SMB share permissions

[CombFiltered]

I am noticing that some users don't get execute permissions when accessing a VSAN SMB share in Windows. I have no idea what's causing this, but read/write always seems to be fine. Execute seems to be set to only one user, and it could be the administrator account, or it could be another user. This is causing issues with not being able to execute apps from the SMB share. Copying the apps from the share to a local PC and running works, but that's a real pain. When Security perms are viewed in Windows, there's a sambashare user (Unix Group\sambashare) that gets Read and Write perms, and then one other user local to VSAN (either a created user, or administrator) that gets Read & execute, Read, Write, and Special permissions. Any ideas what's going on and how to fix this?

[yaroslav (staff)]

StarWind VSAN does not create SMB shares. It does not create the special users either.
CVM can do NFS shares though.
Does your question relate to the SMB witness or NFS shares?
As a side note, SMB witness is not available for CVM.

[CombFiltered]

Ok I must be thoroughly confused about something. What's the attached SMB share? It's a web interface for my VSAN.

Screenshot 2025-01-23 174537.png (36.23 KiB) Viewed 15160 times

[yaroslav (staff)]

Hi,

I discussed this thread with my colleague (we need more time to prepare the workaround). Thanks for pointing this limitation out!
Also, as a side note, VSAN supports sharing options not only for NFS (sorry for misleading you).

[CombFiltered]

Great, thanks for looking into it. I didn’t think I was using this in an edge case, but I seem to be a magnet for finding those.

[dmytro (staff)]

Hi CombFiltered,

We conducted a quick test in our lab and have reproduced the issue you described. I have requested our R&D team to implement a fix in the next release, either through a custom setting or as a permanent update for sharing. In the meantime, I have a workaround that will resolve the problem for you.

Please follow the next steps:
1. Log in to your appliance using the Text-based User Interface (TUI).
2. Navigate to the Troubleshoot menu and select Open Shell Terminal.
3. Execute the following commands:
3.1 Create a backup of your current configuration file:

Code: Select all

sudo cp /etc/samba/smb.conf ~/smb.conf.backup

3.2 Open the configuration file for editing:

Code: Select all

sudo nano /etc/samba/smb.conf

3.3 Modify the share configuration: locate the share configuration section at the end of the file. For each SMB share, add the following line:

Code: Select all

force create mode = 0755

Save the changes:
3.4 Press Ctrl + X, then confirm by pressing Y and Enter.
3.5 Restart the SMB (Samba) service:

Code: Select all

sudo systemctl daemon-reload
sudo systemctl restart smbd

3.5 Update permissions for existing SMB shares:
sudo chmod 0755 -R <share path>
Run the following commands for each share you have. :

Code: Select all

chmod 0755 -R <path to an SMB share>

With regards to the provided screenshot, I assume the commands would be the following:

Code: Select all

sudo chmod 0755 -R /mnt/md1/data/Archives
sudo chmod 0755 -R /mnt/md1/data/Home

3.6 Exit the Terminal by pressing Ctrl + X and then Esc.
3.7 Log off the Text-based user interface.

This workaround should resolve the issue until the official fix is available.

Let me know if you encounter any problems or need further assistance!

[CombFiltered]

I finally got to this, and it worked perfectly. Thank you! With the upcoming update, will I have to revert any of these changes?

Relatedly, I did go and check for an update through the web interface before I tried any of this, and it errored out. Checking the logs, I see these errors every time I check for an update:

E: Release file for http://security.ubuntu.com/ubuntu/dists ... /InRelease is not valid yet (invalid for another 3h 9min 14s). Updates for this repository will not be applied.
E: Release file for http://archive.ubuntu.com/ubuntu/dists/ ... /InRelease is not valid yet (invalid for another 3h 12min 37s). Updates for this repository will not be applied.
E: Release file for http://archive.ubuntu.com/ubuntu/dists/ ... /InRelease is not valid yet (invalid for another 1h 13min 21s). Updates for this repository will not be applied.
Error: command apt-get update failed. Return code: 100

[dmytro (staff)]

Hi CombFilteredm,

The update won't revert the changes you made in the configuration file and will apply the setting to new shares created.

Could you please collect the logs from your system and send them to us using this form? https://www.starwindsoftware.com/support-form
I'll check them and let you know what is the problem with the update.

[CombFiltered]

The logs have been submitted

[yaroslav (staff)]

Thanks!

[CombFiltered]

Okay, so I'm now realizing that this fixed the execute perms, but now I can't write anything. I have triple checked that the user has read-write perms on the web interface. I have re-run the commands to reset perms on the samba shares. Verifying "ls -ld" on the directory has perms of rwxr-sr-x, owner swsystem sambashare. Running "stat -c %a" on the directory shows 2755. Does this seem correct?

[CombFiltered]

I re-ran the chmod commands with 0775 instead of 0755, and it appears to be now working as expected. Should it be 0775, or is there a piece of a config missing somewhere because of the previous changes? If it does need to be 0775, should the "force create mode" config line be updated to 0775 as well?

[dmytro (staff)]

Hello CombFiltered,

Yes, you are correct. Indeed, the "force create mode" should be set to "0775" to ensure that both the user and group have read, write, and execute permissions on the file share. This configuration will maintain consistent permission settings for newly created files and prevent execution issues encountered previously.

If you need any further assistance or have additional questions, please feel free to ask.