SMB ACL Issue

daretar

Hello :)

I have an issue with Samba. All my clients are macOS V12.1.
When interacting with (any) Samba share (browsing, storing), the system logs are bombarded with entries like this:

Code:
[2021/12/18 21:01:17.771396,  0] ../../source3/smbd/open.c:3252(smbd_calculate_maximum_allowed_access_fsp)
  smbd_calculate_maximum_allowed_access_fsp: Could not get acl on file FILEPATH:com.apple.metadata_kMDItemUserTags: NT_STATUS_NOT_SUPPORTED


Could anybody give me a hint?

I am currently on: TrueNAS-SCALE-22.02-RC.1-2

testparm:

Code:
Load smb config files from /etc/smb4.conf
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
    bind interfaces only = Yes
    disable spoolss = Yes
    dns proxy = No
    load printers = No
    logging = file
    max log size = 5120
    passdb backend = tdbsam:/var/run/samba-cache/passdb.tdb
    printcap name = /dev/null
    registry shares = Yes
    restrict anonymous = 2
    server min protocol = SMB2
    server multi channel support = No
    server string = Hera Filestorage
    idmap config * : range = 90000001 - 100000000
    idmap config * : backend = tdb
    create mask = 0775
    directory mask = 0775


[Backup]
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Backup
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[JTMac]
    browseable = No
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Backup/JTMac/%U
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = tmprotect catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    zfs_core:base_user_quota = 1T
    zfs_core:zfs_auto_create = true
    tn:vuid = 8edf1be5-afab-4e2a-8df0-00a89d4c6acb
    fruit:time machine max size = 0
    fruit:time machine = True
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix = %U
    tn:purpose = ENHANCED_TIMEMACHINE


[Public]
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Public
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[Privat]
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Privat
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[Vault]
    ea support = No
    kernel share modes = No
    mangled names = no
    path = /mnt/Tank/Vault
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    spotlight = Yes
    vfs objects = catia fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    fruit:encoding = native
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[Zeus]
    browseable = No
    ea support = No
    kernel share modes = No
    path = /mnt/Tank/Backup/Zeus/%U
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = tmprotect fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    zfs_core:base_user_quota = 1T
    zfs_core:zfs_auto_create = true
    tn:vuid = 54cca4ad-4b85-46e7-b815-49847a5be151
    fruit:time machine max size = 0
    fruit:time machine = True
    tn:path_suffix = %U
    fruit:resource = stream
    fruit:metadata = stream
    tn:home = False
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    tn:purpose = ENHANCED_TIMEMACHINE
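
To check whether a log flood like the one in this post is confined to macOS metadata streams or also includes ACL read failures on base files, the messages can be grouped by stream name and status. This is an added example, not part of the original post and not Samba or TrueNAS code; the sample log lines, paths and the `NT_STATUS_ACCESS_DENIED` entry are constructed, following the two-line format quoted above.

```python
import re
from collections import Counter

# Constructed sample in the two-line smbd format quoted in the post (header
# line, then indented message). Paths and the third entry are made up.
LOC = "../../source3/smbd/open.c:3252(smbd_calculate_maximum_allowed_access_fsp)"
FN = "smbd_calculate_maximum_allowed_access_fsp"
TAGS = "com.apple.metadata_kMDItemUserTags"
SAMPLE_LOG = "\n".join([
    f"[2021/12/18 21:01:17.771396,  0] {LOC}",
    f"  {FN}: Could not get acl on file docs/a.txt:{TAGS}: NT_STATUS_NOT_SUPPORTED",
    f"[2021/12/18 21:01:17.901122,  0] {LOC}",
    f"  {FN}: Could not get acl on file docs/b.txt:{TAGS}: NT_STATUS_NOT_SUPPORTED",
    f"[2021/12/18 21:01:18.000123,  0] {LOC}",
    f"  {FN}: Could not get acl on file docs/c.txt: NT_STATUS_ACCESS_DENIED",
    "[2021/12/18 21:01:19.000456,  1] ../../source3/example.c:1(example_function)",
    "  constructed unrelated message",
])

ACL_MSG = re.compile(
    r"Could not get acl on file (?P<name>.+): (?P<status>NT_STATUS_\w+)\s*$")

def parse_acl_failures(log_text):
    """Return (path, stream, status) for each 'Could not get acl' message.

    stream is the part after the last ':' in the file name, or None when the
    failure is on the base file itself.
    """
    failures = []
    for line in log_text.splitlines():
        m = ACL_MSG.search(line)
        if not m:
            continue
        base, sep, stream = m.group("name").rpartition(":")
        if sep:
            failures.append((base, stream, m.group("status")))
        else:
            failures.append((m.group("name"), None, m.group("status")))
    return failures

def summarize(failures):
    """Count failures per (stream, status) so one noisy stream stands out."""
    return Counter((stream, status) for _, stream, status in failures)

def base_file_failures(failures):
    """Failures on the file itself, not on a named stream."""
    return [(path, status) for path, stream, status in failures if stream is None]

if __name__ == "__main__":
    parsed = parse_acl_failures(SAMPLE_LOG)
    for (stream, status), n in summarize(parsed).most_common():
        print(f"{n:5d}  {stream or '<base file>'}  {status}")
    print("base-file failures:", base_file_failures(parsed))
```
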

 

jeroenst

+1 Samba ACL is not working:

Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 177, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1294, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/lib/python3/dist-packages/middlewared/service.py", line 931, in update
    rv = await self.middleware._call(
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1294, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1140, in nf
    res = await f(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1272, in nf
    return await func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/smb_/sharesec.py", line 429, in do_update
    await self.setacl({"share_name": old_acl["share_name"], "share_acl": data["share_acl"]})
  File "/usr/lib/python3/dist-packages/middlewared/plugins/smb_/sharesec.py", line 249, in setacl
    await self._sharesec(share=data['share_name'], action='--replace', args=','.join(ae_list))
  File "/usr/lib/python3/dist-packages/middlewared/plugins/smb_/sharesec.py", line 142, in _sharesec
    raise CallError(f'sharesec {action} failed with error: {sharesec.stderr.decode()}')
middlewared.service_exception.CallError: [EFAULT] sharesec --replace failed with error: lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Failed to parse acl
 

jeroenst

OK, on my TrueNAS SCALE it seems that a wrong SID causes this error.

It's not very user-friendly that a user has to search for an SID in the console before they can change permissions.
At least there should be a drop-down of users with SIDs in this Samba ACL window.
 