SOLVED ACL weirdness when tagging files on SMB shares from MacOS

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Hello forum...

I have an SMB share running on Freenas 11.2-U3

My MacOS users can use the share as expected, unless they tag a directory (A feature of the MacOS Finder). This will add extended attributes to a dir.
Once a file is tagged, it can no longer be moved or deleted. Tagging files works. Any ideas on how I can tag the dirs without the permissions being changed?

These are the (working) permissions on an untagged dir:
Code:
# file: BB
# owner: tbp
# group: fileserver-write
            owner@:rwxpDdaARWcCo-:fd----I:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd----I:allow


These are the permissions on a dir once it has been tagged from MacOS. A deny has been added for the owner!:
Code:
# file: AA
# owner: tbp
# group: kontrapunkt-fileserver-write
            owner@:--x-----------:-------:deny
            owner@:rwxpDdaARWcCo-:fdi---I:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fdi---I:allow
            group@:rwxpDdaARWcCos:fd-----:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:rwxp--a-R-c--s:-------:allow


The extended attributes on the tagged dir:
Code:
# lsextattr user AA
AA    DosStream.com.apple.metadata:_kMDItemUserTags:$DATA    DosStream.AFP_AfpInfo:$DATA


Setting tags on files is not a problem.

A newly uploaded (untagged) file:
Code:
# file: NetSpot.dmg
# owner: tbp
# group: fileserver-write
            owner@:rw-p--aARWcCos:-------:allow
            group@:rw-p--a-R-c--s:-------:allow
         everyone@:rw-p--a-R-c--s:-------:allow


After tagging the file (Unchanged permissions):
Code:
Account Management [J1023889] # getfacl NetSpot.dmg
# file: NetSpot.dmg
# owner: tbp
# group: fileserver-write
            owner@:rw-p--aARWcCos:-------:allow
            group@:rw-p--a-R-c--s:-------:allow
         everyone@:rw-p--a-R-c--s:-------:allow

Here is the share config:

Code:
[Files]
    access based share enum = Yes
    hosts allow = hosts allow = 172.30.10.0/24 172.30.11.0/24 172.22.33.0/24
    path = "/mnt/storage/files"
    read list = @fileserver-read
    read only = No
    store dos attributes = No
    valid users = @fileserver-write @fileserver-read
    veto files = /*.DS_Store/.apdisk/.TemporaryItems/.windows/.mac/
    vfs objects = catia zfs_space zfsacl fruit streams_xattr
    fruit:encoding = native
    fruit:veto_appledouble = no
    zfsacl:expose_snapdir = True
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    fruit:resource = stream
    fruit:metadata = stream
 

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Try setting the following parameter under Services-SMB
fruit:nfs_aces = no

Unmounted share in MacOS. Logged back in. Created dir 'nfs_aces_no' in the SAMBA share. I did not do anything else on the FreeNAS box than adding 'fruit:nfs_aces = no' to the share config. The problem persists :(

Permissions on freshly created (From MacOS client) dir:
Code:
# file: nfs_aces_no
# owner: tbp
# group: fileserver-write
            owner@:rwxpDdaARWcCo-:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
         everyone@:r-x---a-R-c---:fd----I:allow


Permissions after tagging the dir:
Code:
# file: nfs_aces_no
# owner: tbp
# group: fileserver-write
            owner@:--x-----------:-------:deny
            owner@:rwxpDdaARWcCo-:fdi---I:allow
            group@:rwxpDdaARWcCo-:fdi---I:allow
         everyone@:r-x---a-R-c---:fdi---I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow


Share config:
Code:
[Files]
    access based share enum = Yes
    hosts allow = hosts allow = 172.30.10.0/24 172.30.11.0/24 172.22.33.0/24
    path = "/mnt/storage/Files"
    read list = @fileserver-read
    read only = No
    store dos attributes = No
    valid users = @fileserver-write @fileserver-read
    veto files = /*.DS_Store/.apdisk/.TemporaryItems/.windows/.mac/
    vfs objects = catia zfs_space zfsacl fruit streams_xattr
    fruit:nfs_aces = no
    fruit:encoding = native
    fruit:veto_appledouble = no
    zfsacl:expose_snapdir = True
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    fruit:resource = stream
    fruit:metadata = stream
 
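As an added illustration (not code from the thread), here is a small Python parser for the getfacl output format shown in the posts above. It applies NFSv4 first-matching-ACE evaluation to compute a principal's effective rights on the object itself and reports which bits the owner lost once the directory was tagged. The sample ACLs are constructed to mirror the untagged/tagged `nfs_aces_no` output above.

```python
# Added example, not from the thread: parse getfacl(1) NFSv4 output, first-matching-ACE semantics.
from collections import namedtuple

Ace = namedtuple("Ace", "principal perms flags kind")  # perms: rwxpDdaARWcCos

def parse_getfacl(text):
    """Return (header dict, [Ace]); '# key: value' lines form the header."""
    header, aces = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        else:
            parts = line.split(":")  # user:NAME principals contain a colon
            aces.append(Ace(":".join(parts[:-3]), *parts[-3:]))
    return header, aces

def effective_perms(aces, principal="owner@"):
    """Walk the ACL in order; the first ACE naming a bit decides it.
    Inherit-only ACEs ('i' flag) do not apply to the object itself."""
    granted, denied = set(), set()
    for ace in aces:
        if ace.principal != principal or "i" in ace.flags:
            continue
        bits = set(ace.perms) - {"-"}
        if ace.kind == "deny":
            denied |= bits - granted
        elif ace.kind == "allow":
            granted |= bits - denied
    return granted, denied

def lost_perms(before_text, after_text, principal="owner@"):
    """Bits the principal held on the untagged object but lacks afterwards."""
    before = effective_perms(parse_getfacl(before_text)[1], principal)[0]
    after = effective_perms(parse_getfacl(after_text)[1], principal)[0]
    return before - after

# Constructed samples mirroring the untagged / tagged directory ACLs above.
BEFORE = """# file: nfs_aces_no
            owner@:rwxpDdaARWcCo-:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
         everyone@:r-x---a-R-c---:fd----I:allow"""
AFTER = """# file: nfs_aces_no
            owner@:--x-----------:-------:deny
            owner@:rwxpDdaARWcCo-:fdi---I:allow
            group@:rwxpDdaARWcCo-:fdi---I:allow
         everyone@:r-x---a-R-c---:fdi---I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow"""
```

Run against the samples, `lost_perms(BEFORE, AFTER)` shows the owner lost `x` (traverse), `D` (delete_child) and `d` (delete), which matches the symptom that a tagged directory can no longer be moved or deleted.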
Joined
Jul 3, 2015
Messages
926
What if when you setup the user permissions for the share you don't allow them to change permissions?
 
Joined
Jul 3, 2015
Messages
926
If you manage the permissions of the share via a windows computer you can be much more granular than what you can from within the FreeNAS UI. I never allow my users to be able to change permissions on shares as they would likely hang themselves. I assume you have given them full control?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
If you manage the permissions of the share via a windows computer you can be much more granular than what you can from within the FreeNAS UI. I never allow my users to be able to change permissions on shares as they would likely hang themselves. I assume you have given them full control?
The owner of a file can always chmod it. This is true in Windows and it's true in Unix.

When vfs_fruit is enabled, it by default will expose the posix mode to MacOS clients via NFS aces, and allow them to set it. First try disabling this capability as I suggested. Also try setting the nfs4:mode to "simple". Note that if you change the nfs4:mode, it must be performed on _all_ shares, and winbind's caches must be cleared. (service samba_server stop, rm /var/db/system/samba4/winbindd_cache*, net cache flush, service samba_server start)

If that fails, try setting the ZFS dataset's aclmode to restricted.

Of course, it goes without saying that if this is a business environment, make these changes in a maintenance window.
 

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Try setting the following parameter under Services-SMB
fruit:nfs_aces = no
Added fruit:nfs_aces = no to the samba config. It shows up in the [global] section when running testparm. It appears to make no difference (in regards to my problem). Below are the permissions on a newly created and tagged (from MacOS) dir.

I'll take a look at your other suggestions.

Code:
# file: NFS_ACES_ENABLED/
# owner: tbp
# group: fileserver-write
            owner@:--x-----------:-------:deny
            owner@:rwxpDdaARWcCos:fdi---I:allow
            group@:rwxpDdaARWcCos:fdi---I:allow
         everyone@:r-x---a-R-c---:fdi---I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow
 

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Also try setting the nfs4:mode to "simple". Note that if you change the nfs4:mode, it must be performed on _all_ shares, and winbind's caches must be cleared. (service samba_server stop, rm /var/db/system/samba4/winbindd_cache*, net cache flush, service samba_server start)

  1. Added nfs4:mode = simple to all shares (Checked with testparm)
  2. service samba_server stop
  3. Deleted the file /var/db/system/samba4/winbindd_cache.tdb
  4. Ran the command net cache flush (There was no message returned)
  5. service samba_server start
The problem was not solved. Exact same (wrong) permissions as before after tagging a file from MacOS.

Will look at the ZFS dataset's aclmode
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
FWIW, I tried to reproduce your problem on my setup, and could not. Setting a Finder label/colour on a folder does not change what getfacl outputs for that folder, and I'm able to delete the folder too.

I'm on 11.2U4.1 and am already using `nfs4:mode = simple` and `fruit:nfs_aces = no`

Seems my aclmode was already restricted too:

# zfs get aclmode ekur/Test6
NAME PROPERTY VALUE SOURCE
ekur/Test6 aclmode restricted local


@anodos is 'restricted' not the default? I'm all but certain I never set it myself.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
FWIW, I tried to reproduce your problem on my setup, and could not. Setting a Finder label/colour on a folder does not change what getfacl outputs for that folder, and I'm able to delete the folder too.

I'm on 11.2U4.1 and am already using `nfs4:mode = simple` and `fruit:nfs_aces = no`

Seems my aclmode was already restricted too:

# zfs get aclmode ekur/Test6
NAME PROPERTY VALUE SOURCE
ekur/Test6 aclmode restricted local


@anodos is 'restricted' not the default? I'm all but certain I never set it myself.
It's the default for windows shares and the key differentiator between "unix/mac" and "windows" share types.
 