SOLVED ACL weirdness when tagging files on SMB shares from MacOS

[tobiasbp]

Hello forum...

I have an SMB share running on Freenas 11.2-U3

My MacOS users can use the share as expected, unless they tag a directory (A feature of the MacOS Finder). This will add extended attributes to a dir.
Once a file is tagged, it can no longer be moved or deleted. Tagging files works. Any ideas on how I can tag the dirs with out the permissions being changed?

These are the (working) permissions on an untagged dir:

Code:

# file: BB
# owner: tbp
# group: fileserver-write
            owner@:rwxpDdaARWcCo-:fd----I:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd----I:allow

These are the permissions on a dir once it has been tagged from the MacOS A deny has been added for the owner!:

Code:

# file: AA
# owner: tbp
# group: kontrapunkt-fileserver-write
            owner@:--x-----------:-------:deny
            owner@:rwxpDdaARWcCo-:fdi---I:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fdi---I:allow
            group@:rwxpDdaARWcCos:fd-----:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:rwxp--a-R-c--s:-------:allow

The extended attributes on the tagged dir:

Code:

# lsextattr user AA
AA    DosStream.com.apple.metadata:_kMDItemUserTags:$DATA    DosStream.AFP_AfpInfo:$DATA

Setting tags on files is not a problem.

A newly upload (Untagged) file:

Code:

# file: NetSpot.dmg
# owner: tbp
# group: fileserver-write
            owner@:rw-p--aARWcCos:-------:allow
            group@:rw-p--a-R-c--s:-------:allow
         everyone@:rw-p--a-R-c--s:-------:allow

After tagging the file (Unchanged permissions):

Code:

Account Management [J1023889] # getfacl NetSpot.dmg
# file: NetSpot.dmg
# owner: tbp
# group: fileserver-write
            owner@:rw-p--aARWcCos:-------:allow
            group@:rw-p--a-R-c--s:-------:allow
         everyone@:rw-p--a-R-c--s:-------:allow

Here is the share config:

Code:

[Files]
    access based share enum = Yes
    hosts allow = hosts allow = 172.30.10.0/24 172.30.11.0/24 172.22.33.0/24
    path = "/mnt/storage/files"
    read list = @fileserver-read
    read only = No
    store dos attributes = No
    valid users = @fileserver-write @fileserver-read
    veto files = /*.DS_Store/.apdisk/.TemporaryItems/.windows/.mac/
    vfs objects = catia zfs_space zfsacl fruit streams_xattr
    fruit:encoding = native
    fruit:veto_appledouble = no
    zfsacl:expose_snapdir = True
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    fruit:resource = stream
    fruit:metadata = stream

 

[anodos]

Try setting the following parameter under Services-SMB
fruit:nfs_aces = no

 

[tobiasbp]

Try setting the following parameter under Services-SMB
fruit:nfs_aces = no

Unmounted share in MacOS. Logged back in. Created dir 'nfs_aces_no' in the SAMBA share. I did not do anything else on the FreeNAS box than adding 'fruit:nfs_aces = no' to the share config. The problem persists :(

Permissions on freshly created (From MacOS client) dir:

Code:

# file: nfs_aces_no
# owner: tbp
# group: fileserver-write
            owner@:rwxpDdaARWcCo-:fd----I:allow
            group@:rwxpDdaARWcCo-:fd----I:allow
         everyone@:r-x---a-R-c---:fd----I:allow

Permissions after tagging the dir:

Code:

# file: nfs_aces_no
# owner: tbp
# group: fileserver-write
            owner@:--x-----------:-------:deny
            owner@:rwxpDdaARWcCo-:fdi---I:allow
            group@:rwxpDdaARWcCo-:fdi---I:allow
         everyone@:r-x---a-R-c---:fdi---I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow

Share config:

Code:

[Files]
    access based share enum = Yes
    hosts allow = hosts allow = 172.30.10.0/24 172.30.11.0/24 172.22.33.0/24
    path = "/mnt/storage/Files"
    read list = @fileserver-read
    read only = No
    store dos attributes = No
    valid users = @fileserver-write @fileserver-read
    veto files = /*.DS_Store/.apdisk/.TemporaryItems/.windows/.mac/
    vfs objects = catia zfs_space zfsacl fruit streams_xattr
    fruit:nfs_aces = no
    fruit:encoding = native
    fruit:veto_appledouble = no
    zfsacl:expose_snapdir = True
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    fruit:resource = stream
    fruit:metadata = stream

 

[Johnny Fartpants]

What if when you setup the user permissions for the share you don't allow them to change permissions?

