11.2 U2 changes how SMB+Unix share permissions work

MikeyG

Patron
Joined
Dec 8, 2017
Messages
442
I no longer have write access to my smb shares. I can create files, but not modify or delete. Even if I do chmod 777 on the files, I'm still unable to delete them from windows explorer. Switching to the user that has ownership of the files in the terminal, permissions work as expected so this is purely via smb.

If I re-set up the shares with "Apply Default Permissions" checked, then it works correctly. However, a + is added to the folder, and a .windows folder is created inside of it even though the folders are set up with Unix Permissions. When I go to check the permissions on the dataset, it is now set to Windows permissions.

I have always used unix permissions, because I access the smb shares from a combination of Windows and Linux VMs, and I like to be able to see and modify what the permissions are directly from the terminal.

Is this new functionality intentional? If I re-set up the shares using all windows permissions, does this break my ability to set them via terminal? When I looked into this previously, it seemed that if I use Windows permissions, it meant that permissions had to be modified within windows explorer. (Although I'm aware there are sets of commands other than chmod and chown that I never learned to use that deal with the more complex permission set.)

I have tested this on two different FreeNAS systems that I upgraded to 11.2 U2 today, and they behave identically.

Ideas?
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I have tested this on two different FreeNAS systems that I upgraded to 11.2 U2 today, and they behave identically.
Interesting. Did you file a bug report? I bet that it would be a good idea.
 

MikeyG

Patron
Joined
Dec 8, 2017
Messages
442
Interesting. Did you file a bug report? I bet that it would be a good idea.

Not yet. I was hoping someone else could test and verify I'm not missing something.
 

MikeyG

Patron
Joined
Dec 8, 2017
Messages
442
Reverted back to 11.2 release on one system, and shares started working again correctly using only unix permissions.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
Reverted back to 11.2 release on one system, and shares started working again correctly using only unix permissions.
This could be a result of some other change, but the best way to get a fact based answer is to get the developers to look into it. If you decide to open a ticket, please post the number here.
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81
Having the same issue, exact same use case and reasons.
Do I not know something about the Windows permissions type? In other words, what is the intended way of achieving the same functionality?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you post the output of testparm -s? A significant number of changes went into 11.2-U2 related to SMB (including bumping the Samba version to 4.9.4).
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81
Code:
# Global parameters
[global]
    bind interfaces only = Yes
    deadtime = 15
    disable spoolss = Yes
    dns proxy = No
    dos charset = CP437
    hostname lookups = Yes
    interfaces = 127.0.0.1 10.2.0.2
    kernel change notify = No
    lm announce = Yes
    load printers = No
    logging = file
    max log size = 51200
    max open files = 854012
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    obey pam restrictions = Yes
    panic action = /usr/local/libexec/samba/samba-backtrace
    printcap name = /dev/null
    security = USER
    server min protocol = SMB2_02
    server role = standalone server
    server string = FreeNAS Server
    time server = Yes
    unix extensions = No
    username map = /usr/local/etc/smbusers
    idmap config *: range = 90000001-100000000
    idmap config * : backend = tdb
    acl allow execute always = Yes
    create mask = 0666
    directory mask = 0777
    directory name cache size = 0
    dos filemode = Yes
    strict locking = No


[PRIVATE]
    path = "/mnt/triplet/PRIVATE"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special


[PUBLIC]
    path = "/mnt/triplet/PUBLIC"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special


[node0]
    path = "/mnt/node0"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special


[node1]
    path = "/mnt/node1"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special


[node2]
    path = "/mnt/node2"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special


[node3]
    path = "/mnt/node3"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special


[test]
    path = "/mnt/triplet/TEST"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Which share are you having problems with? Can you perhaps PM me a debug file (system->advanced->Save Debug)
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81
Which share are you having problems with? Can you perhaps PM me a debug file (system->advanced->Save Debug)
All of them except 'TEST', which is the only one with Windows permissions type. The ones that are Unix type stopped working on Windows.
On Debian I can no longer access any of the CIFS shares. No matter what version I specify, it gives "mount error(95): Operation not supported".

Can you perhaps PM me a debug file (system->advanced->Save Debug)
I'd rather leave it as a last resort measure.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
All of them except 'TEST', which is the only one with Windows permissions type. The ones that are Unix type stopped working on Windows.
On Debian I can no longer access any of the CIFS shares. No matter what version I specify, it gives "mount error(95): Operation not supported".
I'd rather leave it as a last resort measure.
Okay. In that case, I need the contents of /var/log/samba4/, the output of net groupmap list, net get localsid, and pdbedit -Lv, and getfacl output for the paths to a working share and a broken share.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
All of them except 'TEST', which is the only one with Windows permissions type. The ones that are Unix type stopped working on Windows.
On Debian I can no longer access any of the CIFS shares. No matter what version I specify, it gives "mount error(95): Operation not supported".


I'd rather leave it as a last resort measure.
Can you also try checking the "allow SMB1" box under Services->SMB?
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81
Can you also try checking the "allow SMB1" box under Services->SMB?
Allowing SMB1, I am able to connect from Linux.

Okay. In that case, I need the contents of /var/log/samba4/, the output of net groupmap list, net get localsid, and pdbedit -Lv, and getfacl output for the paths to a working share and a broken share.
Sent link in PM
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It looks like I may have introduced a regression in zfsacl behavior. @mgittelman if you feel up for experimentation, can you try the following:
1) Check the "enable SMB1" checkbox under services->SMB
2) replace "zfsacl" with the "ixnas" module on one of your shares to verify that permissions are working as expected.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
@anodos There's a fundamental problem here for sharing a dataset with "unix" share type via smb.

1. create a dataset and select "unix" as share type. Leave default perms as 755 and set owner/group

Code:
[chris@freenas /mnt/NasPool]$ ls -l
drwxr-xr-x  2 chris  chris  2 Feb 19 16:00 winshare
[chris@freenas /mnt/NasPool]$ getfacl winshare

# file: winshare
# owner: chris
# group: chris
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
[chris@freenas /mnt/NasPool]$


2. Create a new windows share on this dataset. On the new UI the "default permissions" checkbox is not visible unless in advanced mode, and is then auto-selected. An end user might not see this. When the "default permissions" checkbox is selected, the perms on the dataset revert to a "windows type" - 775 and getfacl reflects this:

Code:
[chris@freenas /mnt/NasPool]$ ls -l  winshare
total 11
drwxrwxr-x+ 2 chris  chris  3 Feb 19 16:05 winshare
[chris@freenas /mnt/NasPool]$ getfacl winshare
# file: winshare
# owner: chris
# group: chris
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
[chris@freenas /mnt/NasPool]$


3. If you now go back to the dataset and change the share type back to unix again, you end up with this:

Code:
[chris@freenas /mnt/NasPool]$ getfacl winshare

# file: winshare
# owner: chris
# group: chris
            owner@:rwxpDdaARWcCos:fdi----:allow
            group@:rwxpDdaARWcCos:fdi----:allow
         everyone@:r-x---a-R-c---:fdi----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
[chris@freenas /mnt/NasPool]$
[chris@freenas /mnt/NasPool]$ ls -l  
total 11
drwxr-xr-x  3 root   wheel  3 Dec 21 09:20 home
drwxr-xr-x  6 root   wheel  6 Dec 21 09:52 myJails
drwxr-xr-x  6 root   wheel  6 Jan  1 15:32 topdataset
drwxr-xr-x+ 2 chris  chris  2 Feb 19 16:10 winshare


AFAIK, the behaviour in step 2 above has always been like this, but in FN11.2-U2 it's now not possible to reverse this change. Also, if you return to edit a smb share where you know "default perms" has been previously checked, this option is displayed as unchecked.

Browsing smb shares in Linux file managers might require insecure SMB1, but mounting at the CLI in any up to date distro doesn't, e.g.:

Code:
root@sweep:/# mount -t cifs -o user=chris,uid=1000,gid=1000 //192.168.0.56/winshare /home/chris/CIFS  
Password for chris@//192.168.0.56/winshare:  ********
root@sweep:/
#

Code:
root@freenas:~ # smbstatus

Samba version 4.9.4
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
16323   chris        chris        192.168.0.201 (ipv4:192.168.0.201:44578)  SMB3_02           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing      
---------------------------------------------------------------------------------------------
IPC$         16323   192.168.0.201 Tue Feb 19 16:34:05 2019 GMT     -            -            
winshare     16323   192.168.0.201 Tue Feb 19 16:34:05 2019 GMT     -            -            

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
16323        1000       DENY_NONE  0x80        RDONLY     NONE             /mnt/NasPool/winshare   .   Tue Feb 19 16:34:04 2019

root@freenas:~ #
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Yes, we changed what was allowed via the UI so that users can change Windows -> Unix permissions type. This performs a chmod (possibly with a -R) on the dataset in question. The resulting permissions are what you would expect with this combination of actions. In general, it's not a great idea to do this, but we allow it. If you need to strip the extended ACL, you can perform a find /mnt/NasPool/winshare | setfacl -b. We can't perform this action by default because it is significantly more destructive than a recursive chmod. Big picture: we need a graphical ACL editor in the GUI.
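The state KrisBee shows in step 3 (inherit-only ACEs left over from the Windows share type sitting next to the trivial Unix ACEs) and the "strip the extended ACL" point in the reply above are both invisible to a plain ls -l, which reports 755. The following Python helper is an added example, not code from this thread or from FreeNAS: it parses FreeBSD getfacl NFSv4 output, derives the mode the object-level ACEs actually grant, reports whether the ACL is trivial (what the Unix share type expects), and lists the tags whose inherit-only entries would hand newly created children more than the parent's mode shows. The embedded sample is constructed from the step 3 getfacl output in the post.

```python
import re
from dataclasses import dataclass

# One NFSv4 ACE as FreeBSD getfacl(1) prints it: tag:perms:flags:type
ACE_RE = re.compile(r"^\s*(?P<tag>[^:]+):(?P<perms>[rwxpDdaARWcCos-]{14}):"
                    r"(?P<flags>[fdinSFI-]{7}):(?P<kind>allow|deny)\s*$")
TAGS = ("owner@", "group@", "everyone@")
MODE_BITS = {"r": 4, "w": 2, "x": 1}

@dataclass(frozen=True)
class Ace:
    tag: str
    perms: frozenset   # permission letters present (r w x p D d a A R W c C o s)
    flags: frozenset   # inheritance flags present (f d i n ...)
    kind: str          # "allow" or "deny"

def parse_acl(text):
    """Parse getfacl output into ACEs; '# file/owner/group' lines are skipped."""
    aces = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        aces.append(Ace(m["tag"], frozenset(m["perms"]) - {"-"},
                        frozenset(m["flags"]) - {"-"}, m["kind"]))
    return aces

def effective_mode(aces):
    """Mode bits implied by allow ACEs that apply to the object itself.
    Inherit-only entries (flag 'i') are excluded: they bind only children."""
    mode = 0
    for shift, tag in zip((6, 3, 0), TAGS):
        for a in aces:
            if a.tag == tag and a.kind == "allow" and "i" not in a.flags:
                mode |= sum(v for k, v in MODE_BITS.items() if k in a.perms) << shift
    return mode

def is_trivial(aces):
    """True when nothing beyond the mode is encoded: only owner@/group@/everyone@
    and no inheritance flags, which is what the 'Unix' share type expects."""
    return all(a.tag in TAGS and not (a.flags & {"f", "d", "i"}) for a in aces)

def inherit_only_broader(aces):
    """Tags whose inherit-only ACEs grant rights the explicit ACE for the same
    tag lacks: files created later get more than ls -l on the parent shows."""
    explicit = {}
    for a in aces:
        if a.kind == "allow" and "i" not in a.flags:
            explicit[a.tag] = explicit.get(a.tag, frozenset()) | a.perms
    return [a.tag for a in aces
            if a.kind == "allow" and "i" in a.flags
            and a.perms - explicit.get(a.tag, frozenset())]

# Constructed sample: the ACEs from step 3 of the post above, after the
# Windows -> Unix share-type switch, in the exact getfacl format.
STEP3 = """\
# file: winshare
            owner@:rwxpDdaARWcCos:fdi----:allow
            group@:rwxpDdaARWcCos:fdi----:allow
         everyone@:r-x---a-R-c---:fdi----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
"""
```

Running the three functions over STEP3 reports mode 755 and a non-trivial ACL, with owner@ and group@ listed as tags whose children would inherit broader rights (including D, delete) than the parent's 755 suggests.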
 

MikeyG

Patron
Joined
Dec 8, 2017
Messages
442
It looks like I may have introduced a regression in zfsacl behavior. @mgittelman if you feel up for experimentation, can you try the following:
1) Check the "enable SMB1" checkbox under services->SMB
2) replace "zfsacl" with the "ixnas" module on one of your shares to verify that permissions are working as expected.

Replacing zfsacl with ixnas corrects the issue. Is this safe as a long term fix? What are the ramifications of this?

I also tried simply removing zfsacl earlier, and that seemed to work as well.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Replacing zfsacl with ixnas corrects the issue. Is this safe as a long term fix? What are the ramifications of this?
The primary change is that DOS attributes are stored as file flags (readonly -> UF_READONLY, archive -> UF_ARCHIVE, etc.) as opposed to xattrs. This should make directory listing more efficient in directories with large numbers of files. The primary downside is that if an SMB client decides to set the readonly bit, then the file is really readonly. I will put in a fix today and send you a recompiled zfsacl binary for testing.
 

MikeyG

Patron
Joined
Dec 8, 2017
Messages
442
The primary change is that DOS attributes are stored as file flags (readonly -> UF_READONLY, archive -> UF_ARCHIVE, etc.) as opposed to xattrs. This should make directory listing more efficient in directories with large numbers of files. The primary downside is that if an SMB client decides to set the readonly bit, then the file is really readonly. I will put in a fix today and send you a recompiled zfsacl binary for testing.

Thanks @anodos! I'm honestly not educated enough in these things to fully understand what you are saying. For example "the file is really readonly" - not sure what that means. I guess my real question is, am I asking for trouble by modifying things in this way? Do you recommend either waiting for a bugfix or converting over to Windows permissions? I'm worried about having some weird permissions problem in the future and trying to get help with it.
 