CIFS Share random files can´t be copied

Status
Not open for further replies.

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
Hi everybody,

I´m new to freenas, installed the latest stable version FreeNAS-9.3-STABLE-201511040813

Installation went through smoothly, created a mirror with 2 4TB REDs, activated and configured CIFS windows share. As this is a NAS entirely for Photos, I luckily don´t need any special permissions on there, guest access or anonymous access is alright, but i can´t even get this to work properly

The Problem with the share is that there are some files, that i just can´t copy to the freenas cifs share. Totally random, same permissions as other files that work and I don´t know what to do about this.

Screen of the error:

error.jpg


Hardware specs:
Supermicro X10SLM-F
Xeon e3-1231 v3
2x crucial 8GB 1600mhz ddr3 CT102472BD160B
2x WD Red 4TB
Kingston 60GB SSD

I´m not sure if I set up my users the right way. I made a new user with the same username and password that i use on my windowsmachine to test, tried guest access, but there is no difference.

Screen of the User Setup:
users.jpg


The permissions are setup up like this:
share.jpg
permissions.jpg


I hope you guys can help me with this.
I´m happy for any help hints or tipps, as I have a night of rescuing data from an old NAS, securing this data and trying to get the FreeNAS up and the data on there behind me. I guess I´m just to exhausted to get the permissions right at the moment :)



smb4.conf:

Code:
                                                    
[global]                                                                                                                           
    server max protocol = SMB2                                                                                                     
    encrypt passwords = yes                                                                                                       
    dns proxy = no                                                                                                                 
    strict locking = no                                                                                                           
    oplocks = yes                                                                                                                 
    deadtime = 15                                                                                                                 
    max log size = 51200                                                                                                           
    max open files = 469937                                                                                                       
    load printers = no                                                                                                             
    printing = bsd                                                                                                                 
    printcap name = /dev/null                                                                                                     
    disable spoolss = yes                                                                                                         
    getwd cache = yes                                                                                                             
    guest account = guest                                                                                                         
    map to guest = Bad User                                                                                                       
    obey pam restrictions = yes                                                                                                   
    directory name cache size = 0                                                                                                 
    kernel change notify = no                                                                                                     
    panic action = /usr/local/libexec/samba/samba-backtrace                                                                       
    nsupdate command = /usr/local/bin/samba-nsupdate -g                                                                           
    server string = ROME FreeNAS                                                                                                   
    ea support = yes                                                                                                               
    store dos attributes = yes                                                                                                     
    lm announce = yes                                                                                                             
    hostname lookups = yes                                                                                                         
    time server = yes                                                                                                             
    acl allow execute always = true                                                                                               
    acl check permissions = true                                                                                                   
    dos filemode = yes                                                                                                             
    multicast dns register = yes                                                                                                   
    domain logons = no                                                                                                             
    local master = yes                                                                                                             
    idmap config *: backend = tdb                                                                                                 
    idmap config *: range = 90000001-100000000                                                                                     
    server role = standalone                                                                                                       
    netbios name = ROME                                                                                                           
    workgroup = MELBOURNE                                                                                                         
    security = user                                                                                                               
    pid directory = /var/run/samba                                                                                                 
    create mask = 0666                                                                                                             
    directory mask = 0777                                                                                                         
    client ntlmv2 auth = yes                                                                                                       



gtent passwd:

Code:
root:$6$5WevczqISFExCGbs$OGjfxr0tsc3LHmRFB3gyukuy3k/8Oyfvxk4cU/thmGQlzkSWDorku3h6E6OkIxZXuCuy05QjhkclOaGvjRZaZ1:0:0:root:/root:/bin/
csh                                                                                                                               
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin                                                               
operator:*:2:5:System &:/:/usr/sbin/nologin                                                                                       
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin                                                                         
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin                                                                                     
kmem:*:5:2:KMem Sandbox:/:/usr/sbin/nologin                                                                                       
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin                                                                                 
news:*:8:8:News Subsystem:/:/usr/sbin/nologin                                                                                     
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin                                                                       
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin                                                                     
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin                                                   
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin                                                         
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin                                                                                     
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin                                                             
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin                                                                   
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin                                                                           
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico                                                 
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin                                                                       
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin                                                                   
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin                                                             
avahi:*:200:200:avahi user:/nonexistent:/usr/sbin/nologin                                                                         
messagebus:*:201:201:messagebus user:/nonexistent:/usr/sbin/nologin                                                               
ftp:*:14:14::/nonexistent:/bin/csh                                                                                                 
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin                                                       
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin                                                                 
ladvd:*:79:78:ladvd user:/var/empty:/usr/sbin/nologin                                                                             
webdav:*:666:666:WebDAV Anonymous User:/var/empty:/usr/sbin/nologin                                                               
studio:$6$chUrixjt5y5nJUVj$G4vcJ8rwZXNylqjfe1SYUd.uTEt8OoJrdvqWtjvUx732IxsvTixSpjVkaLDUCgm.Jilk0DyJvU0HPX2CRqXLF/:1001:1001:studio:/
nonexistent:/sbin/nologin                                                                                                         
guest:*:1002:1001:guest:/nonexistent:/sbin/nologin                           



