Moving Files that have a Windows Zone Identifier gets permission denied from FreeNAS

Status
Not open for further replies.

foxtrotniner

Cadet
Joined
Nov 5, 2014
Messages
9
Hi all, I'm trying to configure a Windows CIFS share and everything seems to work except for this issue. When I try to move a file that has a Zone Identifier from Windows 8 (NTFS volume) to FreeNAS, it gives me a permission denied error.
[attachment: denied.png]


When I right-click on the file, select Properties and click Unblock, I am able to move it over to FreeNAS without any issues.
[attachment: security.png]


I have tried to set FreeNAS as a trusted intranet zone, but to no avail. Is there a way I can tell FreeNAS to ignore this Zone Identifier bit, without the hassle of doing this to every single file?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Is the FreeNAS server a standalone server, AD DC, or AD member server?
Does the problem occur when using W7 client?

Post the following:
  • Hardware specs of FreeNAS server
  • smb4.conf file (located at /usr/local/etc/smb4.conf)

You might try loading up gpedit.msc on your client and see if there is a gpo that you can use to disable the relevant zone identifier behavior. (I'm too lazy to look it up - not a Windows guru).
 

foxtrotniner

Cadet
Joined
Nov 5, 2014
Messages
9
I have not tried a W7 client yet. This is a stand-alone FreeNAS server, not an AD server.

Specs of FreeNAS server:
FreeNAS-9.2.1.8-RELEASE-x64 (e625626)
GIGABYTE GA-H61M-S1 LGA 1155
Celeron G1610
8 GB (2x4 GB ECC RAM)
3 hard drives in RAIDZ1 (320 GB each)
2 hard drives in mirror (150 GB each)

See attached for smb4.conf file
 

Attachments
  • smb.conf.txt (11.1 KB)

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
foxtrotniner said:
Yep it is the same workgroup but still doesn't seem to work, W8 is on WORKGROUP also
Unfortunately, this won't be fixed with a server-side config change. Currently, I believe that samba will save the zone security info as a filesystem extended attribute. If you disable this, then the server will save the data as some sort of zone info file (not desirable), and it still won't stop your client from popping up warnings.

You need to figure out how to relax the security settings in Windows. I can't really be much help because I haven't used Windows 8, but I think the proper place to start may be browsing for options through gpedit.msc. Google may turn something up. :(
 

foxtrotniner

Cadet
Joined
Nov 5, 2014
Messages
9
Sadly, Windows is a total pain, especially NTFS, which saves this info. If you move all the files over to FAT32 and then to FreeNAS, it works because FAT32 does not have this Zone Identifier bit.

Also, this link explains that you can use streams to strip all the Zone data bits from every file: http://thewayeye.net/2012/march/2/b...ternate-data-streams-downloaded-windows-files

Problem with this is, every time you download something new, Windows would still mark it with the Zone bit. Gets annoying real fast to have to do this for every new file.
 

foxtrotniner

Cadet
Joined
Nov 5, 2014
Messages
9
I edited the policy in gpedit.msc, and now the Zone Identifier bit is disabled for every file I download. This might not be ideal; it seems to be solving the symptoms but not the actual issue.
 

mjws00

Guru
Joined
Jul 25, 2014
Messages
798
I'm trying to figure out why we NEVER see this. I use Win7 and Win8 and routinely move downloaded files (that should have a zone bit set) to FreeNAS. Everything has been NTFS forever. It's possible I got one prompt and disabled all that zone BS, but I don't think so. I'd like to know why this affects you and not everyone.

Obviously you disabled the bit. Which is where I would have landed. Seems likely there is something else going on with your permissions, or unique policy settings on your machine. Interesting.
 

foxtrotniner

Cadet
Joined
Nov 5, 2014
Messages
9
mjws00 said:
I'm trying to figure out why we NEVER see this. I use Win7 and Win8 and routinely move downloaded files (that should have a zone bit set) to FreeNAS. Everything has been NTFS forever. It's possible I got one prompt and disabled all that zone BS, but I don't think so. I'd like to know why this affects you and not everyone.

Obviously you disabled the bit. Which is where I would have landed. Seems likely there is something else going on with your permissions, or unique policy settings on your machine. Interesting.

At this point, I'm more curious as why this only happened to my setup. I was expecting to see more users with the same issue, but it seems this is rare. I might just blow the whole thing away and start over with a fresh usb stick install of Freenas. Just to see if it happens again.
 

foxtrotniner

Cadet
Joined
Nov 5, 2014
Messages
9
Well, I blew the whole NAS away and started over from scratch with a fresh install of FreeNAS. The same issue came up. This time I just created a ZFS volume, then added a CIFS share to toss a file on there. Still no luck.
 

foxtrotniner

Cadet
Joined
Nov 5, 2014
Messages
9
I believe I have solved it. It was a permissions issue with FreeNAS. I'm not sure what happened the first time I installed it, but the permissions were set and yet no dice. Not sure exactly which step solved it, as I did multiple things at the same time, but these are the things I did:

1. make sure when you add a user, use your Windows login name and password

2. make sure you set FreeNAS to the correct workgroup

3. In the storage tab make sure to click on the permissions button on the bottom, then leave your Owner (user) as root and change your Owner (group) as your Windows Login group name

4. Make sure to reboot your FreeNAS as well as your Windows client to complete.

No more need to edit gpedit in windows anymore! WIN!
 

Egon Olieux

Dabbler
Joined
Oct 7, 2014
Messages
20
I'm having the same problem.

The issue is not related to SMB3 in any way since it occurs on SMB2 as well:
[attachment: lh1bPCW.png]

The only way to resolve this issue seems to be changing the owner of the directory to the current Windows user (the group is not needed as mentioned by foxtrotniner).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Zone identifiers are a type of alternate data stream. Samba should be able to store that info as a filesystem extended attribute. Your problem might be a config issue or a permissions issue. Post the following enclosed in [code] tags:

1) contents of /etc/local/smb4.conf
2) output of 'getfacl /path/to/share'

Or
3) debug file (click on system -> advanced -> save debug)
 

Egon Olieux

Dabbler
Joined
Oct 7, 2014
Messages
20
The "streams_xattr" vfs object is checked for all shares (by default) to store the alternate data streams.
My home directory is currently the only working share for alternate data streams since I am the owner (egonolieux).
I have multiple shares, but I'll only include the "downloads" share since the others are similar in configuration (with the same issue).

Code:
[global]
    username map = /usr/local/etc/smbusers
    server max protocol = SMB3
    interfaces = 127.0.0.1 192.168.1.11
    bind interfaces only = yes
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 469271
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = guest
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = smb.freenas.lan
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    time server = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = FREENAS
    workgroup = WORKGROUP
    security = user
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
    inherit acls = yes
    inherit owner = yes
    inherit permissions = yes
 
[downloads]
    path = /mnt/zpool0/downloads
    comment = Downloads
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr recycle
    hide dot files = yes
    guest ok = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
 
[homes]
    valid users = %U
    path = /mnt/zpool0/home/%U
    comment = Home directories
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = no
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr recycle
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


I've checked the permissions before and they seem fine to me. The "egonolieux" user is member of the "downloads" group.
As the group permissions are set on write, this should work.
I also tried setting the permissions to 777, but as long as the owner of the directory does not equal the user of the current windows session, the access is denied.

Code:
[root@freenas] /mnt/zpool0# getfacl downloads/
# file: downloads/
# owner: root
# group: downloads
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
            everyone@:r-x---a-R-c--s:------:allow

[root@freenas] /mnt/zpool0/home# getfacl egonolieux/
# file: egonolieux/
# owner: egonolieux
# group: egonolieux
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
            everyone@:------a-R-c--s:------:allow
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Egon Olieux said:
(quotes the previous post in full: the smb4.conf excerpt and the getfacl output shown above)

Your group lacks the "write_xattr" permission. This permission is required to copy zone identifier metadata. That's why you're getting "ACCESS_DENIED" errors. Fix your permissions and it will go away. See my guide here: https://forums.freenas.org/index.ph...-of-how-to-configure-share-permissions.35276/
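As an added example (not code from the thread, from FreeNAS or from Samba), the following shell script models the diagnosis in the reply above against the exact getfacl output and [global] settings posted earlier. It assumes what anodos states: streams_xattr stores each alternate data stream, Zone.Identifier included, as a user extended attribute, and on FreeNAS/ZFS creating that xattr is gated by the NFSv4 write_xattr bit ('W' in the compact permission string). The handling of "inherit owner = yes" is this example's own reading of the posted config: with it, Samba chowns each newly created file to the directory owner (root here), so when the client then opens the file's Zone.Identifier stream the connecting user is evaluated as group@ or everyone@ rather than owner@. The ACL_DOWNLOADS_FIXED string is a hypothetical corrected ACL, not one from the thread.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum, FreeNAS or Samba).
# Models: Samba's streams_xattr stores each alternate data stream as a user
# extended attribute; on ZFS creating that xattr needs NFSv4 write_xattr,
# shown as 'W' in getfacl's compact permission string. The "inherit owner"
# logic is this example's reading of the posted [global], not Samba's code.
#
# Compact NFSv4 permission string, one character per bit, in this order:
#   r w x p d D a A R W c C o s
#   read_data write_data execute append delete delete_child read_attrs
#   write_attrs read_xattr write_xattr read_acl write_acl write_owner sync

# Constructed copies of the getfacl output and [global] lines posted above.
ACL_DOWNLOADS='# file: downloads/
# owner: root
# group: downloads
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
            everyone@:r-x---a-R-c--s:------:allow'

ACL_HOME='# file: egonolieux/
# owner: egonolieux
# group: egonolieux
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
            everyone@:------a-R-c--s:------:allow'

# Hypothetical corrected ACL (not from the thread): group@ gains A and W
# (modify_set) plus file/dir inheritance so files created later get it too.
ACL_DOWNLOADS_FIXED='# file: downloads/
# owner: root
# group: downloads
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxpdDaARWc--s:fd----:allow
            everyone@:r-x---a-R-c--s:------:allow'

SMB_GLOBAL='[global]
    inherit owner = yes
    inherit acls = yes
    store dos attributes = yes
    ea support = yes'

SMB_GLOBAL_NOINHERIT='[global]
    inherit acls = yes
    ea support = yes'

# smb_inherits_owner <smb-conf-text>: exit 0 when "inherit owner = yes".
smb_inherits_owner() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*inherit[[:space:]]+owner[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$'
}

# acl_principal_for <acl-text> <user> "<group ...>"
# Maps a connecting user onto owner@, group@ or everyone@ using the
# "# owner:" and "# group:" header lines of the getfacl output.
acl_principal_for() {
    _owner=$(printf '%s\n' "$1" | awk '$1 == "#" && $2 == "owner:" { print $3 }')
    _group=$(printf '%s\n' "$1" | awk '$1 == "#" && $2 == "group:" { print $3 }')
    [ "$2" = "$_owner" ] && { echo owner@; return 0; }
    for _g in $3; do
        [ "$_g" = "$_group" ] && { echo group@; return 0; }
    done
    echo everyone@
}

# acl_has <acl-text> <principal> <bit>
# Exit 0 when the principal is granted <bit>. ACEs are evaluated in order,
# the first ACE mentioning the bit wins, and everyone@ entries apply to
# every principal. Group membership of the owner is ignored (simplification).
acl_has() {
    printf '%s\n' "$1" | awk -v who="$2" -v bit="$3" '
        { n = split($1, f, ":") }
        n == 4 && (f[1] == who || f[1] == "everyone@") && index(f[2], bit) > 0 && !decided { decided = 1; ok = (f[4] == "allow") }
        END { exit ((decided && ok) ? 0 : 1) }'
}

# ads_write_check <acl-text> <smb-conf-text> <user> "<group ...>"
# Result a Windows client sees when it copies a file carrying an alternate
# data stream into the directory: "ok" or an ACCESS_DENIED line.
ads_write_check() {
    if smb_inherits_owner "$2"; then
        # inherit owner = yes: Samba chowns the new file to the directory
        # owner, so when the client then opens file:Zone.Identifier the
        # connecting user is still evaluated as group@ or everyone@.
        _who=$(acl_principal_for "$1" "$3" "$4")
    else
        # Otherwise the connecting user owns the file it just created, and
        # the mode-derived ACL new files get always grants owner@ write_xattr.
        echo "ok (creating user owns the new file)"
        return 0
    fi
    if acl_has "$1" "$_who" W; then
        echo ok
    else
        echo "ACCESS_DENIED ($_who lacks write_xattr)"
    fi
}

# Demo on the thread's data.
ads_write_check "$ACL_DOWNLOADS" "$SMB_GLOBAL" egonolieux "egonolieux downloads"
#   ACCESS_DENIED (group@ lacks write_xattr)
ads_write_check "$ACL_HOME" "$SMB_GLOBAL" egonolieux "egonolieux"
#   ok
ads_write_check "$ACL_DOWNLOADS_FIXED" "$SMB_GLOBAL" egonolieux "egonolieux downloads"
#   ok
```

Run it with sh. The two posted directories come out as ACCESS_DENIED (downloads, owned by root) and ok (home, owned by egonolieux), matching what Egon observed, and the same downloads ACL passes once group@ carries write_xattr. Two caveats for the real fix: the posted directory ACEs carry no inheritance flags (the ------ field), so a group@ entry with write_xattr should be added with file and directory inheritance, whether through the share's permissions dialog or setfacl on the FreeNAS shell, or files created later fall back to the mode-derived ACL, which never grants W to non-owners; and disabling the Zone Identifier on the client through gpedit, as in the earlier workaround, strips the mark-of-the-web that SmartScreen and Office Protected View rely on, so fixing the server-side ACL is the better trade.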
 