deadlock

Status
Not open for further replies.

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, today I tested v9.3 Beta (FreeNAS-9.3-BETA-853426f-x64) in VMware Player to see if the sharing problem still persists. And it is still there.

I created a standard dataset with Windows ACLs and a standard Windows share. I removed the user "everyone" from the share on the Windows client. The share still worked (both users could create folders and files). Then I rebooted and tested again (in the Windows client, opened the permission properties). After that I could create a file, but not a folder, and in the console log:

log from console:
Nov 9 10:00:00 freenas syslog-ng[1579]: Configuration reload request received, reloading configuration;
Nov 9 10:03:43 freenas winbindd[2152]: STATUS=daemon 'winbindd' finished starting up and ready to serve connectionssam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-2495665797-3528467598-246010422


dataset owner = test, group = zdielanie
user test has group test
user test2 has group test2 and has auxiliary group zdielanie

Next problem: when I remove the user "everyone" from the share "zdielanie" and create a file, this file again has the user "everyone" in its permissions.

Without properly functioning sharing, FreeNAS is crap, because sharing is a basic function of a NAS... This problem has persisted since version 9.2.1.6 (where I first saw it).
 

Attachments

  • dataset.JPG
  • windows_share.JPG
  • dataset_getfacl.JPG
  • dataset_ls.JPG
  • windows_permissions_user.JPG
  • windows_permissions_group.JPG
  • log.JPG

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Regarding the winbindd error: This may be worth making a bug report about as the issue was reported in the following and marked as resolved in 9.3:
https://bugs.freenas.org/issues/4432
https://bugs.freenas.org/issues/5828

I think we need a bit more info about the exact problem you are experiencing with permissions. Post your smb4.conf file and the output of getfacl on a file or folder that has the wrong permissions.

I have noticed that if you disable permissions inheritance for a folder located within a share via a Windows client, then samba seems to fall back on using the "directory mask" and "create mask" parameters to determine unix rights, which then the "nt acl support" parameter seems to try to map to nfsv4 ACEs resulting in the creation of extraneous / bizarre "everyone" ACEs.
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, I attached some new pictures and here is smb4.conf:
Code:
[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 58223
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    unix extensions = no
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = FREENAS
    workgroup = WORKGROUP
    security = user
    pid directory = /var/run/samba
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
  

[zdielanie]
    path = /mnt/volume0/zdielanie
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    vfs objects = recycle zfsacl
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


Today I tested again (booted up the virtual machine). If I log in to the FreeNAS share (CIFS from a Windows 7 client) as user "test2" (dataset group), all works well. But if I log in as user "test" (dataset owner), I get the deadlock and I cannot create folders or files and don't see all folders and files in the share (only data that user test created, I don't know why). Today inheriting permissions from the dataset works well (no user everyone).
 

Attachments

  • login_as_user_test.JPG
  • login_as_user_test2.JPG
  • data_in_dataset_getfacl.JPG
  • deadlock2.JPG
  • dataset_getfacl2.JPG

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, I want to ask something about my "deadlock". Is it a bug or a feature, or is the problem between my keyboard and chair? If it is a bug in this version, can somebody investigate?

Thx, Marian.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
The error message is generated by the following in winbindd_samr.c:
Code:
static NTSTATUS sam_rids_to_names(struct winbindd_domain *domain,
                 TALLOC_CTX *mem_ctx,
                 const struct dom_sid *domain_sid,
                 uint32 *rids,
                 size_t num_rids,
                 char **pdomain_name,
                 char ***pnames,
                 enum lsa_SidType **ptypes)
{
    struct rpc_pipe_client *lsa_pipe;
    struct policy_handle lsa_policy;
    enum lsa_SidType *types = NULL;
    char *domain_name = NULL;
    char **names = NULL;
    TALLOC_CTX *tmp_ctx;
    NTSTATUS status, result;
    struct dcerpc_binding_handle *b = NULL;

    DEBUG(3,("sam_rids_to_names for %s\n", domain->name));

    ZERO_STRUCT(lsa_policy);

    /* Paranoia check */
    if (!sid_check_is_builtin(domain_sid) &&
       !sid_check_is_our_sam(domain_sid) &&
       !sid_check_is_unix_users(domain_sid) &&
       !sid_check_is_unix_groups(domain_sid) &&
       !sid_check_is_in_wellknown_domain(domain_sid)) {
        DEBUG(0, ("sam_rids_to_names: possible deadlock - trying to "
             "lookup SID %s\n", sid_string_dbg(domain_sid)));
        return NT_STATUS_NONE_MAPPED;
    }

    tmp_ctx = talloc_stackframe();
    if (tmp_ctx == NULL) {
        return NT_STATUS_NO_MEMORY;
    }

    status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
    if (!NT_STATUS_IS_OK(status)) {
        goto done;
    }

    b = lsa_pipe->binding_handle;

    status = rpc_rids_to_names(tmp_ctx,
                  lsa_pipe,
                  &lsa_policy,
                  domain,
                  domain_sid,
                  rids,
                  num_rids,
                  &domain_name,
                  &names,
                  &types);
    if (!NT_STATUS_IS_OK(status)) {
        goto done;
    }

    if (pdomain_name) {
        *pdomain_name = talloc_move(mem_ctx, &domain_name);
    }

    if (ptypes) {
        *ptypes = talloc_move(mem_ctx, &types);
    }

    if (pnames) {
        *pnames = talloc_move(mem_ctx, &names);
    }

done:
    if (b && is_valid_policy_hnd(&lsa_policy)) {
        dcerpc_lsa_Close(b, mem_ctx, &lsa_policy, &result);
    }

    TALLOC_FREE(tmp_ctx);
    return status;
}

As you can clearly see, it is a "paranoia check". :)

That being said, I'm not entirely sure that winbind is actually needed for a standalone server. The samba documentation states:
A standalone Samba server is an implementation that is not a member of a Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba domain.

By definition, this means that users and groups will be created and controlled locally, and the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility will not be relevant or of interest.
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, thx for all your time.

All you wrote is over my knowledge :oops: , but I am "happy" that the fault is not on my side. I am surprised that there are not more people who have the same problem, because if it shows up on a server, CIFS is not usable (can't access data, or access problems).

Also I have concerns that this malfunction will remain in newer updates without being resolved. :(

Marian L.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
The documents you can't see are owned by the user "Test2". This means that if "Test", the dataset owner, is not a member of the group "zdielanie", then the user will have no permissions WRT the files. One of the peculiarities of using NFSv4 ACLs with samba is that files and folders "disappear" when the user does not have the requisite privileges ([foo]@:------a-R-c---). Short answer - the winbind error is probably a red herring, add "Test" to group "zdielanie" and retest.
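The NFSv4 ACL behaviour described in the reply above, as an added example that is not part of the original post and is not Samba or FreeNAS code: a simplified evaluator for getfacl-style entries. The ACL text, the file ownership and the function names are constructed for illustration; only the user and group names and the `------a-R-c---` mask come from the thread.

```python
PERM_ORDER = "rwxpDdaARWcCos"  # compact NFSv4 permission letters as printed by getfacl

# Constructed ACL modelled on the thread (the real one is only in the screenshots).
SAMPLE_ACL = """
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c---:fd----:allow
"""

def parse_acl(text):
    """Parse 'who:perms:flags:type' lines into (who, set_of_letters, type) tuples."""
    aces = []
    for line in text.strip().splitlines():
        fields = line.strip().split(":")
        who = ":".join(fields[:-3])          # 'owner@' or e.g. 'user:test'
        perms, _flags, ace_type = fields[-3:]
        aces.append((who, {c for c in perms if c in PERM_ORDER}, ace_type))
    return aces

def ace_matches(who, user, groups, file_owner, file_group):
    """Does this ACE's principal apply to the requesting user?"""
    if who == "owner@":
        return user == file_owner
    if who == "group@":
        return file_group in groups
    if who == "everyone@":
        return True
    kind, _, name = who.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)

def check_access(aces, user, groups, file_owner, file_group, wanted):
    """Walk ACEs in order; every wanted letter must be allowed before a deny hits it."""
    pending = set(wanted)
    for who, perms, ace_type in aces:
        if not pending:
            break
        if not ace_matches(who, user, groups, file_owner, file_group):
            continue
        if ace_type == "deny" and pending & perms:
            return False
        if ace_type == "allow":
            pending -= perms
    return not pending  # letters that no ACE granted count as denied

if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    # Assumed ownership of a file created by test2 over CIFS: test2 / zdielanie.
    print(check_access(aces, "test", {"test"}, "test2", "zdielanie", "r"))
    print(check_access(aces, "test", {"test", "zdielanie"}, "test2", "zdielanie", "r"))
```

With this sample ACL, "test" without the auxiliary group only matches `everyone@` on files owned by "test2", so read_data is never granted; once "zdielanie" is among the user's groups, `group@` matches and the same request succeeds.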
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Dear sir, I tested what you wrote. I added the auxiliary group "zdielanie" to user "Test". I tested for about 15 minutes and for now I do not have the "deadlock" :) . I will test it later on the real server to see if I get the "deadlock".

If I understood correctly, I have:
dataset = "zdielanie" (/mnt/volume0/zdielanie)

CIFS share = dataset
dataset owner = "test"
dataset group = "zdielanie"

1. full access user over CIFS
user test has group test and has auxiliary group zdielanie = for me, the dataset owner is always the administrator or a user that has full permissions over CIFS.

2. other users
user test2 has group test2 and has auxiliary group zdielanie
....
....
....


NEXT, rules:
1.
dataset owner (the user that has access to that dataset over CIFS) MUST always have an auxiliary group and that group MUST be the dataset group (in my configuration, where more users have access over CIFS to the same dataset) - hm, this is different from what I expected from an owner and also very different behavior from what I expected.. :confused:
Question: if the owner has full rights and the dataset group has only read permissions, what permissions are applied to the owner? Full or only read? I think full...

2. all other users that also have access to that dataset over CIFS use the dataset group (that is normal behavior for me).


OK, if this is how NFSv4 ACLs + Samba v4 work, I must learn something new and I should apologize to the developers for what I thought.

Next question: is it normal that if I do not keep rule 1, I get the "deadlock"?
 

Jeremy Janz

Cadet
Joined
May 24, 2014
Messages
3
I also get a similar deadlock error. However, it does not affect me accessing the NAS in any way. I have been having this error since 9.2.1.7. Here is my current system:

Build FreeNAS 9.3-BETA GMT
Platform Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz
Memory 8166MB

I was hoping this would go away after I upgraded to 9.3, but alas not :(. However, it is more of an annoyance since it has seemingly no effect on how I use it.
