Auxiliary Parameters missed

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Force user and force group come to mind. These are great if you are managing a datastore/dropthing of some sorts where everyone who can authenticate should have exactly the same view.

Believe it or not I have seen this as the dominant model in corporate environments, too. Everyone who can mount "drive Q:" has full access, period. Everyone who should not, gets no access at all.

Windows ACLs are way too complicated for users, IMHO.
I can see a case for having wide-open (delegating access control to share-level ACLs or restricting by IP address), but not really for forcing the file owner. You lose track of who created what (and it makes auditing nearly useless). I've not seen this in enterprise environments, they're usually going in the other direction (very strict access controls).
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Seeing your case as well. I'm thinking a bit smaller. SMB with "the department network drive". And offline coordination of write access without version control leading to beauties like "report23-pmh-final-thistimeforreal.xls". That's the world where I used to do systems integration, 3000 years ago ... :smile:

And then the same data is to be shared via Nextcloud and *ding* ... force user.
 

etibamecus

Cadet
Joined
Jul 5, 2023
Messages
2
Hi,

I have 2 truenas servers, with same settings.

using the webUI, I had some auxiliary parameters :

[global]
strict sync = No
vfs objects = fruit streams_xattr
fruit:nfs_aces = false
fruit:posix_rename = yes
fruit:zero_file_id = false
fruit:metadata = stream
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:model = MacSamba
fruit:veto_appledouble = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE

I upgraded server 1 from CORE to BLUEFIN.

I had an error concerning the "socket options" parameter and I was able to delete the line, restart smb and everything was fine.

I upgraded server 2 from CORE to BLUEFIN and then straight to COBIA.

I have the same error, but I can't see the auxiliary parameters now, I can't delete the line, and if I change "/etc/smb4.conf" and restart, it's not loading the parameters there and testparm -t still shows the old parameters.

the error i'm getting is that :

middlewared.service_exception.ValidationErrors: [EINVAL] smb_update.smb_options.smb_update.smb_options.auxsmbconf: socket options is a blacklisted auxiliary parameter. Changes to this parameter are not permitted.

Any idea how to either change those parameters without the webUI or to reset the SMB service?

Thanks,

pv
 

katbyte

Dabbler
Joined
Nov 17, 2023
Messages
20
CLI parsing of newline character (and some other edge cases) are scheduled to be fixed in 23.10.1 NAS-124847,
this is good news, do you have any rough ETA for when this will be released?
I won't go into full details, but for a trivial example there were some prominent reddit instructions that advised setting the vfs_crossrename size limit to a JSON object via auxiliary parameters. strtoull converted this to a size limit of zero resulting in all cross-dataset renames for the user to be rejected in a particular way that when combined with vfs_recycle resulted in all recycle operations automatically purging the files from child datasets (rather than moving them to the recycle bin). It's all well-and-good until users start losing files unexpectedly and filing tickets.

That said, you can file suggestions (via jira tickets) if there are fields that should be added to the webui and properly supported. If you do file tickets though, please first check whether the parameters you want set are actually current samba defaults (more often than not, people are just setting parameters that are already defaults).
I still think removing the field is just making life harder for your expert/advanced users while making a minor speed bump for those who blindly copy commands, now the reddit posts will just include/say "open terminal and run this command"

I will try and find time to open a jira with the params I need, but it seems it might have been a good idea to get feedback/add additional properties people are setting before removing the field to minimize disruptions
 

etibamecus

Cadet
Joined
Jul 5, 2023
Messages
2
update,

I found a workaround after searching for the right "midclt call smb.update '{what should have been the right command here?}'" for hours...

just load bluefin boot, delete auxiliary parameters, update to cobia again, now it's working...
 

tannisroot

Dabbler
Joined
Oct 14, 2023
Messages
45
I do agree that removing the aux parameters option from UI is a bit of a crutch, and personally I don't really see how it can effectively prevent an incident like the one that was used as the reason for the removal of the feature from happening again.
If it's people mindlessly adding dangerous options that iX is concerned about, I think a sanitize check for the field would be a far more effective solution. If the added value contains an option set to some dangerous value, at least the user will see a big angry warning explicitly stating that setting this option to this value will cause big trouble and decide to not mess with something. As others have said, by hiding it in CLI, you merely introduce a speed bump.
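
The strtoull failure described upthread and the "sanitize check" suggested in this post can be shown together. This is an added example, not part of any post and not TrueNAS or Samba code: the function names are hypothetical, `crossrename:sizelimit` is assumed to be the size-limit option meant, and `socket options` is blocked only because the middleware error quoted in the thread names it.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What a bare strtoull() call returns: 0 for any value with no leading digits. */
unsigned long long lenient_size(const char *value) {
    return strtoull(value, NULL, 10);
}

/* Strict parse: the whole value must be a base-10 number. 0 = ok, -1 = reject. */
int strict_size(const char *value, unsigned long long *out) {
    char *end = NULL;
    while (isspace((unsigned char)*value)) value++;
    if (!isdigit((unsigned char)*value)) return -1; /* rejects "{", "-1", "" */
    errno = 0;
    *out = strtoull(value, &end, 10);
    if (errno == ERANGE) return -1;                 /* overflow */
    while (isspace((unsigned char)*end)) end++;
    return *end == '\0' ? 0 : -1;                   /* rejects "100MB" */
}

enum aux_verdict { AUX_OK = 0, AUX_BLOCKED = 1, AUX_BAD_NUMBER = 2, AUX_MALFORMED = 3 };

/* Lint one "key = value" auxiliary-parameter line (hypothetical helper). */
enum aux_verdict check_aux_line(const char *line) {
    char key[128]; size_t k = 0;
    unsigned long long n;
    const char *eq = strchr(line, '=');
    if (eq == NULL) return AUX_MALFORMED;
    /* smb.conf names ignore case and whitespace: normalise before comparing. */
    for (const char *p = line; p < eq && k < sizeof key - 1; p++)
        if (!isspace((unsigned char)*p)) key[k++] = (char)tolower((unsigned char)*p);
    key[k] = '\0';
    if (k == 0) return AUX_MALFORMED;
    if (strcmp(key, "socketoptions") == 0) return AUX_BLOCKED;
    if (strcmp(key, "crossrename:sizelimit") == 0 && strict_size(eq + 1, &n) != 0)
        return AUX_BAD_NUMBER;
    return AUX_OK;
}

int main(void) {
    const char *samples[] = { /* constructed sample input */
        "crossrename:sizelimit = {\"size\": 100}", "crossrename:sizelimit = 100",
        "socket options = TCP_NODELAY", "fruit:metadata = stream" };
    for (size_t i = 0; i < 4; i++)
        printf("%d  %s\n", check_aux_line(samples[i]), samples[i]);
}
```

A check of this kind rejects the value before it is stored, instead of letting the consumer silently read it as zero.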
 

tannisroot

Dabbler
Joined
Oct 14, 2023
Messages
45
I am also a bit disappointed that after the removal of the option from the UI, iX's internal testing team has seemingly not tested whether CLI can actually replace it.
To me, "force user =" and "force group =" seems like such a popular and ubiquitous aux params combination for many home users that it would be the first thing to test, which would have immediately triggered the newline bug.
 
Joined
Nov 26, 2023
Messages
9
(it doesn't look like I can edit posts?)

Seems like this was opened as a bug in August: https://ixsystems.atlassian.net/jira/software/c/projects/NAS/issues/NAS-123594 - and from discussion/linked issues it has been purposely removed to "remove sharp edges" which is a shame.

If anyone knows how I can achieve the following options in a persistent way I would be eternally thankful:
Katbyte,

Did you ever figure out a way to preserve case now that the devs removed the only apparent way to do it? Like you, I need:

Code:
case sensitive=yes
preserve case=yes
short preserve case=yes
 

katbyte

Dabbler
Joined
Nov 17, 2023
Messages
20
Katbyte,

Did you ever figure out a way to preserve case now that the devs removed the only apparent way to do it? Like you, I need:

Code:
case sensitive=yes
preserve case=yes
short preserve case=yes
No I've not had the time to figure out how to do it via the API yet (which I don't think is broken?) like the cli tool is, so kinda been waiting for the CLI fix in 23.10.1 so I can just copy the midclt call sharing.smb.query commands upthread
 

scorpoin

Dabbler
Joined
Jun 23, 2022
Messages
20
Is there any way that we can use auxiliary parameters ??? That's really annoying
 

chuck32

Guru
Joined
Jan 14, 2023
Messages
623
I'd also be interested in a way to set them. For my syncthing dataset I'd need to disable hide dot files, otherwise all images are stored with the attribute hidden on my windows clients.
 

Cellobita

Contributor
Joined
Jul 15, 2011
Messages
107
As of today, you can not audit access to your SMB shares without some auxiliary parameters, both at the service and share level - enough of my customers need this that, for now, moving to SCALE is not a possibility.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
so they won't add smb auxiliary feature back in any further version?

That said, you can file suggestions (via jira tickets) if there are fields that should be added to the webui and properly supported. If you do file tickets though, please first check whether the parameters you want set are actually current samba defaults (more often than not, people are just setting parameters that are already defaults).
 

scorpoin

Dabbler
Joined
Jun 23, 2022
Messages
20
I only want to change WORM from 5 minutes to 2 minutes. I guess its default parameter is 5 min and it can be changed, but only using an auxiliary parameter.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I only want to change WORM from 5 minutes to 2 minutes. I guess its default parameter is 5 min and it can be changed, but only using an auxiliary parameter.
Create an issue in JIRA asking for that parameter to be added.
 
Joined
Oct 22, 2019
Messages
3,641
Create an issue in JIRA asking for that parameter to be added.
I think the main grievance is that we currently have (had) the ability to use whatever auxiliary parameters we wanted, which only required a single text box. But now it's going to be an uphill climb to justify why each and every parameter should have its own GUI element.

Something like this seems to address the problem for everyone, including iXsystems:
A simple "Unlock" button with a bold red warning can cover their butts. It can also trigger a flag when they submit a bug report that they are using unsupported / discouraged features.

It can look like this:
  1. Visit your share settings
  2. At the very bottom is a button to "unlock" auxiliary parameters
  3. If you click it, a big, bold, red popup warns you that this is discouraged and unsupported, USE AT YOUR OWN RISK
  4. You have to check "confirm" if you want to continue
  5. Everyone is happy :smile:
 

crkinard

Explorer
Joined
Oct 24, 2019
Messages
80
I stopped using TrueNAS because of serious grievances in the software they use (no option to NOT use Kubernetes and the UI is god awful. Heaven forbid you click off that right hand slider and it closes erasing all your inputs. No solid way to script deployments.) and went to rolling my own in Ubuntu. I eventually got a separate box to run Docker so I did not need to run anything like that on my NAS anymore and it could be a file server only. So I decided to go back to TrueNAS because it was easy to deal with for this purpose.

Now I learn this. Just wow. Taking away features (screwing people over) to 'protect' some fools misconfiguring the software they install and run. If they screw it up it's on them. If you nanny protected the software TrueNAS would just have an on and off switch.

And no, submitting a ticket to add an option IS NOT AN ANSWER. Is every single person who needs to alter a samba setting from default to do this? Are you actually going to add all of those? How long would it take for those to be added? This kind of response is just so tone deaf and canned it is not even funny.

Bring back the Auxiliary Parameters field.
 