SOLVED If you have "file read only" after update

Status
Not open for further replies.

kasak (Dabbler, joined Feb 15, 2014, 33 messages):
Last Sunday I updated FreeNAS to 9.2.1.8 and it seems the update caused a small problem:
all files that were opening properly, for example in MS Word or LO Writer, began to open with a read-only error message.
To solve this I added

nt acl support = no

to the CIFS auxiliary options. Now it seems to work.
And I noticed that the developers removed the option to disable DOS attributes in CIFS. Enabling this feature may allow network viruses to make directories in shares "hidden and system" and create a virus file with the old name of the folder. If you have such a problem, add

store dos attributes = no

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):
> Last Sunday I updated FreeNAS to 9.2.1.8 and it seems the update caused a small problem:
> all files that were opening properly, for example in MS Word or LO Writer, began to open with a read-only error message.
> To solve this I added
>
> nt acl support = no

That is because your permissions are not configured properly.

> to the CIFS auxiliary options. Now it seems to work.
> And I noticed that the developers removed the option to disable DOS attributes in CIFS. Enabling this feature may allow network viruses to make directories in shares "hidden and system" and create a virus file with the old name of the folder. If you have such a problem, add
>
> store dos attributes = no

Do you have a CVE applicable to Samba 4.1.12 regarding those "network viruses"? If no CVE then you're just spreading FUD. The parameter "store dos attributes" causes Samba to map DOS modes [hidden | system | archive | read-only] to extended attributes.

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages):
Yeah, disabling NT ACL support is a major no-no. You're masking whatever problem you are having with that, and you need to go back to the drawing board. Notice that *nobody* else on the forums is using that setting. That's because you shouldn't be using it.

And yes, you are just spreading FUD.

kasak (Dabbler, joined Feb 15, 2014, 33 messages):
About "network viruses" I mean infected Windows machines that search for open shares and add the attributes "hidden and system" to directories in those shares. This is not a Samba problem, this is an infected Windows machines problem. And disabling these attributes can help to solve this without searching for who made this mess.

About permissions: what permissions must a file have? Before upgrading everything worked properly.

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):
> About "network viruses" I mean infected Windows machines that search for open shares and add the attributes "hidden and system" to directories in those shares. This is not a Samba problem, this is an infected Windows machines problem. And disabling these attributes can help to solve this without searching for who made this mess.

Actually, the proper solution is to not have infected machines on your network. If you can't get rid of the malware infection, that's an indication you have a personnel / staff / hiring problem.

kasak (Dabbler, joined Feb 15, 2014, 33 messages):
> Actually, the proper solution is to not have infected machines on your network. If you can't get rid of the malware infection, that's an indication you have a personnel / staff / hiring problem.

Ah, that dream of a Windows-less utopian world :)

Of course, if you have a unified corporate system, you will probably never meet problems with computers that "must-not-be-here", but if you have some groups of engineers that can bring their own devices, and they can be infected, and they will never ask you, they just plug in the patch cord, and you will never know who did that and where the infected machine is. Because you are alone, and there are hundreds of potentially problematic machines. So it's just an easy solution not to allow DOS attributes. I know that all corporate machines have corporate antivirus, so they will not be in trouble, but files must be visible always, regardless of any infected machines that get brought in.

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):
I know this is off-topic, but you can configure your network so that only authorized computers can access your file server. Knowingly allowing malware-infected computers write access to your servers in a business environment is a terrible idea.
Getting management support for locking down the network is easy. Explain the problem that you're having with dos attributes, print an article on cryptolocker malware, and explain how long it will take to recover data from a tape archive.

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages):
> Ah, that dream of a Windows-less utopian world :)

More like dystopic! You'll get an enema if you don't admit Windows is the bestest OS in the whole wide world, and right now! :D

> Of course, if you have a unified corporate system, you will probably never meet problems with computers that "must-not-be-here", but if you have some groups of engineers that can bring their own devices, and they can be infected, and they will never ask you, they just plug in the patch cord, and you will never know who did that and where the infected machine is. Because you are alone, and there are hundreds of potentially problematic machines. So it's just an easy solution not to allow DOS attributes. I know that all corporate machines have corporate antivirus, so they will not be in trouble, but files must be visible always, regardless of any infected machines that get brought in.

I see what you are saying. It is literally covering up the problem with a bandaid when the arm is hanging by the tendons. Not the best idea, and you should make it a higher priority to find the machines with the virus and clean them than do what you are doing. ;)

Keep in mind that some programs use the system and archive bits, so disabling them can cause undesired side effects in many programs. I just helped someone 2 weeks ago who wanted to go this route, but his backups would go to hell in a handbasket when he tried doing what you are doing. He wanted to disable them for other reasons though.

kasak (Dabbler, joined Feb 15, 2014, 33 messages):
> I know this is off-topic, but you can configure your network so that only authorized computers can access your file server. Knowingly allowing malware-infected computers write access to your servers in a business environment is a terrible idea.

This was not the idea, this is the result :) Just don't misunderstand me: I can't trace everything that employees plug into wall sockets, and I can't run to somebody every time somebody wants to access the server. And believe me, this is not what you call a "production server", this is an old laggy machine whose only job is to store photos and temporary directories that employees copy to one another.

kasak (Dabbler, joined Feb 15, 2014, 33 messages):
> I see what you are saying. It is literally covering up the problem with a bandaid when the arm is hanging by the tendons. Not the best idea, and you should make it a higher priority to find the machines with the virus and clean them than do what you are doing. ;)
>
> Keep in mind that some programs use the system and archive bits, so disabling them can cause undesired side effects in many programs. I just helped someone 2 weeks ago who wanted to go this route, but his backups would go to hell in a handbasket when he tried doing what you are doing. He wanted to disable them for other reasons though.

First, the problem machines don't belong to our firm; they are usually owned by the people who bring them, so I am not allowed to touch these machines because they are private property. I can only help the owner if he asks me to, or just ask him to disconnect it from the corporate network; usually I'm doing so (and note I can't order them to do it, I can only ask). All the computers that belong to our firm are protected by corporate antivirus.
And second, about programs that use DOS attributes: for now we don't use such programs. Backups are made with rsync.

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):
> First, the problem machines don't belong to our firm; they are usually owned by the people who bring them, so I am not allowed to touch these machines because they are private property. I can only help the owner if he asks me to, or just ask him to disconnect it from the corporate network; usually I'm doing so (and note I can't order them to do it, I can only ask). All the computers that belong to our firm are protected by corporate antivirus.
> And second, about programs that use DOS attributes: for now we don't use such programs. Backups are made with rsync.

One simple solution to avoid having BYOD laptops access the Samba server is to put all corporate workstations on static addresses, and then add the parameter "hosts deny" to your CIFS config (denying your network's dynamic range).

Sometimes I set up two networks (secure and insecure). Workstations and servers get put on the secure network and I set up a wifi AP on the insecure network (which I throttle the heck out of). This cuts down on the number of requests to install Spotify, iTunes, etc. on workstations. Employees use the insecure network for personal computers, iPhones, looking at cat photos, etc.
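Added example, not part of the thread and not a FreeNAS or Samba source file: a small Python script that applies Samba's documented "hosts allow" / "hosts deny" precedence to a client address, as in the "hosts deny" suggestion above, and flags the two auxiliary parameters argued about earlier in the thread. The smb.conf text, the share name, the address ranges (static workstations below 192.168.10.128, DHCP clients above) and the section layout are constructed assumptions; only exact addresses, CIDR networks and trailing-dot prefixes are matched, not hostnames or EXCEPT clauses.

```python
"""Added example (not from the thread, not FreeNAS/Samba code): evaluate
Samba's hosts allow / hosts deny decision for a client address and flag the
disputed "nt acl support = no" / "store dos attributes = no" settings.
The configuration, ranges and section names below are constructed."""
import ipaddress

# Constructed CIFS configuration.  [global] keeps DHCP clients (assumed to
# live in 192.168.10.128/25) off the server the way the post above suggests;
# [photos] is a share that "fixed" the read-only symptom with the two
# disputed settings.
SMB_CONF = """\
[global]
    hosts deny = 192.168.10.128/25

[photos]
    path = /mnt/foo/bar
    nt acl support = no
    store dos attributes = no
"""

# Settings that hide a permissions problem rather than fix it (per the thread).
MASKING_SETTINGS = {
    ("nt acl support", "no"): "masks broken ACLs; Windows clients need NT ACL support",
    ("store dos attributes", "no"): "drops hidden/system/archive bits some programs rely on",
}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def host_matches(pattern, addr):
    """Subset of Samba's host-list syntax: exact address, CIDR network, or a
    trailing-dot prefix such as "192.168.20.".  Hostnames/EXCEPT not handled."""
    ip = ipaddress.ip_address(addr)
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def access_allowed(allow, deny, addr):
    """Precedence as documented in smb.conf(5): a hosts allow match wins, then
    a hosts deny match refuses, then a non-empty allow list refuses anyone it
    did not list (default deny), otherwise access is granted."""
    if any(host_matches(p, addr) for p in allow):
        return True
    if any(host_matches(p, addr) for p in deny):
        return False
    return not allow


def decide(conf, addr, section="global"):
    """Apply one section's hosts allow / hosts deny lists to a client address."""
    params = conf.get(section, {})
    return access_allowed(params.get("hosts allow", "").split(),
                          params.get("hosts deny", "").split(), addr)


def masking_settings(conf):
    """Return (section, parameter, why) for every disputed setting present."""
    found = []
    for section, params in conf.items():
        for (param, bad), why in MASKING_SETTINGS.items():
            if params.get(param, "").lower() == bad:
                found.append((section, param, why))
    return found


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for client in ("192.168.10.50", "192.168.10.200"):
        print(client, "allowed" if decide(conf, client) else "DENIED")
    # Adding a hosts allow list flips the default to deny-unless-listed:
    print("192.168.30.5 with hosts allow set:",
          access_allowed(["192.168.10.0/25"], [], "192.168.30.5"))
    for section, param, why in masking_settings(conf):
        print(f"[{section}] {param} = no: {why}")
```

With only "hosts deny" set, a host outside the denied range is still admitted, which is what the static-address scheme relies on; a "hosts allow" list turns that into default deny, which is the stricter choice if every corporate workstation really does have a fixed address.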

kasak (Dabbler, joined Feb 15, 2014, 33 messages):
> One simple solution to avoid having BYOD laptops access the Samba server is to put all corporate workstations on static addresses, and then add the parameter "hosts deny" to your CIFS config (denying your network's dynamic range).
>
> Sometimes I set up two networks (secure and insecure). Workstations and servers get put on the secure network and I set up a wifi AP on the insecure network (which I throttle the heck out of). This cuts down on the number of requests to install Spotify, iTunes, etc. on workstations. Employees use the insecure network for personal computers, iPhones, looking at cat photos, etc.

You are undoubtedly a good admin, but let's stop this polemic. I think that FreeNAS is not only used by businesses but sometimes by ordinary users, and they don't want blah-blah Windows ACLs, blah-blah hidden attributes, blah-blah private cloud, blah-blah elasticity, blah-blah-blah economy; they just want "this thing to work as it was an hour ago".

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages):
I don't think you understand.

You don't have a choice on Windows ACLs with Samba and Windows. PERIOD. Yes, it will work, but you'll find out sooner rather than later that your security model is horribly broken with your files, as Windows permissions only (and ONLY) work with Windows ACLs on the NFSv4 permissions the way FreeNAS uses them.

I don't care whether you "want" to use them or not, that's how FreeNAS is designed. You'll find yourself with major problems if you think you can just bend FreeNAS to work however you want.

And if you spend a lot of time here, you'll learn one thing. The people that "just want this thing to work as it was an hour ago" are the same people that have a dozen threads of random unexplained errors, and *still* don't have a working system after days and days of troubleshooting.

You'll be better off if you use FreeNAS the way it was designed and not how you want it to work.

Good luck though. I'm going to unsubscribe from this thread as there is nothing more to say from my position.

kasak (Dabbler, joined Feb 15, 2014, 33 messages):
Okay, if you say I must use ACLs, then please help me to understand what I'm doing wrong. Here are some files from a dir:

-rw-rw-rw- 1 nobody nogroup 9175 Oct 9 17:51 foo.odt
-rw-rw-rw-+ 1 kasak nogroup 475541 Feb 11 2014 addressbook.docx

As you can see, file foo.odt was uploaded today, and it opens for writing with no problem.
And file addressbook was uploaded long ago, but it has a + in its permissions, meaning there is an ACL. And when I open it for writing LibreOffice says "file is locked". Both files have rw rights for the Unix "others" group too.
And there are tons of such files in the directories. What can I do to get my access back?

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):
Is this an AD environment?
If not, create an admin user and group. For instance: kasak:admins
  • Create a group for your regular users. For instance: "Peons"
  • Add your users to "Peons"
  • Create a dataset to be shared. For instance: dataset "bar" in zpool "foo"
  • Set acltype for foo/bar to "windows/mac acl"
  • Share "foo/bar" with CIFS
  • Using a windows workstation, navigate to //ip-address-of-server
  • Right-click on your share. Go to 'properties' --> 'security' --> 'advanced'
  • Find the group 'Peons' and give them permissions appropriate for your share.
If you need to reconfigure your current share, then click on 'set default permissions' in your share's config file and hit 'OK'. Then set permissions as I outlined above.

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):
> You are undoubtedly a good admin, but let's stop this polemic. I think that FreeNAS is not only used by businesses but sometimes by ordinary users, and they don't want blah-blah Windows ACLs, blah-blah hidden attributes, blah-blah private cloud, blah-blah elasticity, blah-blah-blah economy; they just want "this thing to work as it was an hour ago".

It sounds like you're in a situation where you're using FreeNAS professionally. Your end-users aren't specialists. You don't have to explain all the details of what's going on, but you should try hard to do things right. When I take my car to the mechanic I want him to fix it right. I don't want him to JB Weld and duct-tape it together. I spent the past week at a site deploying a WDS server and re-imaging all workstations because the previous IT guy was doing just enough to keep things running, kind of. Earlier this year I had to have a client send off their file server for data recovery because the IT guy didn't bother to make sure that their backups were good. That was a $40K mistake. As they say, an ounce of prevention is better than a pound of cure.

kasak (Dabbler, joined Feb 15, 2014, 33 messages):
I see now. My fault was that we don't have similar plans about Windows. In my opinion, Windows must be fully destroyed. In my vision, the planet will be much better without Microsoft. One of the reasons is that Windows is incompatible with everything.
And my goal is to help non-Windows users to work, and make things comfortable for them. I must not make NT ACLs the default, because this will make problems for Linux users. I don't need to use ACLs because I don't have users at all! I only have guests and a couple of users with closed shares. So, using NT ACLs is bad.

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):
> I see now. My fault was that we don't have similar plans about Windows. In my opinion, Windows must be fully destroyed. In my vision, the planet will be much better without Microsoft. One of the reasons is that Windows is incompatible with everything.
> And my goal is to help non-Windows users to work, and make things comfortable for them. I must not make NT ACLs the default, because this will make problems for Linux users. I don't need to use ACLs because I don't have users at all! I only have guests and a couple of users with closed shares. So, using NT ACLs is bad.

Okay. The problem that you have with the xlsx file is because of the way that MS Office saves files. It is remedied by configuring your ACLs as I outlined above. Alternatively, you can use the "force user" parameter to make all users identical.
I have not done extensive testing, but I have not experienced problems with Linux clients on a properly configured Samba server with NFSv4 permissions configured as I outlined above. This is because NFSv4 permissions allow Samba to behave more like an actual Windows file server. As far as the Microsoft hate goes: in the real world you have to work with and understand both MS and *nix. Learning BSD before learning Windows Server has been helpful (I learned how to do things right before learning the MS way) :) I have more compatibility problems with Macs than I do with Windows machines.

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages):
> Okay, if you say I must use ACLs, then please help me to understand what I'm doing wrong. Here are some files from a dir:
>
> -rw-rw-rw- 1 nobody nogroup 9175 Oct 9 17:51 foo.odt
> -rw-rw-rw-+ 1 kasak nogroup 475541 Feb 11 2014 addressbook.docx
>
> As you can see, file foo.odt was uploaded today, and it opens for writing with no problem.
> And file addressbook was uploaded long ago, but it has a + in its permissions, meaning there is an ACL. And when I open it for writing LibreOffice says "file is locked". Both files have rw rights for the Unix "others" group too.
> And there are tons of such files in the directories. What can I do to get my access back?

For starters, the paste from your shell means NOTHING. Those are Unix permissions. If you want ACLs you use getfacl and setfacl. Unfortunately I do not do one-on-one support with permissions because there are so many ways to get it wrong and it is so time-consuming to fix that the mods and experienced users learned years ago not to try to help with permissions threads. If you read our forum rules it says this:

> Topics that are likely to go unanswered: Some topics tend to be ignored either because they are already explained thoroughly in forum stickies and the documentation or they regularly turn into arguments about technology. These topics include:
>   • Questions involving file permissions. Permissions are hard and every network has its own unique combination of devices, operating systems, protocols, users, groups, and requirements. A Permissions Guide is forthcoming.

Sorry, but you're going to find little help. I do have that guide in progress, but it's not 100% ready yet.
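Added example, not part of the thread and not FreeNAS or Samba code: a Python script showing why the `ls -l` paste in the question above is not enough once a `+` appears, and what the `getfacl` output cyberjock points to actually decides. It parses `ls -l` lines modelled on the two files posted and a constructed FreeBSD NFSv4 `getfacl` listing for addressbook.docx, then walks the ACL in order the way NFSv4 does (first matching entry that mentions the requested bit wins, unmentioned bits are denied). The ACL entries, the "peons" group and the user names other than kasak are assumptions; on a real FreeNAS box the inputs come from `ls -l` and `getfacl FILE`, and ZFS may derive the mode bits differently from the sample here.

```python
"""Added example (not from the thread, not FreeNAS/Samba code): read the POSIX
mode line and a FreeBSD NFSv4 getfacl listing for the same file and decide
whether a given user can actually write it.  All input text is constructed."""
from dataclasses import dataclass

# Constructed `ls -l` lines modelled on the ones posted in the thread.
LS_LINES = """\
-rw-rw-rw-  1 nobody nogroup   9175 Oct  9 17:51 foo.odt
-rw-rw-rw-+ 1 kasak  nogroup 475541 Feb 11  2014 addressbook.docx
"""

# Constructed getfacl output in FreeBSD's NFSv4 format (tag:perms:flags:type).
# The deny entry for group "peons" (an assumed group) precedes the everyone@
# allow, so its members are refused write_data although "others" have w in
# the mode line.  Real output comes from `getfacl addressbook.docx`.
GETFACL_OUTPUT = """\
# file: addressbook.docx
# owner: kasak
# group: nogroup
        group:peons:-w-p---A-W----:-------:deny
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow
"""

# Positional NFSv4 permission letters as printed by FreeBSD getfacl.
NFSV4_BITS = "rwxpDdaARWcCos"


@dataclass
class Ace:
    tag: str    # owner@, group@, everyone@, user:NAME or group:NAME
    perms: str  # 14-char permission string, '-' where the bit is unset
    kind: str   # allow or deny


def parse_ls(text):
    """Return {name: (mode, has_acl, owner, group)} from `ls -l` output."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        mode_field, owner, group, name = parts[0], parts[2], parts[3], parts[8]
        has_acl = mode_field.endswith("+")  # ls prints '+' when an ACL exists
        out[name] = (mode_field.rstrip("+@"), has_acl, owner, group)
    return out


def parse_getfacl(text):
    """Parse a FreeBSD NFSv4 getfacl listing into (owner, group, ACEs in order)."""
    owner = group = None
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, perms, _flags, kind = line.rsplit(":", 3)
            aces.append(Ace(tag, perms, kind))
    return owner, group, aces


def ace_matches(ace, user, groups, owner, fgroup):
    """Does this ACE apply to the requesting user (with its group set)?"""
    if ace.tag == "everyone@":
        return True
    if ace.tag == "owner@":
        return user == owner
    if ace.tag == "group@":
        return fgroup in groups
    kind, _, name = ace.tag.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)


def nfsv4_allows(aces, user, groups, owner, fgroup, perm="w"):
    """NFSv4 evaluation (simplified): the first matching ACE that mentions the
    requested bit decides; a bit no ACE mentions is denied."""
    idx = NFSV4_BITS.index(perm)
    for ace in aces:
        if ace.perms[idx] != "-" and ace_matches(ace, user, groups, owner, fgroup):
            return ace.kind == "allow"
    return False


def can_write(user, groups):
    """Mode bits answer only when ls shows no '+'; otherwise the ACL decides."""
    mode, has_acl, _, _ = parse_ls(LS_LINES)["addressbook.docx"]
    if not has_acl:
        return mode[8] == "w"
    owner, fgroup, aces = parse_getfacl(GETFACL_OUTPUT)
    return nfsv4_allows(aces, user, groups, owner, fgroup, "w")


if __name__ == "__main__":
    for who, grps in (("kasak", {"nogroup"}), ("bob", {"peons"}), ("alice", {"staff"})):
        print(f"{who}: write {'allowed' if can_write(who, grps) else 'DENIED'}")
```

The check to make on the box itself is `getfacl` on one of the locked files: if a deny entry or a restrictive allow for the connecting user's principal sits ahead of the entry that the mode line reflects, the `rw-rw-rw-` output is irrelevant, which is the point behind "those are Unix permissions" above.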

mjws00 (Guru, joined Jul 25, 2014, 798 messages):
Anodos is a glutton for punishment. ;) By the way, you've posted some Samba gems along the way. Good on ya for stepping up so often. I mostly just recoil and shudder at the thought.