SMB ACL issues on 9.10.1-U2

Status
Not open for further replies.

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
Hello,

I have updated a FreeNAS system from 9.10.1 (d989edd) to 9.10.1-U2, and shortly after this several users were complaining that they could not modify or delete older files. Clients are mostly OS X (10.12, 10.11.6 or 10.10.5). Newly created files could be modified and deleted as usual. As soon as I reverted the system back to 9.10.1 the issue disappeared.

The system is bound to AD and users could authenticate without any issues.

This is the smb4.conf:
Code:
[global]
	server max protocol = SMB3
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 942833
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = member server
	workgroup = DOMAIN
	realm = DOMAIN.COM
	security = ADS
	client use spnego = yes
	cache directory = /var/tmp/.cache/.samba
	local master = no
	domain master = no
	preferred master = no
	ads dns update = yes
	winbind cache time = 7200
	winbind offline logon = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
	winbind use default domain = no
	winbind refresh tickets = yes
	idmap config DOMAIN: backend = rid
	idmap config DOMAIN: range = 20000-90000000
	allow trusted domains = no
	client ldap sasl wrapping = plain
	template shell = /bin/sh
	template homedir = /home/%D/%U
	netbios name = BER0NAS01
	pid directory = /var/run/samba
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1
   

[Transfer]
	path = /mnt/extpool/Transfer
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	shadow:snapdir = .zfs/snapshot
	shadow:sort = desc
	shadow:localtime = yes
	shadow:format = auto-%Y%m%d.%H%M-1w
	shadow:snapdirseverywhere = yes
	vfs objects = shadow_copy2 zfs_space zfsacl streams_xattr fruit catia
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare


POSIX permission on problematic file:
Code:
-r-xrwxr-x+ 1 DOMAIN\domainuser  DOMAIN\domaingroup  109992 Oct 20 09:14 FL_HourTracking.xlsx


ACLs on problematic file
Code:
# file: FL_HourTracking.xlsx
# owner: DOMAIN\domainuser
# group: DOMAIN\domaingroup
group:DOMAIN\domaimuser:rwxpDdaARWcCo-:-------:allow
			group@:rwxpDdaARWcCo-:-------:allow
		everyone@:r-x---a-R-c---:-------:allow


Resetting the ACLs with winacl did not help:
Code:
sudo winacl -O 'DOMAIN\domainuser' -G 'DOMAIN\domaingroup' -v -p /PATH/TO/FILE


After reverting the system to 9.10.1 everything worked as it should. Could this be a bug or am I holding it wrong ;-)?
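
Added example (not part of the original post, and not FreeNAS or Samba code): a small Python parser for the NFSv4 ACL text quoted in the post, listing which principals hold an allow entry for a given permission and whether an owner@ entry exists. The permission-letter table follows FreeBSD's setfacl(1); deny entries and inheritance flags are not evaluated.

```python
# Added example: parse FreeBSD NFSv4 ACL text as printed by getfacl.
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}

# ACL text copied from the post above (principal names exactly as posted).
SAMPLE = r"""
# file: FL_HourTracking.xlsx
# owner: DOMAIN\domainuser
# group: DOMAIN\domaingroup
group:DOMAIN\domaimuser:rwxpDdaARWcCo-:-------:allow
            group@:rwxpDdaARWcCo-:-------:allow
         everyone@:r-x---a-R-c---:-------:allow
"""

def parse_acl(text):
    """Return (header dict, list of ACE dicts) from getfacl-style output."""
    header, aces = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line.lstrip("# ").partition(":")
            header[key.strip()] = value.strip()
            continue
        # Split from the right: perms, flags and type never contain ':'.
        who, perms, flags, ace_type = line.rsplit(":", 3)
        tag, _, qualifier = who.partition(":")
        aces.append({
            "tag": tag, "qualifier": qualifier or None, "type": ace_type,
            "perms": {PERM_NAMES[c] for c in perms if c != "-"},
            "flags": flags,
        })
    return header, aces

def holders(aces, perm):
    """Principals with an allow ACE granting perm (deny ACEs not evaluated)."""
    return [a["qualifier"] or a["tag"] for a in aces
            if a["type"] == "allow" and perm in a["perms"]]

def has_owner_entry(aces):
    """True if the ACL contains an owner@ entry."""
    return any(a["tag"] == "owner@" for a in aces)
```

Running `holders(aces, "delete")` on the ACL from the post shows that only the two group entries carry `delete` and `write_data`, and `has_owner_entry` shows there is no `owner@` entry.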
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
Well, I just reverted to an older version as a temporary workaround and planned to write a bug report on the weekend ;-)
 

dlavigne

Guest
Thanks. Please post the bug number here once it's created.
 

F!$hp0nd

Dabbler
Joined
Apr 18, 2016
Messages
13
I have had the same issues in our production based environment. It turns out that enabling any of the VFS objects besides the defaults results in chaos. I originally had Full-Audit turned on and found that we could not delete, rename, or save files to the shares. Try removing all the VFS objects except streams_xattr and aio_pthread and see if the issue clears up with 9.10.1u2. This one threw me for a loop. Odds are it has to do with the fact that FreeNAS is running the latest version of Samba, which is 4.3.*.*. I have had to roll back to Samba 4.2 on our CentOS file systems due to weird bugs in Samba 4.3.
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
Hi F!$hp0nd,

But it can't be related only to Samba 4.3.*, as reverting my production system back to FreeNAS 9.10.1 (d989edd) solved my problem temporarily, and that is still Samba 4.3.11.
 

F!$hp0nd

Dabbler
Joined
Apr 18, 2016
Messages
13
Just out of curiosity, when you opened a document and tried to save it back to the share, did it create a tmp file in the directory?
 

F!$hp0nd

Dabbler
Joined
Apr 18, 2016
Messages
13
Yeah, it has to do with the VFS modules then. This is a much deeper issue, because the Samba 4.3 versions on CentOS, Ubuntu and Apple are all reporting the same errors when VFS modules are enabled, besides recycle.
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
Damn, how can I participate in the discussion of the ticket? I guess I am dumb but I don't find a reply button or something like that...
 

felixb101

Cadet
Joined
Jan 25, 2017
Messages
3
Having the same issue with VFS as well, however I have to deal with OSX 10.12. My options are:
aio_pthread, fruit, catia and streams_xattr
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
felixb101 said:
Having the same issue with VFS as well, however I have to deal with OSX 10.12. My options are:
aio_pthread, fruit, catia and streams_xattr

Is it a new installation or did you update from an older installation? With what kind of files do you experience issues?

I just got a reply to my bug report today saying that the bug has been fixed, but I can't confirm this. At least not with the current 9.10.2-U1:

Excel files that have been created under 9.3-STABLE-201605170422 can't be deleted and modified under 9.10.2-U1 and vice versa.
 