FreeNAS-11.3-U4.1 - Exotic behaviour of Acrobat tmp files on smb shares

tiberiusQ

Contributor
Joined
Jul 10, 2017
Messages
190
root@truenas[~]# getfacl /mnt/poooool/smb-share/share000
# file: /mnt/poooool/smb-share/share000
# owner: zucht
# group: zucht
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:rwxpDdaARWc--s:fd-----:allow
user:zucht:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow



While trying to connect >>


root@truenas[~]# smbstatus -v
using configfile = /usr/local/etc/smb4.conf

Samba version 4.12.6
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
37056 zucht zucht 192.168.57.162 (ipv4:192.168.57.162:50568) SMB3_11 - partial(AES-128-CMAC)

Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 37056 192.168.57.162 Fri Oct 16 15:05:28 2020 CEST - -
No locked files
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Looked more closely at pcaps: Adobe is explicitly setting an empty ACL as part of the payload in SMB2 CREATE for the tmp file. So Samba is failing on some path-based syscalls for the file (Samba is still transitioning to a fully handle-based VFS). I'll make a TrueNAS-specific fix for this case, but general FreeBSD systems will have to wait until we figure out what to do upstream.
 

tiberiusQ

Contributor
Joined
Jul 10, 2017
Messages
190
Thanks for the update!

So you do not think that it simply solves the issue if I disable alternate data streams?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Thanks for the update!
>
> So you do not think that it simply solves the issue if I disable alternate data streams?

There's a difference between working around an issue and fixing an issue. Disabling ADS support works around it because it avoids the delete_all_streams() function.
 

djb

Explorer
Joined
Nov 15, 2019
Messages
76
@tiberiusQ @anodos
I have the same issue on an SMB share to which I have full access! I can read-write-delete-modify on that folder, but I can't clear the acrolock.tmp file. How did you manage to work that out?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Version:
TrueNAS-12.0-U1
Should have been fixed with commit 41d5f62a70e2575e786c1b6f4d1c0bf87e4a7344 in our ports repo. Please PM me a debug.

The root cause IIRC was that Adobe creates a temporary file with an ACL containing no ACEs, sets the delete-on-close flag, then closes the file. As part of the delete-on-close song-and-dance, Samba iterates through all alternate data streams on the file and deletes them. Unfortunately, at this point we no longer have rights to read the streams, the delete-on-close fails, and we no longer have access to delete the acrotmp file. So the question is why it didn't auto-delete in your case.
 

djb

Explorer
Joined
Nov 15, 2019
Messages
76
> Should have been fixed with commit 41d5f62a70e2575e786c1b6f4d1c0bf87e4a7344 in our ports repo. Please PM me a debug.
>
> The root cause IIRC was that Adobe creates a temporary file with an ACL containing no ACEs, sets the delete-on-close flag, then closes the file. As part of the delete-on-close song-and-dance, Samba iterates through all alternate data streams on the file and deletes them. Unfortunately, at this point we no longer have rights to read the streams, the delete-on-close fails, and we no longer have access to delete the acrotmp file. So the question is why it didn't auto-delete in your case.

Hello Sir,
I also had read errors on my Syncthing server on those folders, so I went into the shell and manually rm'd those acrolock .tmp files.

How can I send you a debug or the information you need?
 

tiberiusQ

Contributor
Joined
Jul 10, 2017
Messages
190
System->Advanced->Save Debug

Hi,

Unfortunately it seems that the acrolock temp files are back, and the user reports that file locking does not work anymore, just with PDF files!
Still the same box and permissions since last time... It looks like the issue came back with TrueNAS U6!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Hi,
>
> Unfortunately it seems that the acrolock temp files are back, and the user reports that file locking does not work anymore, just with PDF files!
> Still the same box and permissions since last time... It looks like the issue came back with TrueNAS U6!

Hmm... this area was not touched in U5.1 -> U6 update.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Adobe sets an empty ACL on the file, which is failing with EINVAL (because that's invalid in FreeBSD / ZFS). This was working until the following commit, which fixed an incredibly frustrating Linux behavior (from the standpoint of sysadmins who like to have predictable permissions).

The problematic commit was:
Code:
commit fe8914e5e39cc89993841a18e75e416ca9b93c06
Author: Andrew Walker <awalker@ixsystems.com>
Date:   Thu Jan 28 13:32:55 2021 -0500

    s3:modules:ixnas - fix ntacl handling for linux clients with cifsacl
    
    When an SMB share is mounted by linux client with option cifsacl,
    chmod requests are converted into SETINFO requests with an approximation
    of the POSIX mode and inheritance flags removed. In this case, we need
    to not add our locking entry to directories and thereby allow zfs_acl_chmod()
    in ZFS to add default ACL entries.


Basically the fix will be to:
Code:
diff --git a/source3/modules/vfs_ixnas.c b/source3/modules/vfs_ixnas.c
index 42282be695f..8916c3391c8 100644
--- a/source3/modules/vfs_ixnas.c
+++ b/source3/modules/vfs_ixnas.c
@@ -1126,7 +1126,7 @@ static NTSTATUS ixnas_set_nfs4_acl(vfs_handle_struct *handle,
         * special entries to ZFS ACL on file creation on absence of inheriting
         * special entries in the parent directory.
         */
-       if (config->zfs_acl_ignore_empty_mode && has_inheritable) {
+       if ((naces == 0) || (config->zfs_acl_ignore_empty_mode && has_inheritable)) {
                if (acl_create_entry(&zacl, &hidden_entry) < 0) {
                        DBG_ERR("Failed to create new ACL entry: %s\n", strerror(errno));
                }
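
Review bot: the comment above the changed condition still only covers the case of special entries not being inherited from the parent directory, while the new `(naces == 0)` test adds the hidden entry for a different reason, a client-supplied ACL with no ACEs. Extend that comment to say so, since otherwise the next reader cannot tell why an empty ACL takes this branch regardless of `zfs_acl_ignore_empty_mode`. The inner parentheses around `naces == 0` are not needed. In the visible lines a failing acl_create_entry() is only logged with DBG_ERR, so it is worth confirming that the code following this hunk does not go on to use `hidden_entry` in that case.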

Which will set an empty everyone@ ALLOW entry in the ACL if the client specifies a NULL DACL.
 

vinjoza

Dabbler
Joined
Jun 4, 2020
Messages
12
I have the same issue on TrueNAS-13.0-U3.1
They didn't bother me much before, but now when I do a backup task from a Synology device via SMB, it gives me access rights errors. Since this is a fileserver for the entire company, no messing with ACL. For now I've filtered out the files from the backup, as they're all named acrolock*.tmp, but thought I'd post here just in case it helps track the problem.
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
We've just run into similar with TrueNAS-13.0-U3.1.

On an SMB share Windows users were seeing 8 items but Mac users were seeing only 3 items (via both Finder and Terminal). Tried from several Macs, several macOS versions, magic reboots, disconnect/reconnect, different user accounts, etc. Finally we noticed these `acrolock` files and deleted them by sshing to the NAS. Disconnect and reconnect from a Mac and tada 8 items shown by Finder.

So perhaps macOS also freaks out when encountering a file with an empty ACL and gives up enumerating the directory?!
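
The check several posters did by hand over SSH, as an added example that is not part of any post in this thread: it lists leftover `acrolock*.tmp` files under a share and reports whether their ACL grants nothing, parsing the same `getfacl` NFSv4 text format shown at the top of the thread. The function names, the `/mnt/POOL/SHARE` placeholder path, the 60-minute age threshold and the sample ACL text are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed samples in the format of FreeBSD `getfacl` NFSv4 output.
SAMPLE_EMPTY='# file: /mnt/POOL/SHARE/acrolock0000.tmp
# owner: user1
# group: user1
everyone@:--------------:-------:allow'
SAMPLE_OPEN='owner@:rwxpDdaARWcCos:-------:allow
everyone@:--------------:-------:allow'

# acl_grants_nothing: read getfacl output on stdin; exit 0 when no allow ACE
# carries any permission bit (this includes an ACL with no ACEs at all).
acl_grants_nothing() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # header comments, blank lines
        NF < 4 { next }                       # not tag:perms:flags:type
        {
            type = $NF; perms = $(NF - 2)     # user:/group: add one field in front
            gsub(/[ \t]/, "", type)
            if (type == "allow" && perms ~ /[^-]/) granted = 1
        }
        END { exit (granted ? 1 : 0) }
    '
}

# find_acrolock DIR [MIN_AGE_MINUTES]: list acrolock*.tmp files older than the
# given age (default 60, an assumption) so files of open documents are skipped.
find_acrolock() {
    find "$1" -type f -name 'acrolock*.tmp' -mmin "+${2:-60}" -print
}

# report_acrolock DIR [MIN_AGE_MINUTES]: print "<status><TAB><path>" per file.
# Run as root on the NAS, e.g.: report_acrolock /mnt/POOL/SHARE 60
report_acrolock() {
    find_acrolock "$1" "$2" | while IFS= read -r f; do
        if acl=$(getfacl "$f" 2>/dev/null); then
            if printf '%s\n' "$acl" | acl_grants_nothing; then
                s=empty-acl
            else
                s=has-access
            fi
        else
            s=acl-unreadable
        fi
        printf '%s\t%s\n' "$s" "$f"
    done
}
```

The report only lists files; paths marked `empty-acl` or `acl-unreadable` are the ones that match the behaviour described in this thread.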
 

ragametal

Contributor
Joined
May 4, 2021
Messages
188
In my case, the creation of the "acrolock####.tmp" files was related to the security (Enhanced) features of the recent version of Adobe Acrobat Reader. It had nothing to do with either TrueNAS or FreeBSD.
I disabled those functions in Adobe Acrobat and now it doesn't create the "acrolock#####.tmp" files anymore.

To disable them:
  1. Open Adobe Acrobat Reader, click on the menu Edit – Preferences
  2. Choose Security (Enhanced) in the left categories, and make sure to disable the options “Enable Protected Mode at startup”; “Enable Enhanced Security” and “Automatically trust sites from my Win OS security zones”.


I honestly don't know what kind of compromises I'm taking by disabling these functions but at least the "acrolock" files are not being created.

I hope this helps others with this issue.
 