SOLVED Upgrade from 9.2 -> current 9.3. All cifs have gone Readonly

Status
Not open for further replies.

TheEditor

Dabbler
Joined
Oct 24, 2013
Messages
14
I upgraded this weekend from 9.2.0 -> current 9.3 release with no issues. Had a bit of trouble getting it connected back to AD but it finally connected.

Home/lab environment with AD. My user has full permissions to the FreeNAS box. Effectively that's the only important permission.

I can write files no problem. I thought it had removed modify permissions for some reason but then I noticed all the Read Only flags set.

Found these but neither has a resolution:

https://forums.freenas.org/index.ph...-cifs-shares-to-no-longer-be-writeable.30727/

https://forums.freenas.org/index.php?threads/cifs-behaving-badly.39965/#post-249581

Before I ask if there is actually a resolution for this, can I:

1. Drop AD integration altogether and go back to unix permissions with a single user with full permissions. Will that work for windows and nix clients, since I work on both.

2. Drop back down to 9.2. If so is there a preferred way to do this?

If there is a way to fix I'm posting the same output asked for in that second post.

Thanks

EDIT: More information. (This may be correct but I just don't understand what is going on here.)

wbinfo -t gives me a succeeded
wbinfo -u gives me users. Yes, it shows users from the domain

What I'm noticing is this. If I create a new folder on the share, then strip inheritance. I cannot add a principal, it's as if it cannot talk to the DC. As in it can't find my user.

If I'm on the PDC itself I can strip all permissions, add new permissions, correct owner and everything. Still cannot remove the Readonly flag. Tells me I need "administrator permission". This makes 0 sense.
 

Attachments

  • Output.txt

TheEditor

Yeah. After playing with this for a while my question now has just become how do I actually get write access back to my entire share. AD integration aside I just need to remove these read only flags.

I'm not sure and I don't want to break it even more.
 

TheEditor

Here is an updated output file with everything you asked for. Everything is in one file.

Permissions should not be that crazy. Domain admins and myself.

As an additional update. I can change permissions on things, I can change owner. I just cannot get rid of the readonly flag.

Thank you
 

Attachments

  • FreeNasOutputUpdated.txt

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
If you want to entirely disable those DOS modes, you can add the following auxiliary parameters to your CIFS config:

Code:
store dos attributes = no
ea support = no
map archive = no
map hidden = no
map system = no
map readonly = no


It might show the box "read-only" checked, but it will have no effect.
 

TheEditor

I'm guessing I turn off cifs, add those to the config, start cifs and things will work? Just want to make sure I don't inadvertently do something wrong here. Also I bet they go under [global]?

Will turning those off cause any issues I should be aware of?

Thank you
 

anodos

You add them in the webgui via "Services" -> "CIFS", which automatically appends them to [global]. No need to turn off CIFS prior to the change. Absolutely harmless and easily reverted. It does not remove the DOSATTRIB extended attributes where 'readonly' is stored from your files / folders. Samba just ceases to read them.
 

TheEditor

Anodos, thank you! Seriously thank you. It seems to work, I can now write to files. I'll have to do more testing when I get home.

Two things.

1. I see a ton of "Bad smb2 signature for message" in the log. Should I be worried?

2. What caused this in the first place?
 

anodos


Try reducing server max protocol to SMB2 to see if the message goes away.

I'm not sure what would cause all of your files to get set with the "read only" DOS attribute. Your permissions are set as follows:
Code:
[root@hexnas] ~# getfacl /mnt/Data_Drv/Incoming/
# file: /mnt/Data_Drv/Incoming/
# owner: HEXHOME\bruce
# group: HEXHOME\domain admins
group:HEXHOME\bruce:rwxpDdaARWcCo-:------:allow
            group@:r-x---a-R-c---:------:allow
         everyone@:r-x---a-R-c---:------:allow
         everyone@:r-x---a-R-c---:fd----:allow
group:HEXHOME\administrator:rwxpDdaARWcCo-:fd----:allow
            group@:rwxpDdaARWcCo-:fd----:allow


See how you have multiple group@ and everyone@ entries? This shouldn't be happening. The last time I saw this sort of thing was in the bad days before FreeNAS switched to setting the aclmode on Windows datasets to "restricted". There is a code path in Samba where if "owner@" and "group@" lack write permissions, then the DOS attribute "read only" will be applied to the file. This is triggered by the smb4.conf parameter "map readonly = yes", which, although it is a default parameter, is supposed to be automatically disabled if the share has a parameter "store dos attributes = yes".

Evidently, Samba was still treating the share as having "map readonly = yes", reading only the first "group@" entry and the lack of an "owner@" entry in such a way as to trigger the above code path. This is, of course, conjecture.
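
A small Python check for the two ACL symptoms described in the post above (repeated group@ / everyone@ entries and a missing owner@ entry), run over the getfacl output quoted in the thread. This is an added example, not part of the original thread and not FreeNAS or Samba code; the function names and the `readonly_suspect` heuristic are assumptions that model the conjecture in the post, not Samba's actual logic.

```python
from collections import Counter

# getfacl output quoted in the thread above (NFSv4-style ACL on the dataset).
SAMPLE = r"""# file: /mnt/Data_Drv/Incoming/
# owner: HEXHOME\bruce
# group: HEXHOME\domain admins
group:HEXHOME\bruce:rwxpDdaARWcCo-:------:allow
            group@:r-x---a-R-c---:------:allow
         everyone@:r-x---a-R-c---:------:allow
         everyone@:r-x---a-R-c---:fd----:allow
group:HEXHOME\administrator:rwxpDdaARWcCo-:fd----:allow
            group@:rwxpDdaARWcCo-:fd----:allow
"""

SPECIAL = ("owner@", "group@", "everyone@")


def parse_acl(text):
    """Return [(who, perms, flags, ace_type), ...] in ACL order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the "# file/owner/group" header
        # The principal may itself contain ':' ("group:DOMAIN\user"),
        # so split the three trailing fields off from the right.
        parts = line.rsplit(":", 3)
        if len(parts) == 4:
            entries.append(tuple(parts))
    return entries


def audit(entries):
    """Flag the ACL shape the post associates with the read-only mapping."""
    counts = Counter(who for who, *_ in entries if who in SPECIAL)

    def first_allows_write(who):
        # Only the first matching allow entry is considered, as conjectured.
        for w, perms, _flags, kind in entries:
            if w == who and kind == "allow":
                return "w" in perms
        return False  # no such entry at all

    owner_w, group_w = first_allows_write("owner@"), first_allows_write("group@")
    return {
        "duplicates": sorted(w for w, n in counts.items() if n > 1),
        "missing": [w for w in SPECIAL if counts[w] == 0],
        "readonly_suspect": not owner_w and not group_w,  # assumption, see lead-in
    }


if __name__ == "__main__":
    print(audit(parse_acl(SAMPLE)))
```

To check another path, replace `SAMPLE` with the output of `getfacl` for that path.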
 

TheEditor

Would deleting the share and recreating it clear all that out and give me a fresh start with the permissions?
 

anodos

No need to delete shares. Just click on "Storage" -> "volumes". Then expand your dataset and click on "change permissions". Set owner how you want it, then check the box "recursively set permissions" and click "OK". Then go to your share config and check the box "apply default permissions" and click "OK". Once you've done this, navigate to \\<server> and fine-tune permissions as needed.
 