 

[anodos]

That's a global parameter, not a share-level parameter. Set it under Service->SMB and then restart the SMB service.

 

[tobiasbp]

What if when you setup the user permissions for the share you don't allow them to change permissions?

I'm not sure what you are suggesting. Please elaborate.

 

[Johnny Fartpants]

If you manage the permissions of the share via a windows computer you can be much more granular than what you can from within the FreeNAS UI. I never allow my users to be able to change permissions on shares as they would likely hang themselves. I assume you have given them full control?

 

[anodos]

If you manage the permissions of the share via a windows computer you can be much more granular than what you can from within the FreeNAS UI. I never allow my users to be able to change permissions on shares as they would likely hang themselves. I assume you have given them full control?

The owner of a file can always chmod it. This is true in Windows and it's true in Unix.

When vfs_fruit is enabled, it by default will expose the posix mode to MacOS clients via NFS aces, and allow them to set it. First try disabling this capability as I suggested. Also try setting the nfs4:mode to "simple". Note that if you change the nfs4:mode, it must be performed on _all_ shares, and winbind's caches must be cleared. (service samba_server stop, rm /var/db/system/samba4/winbindd_cache*, net cache flush, service samba_server start)

If that fails, try setting the ZFS dataset's aclmode to restricted.

Of course, it goes without saying that if this is a business environment, make these changes in a maintenance window.

 

[tobiasbp]

Of course, it goes without saying that if this is a business environment, make these changes in a maintenance window.

I'll announce down time and try out your suggestions. Thanks.

 

[tobiasbp]

Try setting the following parameter under Services-SMB
fruit:nfs_aces = no

Added fruit:nfs_aces = no to the samba config. It shows up in the [global] section when running testparm. It appears to make no difference (In regards to my problem). Below are the permissions on a newly created and tagged (From MacOS dir).

I'll take a look at you other suggestions.

Code:

# file: NFS_ACES_ENABLED/
# owner: tbp
# group: fileserver-write
            owner@:--x-----------:-------:deny
            owner@:rwxpDdaARWcCos:fdi---I:allow
            group@:rwxpDdaARWcCos:fdi---I:allow
         everyone@:r-x---a-R-c---:fdi---I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow

 

[tobiasbp]

Also try setting the nfs4:mode to "simple". Note that if you change the nfs4:mode, it must be performed on _all_ shares, and winbind's caches must be cleared. (service samba_server stop, rm /var/db/system/samba4/winbindd_cache*, net cache flush, service samba_server start)

1. Added nfs4:mode = simple to all shares (Checked with testparm)
2. service samba_server stop
3. Deleted the file /var/db/system/samba4/winbindd_cache.tdb
4. Ran the command net cache flush (There was no message returned)
5. service samba_server start

The problem was not solved. Exact same (wrong) permissions as before after tagging a file from MacOS.

Will look at the ZFS dataset's aclmode

 

[tobiasbp]

If that fails, try setting the ZFS dataset's aclmode to restricted.

That fixed it: zfs set aclmode=restricted tank/my_dataset

I'll revert the other changes I made.

 

[anodos]

That fixed it: zfs set aclmode=restricted tank/my_dataset

I'll revert the other changes I made.

In 11.3 the aclmode will be exposed in the UI as one of the available ZFS dataset properties.

 

[seanm]

FWIW, I tried to reproduce your problem on my setup, and could not. Setting a Finder label/colour on a folder does not change what getfacl outputs for that folder, and I'm able to delete the folder too.

I'm on 11.2U4.1 and am already using `nfs4:mode = simple` and `fruit:nfs_aces = no`

Seems my aclmode was already restricted too:

# zfs get aclmode ekur/Test6
NAME PROPERTY VALUE SOURCE
ekur/Test6 aclmode restricted local

@anodos is 'restricted' not the default? I'm all but certain I never set it myself.

 

[anodos]

FWIW, I tried to reproduce your problem on my setup, and could not. Setting a Finder label/colour on a folder does not change what getfacl outputs for that folder, and I'm able to delete the folder too.

I'm on 11.2U4.1 and am already using `nfs4:mode = simple` and `fruit:nfs_aces = no`

Seems my aclmode was already restricted too:

# zfs get aclmode ekur/Test6
NAME PROPERTY VALUE SOURCE
ekur/Test6 aclmode restricted local

@anodos is 'restricted' not the default? I'm all but certain I never set it myself.

It's the default for windows shares and the key differentiator between "unix/mac" and "windows" share types.