gtent group

Code:

root:$6$5WevczqISFExCGbs$OGjfxr0tsc3LHmRFB3gyukuy3k/8Oyfvxk4cU/thmGQlzkSWDorku3h6E6OkIxZXuCuy05QjhkclOaGvjRZaZ1:0:0:root:/root:/bin/
csh                                                                                                                               
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin                                                               
operator:*:2:5:System &:/:/usr/sbin/nologin                                                                                       
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin                                                                         
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin                                                                                     
kmem:*:5:2:KMem Sandbox:/:/usr/sbin/nologin                                                                                       
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin                                                                                 
news:*:8:8:News Subsystem:/:/usr/sbin/nologin                                                                                     
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin                                                                       
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin                                                                     
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin                                                   
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin                                                         
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin                                                                                     
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin                                                             
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin                                                                   
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin                                                                           
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico                                                 
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin                                                                       
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin                                                                   
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin                                                             
avahi:*:200:200:avahi user:/nonexistent:/usr/sbin/nologin                                                                         
messagebus:*:201:201:messagebus user:/nonexistent:/usr/sbin/nologin                                                               
ftp:*:14:14::/nonexistent:/bin/csh                                                                                                 
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin                                                       
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin                                                                 
ladvd:*:79:78:ladvd user:/var/empty:/usr/sbin/nologin                                                                             
webdav:*:666:666:WebDAV Anonymous User:/var/empty:/usr/sbin/nologin                                                               
studio:$6$chUrixjt5y5nJUVj$G4vcJ8rwZXNylqjfe1SYUd.uTEt8OoJrdvqWtjvUx732IxsvTixSpjVkaLDUCgm.Jilk0DyJvU0HPX2CRqXLF/:1001:1001:studio:/
nonexistent:/sbin/nologin                                                                                                         
guest:*:1002:1001:guest:/nonexistent:/sbin/nologin                           

 

Attachments

  • users.jpg
    users.jpg
    53.2 KB · Views: 468
  • share.jpg
    share.jpg
    52.8 KB · Views: 503
  • error.jpg
    error.jpg
    59 KB · Views: 491
  • permissions.jpg
    permissions.jpg
    68.2 KB · Views: 459
Last edited:

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
Thanks for your reply.

Its the same user named "studio" that I created.

dataset.jpg


I´m actually not even sure if i created the users the right way.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
When you mounted the share did you use the studio user? You have your share configured to try both normal auth and guest auth. So if normal auth fails you get a guest account. I have a feeling this is what is happening and causing confusion. If you want just guest auth you need to check both boxes on the cifs service settings. Then make the owner of the dataset the same as your guest user that is configured under your cifs service settings.
 

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
@SweetAndLow I set up guest access the way you described, but still get the same error :( I can´t figure it out, does somebody still have some tipps? And how do i set up the guest user correctly? I checked the boxes Microsoft Account and Disable Password Login?
 
Last edited:

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
@SweetAndLow I set up guest access the way you described, but still get the same error :( I can´t figure it out, does somebody still have some tipps? And how do i set up the guest user correctly? I checked the boxes Microsoft Account and Disable Password Login?
'Disable password login' makes it impossible for your user to authenticate. I.e. no CIFS access. Uncheck that and set a password for the user.

Then you need to fix the permissions for your share. Go to 'volumes' -> permissions for your dataset and check 'recursively apply permissions', and click OK. Then go to your share config, check 'apply default permissions' and click 'OK'.
 

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
I tried that with the guest user, but i still get the same error. What´s the requirements for the password? I guess I don´t need to match the password that the windows guest accounts have?
 

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
Thanks for your help so far. Files of the debug are attached.
 

Attachments

  • debug-rome-20151118141952..tgz
    341.2 KB · Views: 531

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
Alright, thanks for all the help so far, I really appreciate this!

