SMB ACL Issue

daretar · Dec 18, 2021

Hello :)

I have an issue with samba. All my clients are MacOS V12.1.
When interacting with (any) samba share (browsing, storing) the system logs are bombarded with entries like that:

Code:

2021/12/18 21:01:17.771396,  0] ../../source3/smbd/open.c:3252(smbd_calculate_maximum_allowed_access_fsp)
  smbd_calculate_maximum_allowed_access_fsp: Could not get acl on file FILEPATH:com.apple.metadata_kMDItemUserTags: NT_STATUS_NOT_SUPPORTED

Could anybody give me a hint?

I am currently on: TrueNAS-SCALE-22.02-RC.1-2

testparam:

Code:

Load smb config files from /etc/smb4.conf
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
    bind interfaces only = Yes
    disable spoolss = Yes
    dns proxy = No
    load printers = No
    logging = file
    max log size = 5120
    passdb backend = tdbsam:/var/run/samba-cache/passdb.tdb
    printcap name = /dev/null
    registry shares = Yes
    restrict anonymous = 2
    server min protocol = SMB2
    server multi channel support = No
    server string = Hera Filestorage
    idmap config * : range = 90000001 - 100000000
    idmap config * : backend = tdb
    create mask = 0775
    directory mask = 0775


[Backup]
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Backup
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[JTMac]
    browseable = No
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Backup/JTMac/%U
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = tmprotect catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    zfs_core:base_user_quota = 1T
    zfs_core:zfs_auto_create = true
    tn:vuid = 8edf1be5-afab-4e2a-8df0-00a89d4c6acb
    fruit:time machine max size = 0
    fruit:time machine = True
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix = %U
    tn:purpose = ENHANCED_TIMEMACHINE


[Public]
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Public
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[Privat]
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Privat
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[Vault]
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Vault
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    spotlight = Yes
    vfs objects = catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[Zeus]
    browseable = No
    ea support = No
    kernel share modes = No
    path = /mnt/Tank/Backup/Zeus/%U
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = tmprotect fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    zfs_core:base_user_quota = 1T
    zfs_core:zfs_auto_create = true
    tn:vuid = 54cca4ad-4b85-46e7-b815-49847a5be151
    fruit:time machine max size = 0
    fruit:time machine = True
    tn:path_suffix = %U
    fruit:resource = stream
    fruit:metadata = stream
    tn:home = False
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    tn:purpose = ENHANCED_TIMEMACHINE

jeroenst · Nov 2, 2022

+1 Samba ACL is not working:

Error: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/middlewared/main.py", line 177, in call_method result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self) File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1294, in _call return await methodobj(*prepared_call.args) File "/usr/lib/python3/dist-packages/middlewared/service.py", line 931, in update rv = await self.middleware._call( File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1294, in _call return await methodobj(*prepared_call.args) File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1140, in nf res = await f(*args, **kwargs) File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1272, in nf return await func(*args, **kwargs) File "/usr/lib/python3/dist-packages/middlewared/plugins/smb_/sharesec.py", line 429, in do_update await self.setacl({"share_name": old_acl["share_name"], "share_acl": data["share_acl"]}) File "/usr/lib/python3/dist-packages/middlewared/plugins/smb_/sharesec.py", line 249, in setacl await self._sharesec(share=data['share_name'], action='--replace', args=','.join(ae_list)) File "/usr/lib/python3/dist-packages/middlewared/plugins/smb_/sharesec.py", line 142, in _sharesec raise CallError(f'sharesec {action} failed with error: {sharesec.stderr.decode()}') middlewared.service_exception.CallError: [EFAULT] sharesec --replace failed with error: lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated Failed to parse acl

jeroenst · Nov 2, 2022

Ok at my Truenas SCALE it seems that a wrong SID causes this error.

It's not very userfriendly that a user has to search for an SID in the console before it can change permissions.
At least there should be a drop down of users with SID's in this Samba ACL window.

Important Announcement for the TrueNAS Community.

SMB ACL Issue

daretar

Cadet

jeroenst

Cadet

jeroenst

Cadet

Similar threads

Important Announcement for the TrueNAS Community.

SMB ACL Issue

daretar

Cadet

jeroenst

Cadet

jeroenst

Cadet

Important Announcement for the TrueNAS Community.

Related topics on forums.truenas.com for thread: "SMB ACL Issue"

Similar threads