Enable Extended Attributes for Mac OS X color tags

[Derek Humes]

Hi, I am currently running FreeNAS-9.10.2-U4 (27ae72978).

I have a number of users that are trying to use the Mac OS X color tags via their SMB connections to our FreeNAS shares. When doing this they are prompted to enter credentials, and regardless of what they type, this fails, even using root. I am running fruit, catia, streams_xattr, and aio_pthread vfs objects on my shares, if those have any relevance.

I understand from searching that it sounds like this is due to the extended attributes not having the appropriate permissions applied to allow my users to edit/set them.

I am trying to find the appropriate instructions on how to correctly configure these permissions for extended attributes, however I have been unsuccessful in my searching. Can someone point me in the right direction?

Thank you for your help on this,

 

[anodos]

Hi, I am currently running FreeNAS-9.10.2-U4 (27ae72978).

I have a number of users that are trying to use the Mac OS X color tags via their SMB connections to our FreeNAS shares. When doing this they are prompted to enter credentials, and regardless of what they type, this fails, even using root. I am running fruit, catia, streams_xattr, and aio_pthread vfs objects on my shares, if those have any relevance.

I understand from searching that it sounds like this is due to the extended attributes not having the appropriate permissions applied to allow my users to edit/set them.

I am trying to find the appropriate instructions on how to correctly configure these permissions for extended attributes, however I have been unsuccessful in my searching. Can someone point me in the right direction?

Thank you for your help on this,

Do you mind increasing the logging level to "debug" under Services->SMB, then generating a debug file System-Advanced-Debug?
Please limit this to a single client connection when you're doing this (to make it easier to sort through the debug file). Then either upload the debug or PM it to me.

 

[Derek Humes]

I should be able to do this tonight when no users are logged in. Is there a specific action I can take to limit the connections to 1? Or just manually make sure everyone is disconnected by checking each machine?

 

[anodos]

I should be able to do this tonight when no users are logged in. Is there a specific action I can take to limit the connections to 1? Or just manually make sure everyone is disconnected by checking each machine?

Sorry. I forgot to respond. You can run "smbstatus" on the FreeNAS CLI to check for active SMB connections.

 

[tobiasbp]

I am running fruit, catia, streams_xattr, and aio_pthread vfs objects on my shares, if those have any relevance.

They do, enabling streams_xattr causes the problem of not beeing able to use tags in the OS X Finder. The Finder throws error -8058.

If I turn off streams_xattr, tags work again. However, enabling fruit also enables streams_xattr (behind the scenes?). enabling streams_xatrr without fruit, also causes the problem.

Color tags not working on this share:

Code:

[TEST2]
	path = "/mnt/gort/smb_testing"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	access based share enum = yes
	vfs objects = zfs_space zfsacl fruit streams_xattr aio_pthread
	hide dot files = yes
	hosts allow = hosts allow = 172.22.33.0/24
	hosts deny = ALL
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
	valid users = @kp-dir-it

Color tags working on this share (With no streams_xattr & fruit):

Code:

[TEST2]
	path = "/mnt/gort/smb_testing"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	access based share enum = yes
	vfs objects = zfs_space zfsacl aio_pthread
	hide dot files = yes
	hosts allow = hosts allow = 172.22.33.0/24
	hosts deny = ALL
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
	valid users = @kp-dir-it

The man page for streams_xattr says: "The file system that is shared with this module enabled must support xattrs".

It is my understanding, that xattrs are not supported on FreeNAS (FreeBSD). The ZFS man page say:

xattr=off | on
The xattr property is currently not supported on FreeBSD.


So:

• Why does fruit enable streams_xattr? (Edit: Because the vfs_fruit man page says its needed)
• Does streams_xattr even work on ZFS on FreeBSD since extended attributes are not supported (As far as I have understood)?
• FreeNAS manual says fruit wil load catia, however this is not the case on my machine as seen in above config with fruit enabled. Enabling catia does not solve the problem.

 

[anodos]

• Does streams_xattr even work on ZFS on FreeBSD since extended attributes are not supported (As far as I have understood)?

They are supported. https://www.freebsd.org/cgi/man.cgi?query=lsextattr

 

[tobiasbp]

They are supported. https://www.freebsd.org/cgi/man.cgi?query=lsextattr

OK. I'll try to enable them then:

Code:

root@kisaragi:/mnt/gort/smb_testing # zfs get xattr gort/smb_testing
NAME			  PROPERTY  VALUE  SOURCE
gort/smb_testing  xattr	 off	temporary

root@kisaragi:/mnt/gort/smb_testing # zfs set xattr=on gort/smb_testing
property 'xattr' not supported on FreeBSD: permission denied

xattr on ZFS on FreeBSD do not look very supported to me?

