Having trouble with Transmission and SMB ACLs

BetYourBottom

Contributor
I've been lazy and am finally working on transferring all my old Plugins/Jails to the new Jail system. I've also been working on avoiding using the plugin system because, frankly, some of the plugins are too infrequently updated and some, like Syncthing, are locked into preventing updating manually.

So today I worked on transferring over Transmission and for the most part everything went well, however, I am having one issue that I can't seem to wrap my brain around. Each time the Transmission service boots it does something to the SMB ACLs and it pisses my Windows computer off a little. I decided during the move to separate my Transmission configs and such into a separate folder outside of the jail to allow for easier transfers if they become necessary in the future. I made a separate dataset with Unix ACLs because I had some trouble with a similar endeavor in the past when the permissions were set to Windows ACLs.

Now everything is okay, the config folder mounts where Transmission expects it, I have it chown'd by the transmission user, I have an external transmission user with a matching UID/GID, and I can access the files with Windows. However, after setting up the ACLs, whenever the service is started it somehow messes with them so that Windows will throw a "permissions are out of order" error when accessing the ACLs through the security tab. Correcting it only seems to fix it for the single launch and a relaunch of the service will break them again. I've also tried resetting them with winacl but it also only lasts for a single reboot of the service.

I have no idea what's going on, if it's a mistake in how I configured the ACLs from the start or if it's some weird issue with Transmission.

Any help would be much appreciated! If there are any details you need feel free to ask.

And of course I'm running FreeNAS 11.2-U4, Transmission 2.94.
 

anodos

Sambassador
iXsystems
> Now everything is okay, the config folder mounts where Transmission expects it, I have it chown'd by the transmission user, I have an external transmission user with a matching UID/GID, and I can access the files with Windows. However, after setting up the ACLs, whenever the service is started it somehow messes with them so that Windows will throw a "permissions are out of order" error when accessing the ACLs through the security tab.

The out-of-order ACLs error is expected behavior from Windows clients in this situation. ZFS appends non-inheriting special ACEs (for instance, the ones resulting from chmod()) to the end of an ACL.
Code:
root@freenas[/mnt/dozer/SMB2]# getfacl foo
# file: foo
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
       group:wheel:rwxpDdaARWcCos:fd-----:allow
root@freenas[/mnt/dozer/SMB2]# chmod 755 foo
root@freenas[/mnt/dozer/SMB2]# getfacl foo  
# file: foo
# owner: root
# group: wheel
       group:wheel:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

Windows requires that non-inheriting ACEs be located prior to inheriting ACEs. I'm adding an optional parameter in 11.3 to canonicalize the ACE ordering in the ACL returned to SMB clients. In 11.3 you will be able to add the share auxiliary parameter ixnas:zfsacl_sortaces=True to have samba dynamically re-order them so that you don't see that error message.
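
The ordering rule described in the post above, as an added Python example that is not part of the original post and is not FreeNAS or Samba code. It parses the two getfacl listings from the post and applies only the rule stated there (non-inheriting ACEs before inheriting ones); the function names are hypothetical.

```python
# Added example, not FreeNAS/Samba code. Models only the rule stated in the
# thread: ACEs without inheritance flags must precede ACEs that carry them.

# getfacl listings copied from the post above (header lines trimmed).
BEFORE_CHMOD = """\
# file: foo
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
       group:wheel:rwxpDdaARWcCos:fd-----:allow
"""
AFTER_CHMOD = """\
# file: foo
       group:wheel:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
"""

# FreeBSD NFSv4 flag letters: file_inherit, dir_inherit, inherit_only, no_propagate
INHERIT_FLAGS = set("fdin")


def parse_acl(getfacl_text):
    """Return (who, perms, flags, type) tuples from getfacl output."""
    aces = []
    for line in getfacl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the "# file/owner/group" header
        # "who" may contain a colon (group:wheel), so split from the right.
        aces.append(tuple(line.rsplit(":", 3)))
    return aces


def is_inheriting(ace):
    return bool(INHERIT_FLAGS & set(ace[2]))


def in_expected_order(aces):
    """True if no inheriting ACE appears before a non-inheriting one."""
    flags = [is_inheriting(a) for a in aces]
    return flags == sorted(flags)


def sort_aces(aces):
    """Stable sort: non-inheriting ACEs first, relative order kept."""
    return sorted(aces, key=is_inheriting)
```

Running `in_expected_order(parse_acl(AFTER_CHMOD))` returns False for the post-chmod listing, and `sort_aces` restores the pre-chmod order.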
 

BetYourBottom

Contributor
> The out-of-order ACLs error is expected behavior from Windows clients in this situation. ZFS appends non-inheriting special ACEs (for instance, the ones resulting from chmod()) to the end of an ACL.
>
> Windows requires that non-inheriting ACEs be located prior to inheriting ACEs. I'm adding an optional parameter in 11.3 to canonicalize the ACE ordering in the ACL returned to SMB clients. In 11.3 you will be able to add the share auxiliary parameter ixnas:zfsacl_sortaces=True to have samba dynamically re-order them so that you don't see that error message.

Well that answers basically everything. One last question, do you know if it's possible to keep Transmission from adding any special permissions at all for the everyone user?
 

anodos

Sambassador
iXsystems
> Well that answers basically everything. One last question, do you know if it's possible to keep Transmission from adding any special permissions at all for the everyone user?

The everyone user is "other" if you're setting POSIX mode bits. Check the transmission config to see if there is a default create mask. Otherwise, you can set the dataset's aclmode to "restricted".
Code:
zfs set aclmode=restricted tank/share

This will cause all chmod() requests to fail if there is a non-trivial ACL on the file (indicated by a "+" next to the file in "ls -l" output). Changing the aclmode is a big hammer. It can lead to undefined behavior from applications because they may not gracefully handle chmod returning EPERM.
 