SOLVED MacOS users on SAMBA shares can only change tags on own files?

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Hello there...

All my users are on MacOS. They can tag files on SAMBA shares with various colours (a feature in the MacOS Finder). However, it only works on files the user is the owner of. It does not matter if the permissions are set to 777 using chmod (R/W for everyone). The user can change file names etc. in that case, but not the tags if she is not the owner.

Configuration of SAMBA:
Code:
[global]
    bind interfaces only = Yes
    dos charset = CP437
    interfaces = 127.0.0.1 172.22.33.21 172.30.10.6 172.30.20.6
    netbios name = FREENAS01
    server string = Kurogane
    workgroup = ZFS_ULTRAMAN
    lm announce = Yes
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    ldap admin dn = ****
    ldap passwd sync = yes
    ldap suffix = ***
    logging = file
    max log size = 51200
    domain logons = Yes
    kernel change notify = No
    panic action = /usr/local/libexec/samba/samba-backtrace
    disable spoolss = Yes
    load printers = No
    printcap name = /dev/null
    time server = Yes
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://****
    security = USER
    server role = member server
    deadtime = 15
    max open files = 3772811
    dns proxy = No
    idmap config zfs_ultraman: range = 10000-90000000
    idmap config zfs_ultraman: backend = ldap
    ldapsam:trusted = yes
    idmap config *: range = 90000001-100000000
    idmap config * : backend = tdb
    store dos attributes = Yes
    strict locking = No
    directory name cache size = 0
    dos filemode = Yes
    acl allow execute always = Yes
    ea support = Yes
    create mask = 0666
    directory mask = 0777

[Everland]
    path = "/mnt/storage/everland"
    delete veto files = Yes
    veto files = /*.DS_Store/.apdisk/.TemporaryItems/
    access based share enum = Yes
    force create mode = 0666
    force directory mode = 0777
    force group = everland-fileserver-write
    hosts allow = 172.30.10.0/24 172.30.11.0/24 172.22.33.0/24 172.30.30.0/24 172.30.31.0/24
    inherit permissions = Yes
    read only = No
    valid users = @everland-fileserver-write
    vfs objects = shadow_copy2 zfs_space zfsacl fruit streams_xattr
    fruit:veto_appledouble = no
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    shadow:snapdirseverywhere = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:localtime = yes
    shadow:sort = desc
    shadow:snapdir = .zfs/snapshot


Any suggestions?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
All my users are on MacOS. They can tag files on SAMBA shares with various colours (a feature in the MacOS Finder). However, it only works on files the user is the owner of. It does not matter if the permissions are set to 777 using chmod (R

Is this 11.2-U2 or 11.2-U1?
 

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Is this 11.2-U2 or 11.2-U1?

This is tested on FreeNAS 11.2-U2.

This is the log showing a user (plj) not able to add tags to a file (plj_is_not_the_owner) owned by someone else (rights are 777). On a file owned by the user (plj_is_the_owner), tags can be added and removed.
Code:
...
...
[2019/02/27 13:29:36.876369,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/.DS_Store read=No write=No (numopen=4)
[2019/02/27 13:29:36.876719,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/.DS_Store:AFP_AfpInfo read=Yes write=No (numopen=5)
[2019/02/27 13:29:36.876895,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/.DS_Store:AFP_AfpInfo (numopen=4) NT_STATUS_OK
[2019/02/27 13:29:36.876962,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/.DS_Store (numopen=3) NT_STATUS_OK
...
...
  plj opened file FREE/plj_is_not_the_owner read=No write=No (numopen=3)
[2019/02/27 13:29:39.633999,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.647067,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:39.647612,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.648039,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=No write=No (numopen=3)
[2019/02/27 13:29:39.648330,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.648946,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:39.649442,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.650010,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:39.650544,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.651508,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:39.652243,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.656659,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=No write=No (numopen=3)
[2019/02/27 13:29:39.656963,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.659426,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:39.659923,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.660964,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=No write=No (numopen=3)
[2019/02/27 13:29:39.661241,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.662031,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:39.662482,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.663030,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=No write=No (numopen=3)
[2019/02/27 13:29:39.663317,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:39.877899,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:39.878393,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:41.888080,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:41.888942,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:41.890751,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:29:41.891264,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:41.946658,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=No write=No (numopen=3)
[2019/02/27 13:29:41.946968,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:43.742133,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=No write=No (numopen=3)
[2019/02/27 13:29:43.742571,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:43.743824,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_not_the_owner read=No write=No (numopen=3)
[2019/02/27 13:29:43.744129,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_not_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:29:56.484025,  2] ../source3/smbd/server.c:807(remove_child_pid)
  Could not find child 33246 -- ignoring


This is the user interacting with a file he owns:
Code:
...
...
[2019/02/27 13:31:38.442422,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=No write=No (numopen=3)
[2019/02/27 13:31:38.442820,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:31:38.444018,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=No write=No (numopen=3)
[2019/02/27 13:31:38.444316,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:31:38.445052,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=No write=No (numopen=3)
[2019/02/27 13:31:38.445507,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner:AFP_AfpInfo read=Yes write=Yes (numopen=4)
[2019/02/27 13:31:38.446048,  0] ../source3/modules/vfs_fruit.c:4181(fruit_pread_meta_stream)
  fruit_pread_meta_stream: Removing [FREE/plj_is_the_owner:AFP_AfpInfo] after short read [0]
[2019/02/27 13:31:38.446134,  0] ../source3/modules/vfs_fruit.c:4185(fruit_pread_meta_stream)
  fruit_pread_meta_stream: Removing [FREE/plj_is_the_owner:AFP_AfpInfo] failed
[2019/02/27 13:31:38.448577,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner:AFP_AfpInfo (numopen=3) NT_STATUS_OK
[2019/02/27 13:31:38.448705,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:31:38.451036,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=No write=No (numopen=4)
[2019/02/27 13:31:38.451339,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner:AFP_AfpInfo read=Yes write=No (numopen=5)
[2019/02/27 13:31:38.451490,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner:AFP_AfpInfo (numopen=4) NT_STATUS_OK
[2019/02/27 13:31:38.451555,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner (numopen=3) NT_STATUS_OK
[2019/02/27 13:31:38.452784,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=No write=No (numopen=3)
[2019/02/27 13:31:38.453219,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner:com.apple.metadata_kMDItemUserTags read=No write=Yes (numopen=4)
[2019/02/27 13:31:38.455679,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner:com.apple.metadata_kMDItemUserTags (numopen=3) NT_STATUS_OK
[2019/02/27 13:31:38.455817,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:31:38.457921,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:31:38.458520,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:31:38.459414,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=Yes write=No (numopen=3)
[2019/02/27 13:31:38.459911,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:31:38.460836,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=No write=No (numopen=3)
[2019/02/27 13:31:38.461152,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner:com.apple.metadata_kMDItemUserTags read=No write=Yes (numopen=4)
[2019/02/27 13:31:38.462927,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner:com.apple.metadata_kMDItemUserTags (numopen=3) NT_STATUS_OK
[2019/02/27 13:31:38.463065,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner (numopen=2) NT_STATUS_OK
[2019/02/27 13:31:38.465241,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner read=No write=No (numopen=4)
[2019/02/27 13:31:38.465537,  2] ../source3/smbd/open.c:1447(open_file)
  plj opened file FREE/plj_is_the_owner:AFP_AfpInfo read=Yes write=No (numopen=5)
[2019/02/27 13:31:38.465677,  2] ../source3/smbd/close.c:802(close_normal_file)
  plj closed file FREE/plj_is_the_owner:AFP_AfpInfo (numopen=4) NT_STATUS_OK...
...


This is the configuration of SAMBA. User is logged in to share tftproot:
Code:
root@ultraman:/mnt/ultraman/tftproot/FREE # testparm -s
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[FRUITTEST]"
Processing section "[tftproot]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

# Global parameters
[global]
    deadtime = 15
    disable spoolss = Yes
    dns proxy = No
    domain logons = Yes
    dos charset = CP437
    hostname lookups = Yes
    kernel change notify = No
    ldap admin dn = ***
    ldap suffix = ***
    lm announce = Yes
    load printers = No
    local master = No
    logging = file
    max log size = 51200
    max open files = 6603833
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    obey pam restrictions = Yes
    panic action = /usr/local/libexec/samba/samba-backtrace
    passdb backend = ldapsam:ldap://ldap10.kontrapunkt.com
    printcap name = /dev/null
    security = USER
    server min protocol = SMB2_02
    server role = member server
    server string = FreeNAS Server
    winbind nested groups = No
    workgroup = ZFS_ULTRAMAN
    idmap config zfs_ultraman: range = 10000-90000000
    idmap config zfs_ultraman: backend = ldap
    ldapsam:trusted = yes
    idmap config *: range = 90000001-100000000
    idmap config * : backend = tdb
    acl allow execute always = Yes
    create mask = 0666
    directory mask = 0777
    directory name cache size = 0
    dos filemode = Yes
    strict locking = No


[FRUITTEST]
    browseable = No
    guest only = Yes
    path = "/mnt/ultraman/FRUITTEST"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl fruit streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    fruit:resource = stream
    fruit:metadata = stream


[tftproot]
    path = "/mnt/ultraman/tftproot"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl fruit streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    fruit:resource = stream
    fruit:metadata = stream
 

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Post getfacl output for file that he can't edit tags on.

Hmmm... I had not even considered ACLs. How do I use those from SAMBA? I have no Windows system for manipulating ACLs.

The file the user (plj) CAN add tags to:
Code:
getfacl plj_is_the_owner


# file: plj_is_the_owner
# owner: plj
# group: nobody
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow


The file the user (plj) can NOT add tags to:
Code:
getfacl plj_is_not_the_owner

# file: plj_is_not_the_owner
# owner: root
# group: nobody
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow
 

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
So, the problem was, as seen above, that the group has no rights to allow tagging of the file. This can be fixed by setting appropriate rights like this:
Code:
setfacl -m group@:full_set:allow plj_is_not_the_owner

Problem solved. Thanks.

This is the configuration of the share used for testing this:
Code:
[Everland]
    path = "/mnt/storage/everland"
    delete veto files = Yes
    veto files = /*.DS_Store/.apdisk/.TemporaryItems/.windows/.mac/
    access based share enum = Yes
    force create mode = 0666
    force directory mode = 0777
    inherit acls = Yes
    inherit permissions = Yes
    read only = No
    vfs objects = zfs_space zfsacl fruit streams_xattr
    zfsacl:expose_snapdir = True
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
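As an added illustration (not code from the thread or from FreeNAS), here is a small Python decoder for the compact NFSv4 ACL form that getfacl prints in the posts above. It evaluates the two ACLs from the thread, plus a constructed one showing group@ after the setfacl fix, and checks for the W (write_xattr) bit that Samba's streams_xattr module needs to store the com.apple.metadata_kMDItemUserTags stream; the group membership and the post-fix ACL text are assumptions.

```python
import re

# Bit letters in the order FreeBSD getfacl prints them (14 positions).
PERM_NAMES = dict(zip("rwxpDdaARWcCos", [
    "read_data", "write_data", "execute", "append_data", "delete_child",
    "delete", "read_attributes", "write_attributes", "read_xattr",
    "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize"]))
ACE_RE = re.compile(r"^\s*(owner@|group@|everyone@|user:\S+?|group:\S+?):"
                    r"([rwxpDdaARWcCos-]{14}):([fdinSFI-]{7}):(allow|deny)\s*$")

# getfacl output as posted in the thread (trivial ACL from a chmod 777).
OWNED_BY_PLJ = """# file: plj_is_the_owner
# owner: plj
# group: nobody
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow
"""
OWNED_BY_ROOT = (OWNED_BY_PLJ.replace("plj_is_the_owner", "plj_is_not_the_owner")
                 .replace("# owner: plj", "# owner: root"))
# Constructed: how the file should look after `setfacl -m group@:full_set:allow`
# (full_set on FreeBSD is every bit, rwxpDdaARWcCos).
AFTER_SETFACL = OWNED_BY_ROOT.replace("group@:rwxp--a-R-c--s", "group@:rwxpDdaARWcCos")

def parse_acl(text):
    """Return (owner, group, [(who, set_of_permission_names, allow|deny), ...])."""
    owner = group = None
    aces = []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif (m := ACE_RE.match(line)):
            who, bits, _flags, kind = m.groups()
            aces.append((who, {PERM_NAMES[c] for c in bits if c != "-"}, kind))
    return owner, group, aces

def effective_perms(acl, user, groups=frozenset()):
    """NFSv4 evaluation: walk the ACEs in order; the first ACE that applies to
    the user and carries a bit decides that bit. Bits nobody grants stay denied."""
    owner, group, aces = acl
    granted, decided = set(), set()
    for who, perms, kind in aces:
        applies = (who == "everyone@" or (who == "owner@" and user == owner)
                   or (who == "group@" and group in groups) or who == f"user:{user}"
                   or (who.startswith("group:") and who[6:] in groups))
        if applies:
            for p in perms - decided:      # already-decided bits are not revisited
                decided.add(p)
                if kind == "allow":
                    granted.add(p)
    return granted

def can_write_tags(acl_text, user, groups=()):
    """Finder tags are an xattr-backed stream: write_xattr (W) is required,
    and write_data (w) from the 777 mode bits is not enough."""
    return "write_xattr" in effective_perms(parse_acl(acl_text), user, set(groups))
```

Note that the fix only helps members of the file's group; everyone@ still lacks W, so a user outside the group would see the same behaviour as before.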
 