Same
Compare the Samba configurations ...
I doubt the output of testparm -v on both systems is identical ...
FreeNAS
root@dom[~]# testparm -v Load smb config files from /usr/local/etc/smb4.conf Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions # Global parameters [global] abort shutdown script = add group script = additional dns hostnames = add machine script = addport command = addprinter command = add share command = add user script = add user to group script = ads dns update = Yes afs token lifetime = 604800 afs username map = aio max threads = 2 algorithmic rid base = 1000 allow dcerpc auth level connect = No allow dns updates = secure only allow insecure wide links = No allow nt4 crypto = No allow trusted domains = Yes allow unsafe cluster upgrade = No apply group policies = No async smb echo handler = No auth event notification = No auto services = binddns dir = /var/run/samba4/bind-dns bind interfaces only = Yes browse list = Yes cache directory = /var/run/samba4 change notify = Yes change share command = check password script = cldap port = 389 client ipc max protocol = default client ipc min protocol = default client ipc signing = default client lanman auth = No client ldap sasl wrapping = sign client max protocol = default client min protocol = CORE client NTLMv2 auth = Yes client plaintext auth = No client schannel = Yes client signing = default client use spnego principal = No client use spnego = Yes cluster addresses = clustering = No config backend = file config file = create krb5 conf = Yes ctdbd socket = ctdb locktime warn threshold = 0 ctdb timeout = 0 cups connection timeout = 30 cups encrypt = No cups server = dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver deadtime = 0 debug class = No debug hires timestamp = Yes debug pid = No debug prefix timestamp = No debug uid = No dedicated keytab file = default service = defer sharing violations = Yes delete group script = deleteprinter command = delete share command 
= delete user from group script = delete user script = dgram port = 138 disable netbios = No disable spoolss = Yes dns forwarder = dns proxy = No dns update command = /usr/local/sbin/samba_dnsupdate dns zone scavenging = No domain logons = No domain master = Auto dos charset = CP850 dsdb event notification = No dsdb group change notification = No dsdb password event notification = No enable asu support = No enable core files = Yes enable privileges = Yes enable web service discovery = Yes encrypt passwords = Yes enhanced browsing = Yes enumports command = eventlog list = get quota command = getwd cache = Yes gpo update command = /usr/local/sbin/samba-gpupdate guest account = nobody homedir map = auto.home host msdfs = Yes hostname lookups = No idmap backend = tdb idmap cache time = 604800 idmap gid = idmap negative cache time = 120 idmap uid = include system krb5 conf = Yes init logon delay = 100 init logon delayed hosts = interfaces = iprint server = keepalive = 300 kerberos encryption types = all kerberos method = default kernel change notify = No kpasswd port = 464 krb5 port = 88 lanman auth = No large readwrite = Yes ldap admin dn = ldap connection timeout = 2 ldap debug level = 0 ldap debug threshold = 10 ldap delete dn = No ldap deref = auto ldap follow referral = Auto ldap group suffix = ldap idmap suffix = ldap machine suffix = ldap page size = 1000 ldap passwd sync = no ldap replication sleep = 1000 ldap server require strong auth = Yes ldap ssl = start tls ldap ssl ads = No ldap suffix = ldap timeout = 15 ldap user suffix = lm announce = Auto lm interval = 60 load printers = No local master = Yes lock directory = /var/run/samba4 lock spin time = 200 log file = logging = file log level = 1 log nt token command = logon drive = logon home = \\%N\%U logon path = \\%N\%U\profile logon script = log writeable files on exit = No lpq cache time = 30 lsa over netlogon = No machine password timeout = 604800 mangle prefix = 1 mangling method = hash2 map to guest = 
Never max disk size = 0 max log size = 51200 max mux = 50 max open files = 467343 max smbd processes = 0 max stat cache size = 512 max ttl = 259200 max wins ttl = 518400 max xmit = 16644 mdns name = netbios message command = min receivefile size = 0 min wins ttl = 21600 mit kdc command = multicast dns register = Yes name cache timeout = 660 name resolve order = lmhosts wins host bcast nbt client socket address = 0.0.0.0 nbt port = 137 ncalrpc dir = /var/run/samba4/ncalrpc netbios aliases = netbios name = DOM netbios scope = neutralize nt4 emulation = No NIS homedir = No nmbd bind explicit broadcast = Yes nsupdate command = /usr/local/bin/samba-nsupdate -g ntlm auth = ntlmv2-only nt pipe support = Yes ntp signd socket directory = /var/run/samba4/ntp_signd nt status support = Yes null passwords = No obey pam restrictions = No old password allowed period = 60 oplock break wait time = 0 os2 driver map = os level = 20 pam password change = No panic action = passdb backend = tdbsam passdb expand explicit = No passwd chat = *new*password* %n\n *new*password* %n\n *changed* passwd chat debug = No passwd chat timeout = 2 passwd program = password hash gpg key ids = password hash userPassword schemes = password server = * perfcount module = pid directory = /var/run/samba4 preferred master = Auto prefork backoff increment = 10 prefork children = 4 prefork maximum backoff = 120 preload modules = printcap cache time = 750 printcap name = private dir = /var/db/system/samba4/private raw NTLMv2 auth = No read raw = Yes realm = registry shares = No reject md5 clients = No reject md5 servers = No remote announce = remote browse sync = rename user script = require strong key = Yes reset on zero vc = No restrict anonymous = 2 rndc command = /usr/sbin/rndc root directory = rpc big endian = No rpc server dynamic port range = 49152-65535 rpc server port = 0 samba kcc command = /usr/local/sbin/samba_kcc security = AUTO server max protocol = SMB3 server min protocol = SMB2_02 server multi 
channel support = No server role = standalone server server schannel = Yes server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns server signing = default server string = FreeNAS Server set primary group script = set quota command = share backend = classic show add printer wizard = Yes shutdown script = smb2 leases = Yes smb2 max credits = 8192 smb2 max read = 8388608 smb2 max trans = 8388608 smb2 max write = 8388608 smbd profiling level = off smb passwd file = /var/db/system/samba4/private/smbpasswd smb ports = 445 139 socket options = TCP_NODELAY spn update command = /usr/local/sbin/samba_spnupdate stat cache = Yes state directory = /var/db/system/samba4 svcctl list = syslog = 1 syslog only = No template homedir = /home/%D/%U template shell = /bin/false time server = No timestamp logs = Yes tls cafile = tls/ca.pem tls certfile = tls/cert.pem tls crlfile = tls dh params file = tls enabled = Yes tls keyfile = tls/key.pem tls priority = NORMAL:-VERS-SSL3.0 tls verify peer = as_strict_as_possible truenas passive controller = No unicode = Yes unix charset = UTF-8 unix extensions = No unix password sync = No use mmap = Yes username level = 0 username map = username map cache time = 0 username map script = usershare allow guests = No usershare max shares = 0 usershare owner only = Yes usershare path = /var/db/system/samba4/usershares usershare prefix allow list = usershare prefix deny list = usershare template share = utmp = No utmp directory = web port = 901 winbind cache time = 300 winbindd socket directory = /var/run/samba4/winbindd winbind enum groups = No winbind enum users = No winbind expand groups = 0 winbind max clients = 200 winbind max domain connections = 1 winbind nested groups = Yes winbind netbios alias spn = Yes winbind normalize names = No winbind nss info = template winbind offline logon = No winbind reconnect delay = 30 winbind refresh tickets = No winbind request timeout = 60 winbind rpc only = No 
winbind scan trusted domains = Yes winbind sealed pipes = Yes winbind separator = \ winbind status fifo = No winbind use default domain = No winbind use krb5 enterprise principals = No wins hook = wins proxy = No wins server = wins support = No workgroup = WORKGROUP write raw = Yes wtmp directory = zeroconf name = idmap config *: range = 90000001-100000000 idmap config * : backend = tdb access based share enum = No acl allow execute always = No acl check permissions = Yes acl group control = No acl map full control = Yes administrative share = No admin users = afs share = No aio read size = 1 aio write behind = aio write size = 1 allocation roundup size = 0 available = Yes blocking locks = Yes block size = 1024 browseable = Yes case sensitive = Auto check parent directory delete on close = No comment = copy = create mask = 0744 csc policy = manual cups options = default case = lower default devmode = Yes delete readonly = No delete veto files = No dfree cache time = 0 dfree command = directory mask = 0755 directory name cache size = 0 dmapi support = No dont descend = dos filemode = Yes dos filetime resolution = No dos filetimes = Yes durable handles = Yes ea support = Yes fake directory create times = No fake oplocks = No follow symlinks = Yes force create mode = 0000 force directory mode = 0000 force group = force printername = No force unknown acl user = No force user = fstype = NTFS guest ok = No guest only = No hide dot files = Yes hide files = hide new files timeout = 0 hide special files = No hide unreadable = No hide unwriteable files = No hosts allow = hosts deny = include = /usr/local/etc/smb4_share.conf inherit acls = No inherit owner = no inherit permissions = No invalid users = kernel oplocks = No kernel share modes = Yes level2 oplocks = Yes locking = Yes lppause command = lpq command = lpq -P'%p' lpresume command = lprm command = lprm -P'%p' %j magic output = magic script = mangled names = yes mangling char = ~ map acl inherit = No map archive = Yes 
map hidden = No map readonly = no map system = No max connections = 0 max print jobs = 1000 max reported print jobs = 0 min print space = 0 msdfs proxy = msdfs root = No msdfs shuffle referrals = No nt acl support = Yes ntvfs handler = unixuid, default oplocks = Yes path = posix locking = Yes postexec = preexec = preexec close = No preserve case = Yes printable = No print command = lpr -r -P'%p' %s printer name = printing = bsd printjob username = %U print notify backchannel = No queuepause command = queueresume command = read list = read only = Yes root postexec = root preexec = root preexec close = No short preserve case = Yes smbd async dosmode = No smbd getinfo ask sharemode = Yes smbd max async dosmode = 0 smbd search ask sharemode = Yes smb encrypt = default spotlight = No store dos attributes = Yes strict allocate = No strict locking = Auto strict rename = No strict sync = Yes sync always = No use client driver = No use sendfile = No valid users = veto files = veto oplock files = vfs objects = volume = wide links = No write cache size = 0 write list = [Dom] aio write size = 0 ea support = No mangled names = illegal path = /mnt/Seagate_4TB/Dom read only = No vfs objects = shadow_copy_zfs ixnas nfs4:acedup = merge nfs4:chown = true [Wymiana] aio write size = 0 ea support = No mangled names = illegal path = /mnt/Seagate_4TB/Wymiana read only = No vfs objects = streams_xattr shadow_copy_zfs ixnas nfs4:acedup = merge nfs4:chown = true [Zdjecia] aio write size = 0 ea support = No mangled names = illegal path = /mnt/Seagate_4TB/Zdjecia read only = No vfs objects = shadow_copy_zfs ixnas nfs4:acedup = merge nfs4:chown = true
Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions # Global parameters [global] dos charset = CP850 unix charset = UTF-8 workgroup = WORKGROUP realm = netbios name = UBUNTU netbios aliases = netbios scope = server string = %h server (Samba, Ubuntu) interfaces = 192.168.0.193/24 eth0 bind interfaces only = No config backend = file server role = standalone server security = AUTO auth methods = encrypt passwords = Yes client schannel = Auto server schannel = Auto allow trusted domains = Yes map to guest = Bad User null passwords = No old password allowed period = 60 obey pam restrictions = Yes password server = * smb passwd file = /etc/samba/smbpasswd private dir = /var/lib/samba/private passdb backend = tdbsam algorithmic rid base = 1000 root directory = guest account = nobody enable privileges = Yes pam password change = Yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . 
passwd chat debug = No passwd chat timeout = 2 check password script = username map = username level = 0 unix password sync = Yes restrict anonymous = 0 lanman auth = No ntlm auth = Yes raw NTLMv2 auth = No client NTLMv2 auth = Yes client lanman auth = No client plaintext auth = No client use spnego principal = No preload modules = dedicated keytab file = kerberos method = default map untrusted to domain = No log level = 2 syslog = 0 syslog only = No log file = /var/log/samba/log.%m logging = max log size = 1000 debug timestamp = Yes timestamp logs = Yes debug prefix timestamp = No debug hires timestamp = Yes debug pid = No debug uid = No debug class = No enable core files = Yes smb ports = 445 139 large readwrite = Yes server max protocol = SMB3 max protocol = SMB3 protocol = SMB3 server min protocol = LANMAN1 min protocol = LANMAN1 client max protocol = default client min protocol = CORE unicode = Yes min receivefile size = 0 read raw = Yes write raw = Yes disable netbios = No reset on zero vc = No log writeable files on exit = No defer sharing violations = Yes nt pipe support = Yes nt status support = Yes smbd profiling level = off max mux = 50 max xmit = 16644 name resolve order = lmhosts wins host bcast max ttl = 259200 max wins ttl = 518400 min wins ttl = 21600 time server = No unix extensions = Yes use spnego = Yes client signing = default server signing = default client use spnego = Yes client ldap sasl wrapping = sign ldap server require strong auth = Yes enable asu support = No svcctl list = cldap port = 389 dgram port = 138 nbt port = 137 krb5 port = 88 kpasswd port = 464 web port = 901 rpc big endian = No deadtime = 0 getwd cache = Yes keepalive = 300 change notify = Yes kernel change notify = Yes lpq cache time = 30 max smbd processes = 0 max disk size = 0 max open files = 16384 socket options = TCP_NODELAY use mmap = Yes hostname lookups = No name cache timeout = 660 ctdbd socket = cluster addresses = clustering = No ctdb timeout = 0 ctdb locktime 
warn threshold = 0 smb2 max read = 8388608 smb2 max write = 8388608 smb2 max trans = 8388608 smb2 max credits = 8192 load printers = Yes printcap cache time = 750 printcap name = cups server = cups encrypt = No cups connection timeout = 30 iprint server = disable spoolss = No addport command = enumports command = addprinter command = deleteprinter command = show add printer wizard = Yes os2 driver map = mangling method = hash2 mangle prefix = 1 max stat cache size = 256 stat cache = Yes machine password timeout = 604800 add user script = rename user script = delete user script = add group script = delete group script = add user to group script = delete user from group script = set primary group script = add machine script = shutdown script = abort shutdown script = username map script = username map cache time = 0 logon script = logon path = \\%N\%U\profile logon drive = logon home = \\%N\%U domain logons = No init logon delayed hosts = init logon delay = 100 os level = 20 lm announce = Auto lm interval = 60 preferred master = Auto local master = Yes domain master = Auto browse list = Yes enhanced browsing = Yes dns proxy = No wins proxy = No wins server = wins support = No wins hook = smb2 leases = No lock spin time = 200 oplock break wait time = 0 ldap admin dn = ldap delete dn = No ldap group suffix = ldap idmap suffix = ldap machine suffix = ldap passwd sync = no ldap replication sleep = 1000 ldap suffix = ldap ssl = start tls ldap ssl ads = No ldap deref = auto ldap follow referral = Auto ldap timeout = 15 ldap connection timeout = 2 ldap page size = 1024 ldap user suffix = ldap debug level = 0 ldap debug threshold = 10 eventlog list = add share command = change share command = delete share command = config file = preload = auto services = lock directory = /var/run/samba state directory = /var/lib/samba cache directory = /var/cache/samba pid directory = /var/run/samba ntp signd socket directory = /var/lib/samba/ntp_signd utmp directory = wtmp directory = utmp 
= No default service = default = message command = get quota command = set quota command = remote announce = remote browse sync = nbt client socket address = 0.0.0.0 socket address = 0.0.0.0 nmbd bind explicit broadcast = Yes homedir map = auto.home afs username map = afs token lifetime = 604800 log nt token command = NIS homedir = No registry shares = No usershare allow guests = Yes usershare max shares = 100 usershare owner only = Yes usershare path = /var/lib/samba/usershares usershare prefix allow list = usershare prefix deny list = usershare template share = allow insecure wide links = No async smb echo handler = No panic action = /usr/share/samba/panic-action %d perfcount module = host msdfs = Yes passdb expand explicit = No idmap backend = tdb idmap cache time = 604800 idmap negative cache time = 120 idmap uid = idmap gid = template homedir = /home/%D/%U template shell = /bin/false winbind separator = \ winbind cache time = 300 winbind reconnect delay = 30 winbind request timeout = 60 winbind max clients = 200 winbind enum users = No winbind enum groups = No winbind use default domain = No winbind trusted domains only = No winbind nested groups = Yes winbind expand groups = 0 winbind nss info = template winbind refresh tickets = No winbind offline logon = No winbind normalize names = No winbind rpc only = No create krb5 conf = Yes ncalrpc dir = /var/run/samba/ncalrpc winbind max domain connections = 1 winbindd socket directory = /var/run/samba/winbindd winbindd privileged socket directory = /var/lib/samba/winbindd_privileged winbind sealed pipes = Yes neutralize nt4 emulation = No reject md5 servers = No require strong key = Yes allow dns updates = secure only dns forwarder = dns update command = /usr/sbin/samba_dnsupdate nsupdate command = /usr/bin/nsupdate -g rndc command = /usr/sbin/rndc multicast dns register = Yes samba kcc command = /usr/sbin/samba_kcc server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, 
dnsupdate, dns dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver spn update command = /usr/sbin/samba_spnupdate share backend = classic allow nt4 crypto = No reject md5 clients = No tls enabled = Yes tls keyfile = tls/key.pem tls certfile = tls/cert.pem tls cafile = tls/ca.pem tls crlfile = tls dh params file = tls priority = NORMAL:-VERS-SSL3.0 tls verify peer = as_strict_as_possible client ipc max protocol = default client ipc min protocol = default client ipc signing = default allow dcerpc auth level connect = No idmap config * : backend = tdb comment = path = username = invalid users = valid users = admin users = read list = write list = force user = force group = group = read only = Yes spotlight = No acl check permissions = Yes acl group control = No acl map full control = Yes acl allow execute always = No create mask = 0744 force create mode = 0000 directory mask = 0755 directory mode = 0755 force directory mode = 0000 force unknown acl user = No inherit permissions = No inherit acls = No inherit owner = No guest only = No administrative share = No guest ok = No only user = No hosts allow = hosts deny = allocation roundup size = 1048576 aio read size = 0 aio write size = 0 aio write behind = ea support = No nt acl support = Yes profile acls = No map acl inherit = No afs share = No smb encrypt = default durable handles = Yes block size = 1024 directory name cache size = 100 max connections = 0 min print space = 0 strict allocate = No strict rename = No strict sync = No sync always = No use sendfile = No write cache size = 0 max reported print jobs = 0 max print jobs = 1000 printable = No print notify backchannel = No printing = cups cups options = print command = lpq command = %p lprm command = lppause command = lpresume command = queuepause command = queueresume command = printer name = use client driver = No default devmode = Yes force printername = No 
printjob username = %U default case = lower case sensitive = Auto preserve case = Yes short preserve case = Yes mangling char = ~ hide dot files = Yes hide special files = No hide unreadable = No hide unwriteable files = No delete veto files = No veto files = hide files = veto oplock files = map archive = Yes map hidden = No map system = No map readonly = yes mangled names = Yes store dos attributes = No dmapi support = No browseable = Yes access based share enum = No blocking locks = Yes csc policy = manual fake oplocks = No kernel oplocks = No kernel share modes = Yes locking = Yes oplocks = Yes level2 oplocks = Yes oplock contention limit = 2 posix locking = Yes strict locking = Auto dfree cache time = 0 dfree command = include = preexec = exec = preexec close = No postexec = root preexec = root preexec close = No root postexec = available = Yes volume = fstype = NTFS wide links = No follow symlinks = Yes dont descend = magic script = magic output = delete readonly = No dos filemode = No dos filetimes = Yes dos filetime resolution = No fake directory create times = No vfs objects = msdfs root = No msdfs proxy = msdfs shuffle referrals = No ntvfs handler = unixuid, default [printers] comment = All Printers path = /var/spool/samba create mask = 0700 printable = Yes browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/printers [public] comment = smb share path = /media/storage/ read only = No guest ok = Yes
Then why does it pop up?!?
My experience with this error message is that either (1) the Windows client considers the server in question to be in an untrusted security zone or (2) the file in question has a Zone.Identifier alternate datastream written to it.
In this case the alternate datastream indicates to the Windows client that the file originates from an untrusted source (for instance... the internet).
MacOS has the same behavior (writing file origins to alternate datastreams if possible). I don't see anything that is a bug here. Who said it was a bug on our side? I see no chatter in the samba mailing lists or their bug tracker.
You can view a list of xattrs on every file in a directory on FreeNAS at once by running the command
lsextattr user /path/to/dir/*
lsextattr user /mnt/Seagate_4TB/Dom/*
/mnt/Seagate_4TB/Dom/_Umowa ramowa o prowadzenie rachunków bankowych NestBank.pd f DosStream.Zone.Identifier:$DATA
/mnt/Seagate_4TB/Dom/_umowa_kupna_sprzedazy_samochodu.pdf
/mnt/Seagate_4TB/Dom/0205090jhghjbvcfghjnbvfghjn vhjuytrewsdcvbhju87654esxcfg@$$ $@@$ghjufychv bjknhoiuivjb nkjhuoivgjb0210.rar
/mnt/Seagate_4TB/Dom/23IktkqTURBXy9iMDM2MTEwOGRjODQ4M2FhMmQyODg2Y2E2YjJiNDhiNi5q cGVnkpUDAB_NA-jNAjKTBc0DFM0BvA.jpg DosStream.Zone.Identifier:$DATA
/mnt/Seagate_4TB/Dom/4-2018-0 (1).pub
/mnt/Seagate_4TB/Dom/48375457_360118198114023_3128233477216927744_n.jpg
/mnt/Seagate_4TB/Dom/49422673_314062669211831_6142278256662937600_n.jpg
/mnt/Seagate_4TB/Dom/56deb7f4c8fd3.jpg DosStream.Zone.Identifier:$DATA
/mnt/Seagate_4TB/Dom/866aea10-d587-4521-99e3-90873ebd7669.pdf
It's a design / security feature in Windows clients.
Then why does it pop up?!?
In my case, computers have now arrived, I have 150 and additionally a format is made every 90 days. I really need to solve it at FreeNAS level.
It's a design / security feature in Windows clients.
testparm results, sorry. I would first run diff on them. Then possibly return to the Samba folks with the results. My first question holds, though - what about AD, domain membership and stuff ...?
My server is not a member of AD. I also don't have AD on Windows Server if you ask.
Is the FreeNAS server a member of your AD domain? Do you have an AD? At 150 clients I assume you do ...
Yes :(
You manage 150 Windows desktops without a Windows server or any other domain controller? Phew ...
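
The comparison suggested in the thread (run diff on the two testparm outputs), done per parameter instead of per line; this is an added example, not code posted by anyone in the thread. The sample text is a short excerpt rebuilt from the two dumps above, and the WATCH list and function names are assumptions made for the example.

```python
# Added example: compare two `testparm -sv` dumps by parameter, not by line.
import re

# Excerpts rebuilt from the two dumps posted in this thread (a few
# parameters only), laid out one per line as testparm prints them.
FREENAS = """\
Loaded services file OK.
[global]
    map to guest = Never
    ntlm auth = ntlmv2-only
    restrict anonymous = 2
    server min protocol = SMB2_02
    smb ports = 445 139
    store dos attributes = Yes
    usershare allow guests = No

[Wymiana]
    path = /mnt/Seagate_4TB/Wymiana
    read only = No
    vfs objects = streams_xattr shadow_copy_zfs ixnas
"""

UBUNTU = """\
Loaded services file OK.
[global]
    map to guest = Bad User
    ntlm auth = Yes
    restrict anonymous = 0
    server min protocol = LANMAN1
    smb ports = 445 139
    store dos attributes = No
    usershare allow guests = Yes

[public]
    path = /media/storage/
    read only = No
    guest ok = Yes
"""

# Assumption: a watch-list chosen for this example, not a Samba feature.
WATCH = {"map to guest", "ntlm auth", "restrict anonymous",
         "server min protocol", "usershare allow guests", "guest ok"}


def parse_testparm(text):
    """Return {section: {parameter: value}} from testparm output."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = conf.setdefault(m.group(1).lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse spacing too.
            current[" ".join(name.lower().split())] = value.strip()
    return conf


def diff_section(left, right, section="global"):
    """Parameters whose values differ, as {name: (left, right)}."""
    a, b = left.get(section, {}), right.get(section, {})
    return {n: (a.get(n), b.get(n))
            for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}


def guest_shares(conf):
    """Shares that accept unauthenticated (guest) connections."""
    return sorted(s for s, p in conf.items()
                  if s != "global" and p.get("guest ok", "no").lower() == "yes")


if __name__ == "__main__":
    fn, ub = parse_testparm(FREENAS), parse_testparm(UBUNTU)
    for name, (l, r) in diff_section(fn, ub).items():
        flag = "!" if name in WATCH else " "
        print(f"{flag} {name}: FreeNAS={l!r} Ubuntu={r!r}")
    print("guest shares on Ubuntu:", guest_shares(ub))
```

On real systems, feed it the saved output of testparm -sv from each host; lines marked with ! are the ones on the watch-list.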