Is this not a problem since the documentation for streams_xattrs says "The file system that is shared with this module enabled must support xattrs".

I have not upgraded my zpool to the latest vesrsion (I'm running FreeNAS 11.1). Could support for xattr be a new feature in that version of ZFS?

 

[anodos]

OK. I'll try to enable them then:

Code:

root@kisaragi:/mnt/gort/smb_testing # zfs get xattr gort/smb_testing
NAME			  PROPERTY  VALUE  SOURCE
gort/smb_testing  xattr	 off	temporary

root@kisaragi:/mnt/gort/smb_testing # zfs set xattr=on gort/smb_testing
property 'xattr' not supported on FreeBSD: permission denied

xattr on ZFS on FreeBSD do not look very supported to me?

Is this not a problem since the documentation for streams_xattrs says "The file system that is shared with this module enabled must support xattrs".

I have not upgraded my zpool to the latest vesrsion (I'm running FreeNAS 11.1). Could support for xattr be a new feature in that version of ZFS?

Xattr support doesn't work that way in FreeBSD. Your APIs will be lsextattr, getextattr, rmextattr. There's nothing to enable or disable in FreeNAS to get xattr support at the OS-level.

 

[tobiasbp]

Xattr support doesn't work that way in FreeBSD. Your APIs will be lsextattr, getextattr, rmextattr. There's nothing to enable or disable in FreeNAS to get xattr support at the OS-level.

OK. Thanks for taking the time to explain.

Do you have any ideas as to why enabling streams_xattr makes the the color tag feature of Mac OS X not work on SAMBA shares on FreeNAS 11.1? It works if I disable streams_xattr.

 

[anodos]

Well, if you set logging to "debug" under services->SMB, reproduce the problem, then shoot me a debug file in a PM I could probably tell you why.

No promises about when I'll be able to read it though. Probably next week.

 

[tobiasbp]

Hello... Here is the debug information.

Configuration of the SAMBA share:

[TEST2]
path = "/mnt/gort/smb_testing"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = yes
vfs objects = zfs_space zfsacl catia fruit streams_xattr aio_pthread
hide dot files = yes
hosts allow = hosts allow = 172.22.33.0/24
hosts deny = ALL
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
valid users = @kp-dir-it
fruit:veto_appledouble=no


What I'm trying to accomplish:
Add two color tags to directory "/FOO/FOO/TAG_TEST" (As seen by the user with the share mounted) on SMB share "TEST2".

How I do it:
1: Right click "/FOO/FOO/TAG_TEST" and add tag "red" (Tag appears to be added OK).
2: Right click "/FOO/FOO/TAG_TEST" and add tag "orange" (Finder throws an error).

Finder throws this error:
"The operation can't be completed.
An unexpected error occured (error code -8058)"

Logs:
I have set the SAMBA logging to "debug".

The last 200 lines of the debug log on pastebin.

Full debug log.

For what it's worth, these are the lines from the debug log matching the text "request_error"

[2018/02/02 09:45:23.918568, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at ../source3/smbd/smb2_create.c:293
[2018/02/02 09:45:23.919217, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_FILE_CLOSED] || at ../source3/smbd/smb2_server.c:2529
[2018/02/02 09:45:23.919938, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[9] status[NT_STATUS_FILE_CLOSED] || at ../source3/smbd/smb2_server.c:2529
[2018/02/02 09:45:24.100412, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:155
[2018/02/02 09:45:24.117573, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_COLLISION] || at ../source3/smbd/smb2_create.c:293
[2018/02/02 09:45:24.300856, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_create.c:293
[2018/02/02 09:45:24.757887, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:155
[2018/02/02 09:45:25.363651, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:155
[2018/02/02 09:45:28.669959, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_COLLISION] || at ../source3/smbd/smb2_create.c:293
[2018/02/02 09:45:28.852307, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_create.c:293
[2018/02/02 09:45:28.970472, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_COLLISION] || at ../source3/smbd/smb2_create.c:293
[2018/02/02 09:45:28.990269, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_create.c:293
[2018/02/02 09:45:29.017597, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:155
[2018/02/02 09:45:29.681470, 3, pid=14665, effective(2000, 1008), real(0, 0)] ../source3/smbd/smb2_server.c:3115(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[STATUS_NO_MORE_FILES] || at ../source3/smbd/smb2_query_directory.c:155


 

[tobiasbp]

Well, if you set logging to "debug" under services->SMB, reproduce the problem, then shoot me a debug file in a PM I could probably tell you why.

