FreeNAS-11.3-U4.1 - Exotic behaviour of Acrobat tmp files on smb shares

tiberiusQ

Contributor
Joined
Jul 10, 2017
Messages
190
Dear all,

I am struggling with exotic file-rights behaviour that Acrobat Reader generates if you edit (e.g. comment on) a PDF file and save it.
It then creates a file called e.g. acrolock4976.2.3798144383.tmp
See the attached screenshot; the command line shows:

----------+ 1 user group 0 Sep 8 17:27 acrolock4976.2.3798144383.tmp

It is not possible to delete this file or change its rights, neither as the owner nor even as one of the admin SMB users!


To avoid playing around on production shares, I just created a new sub-dataset to reproduce it with the following settings:

For perf. reasons I created all CIFS-related datasets as share type SMB = ACL mode restricted and case sensitivity = insensitive.
Then normally I set the ACLs group-based and am done. To test it I tried to set the rights with the default OPEN preset as well, plus all users and groups have full control, but the acrolock.tmp file comes up again in this strange ACL style ;-(

Does somebody have an idea?

Thx & Greets!
 

Attachments

  • Screenshot 2020-09-08 at 17.50.03.png
    63.4 KB · Views: 351

tiberiusQ

The parent dir is in this case test which is also the dataset itself:
getfacl test/
# file: test/
# owner: architect
# group: architect
group:boss:rwxpDdaARWcCos:fd-----:allow
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow
 

tiberiusQ

Sorry, this is the correct one:

getfacl test/
# file: test/
# owner: architect
# group: architect
group:boss:rwxpDdaARWcCos:fd-----:allow
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:rwxpDdaARWcCos:fd-----:allow
 

tiberiusQ

Bonus info: in the past it was fine to leave the owner and group at the defaults root and wheel, BUT for a while now (I don't know exactly since when) it has been necessary to change the group to a real SMB user and group via the ACL manager in FreeNAS. OTHERWISE, e.g. LibreOffice documents, which also create a tmp file during creation of the document itself, have the wrong rights > root and wheel. Pretty strange!
 

tiberiusQ

root@truenas[/mnt/poooool/smb-share/share000]# getfacl *
# file: acrolock6036.2.1427384599.tmp
# owner: zucht
# group: wheel
everyone@:--------------:-------:allow

# file: Bestellformular.pdf
# owner: zucht
# group: wheel
owner@:rwxpDdaARWcCos:------I:allow
group@:rwxpDdaARWcCos:------I:allow
user:zucht:rwxpDdaARWcCos:------I:allow
everyone@:--------------:------I:allow

# file: New folder
# owner: zucht
# group: wheel
owner@:rwxpDdaARWcCos:fd----I:allow
group@:rwxpDdaARWcCos:fd----I:allow
user:zucht:rwxpDdaARWcCos:fd----I:allow
everyone@:--------------:fd----I:allow
root@truenas[/mnt/poooool/smb-share/share000]#
 

Attachments

  • Screenshot 2020-10-16 at 14.00.17.png
    800.8 KB · Views: 319
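
Added example (not part of any post in this thread, and not iXsystems code): a small parser for the `getfacl` NFSv4 listing format shown above that flags files whose ACL grants no permission bits to anyone, and reports whether that ACL lacks the inherited flag `I`, meaning it was set on the file directly. The function names are hypothetical and the sample input is constructed in the shape of the listing in the thread.

```python
import re

# Constructed sample: FreeBSD `getfacl` NFSv4 output in the shape shown in the thread.
SAMPLE = """\
# file: acrolock6036.2.1427384599.tmp
# owner: zucht
# group: wheel
everyone@:--------------:-------:allow

# file: Bestellformular.pdf
# owner: zucht
# group: wheel
owner@:rwxpDdaARWcCos:------I:allow
user:zucht:rwxpDdaARWcCos:------I:allow
everyone@:--------------:------I:allow
"""

def parse_getfacl(text):
    """Return one {file, owner, group, aces} dict per '# file:' block."""
    files, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"#\s*(file|owner|group):\s*(.*)$", line)
        if m:
            key, val = m.groups()
            if key == "file":
                cur = {"file": val, "owner": None, "group": None, "aces": []}
                files.append(cur)
            elif cur is not None:
                cur[key] = val
        elif line and not line.startswith("#") and cur is not None:
            # ACE layout is who[:qualifier]:perms:flags:type, so split from the right.
            parts = line.rsplit(":", 3)
            if len(parts) == 4:
                cur["aces"].append(dict(zip(("who", "perms", "flags", "type"), parts)))
    return files

def locked_out(entry):
    """True when no allow ACE grants a single permission bit."""
    return not any(a["type"] == "allow" and a["perms"].strip("-") for a in entry["aces"])

def explicit_acl(entry):
    """True when no ACE carries the inherited flag 'I' (ACL was set on the file itself)."""
    return all("I" not in a["flags"] for a in entry["aces"])

def report(text):
    return [(e["file"], explicit_acl(e)) for e in parse_getfacl(text) if locked_out(e)]

if __name__ == "__main__":
    print(report(SAMPLE))
```

To run it against a live share, pass the output of `getfacl *` from the share directory to `report()` instead of the constructed sample.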

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Oh. That's fascinating. Looks like Adobe is cutting its feet out from under itself. Are you able to reproduce this on demand? If so, can you get a packet capture of it: tcpdump -i <your interface name> -w /tmp/smb.pcap host <IP of your client>
 

tiberiusQ

root@truenas[~]# getfacl /mnt/poooool/smb-share/
# file: /mnt/poooool/smb-share/
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow


root@truenas[~]# getfacl /mnt/poooool/
# file: /mnt/poooool/
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
 

tiberiusQ

root@truenas[~]# testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
aio max threads = 2
bind interfaces only = Yes
disable spoolss = Yes
dns proxy = No
enable web service discovery = Yes
kernel change notify = No
load printers = No
logging = file
max log size = 51200
nsupdate command = /usr/local/bin/samba-nsupdate -g
registry shares = Yes
restrict anonymous = 2
server role = standalone server
server string = TrueNAS Server
unix extensions = No
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb
directory name cache size = 0
dos filemode = Yes


[share000]
ea support = No
kernel share modes = No
path = /mnt/poooool/smb-share/share000
posix locking = No
read only = No
vfs objects = aio_fbsd streams_xattr shadow_copy_zfs ixnas
nfs4:chown = true
root@truenas[~]#
 

anodos

Okay. With this particular configuration, an appropriate ACL _must_ be set on the share for reliable behavior. Try recursively setting an ACL in which you explicitly grant "zucht" FULL_CONTROL. You can select the ACL template OPEN, then change the everyone@ entry to READ and add a new entry for "zucht" or a group that "zucht" is a member of. Once you have fine-tuned the template, check the "recursive" box and click "apply".
 

tiberiusQ

Okay. With this particular configuration, an appropriate ACL _must_ be set on the share for reliable behavior. Try recursively setting an ACL in which you explicitly grant "zucht" FULL_CONTROL. You can select the ACL template OPEN, then change the everyone@ entry to READ and add a new entry for "zucht" or a group that "zucht" is a member of. Once you have fine-tuned the template, check the "recursive" box and click "apply".

I tried that already...doesn't help....
 

tiberiusQ

Hmm.. this is a 12.0 box. A second alternative is to ensure that the "ACL" checkbox is unchecked for the SMB share in the GUI.

If I strip the ACL on this share and edit the share to disable the ACL checkbox, I get the attached error message (client). So I decided to add specific ACLs on this share, and I get the same error message.
 

Attachments

  • Screenshot 2020-10-16 at 14.59.46.png
    85.8 KB · Views: 301