lined up neatly.

Link to comment

I believe this is what you are looking for. What sticks out to me right away is that all the other files are owned by "nobody" but the file in question, "Computer BG.jpg" is owned by "adam".

 

root@MainServer:~# ls -al /mnt/user0/MWPBDocs/Logo
total 1916
drwxrwxrwx+ 1 nobody users      81 Sep 12 02:05 ./
drwxrwxrwx+ 1 nobody users     273 Sep  8 19:04 ../
-rw-rw-rw-+ 1 nobody users    6148 Sep  8 19:14 .DS_Store
-rw-rw----+ 1 adam   users 1926881 Jun  2 22:29 Computer\ BG.jpg
drwxrwxrwx+ 1 nobody users      23 Sep  8 19:05 Graphics/
drwxrwxrwx+ 1 nobody users      40 Sep  8 19:04 Publishable/

 

Link to comment

Did a bit more research.  Did you notice the  +  sign on the   -rw-rw-rw-+   string of permissions for all your files and directories?  Apparently that means that there are extended permissions called ACLs.   (Google is your friend in these cases.)

 

There is a command---  called getfacl  -----  that will list these.  So try this command:

 

getfacl  /mnt/user0/MWPBDocs/Logo/Computer\ BG.jpg

and let's see what it tells us.    

 

Link to comment

Another thought. 

 

Did you map these shares to your PC as a drive?

 

Did you rework the WIN10 permissions on this mapped drive?

 

The reason for these questions is simple.  You should not have to do anything on the WIN10 end for any additional security on any Secure or Private Unraid SMB share.  All of the protection is being provided on the server by the Unraid SMB system.  (If the Unraid SMB did not do this, the file would be exposed to any (say) Linux computer!)   The system sharing  storing the file must provide all of the file security.  Thus if you share one of your local hard drives on your WIN10 system, you will have to lock down the files from that computer. I am not sure quite what the Unraid SMB system is going to do if you are implementing file access restrictions on the WIN10 end.  It could cause those ACL extensions to be applied!

Edited by Frank1940
Link to comment
29 minutes ago, Frank1940 said:

There is a command---  called getfacl  -----  that will list these.  So try this command:

# file: mnt/user0/MWPBDocs/Logo/Computer BG.jpg
# owner: adam
# group: users
user::rw-
user:root:rwx			#effective:rw-
user:nobody:rwx			#effective:rw-
user:930611700:rwx		#effective:rw-
user:930612313:rwx		#effective:rw-
group::---
group:930611713:---
group:930612304:rwx		#effective:rw-
mask::rw-
other::---

Here's the result of getfacl

Link to comment
13 minutes ago, Frank1940 said:

Another thought. 

 

Did you map these shares to your PC as a drive?

 

Did you rework the WIN10 permissions on this mapped drive?

 

The reason for these questions is simple.  You should not have to do anything on the WIN10 end for any additional security on any Secure or Private Unraid SMB share.  All of the protection is being provided on the server by the Unraid SMB system.  (If the Unraid SMB did not do this, the file would be exposed to any (say) Linux computer!)   The system sharing  storing the file must provide all of the file security.  Thus if you share one of your local hard drives on your WIN10 system, you will have to lock down the files from that computer. I am not sure quite what the Unraid SMB system is going to do if you are implementing file access restrictions on the WIN10 end.  It could cause those ACL extensions to be applied!

That I am aware of, there should be nothing on W10 that I have changed other than mapping the share as a network drive in "This PC" and providing my unraid credentials. I should mention that before I unlinked my unraid box from my AD domain, everything worked as normal. I'm almost curious for kicks and giggles if I shouldn't rejoin it and just see what happens? I'd rather not have to go that route, as it turns out trying to manage a non-Windows server on AD is a major PITA.

Link to comment
1 hour ago, Frank1940 said:

Try this command first:


chmod 777 /mnt/user0/MWPBDocs/Logo/Computer\ BG.jpg

Then check if the other user has access to the file.  You can see what this command did with this one (again):


ls -al /mnt/user0/MWPBDocs/Logo

 

So from what I can tell, the chmod command there made the file open to all users? In any case, that *did* allow User2 on Computer2 to access the file. So if I understand unraid permissions correctly, all files are supposed to be owned by "nobody" but the users that I allow read or r/w access through the gui are added to a user group for that share so that they can be manipulated? Does that line of thought make sense?

Link to comment

Here's another new development. On my MacBook running the Catalina beta, I connected to my server via SMB, and added new files to the share, but on the unraid shell, when I LS the directory, the files do not appear....

(EDIT: /mnt/cache shows the files in the correct directory)

 

(EDIT2: This brings up an interesting discovery too. The files that I added from my Mac are owned by my user account with the same type of permissions as the file from Windows. This more and more points to the SMB server in my opinion)

Edited by adampoconnor
Link to comment
12 minutes ago, adampoconnor said:

So if I understand unraid permissions correctly, all files are supposed to be owned by "nobody" but the users that I allow read or r/w access through the gui are added to a user group for that share so that they can be manipulated? Does that line of thought make sense?

Try this:

grep '^group_name_here:' /etc/group

This is new ground for me as well as you.  As I said, "Google is your friend" and I must admit that I do not know the in-and-outs of exactly how things are handled.

 

I assume that your conclusion is correct but I have no firm proof of that truly being the case.  

 

I was never involved with a Windows Server setup that used AD. (I do seem to recall seeing some posts on this forum about folks not having great experiences linking Unraid to it.)  I actually retired before 'Windows for Workgroups' was introduced but I did help administer a UNIX server that provided file serving for a number of DOS computers that were connected by means of AT&T StarLan.  As I recall, we also had a Laser printer (Don't even ask the cost of this device) connected to this network.  The entire network was less than twenty devices.

Link to comment
26 minutes ago, adampoconnor said:

Here's another new development. On my MacBook running the Catalina beta, I connected to my server via SMB, and added new files to the share, but on the unraid shell, when I LS the directory, the files do not appear....

OH, things just keep getting better and better.  Can you see them in the file explorers on the MacBook and Windows?  

 

One thing I just noticed: while ls sorts files alphabetically, CAPS come before small letters. So    Files  letters data  files   sort this way

 

Files

data

files

letters

 

EDIT:  Be careful with this example.  Windows will only find one of those two with the same base (Files and files).  The other one will be invisible.  Folks have 'lost' whole groups of files by putting them into a directory on an Unraid system with two directories that differ in name only by the first letter being capitalized!

Edited by Frank1940
Link to comment
6 minutes ago, Frank1940 said:

OH, things just keep getting better and better.  Can you see them in the file explorers on the MacBook and Windows?  

 

One thing I just noticed: while ls sorts files alphabetically, CAPS come before small letters. So    Files  letters data     sort this way

 

Files

data

letters

 

Alright, after doing some testing and messing around here is where I am at.

 

I forgot that uploaded files go to the cache drive *first* and then make it to the unraid disks with the mover, so that's where that confusion on file locations comes from. 

 

Now, when I copy a file from my MacBook to the share, I can read them on windows or other Macs and do whatever I want with them. It's when I add a file from windows that things get screwy. So, as usual, Windows is effing me over. Go figure :roll eyes:. It looks like I need to turn back around and try to figure out what AD did to my windows workstations that is causing such dysfunction. And here I am all this time trying to blame unraid. I will be doing some google research on that, but if you have any input on where to look I would greatly appreciate it. Thanks so much for your help up to this point!

Link to comment
1 hour ago, adampoconnor said:

To anyone who sees this looking for an answer:

Through random order of rebooting both my computer and the server and being away from it all for a weekend, the problem has suddenly disappeared. While I wish I had a concrete answer to this behavior, I'm just happy that it works.

Welcome to the wild, weird and wonderful world of SMB.  Solving problems often seems to be more dependent on witchcraft than science...

Link to comment
  • 4 weeks later...
  • 3 months later...
On 9/12/2019 at 6:06 PM, Frank1940 said:

Did a bit more research.  Did you notice the  +  sign on the   -rw-rw-rw-+   string of permissions for all your files and directories?  Apparently that means that there are extended permissions called ACLs.

I had exactly this problem. Messed up permissions after leaving an AD.

I removed all ACLs with this simple Command...

setfacl -Rb /mnt/user/*

and then using the unraid "New Permissions" feature to get the permissions right again.

 

P.S. I know the topic is a bit old but I didn't know where else I should post this solution, hope that's OK.

Link to comment
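An added example (not from any poster in this thread): a small Python parser for the getfacl output posted earlier, showing which extended entries `setfacl -b` would drop, which numeric IDs no longer resolve to a name on the server, and what plain mode is left afterwards. The function names are illustrative, and the sample is the posted output with tabs collapsed to spaces; intersecting group:: with the mask reflects how setfacl avoids widening group access when it removes the mask.

```python
# getfacl output as posted in this thread (tabs collapsed to spaces).
SAMPLE = """\
# file: mnt/user0/MWPBDocs/Logo/Computer BG.jpg
# owner: adam
# group: users
user::rw-
user:root:rwx #effective:rw-
user:nobody:rwx #effective:rw-
user:930611700:rwx #effective:rw-
user:930612313:rwx #effective:rw-
group::---
group:930611713:---
group:930612304:rwx #effective:rw-
mask::rw-
other::---
"""
BITS = {"r": 4, "w": 2, "x": 1}

def perm_bits(perms):
    """'rw-' -> 6"""
    return sum(BITS[c] for c in perms if c in BITS)

def parse_getfacl(text):
    """Return (header dict, [(tag, qualifier, bits)]) for one file's access ACL."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.split("#effective")[0].strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            header[key] = value
        elif line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perm_bits(perms)))
    return header, entries

def audit(text):
    header, entries = parse_getfacl(text)
    mask = next((b for t, q, b in entries if t == "mask"), 7)
    base = {t: b for t, q, b in entries if not q and t != "mask"}
    # Named entries are "extended"; their effective rights are capped by the mask.
    extended = [(t, q, b & mask) for t, q, b in entries if q]
    # A numeric qualifier is an ID getfacl could not map to a local name.
    unresolved = [q for t, q, b in extended if q.isdigit()]
    # Mode left once the extended entries and the mask are removed.
    mode = base["user"] << 6 | (base["group"] & mask) << 3 | base["other"]
    return {"owner": header["owner"], "extended": extended,
            "unresolved_ids": unresolved, "mode_after_strip": format(mode, "04o")}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the posted file the result is mode 0600 owned by adam, so stripping the ACL alone still leaves other users locked out until ownership and mode are reset.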