I have updated the thread with debug information including a link to the full debug log.

Thank you,
Tobias

 

[anodos]

Out of curiosity, what errors are thrown when you try to add a tag with the following:
vfs objects = zfs_space zfsacl catia fruit streams_xattr aio_pthread

Note that you will need to disable fruit on ALL of your shares, then umount ALL volumes from the mac. Once you have established a new smb session use smbutil statshares -a on the mac to verify that the FreeNAS server is no longer identified as an OSX server.

I hope to get some time this week to investigate this issue further.

 

[tobiasbp]

Out of curiosity, what errors are thrown when you try to add a tag with the following:
vfs objects = zfs_space zfsacl catia fruit streams_xattr aio_pthread

I'm unsure what you are asking med to do. The above configuration is the configuration of the share I used to produce the debug log I have added to this thread. These are the vfs objects enabled on the share:

Code:

vfs objects = zfs_space zfsacl catia fruit streams_xattr aio_pthread

Note that you will need to disable fruit on ALL of your shares, then umount ALL volumes from the mac. Once you have established a new smb session use smbutil statshares -a on the mac to verify that the FreeNAS server is no longer identified as an OSX server.

I have not done that. But, disabeling fruit & streams_xattr solves the problem on the share without me having to do any change in the configuration of the other shares on the machine.

Also note, that streams_xattr seems to be the reason for the problem. Enabling streams_xattr, without fruit, causes the error to appear. I do not understand the implications of that observation.

I'll have to move testing to a different machine (With no users) for me to be able to reconfigure all shares for testing.

 

[tobiasbp]

I'm now on a machine with a single share:

Default Samba share does not allow me to add color tags:
vfs objects = zfs_space zfsacl streams_xattr aio_pthread

I create a new dir called "WITH_STREAM":

-rw-rw-rw- 1 bj wheel 6.0K Feb 9 10:20 .DS_Store
drwxrwxrwx 2 bj wheel 2B Feb 9 10:20 WITH_STREAM


If I disable streams_xattr, everything works as expected:
vfs objects = zfs_space zfsacl aio_pthread

I create a new dir called "NO_STREAM". A resource for is created (._.DS_Store):

-rw-rw-rw- 1 bj wheel 4.0K Feb 9 10:30 ._.DS_Store
-rw-rw-rw- 1 bj wheel 6.0K Feb 9 10:30 .DS_Store
drwxrwxrwx 2 bj wheel 2B Feb 9 10:30 NO_STREAM


Since enabling fruit, also enables streams_xattr, my conclusion is, that the only solution
to my problem is to disable streams_xattr, thus not allowing me to use fruit, which is ironic, since fruit is supposed to improve the Samba experince for OS X users.

Alternatively, streams_xattr is supposed to save the resource fork data somewhere else, but that does not appear to work (out of the box).

Please note, that fruit is not involved at this point.

We have also seen other symptoms of this (we assume) problem:
Can't create Adobe inDesign package files on the server.
MS Excel files can't be saved directly to the server.
Color tags (this thread) do not work correctly.
Zip files can be extracted on the server.

Any suggestions?

 

[Quack66]

Sorry for reviving an old thread but we have the same exact issue in 11.2 and wanted to know if someone fixed the issue ? We want to use fruit for the better performance yet we can't since it break the color tags.

EDIT: Forgot to say that when I try to set the color tags the finder ask for a password but with the right password it says "Permission Denied" Disabling streams_xattr or fruit does not cause the issue.

 

[anodos]

Sorry for reviving an old thread but we have the same exact issue in 11.2 and wanted to know if someone fixed the issue ? We want to use fruit for the better performance yet we can't since it break the color tags.

The issue was fixed in code. If you have an issue, it's probably something new. Give full details.

 

[tobiasbp]

Sorry for reviving an old thread but we have the same exact issue in 11.2 and wanted to know if someone fixed the issue ? We want to use fruit for the better performance yet we can't since it break the color tags.

EDIT: Forgot to say that when I try to set the color tags the finder ask for a password but with the right password it says "Permission Denied" Disabling streams_xattr or fruit does not cause the issue.

Maybe you are having incorrect rights in ACL. Have a look at my thread here.