SOLVED Samba MS Office compatibility problem

Status
Not open for further replies.

AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33
I'm having issues with my shares again. This time it seems to be MS Office in particular.

I can open any file over the network with any other piece of software, but multiple users have complained that Office opens files on the share really slowly and in Protected View. I've added the share to trusted locations and have enabled "Trust files from the network", but still, Office opens files in Protected View and downloads the files first (this is a very big issue when working with 100mb+ PowerPoints over WiFi). Based on the error message, Office thinks the files come from the internet and can't be trusted. My guess is that Office is downloading the files for a virus scan or validation or something. I have turned all the settings I can think of or find through Google that might cause this behavior.

Considering that the old QNAP office NAS wasn't getting these issues, I'm going to guess that some feature or option of Samba isn't set up correctly. QNAP is also running a UNIX-based system, and uses Samba for its shares.

Anyone else have similar issues in the past and managed to get a fix for them?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Post following:
  • Contents of /usr/local/etc/smb4.conf
  • Client type
  • Whether this occurs over wired connection
Are you using AD?
 

AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33

Thank you for having a look at this. I'm not in an AD with the clients. They are all Windows 10 Pro. I have tried this with both LibreOffice and WPS Office, and only MS Office seems to need to download the files and opens them as "unsafe".
I just checked a few moments ago. Reinstalled the old NAS and turned it on. It does indeed just open the files without copying them and does enable editing straight away.

Here is the smb4.conf contents:
Code:
[global]
	server max protocol = SMB3
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 933824
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = no
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	time server = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	local master = yes
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = standalone
	netbios name = NAS1
	workgroup = WORKGROUP
	security = user
	pid directory = /var/run/samba
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1
	create mask = 0775
	directory mask = 0770
	force create mode = 0710
   

[EDV]
	path = "/mnt/ESSOffice/BIGShare/Management/EDV"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = no
	vfs objects = zfs_space shadow_copy streams_xattr aio_pthread
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
   

[Public]
	path = "/mnt/ESSOffice/BIGShare"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	shadow:snapdir = .zfs/snapshot
	shadow:sort = desc
	shadow:localtime = yes
	shadow:format = auto-%Y%m%d.%H%M-4h
	shadow:snapdirseverywhere = yes
	vfs objects = shadow_copy2 zfs_space shadow_copy shadow_copy_test streams_xattr aio_pthread
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare

 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
To clarify a bit further, the information that Windows clients use to identify whether something comes from an untrusted zone is contained in a "zone.identifier" Alternate Data Stream (ADS). FreeNAS by default will store ADS in a filesystem extended attribute (streams_xattr). Many NAS vendors choose not to enable this functionality by default. Turn it off, and see if the problem goes away.
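As an added illustration (not part of the thread, and not FreeNAS or Samba code), the sketch below shows how the marker described above can be recognised once streams_xattr has stored it. It assumes Samba's default naming, where a stream becomes an extended attribute called `user.DosStream.<stream>:$DATA`, and the usual INI-style `[ZoneTransfer]` body with a `ZoneId` field; the paths and attribute values in `SAMPLE` are constructed, standing in for whatever tool you use to dump extended attributes on the server.

```python
import configparser

# Assumption: default streams_xattr naming, "user.DosStream.<stream>:$DATA".
XATTR_PREFIX = "user.DosStream."
STREAM_SUFFIX = ":$DATA"

# URL security zones as numbered in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def stream_name(xattr_name):
    """Return the ADS name carried by a streams_xattr attribute, or None."""
    if not xattr_name.startswith(XATTR_PREFIX):
        return None
    name = xattr_name[len(XATTR_PREFIX):]
    if name.endswith(STREAM_SUFFIX):
        name = name[:-len(STREAM_SUFFIX)]
    return name


def parse_zone_identifier(raw):
    """Parse the INI-style stream body; return ZoneId as int, or None."""
    text = raw.decode("utf-8", errors="replace").lstrip("\ufeff")
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # malformed or unrelated stream content


def marked_files(xattrs_by_path, min_zone=3):
    """Map path -> zone name for files whose stored zone is >= min_zone."""
    hits = {}
    for path, xattrs in xattrs_by_path.items():
        for attr, value in xattrs.items():
            name = stream_name(attr)
            if name is None or name.lower() != "zone.identifier":
                continue
            zone = parse_zone_identifier(value)
            if zone is not None and zone >= min_zone:
                hits[path] = ZONES.get(zone, "Unknown")
    return hits


# Constructed sample: path -> {xattr name: raw value}.
SAMPLE = {
    "/mnt/tank/share/deck.pptx": {
        "user.DosStream.Zone.Identifier:$DATA":
            b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/d\r\n",
        "user.DOSATTRIB": b"0x20"},
    "/mnt/tank/share/notes.docx": {
        "user.DosStream.Zone.Identifier:$DATA": b"[ZoneTransfer]\r\nZoneId=1\r\n"},
    "/mnt/tank/share/plan.xlsx": {"user.DOSATTRIB": b"0x20"},
}
```

Calling `marked_files(SAMPLE)` returns only the file tagged with the Internet zone, which is the set of files a Windows client would still see as coming from an untrusted zone while the stream is being served.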
 

AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33
Code:
shadow_copy shadow_copy_test

These shouldn't be enabled.

Try removing "streams_xattr" from your shares, then reboot your client.

OK, did this, restarted the Samba service, and it seems to have solved the Protected View thing. The files still get downloaded locally though, but still, it's a win.

Any idea why office might still need to download the file locally instead of opening it straight from the share?

EDIT: Just noticed that without the shadow_copy modules active I don't have previous versions anymore. I need those so can you please explain to me why I need to have them turned off?
 

jvedula

Cadet
Joined
Sep 16, 2018
Messages
3
I tried the same: removing the attribute (streams_xattr) and rebooting. Still have an issue. I am unable to open the MS Office docs from a Windows 10 computer with Office 2016. Works with Windows 10 Office 2010. What am I missing?
 

AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33
Hi jvedula,

This has been a recent change for us as well. Office 2016 recently (about 4-6 months ago) started introducing/forcing Trusted Locations. It took us a while to find what was causing the problem, as it was opening the same file about 3 times before you could actually edit something. Quite a long time if you have 400mb ppts like my boss.

Have a look at this: https://support.office.com/en-us/ar...location-7ee1cdc2-483e-4cbb-bcb3-4e7c67147fb4

We eventually created a GPO to turn this off because it is too big of a hassle to do it on each PC and each Office product (that's right, you have to do this in Word, in Excel, in PowerPoint, in whatever else you use).

We as of yet haven't found any combination of trusted locations that actually works with the network share, so we eventually decided to turn it off completely.

EDIT: Also worth noting, we did get Windows AD running since then and we did turn on xattr again, as the permissions were now changed to Windows permissions and managed by the AD users/groups permissions.

Hope this helps you.
Cheers
Andrei
 

jvedula

Cadet
Joined
Sep 16, 2018
Messages
3
Hi Andrei,
Thank you. I went in and added the trusted location for Word, Excel, PPT. Still no luck. I don't have an AD. This is for home use.
What else can I do to disable this "feature" from MS Office? Using guest access and no named users for home installation.


AndrewH

Dabbler
Joined
Aug 9, 2017
Messages
33
Hi jvedula,

Sorry for such a delayed response. But under the next tab down, under Trusted Documents you can completely turn off this feature and it won't require you adding any trusted locations. It will just stop checking for it. It can obviously be dangerous for some files, but if you have an antivirus running as well I think it will be ok.

Hope this helps.
Cheers
 