I´m starting to run into problems with storage-space because I can´t use this NAS (actually I even have another NAS, exactly the same hardware like this one, which obviously has the same problem), so I will look into alternatives to the CIFS share. I need to figure out if AFP or NFS is suitable for our needs. FTP would be awesome but people need to be able to work with the files while on the server, so this won´t be a solution. Anyway, I´ll open another thread for this, will post a link here tough.

edit:

That´s the new thread:
https://forums.freenas.org/index.php?threads/suitable-alternative-because-cifs-doesn´t-work.39395/

Also, my colleague in our main studio has the same problem, his thread can be found here:
https://forums.freenas.org/index.ph...e-copied-to-freenas-server.39038/#post-239239
 
Last edited:

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
In your first post, the error message has a different domain ("SERVER") than the permissions box ("ROME"). Is ROME a domain? Are you using Active Directory? If it is, I would make the owner of the dataset (not the share settings itself) a local user like root, and make the group "ROME\domain users".

If you can't get CIFS working and you don't have experience with AFP and NFS, I see no value in switching protocols (good luck getting windows setup to speak NFS, let alone AFP).
 

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
rome is the computername of the Freenas , server is the computername of the machine that i have the files i try to copy on at the moment. I don´t have a domain, I wish I had though. We have a workgroup (called melbourne). All the windows users are local users. I was not sure how to deal with this in freenas, so i just created the users without much attention to the domain. So instead of trying to create a group with the not existing domain name (what you suggested), I´ll try to create a groups with the computernames, and then the respective users?
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
the files are all created with full access for "everyone". I double checked this, and have no other problems anywhere with permissions. Thanks for the thread, I´ll read through this tomorrow at work ( its 2 am here in australia :) )

edit:
hang on, you mean on the freenas? There is no entry for "everyone" in users. The files have permissions set for "server/studio". I can´t set permissions in my windows for "rome/studio" because I can´t choose any other users in the permission config than local windows users.
I´m used to having a domain with AD for User Management and Permissions. It´s a pain without a domain, and I never really used local user accounts an permission management in a productive environment.
 
Last edited:

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
You have set "windows permissions" type for your pool (studio). Windows permissions type should only be set for your windows share (studio/share). Change permissions type to "Unix" for your pool.
Disable hostname lookups in your CIFS config. Try increasing CIFS logging verbosity, replicate the problem, and upload the contents of /var/log/samba4/log.smbd.

Also check for the presence of alternate data streams (ADS) on the files that don't copy right. See here: http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
If an ADS exceeds 64KB, then copies to a CIFS share can fail.
 

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
You have set "windows permissions" type for your pool (studio). Windows permissions type should only be set for your windows share (studio/share). Change permissions type to "Unix" for your pool.
Disable hostname lookups in your CIFS config. Try increasing CIFS logging verbosity, replicate the problem, and upload the contents of /var/log/samba4/log.smbd.

Also check for the presence of alternate data streams (ADS) on the files that don't copy right. See here: http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
If an ADS exceeds 64KB, then copies to a CIFS share can fail.


I just tested all of this, and it really is the ADS! Wow, I´m very happy to finally know what it is :D Thank you so much for this, I would have never figured this out! I didn´t even hear of ADS before.

I´ll do some testing now, and have to further look into this. Obviously, I don´t just want to delete the ADS blindly. Best case would be to find a way to get this to work without modifying the files. I´ll see, any further input is still much appreciated :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
I just tested all of this, and it really is the ADS! Wow, I´m very happy to finally know what it is :D Thank you so much for this, I would have never figured this out! I didn´t even hear of ADS before.

I´ll do some testing now, and have to further look into this. Obviously, I don´t just want to delete the ADS blindly. Best case would be to find a way to get this to work without modifying the files. I´ll see, any further input is still much appreciated :)
You're right, deleting them blindly may not be good. More often then not you can remove them for nas-destined files. You should do the following:

1) verify that "streams_xattr" is enabled for your share. If it's not, enable it, restart the CIFS service, and try copying the files again. If it is enabled, proceed to (2)

2) figure out what's being stored in the ads, and whether it can be safely removed. If so, remove them and carry on. If not, proceed to (3)

3) enable and configure vfs_streams_depot. Note that it is marked 'experimental'. I'm not sure what this means, but if it's a bleeding-edge feature I expect it to be as stable as the schizophenic lady who was off her meds and stalking my roommate when I was a student.

Note that there isn't a graceful way to switch between methods of storing datastreams. If you decide to test streams_depot, create a new share. If it works, transfer files through a CIFS client from the existing streams_xattr share to the streams_depot share.
 

dropline

Dabbler
Joined
Aug 29, 2015
Messages
25
The problem came down to photos, especially jpgs, that had been edited on Macs. Macs add the ADS called "AFP_Resource:$DATA". I can remove them and it all seems to be fine. If I copy the jpgs on to the FreeNAS, Macs can open, edit and do everything with them, seems to be no problem. Macs still put in a "AFP_Resource:$DATA" entry, but it doesn´t exceed 64bit on the NAS.

So it seems alright to me, I´ll just delete them all and start using the FreeNAS from now on.

Thanks for all the help here!
 
Status
Not open for further replies.
Top