No Access to Files after Update FreeNAS 9.10.U3 on CIFS

Status
Not open for further replies.

jackydany

Explorer
Joined
Mar 17, 2014
Messages
51
Hi there,

I am having quite a mysterious problem...

I have a CIFS share for a Windows 7 client. On this, there are several subdirectories.
A program on the client accesses one of these directories as its working directory.
Let's say:
\\192.168.1.2\Data
\\192.168.1.2\Data\Work
mapped as drive X in Windows.
So it looks like this:
x:\Data\Work

After the recent update I did yesterday, the program says there are access problems with the files. It can't open them for write access.
But I can create and delete files within all directories.
Also, I changed nothing at all!

Workaround:
I just copy the whole directory
x:\Data\Work_Copy

rename the original
x:\Data\Work_old

and rename the new copy back to the old name
x:\Data\Work

Now everything is working.
I am performing these copy and renaming steps with the Windows client and the normal user for this machine and CIFS share, so nothing special!

Does anyone have any idea what this is about? Why can I copy, paste, rename, create and delete files, but the program can't access them? Only after these steps before?
I also had this problem from 9.10.U1 to U2.

A reboot of the client didn't solve this.
Disconnecting from the share and reconnecting it as a network drive didn't solve it.

Thanks in advance!

Greetings

Jack
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It might be changes in the Samba version causing problems (newer versions deprecated NTLMv1, which is horrifically insecure). Try setting the following parameter under "services" -> "SMB":
ntlm auth = yes
 

jackydany

Explorer
Joined
Mar 17, 2014
Messages
51
Hi,

I can't find this setting, or do you mean under auxiliary parameters?

I use SMB3 as the protocol.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Sounds like you can't read the files. What are the permissions on them and who did you authenticate as? Does the share have guest access turned on?

 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Oops. That's what I get for writing responses on a phone before having some coffee.

@jackydany Post the contents of /usr/local/etc/smb4.conf or a debug file ("system" -> "advanced" -> "save debug").
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Interpreting posts is actually really difficult. It wasn't really explained what the problem is so I could be wrong also.

 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Indeed. We probably also need to know what the 'program' on the client computer is. Because of this, we can't 100% exclude the possibility that it is NTLM-related (can't exclude the possibility of crap code).
 

jackydany

Explorer
Joined
Mar 17, 2014
Messages
51
Hi all, and thanks for the response.

The program is a German finance software... nothing you would know, I think; I only know it because of my father's business.

I can't reproduce the problem as I already solved it with the workaround.
It only happened with the last update and this one, never before or afterwards, so it's not a general problem.
It only happens with this program; Word documents etc. are accessible without problems or errors.

The folders of the program are accessible; I can create files within them and delete them without problems...
I can also rename without errors etc.
Only access from this specific program to the user data file is not possible (error message).

After copying the folder and renaming, everything works as usual.
It only happens with 2 of the programs from the same company (softwarenetz).

owner nobody nogroup, as everybody should have full permissions
mode 777 Unix style
permissions were set recursively
"only allow guest access" is turned OFF

Code:
cat /usr/local/etc/smb4.conf
[global]
	server max protocol = SMB3
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 352739
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	time server = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	local master = yes
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = standalone
	netbios name = freenas
	workgroup = WORKGROUP
	security = user
	pid directory = /var/run/samba
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1



[Data]
	path = /mnt/Data
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = no
	vfs objects = zfs_space zfsacl
	hide dot files = no
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
	writable = yes
	valid users = jackydany webdav


[Work]
	path = /mnt/Data/Work
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	shadow:snapdir = .zfs/snapshot
	shadow:sort = desc
	shadow:localtime = yes
	shadow:format = auto-%Y%m%d.%H%M-6m
	shadow:snapdirseverywhere = yes
	vfs objects = shadow_copy2 zfs_space zfsacl
	hide dot files = no
	guest ok = yes
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare

 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Oh. There are several problems here:
  1. You're using "Unix" permissions type with samba configured to use ZFS ACLs. This is well-known to be a somewhat broken configuration - like cats and dogs living together or Trump in the White House. You should choose either one or the other way of doing it (note that the orthodox way of doing this is to use "windows" permissions type with ZFS ACLs).
  2. You have nested shares (and possibly datasets). You need to make sure permissions are set consistently across them.
  3. You performed chmod 777 on a share with ZFS ACLs enabled. This also can break permissions in interesting ways. If you go this way, remove ACLs and the zfsacl vfs module first before using chmod.
The actual problem you encountered may have been FreeNAS deciding to "apply default permissions" to your "work" share.
 

jackydany

Explorer
Joined
Mar 17, 2014
Messages
51
Hi, and sorry for the delay...

How can I configure this correctly? I was (and still am) not aware where my mistake is, as I configured this like the FreeNAS shares on the previous server (9.3).

I know I have nested shares, but that's what I need! I need full access to the dataset root directory but also need sub-shares for different "users".

What about these ZFS ACLs? I don't know where to configure this.
As I am only using Samba shares on this dataset, it would be nice to configure it according to "best practice".
I am also using Linux to access the shares, so I still want to use Unix permissions; it's also easier for me, I think. I don't have that many users and no access-right problems or security issues in my network.

All hints will be appreciated.

Thanks for your help!

Stefan
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Hi, and sorry for the delay...

How can I configure this correctly? I was (and still am) not aware where my mistake is, as I configured this like the FreeNAS shares on the previous server (9.3).

I know I have nested shares, but that's what I need! I need full access to the dataset root directory but also need sub-shares for different "users".
It's not necessarily a problem. It just adds complexity and increases the likelihood that mistakes will happen.

What about these ZFS ACLs? I don't know where to configure this.
This is typically done through Windows Explorer like on a Windows server. See link in my sig.

As I am only using Samba shares on this dataset, it would be nice to configure it according to "best practice".
I am also using Linux to access the shares, so I still want to use Unix permissions; it's also easier for me, I think. I don't have that many users and no access-right problems or security issues in my network.
"Unix" permissions type has nothing to do with clients. I routinely use Linux servers to access my "Windows" shares. If you decide you want to use "Unix" permissions type, then you need to (1) remove all ACLs on the shares and (2) disable the ZFSACL vfs module.
 

jackydany

Explorer
Joined
Mar 17, 2014
Messages
51
Hi,

So I tried and tried :D

It seems to be working now....

What did I do? I don't know!!! nooooo..... just a joke ;)

First, I read the links from your signature, thanks for the hint!

Then I created a new group
added the existing user to this group
changed the owner of the Dataset to this user and the group to the newly created one
checked "set permissions recursively" and hit OK.
It took a minute, a restart of the client and a new connection to the share as a network drive, but now it's working for both clients.

Thanks a lot for your help!

One last question:
Where do I find this ZFSACL vfs module and deactivate it?
What is it good for? Can I get any problems by removing it? For example with other shares etc.? NFS?

Thank you so much for your patience and help.

Good software, awesome support.

Greetings from Germany
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
One last question:
Where do I find this ZFSACL vfs module and deactivate it?
I believe that FreeNAS 11 is supposed to add an option to deactivate it. In 9.X, you need to add a vfs objects line to your share's auxiliary parameters, for example:
vfs objects = streams_xattr
What is it good for?
It provides full compatibility with Windows permissions types. It helps your FreeNAS server act more like a Windows server, which is a good thing when you're using Samba ;)
Can I get any problems by removing it?
Not really. You just need to set permissions correctly.
For example with other shares etc.? NFS?
If this is a multi-user / office environment, then sharing the same dataset with SMB and NFS simultaneously is not a good idea. FreeBSD doesn't support kernel oplocks, which means you run the risk of data corruption. In a home environment where you have more rigid control over what's going on, then it's relatively safe (as long as you don't do anything really dumb).
 

jackydany

Explorer
Joined
Mar 17, 2014
Messages
51
So this is the only thing I need to do? Just select this object in the share configuration?

Thank you.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
No. What you should do is:
  1. enter cli and type testparm
  2. scroll through output to your share. It will begin with [Work] or [Data] in your case (you have two shares).
  3. copy the contents of the "vfs objects" line into the field "Auxiliary parameters" in the FreeNAS webui for your share configuration, i.e.
     vfs objects = shadow_copy2 zfs_space zfsacl
  4. remove "zfsacl":
     vfs objects = shadow_copy2 zfs_space
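
The following script is an added example, not something posted in the thread and not FreeNAS or Samba code. It reads an smb4.conf like the one posted above, builds the "vfs objects" line from steps 3 and 4 with zfsacl removed, and, going one step beyond the posts, lists share-level access settings (guest ok, valid users) that differ between nested shares such as [Data] and [Work]. The sample config is constructed from the posted file, and the function names are hypothetical.

```python
from pathlib import PurePosixPath

# Constructed sample, trimmed from the smb4.conf posted earlier in the thread.
SAMPLE_CONF = """
[Data]
    path = /mnt/Data
    vfs objects = zfs_space zfsacl
    guest ok = no
    valid users = jackydany webdav
[Work]
    path = /mnt/Data/Work
    vfs objects = shadow_copy2 zfs_space zfsacl
    guest ok = yes
"""
DEFAULTS = {"guest ok": "no", "valid users": ""}  # Samba defaults when a key is unset

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {lowercased key: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def aux_vfs_without_zfsacl(section):
    """Return the 'vfs objects' line minus zfsacl, or None if zfsacl is not loaded."""
    modules = section.get("vfs objects", "").split()
    if "zfsacl" not in modules:
        return None
    return "vfs objects = " + " ".join(m for m in modules if m != "zfsacl")

def nested_access_mismatches(sections):
    """List (parent, child, key, parent_value, child_value) for nested share paths."""
    paths = {n: PurePosixPath(s["path"]) for n, s in sections.items() if "path" in s}
    found = []
    for parent, ppath in paths.items():
        for child, cpath in paths.items():
            if ppath in cpath.parents:  # child path lies below the parent path
                for key, default in DEFAULTS.items():
                    pv, cv = (sections[n].get(key, default) for n in (parent, child))
                    if pv.lower() != cv.lower():
                        found.append((parent, child, key, pv, cv))
    return found

if __name__ == "__main__":
    print(nested_access_mismatches(parse_smb_conf(SAMPLE_CONF)))
```

On the posted config the second check reports that [Work] sets guest ok = yes and has no valid users list, while its parent [Data] is restricted to jackydany and webdav.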
 