Error Accessing vSAN SMB Shares

Recently I saw an issue arise that caused an inability to access a vSAN SMB share. The error we received when accessing the vSAN SMB share is below:

“<Share Path> is not accessible. You might not have permission to this resource. Contact the administrator of this server to find out if you have access permissions.”

“The Parameter is incorrect.”

The issue appears to be a corruption of the Samba ACLs attached to the folders and files, which causes the above error when attempting to access vSAN SMB shares. Below are the steps that were required to regain access to the share and the nested files and folders.

*Be aware that these steps overwrite all current permissions and give Everyone full control. You will want to reassign proper permissions after you regain access.

Steps to regain access to the vSAN SMB Root Share:

  1. Locate the File services Node that the Share is running on
    1. From the cluster in vCenter go to configure file shares
    2. Select the share
    3. Note which File Services Node your share is currently running on
  2. Web console into the file services node
    1. Username: root
    2. Password: vmware
  3. Identify the Docker instance of the share
    1. docker ps
  4. Connect to the container
    1. docker exec -it <ContainerID> bash
  5. View the SMB config to get share IDs
    1. cat /etc/vsfs/smb.conf
  6. After you have the share ID run the following command to view the current settings
    1. /usr/local/samba/bin/samba-tool ntacl get <Share Path> --as-sddl
  7. Run this command to reset the permissions to allow Everyone access
    1. /usr/local/samba/bin/samba-tool ntacl set 'O:WDG:S-1-22-2-0D:PAI(A;OICI;0x001f01ff;;;WD)' <Share Path>
  8. Restart SMB
    1. /entrypoint.sh stopsmb
    2. /entrypoint.sh startsmb

Steps to regain access to vSAN SMB Sub Folders and Files:

At this point you should be able to access the root of the share, but you will probably still not be able to access the sub files and folders. You will need to repeat the steps above with some minor changes to restore access to everything.

  1. CD to a share volume sub folder that you want to start with
    1. cd /<Share Path>/<Sub Folder>
  2. Run the following command on the folder first
    1. /usr/local/samba/bin/samba-tool ntacl set 'O:WDG:S-1-22-2-0D:PAI(A;OICI;0x001f01ff;;;WD)' /<Share Path>/<Sub Folder>
  3. Then run the following script on the folder to apply the same setting to the files
    1. for i in *; do /usr/local/samba/bin/samba-tool ntacl set 'O:WDG:S-1-22-2-0D:PAI(A;OICI;0x001f01ff;;;WD)' /<Share Path>/<Sub Folder>/"$i"; done
    2. This could probably be more efficient but with being forced to use the web console this seemed the easiest to get done in a timely manner.
  4. Repeat as many times as necessary for any additional sub folders.
  5. Once that’s done restart SMB again and test
    1. /entrypoint.sh stopsmb
    2. /entrypoint.sh startsmb

Repeat these steps as many times as needed until access has been restored to all sub folders and files. You don’t need to restart SMB after each folder unless you want to test and validate your progress.
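
Because the reset leaves Everyone with full control, it helps to list every path that still carries that ACE before reassigning proper permissions. The following is an added example, not part of the original procedure: it assumes it runs inside the same container and that `samba-tool ntacl get ... --as-sddl` prints the SDDL string as in step 6. The function names and the `SAMBA_TOOL` override are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Run inside the share's container.
# SAMBA_TOOL defaults to the path used in the steps above; override it to test.
SAMBA_TOOL="${SAMBA_TOOL:-/usr/local/samba/bin/samba-tool}"

# Succeeds when an SDDL string contains an allow ACE granting Everyone
# (WD, or its SID S-1-1-0) the full-control mask 0x001f01ff (alias FA).
has_everyone_full_control() {
    printf '%s\n' "$1" |
        grep -Eiq '\(A;[^;)]*;(0x0*1f01ff|FA);[^;)]*;[^;)]*;(WD|S-1-1-0)\)'
}

# Walk a tree and report each path whose NT ACL still carries that ACE.
# Assumption: no file name contains a newline (find output is read by line).
audit_everyone_acl() {
    find "$1" | while IFS= read -r audit_path; do
        if ! audit_sddl="$("$SAMBA_TOOL" ntacl get "$audit_path" --as-sddl 2>/dev/null)"; then
            # samba-tool returned an error for this path; review it by hand.
            printf 'UNREADABLE\t%s\n' "$audit_path"
        elif has_everyone_full_control "$audit_sddl"; then
            printf 'EVERYONE_FULL\t%s\n' "$audit_path"
        fi
    done
}

# Usage (placeholder path, as in the steps above):
#   audit_everyone_acl "/<Share Path>"
```

An empty result after permissions have been reassigned means no path under the given root still grants Everyone full control.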

About: Greg Russell

Greg Russell is a Principal Architect working in Healthcare IT on the East Coast. His primary focus is vSAN, Replication and Disaster Recovery solutions.