SMB Permission Issues on macOS Ventura

[gordon19284]

When trying to write files to my SMB shares with macOS Ventura, I keep getting permission issues. If I use the Finder the write hangs for a minute before creating an empty file and complaining there are no write permissions to the destination. If I try to write data via the command line I get no errors but just get zero-length files. I’ve tried every variation of permissions I can think of, full ACLs, POSIX only, rwx permissions for everyone for all files. Nothing seems to make a difference. Sometimes files can be written properly, but usually not.

I can’t reproduce the issue with Samba on Ubuntu or with Synology shares.

If I look at log.smbd, I see a ton of errors like the following when macOS attempts to write to the share:

Code:

[2022/09/13 22:33:30.528535,  1] ../../source3/modules/nfs4_acls.c:846(nfs4_acl_add_sec_ace)
  nfs4_acl_add_sec_ace: Could not convert S-1-5-21-2002625207-2383344455-1456683947-513 to uid or gid

“

This is with TrueNAS SCALE 22.02.3

 

[anodos]

I haven't investigated closely yet, but the SMB client in Ventura appears to be problematic (possibly prematurely closing files with in-flight IO). Error handling in samba closes the uring fd in vfs_io_uring and a spurious STATUS_ACCESS_DENIED on further async ops. Try disabling aio on the share by setting the following auxiliary parameters

Code:

aio write size = 0
aio read size = 0

Note this is something I only just started to look at in the lab. You are using beta software and so client bugs are somewhat expected.

 

[gordon19284]

Thanks for the info. Sadly, setting these options does not seem to fix the problem.

 

[anodos]

What is output of testparm -s? I'm not seeing write errors from my client.

 

[gordon19284]

Code:

Load smb config files from /etc/smb4.conf
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

# Global parameters
[global]
    bind interfaces only = Yes
    disable spoolss = Yes
    dns proxy = No
    load printers = No
    logging = file
    max log size = 5120
    passdb backend = tdbsam:/var/run/samba-cache/passdb.tdb
    printcap name = /dev/null
    registry shares = Yes
    restrict anonymous = 2
    server min protocol = SMB2
    server multi channel support = No
    server string = TrueNAS Server
    username map = /etc/smbusername.map
    idmap config * : range = 90000001 - 100000000
    fruit:zero_file_id  =  yes
    idmap config * : backend = tdb
    aio read size = 0
    aio write size = 0
    create mask = 0775
    directory mask = 0775


[Misc Backups]
    ea support = No
    kernel share modes = No
    path = /mnt/backups/misc_backups
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid = db894413-615f-48aa-8da7-29ac86904912
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    tn:home = False
    tn:path_suffix =
    tn:purpose = NO_PRESET


[All Backups]
    comment = Entire contents of Backup array
    ea support = No
    kernel share modes = No
    path = /mnt/backups
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    tn:home = False
    tn:path_suffix =
    tn:purpose = DEFAULT_SHARE


[Time Machine]
    ea support = No
    kernel share modes = No
    path = /mnt/backups/time_machine/%U
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = tmprotect fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    zfs_core:zfs_auto_create = true
    tn:vuid = abeac530-9191-4999-8236-c463c8133d22
    fruit:time machine max size = 0
    fruit:time machine = True
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    tn:home = False
    tn:path_suffix = %U
    tn:purpose = ENHANCED_TIMEMACHINE


[Archived Backups]
    ea support = No
    kernel share modes = No
    path = /mnt/backups/archived_backups
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    tn:home = False
    tn:path_suffix =
    tn:purpose = DEFAULT_SHARE


[Video]
    ea support = No
    kernel share modes = No
    path = /mnt/media/video
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = fruit streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
    tn:vuid =
    fruit:time machine max size = 0
    fruit:time machine = False
    fruit:resource = stream
    fruit:metadata = stream
    nfs4:chown = True
    nfs4acl_xattr:encoding = xdr
    nfs4acl_xattr:xattr_name = system.nfs4_acl_xdr
    nfs4acl_xattr:validate_mode = False
    nfs4acl_xattr:nfs4_id_numeric = True
    tn:home = False
    tn:path_suffix =
    tn:purpose = DEFAULT_SHARE

 

[gordon19284]

After some more testing, it looks like setting strict sync = no fixes this issue.

 

[anodos]

Still looking into this.

 

[duderuud]

After some more testing, it looks like setting strict sync = no fixes this issue.

Thanks for this. Just updated to the latest public beta and ran into the same issue.

 

[anodos]

Thanks for this. Just updated to the latest public beta and ran into the same issue.

MacOS Ventura is compounding SMB2_FLUSH | SMB_CLOSE which is new behavior. Samba rejects this cancelling the in-flight AIO fsync() request via io_uring, and in some error cases closing the ring_fd which kills subsequent AIO.

 

[anodos]

I've fixed the AIO issue in a WIP branch, but need to consult upstream about impact.

 

[anodos]

I've attached the WIP fix for 22.02.3. You can snapshot your boot environment, then unzip, copy over, and install via dpkg -i /<path>/wip_samba_fix.deb. Once you do that, restart SMB service and test without disabling sync.

 

[gordon19284]

I get this message when installing the DEB:

One or more of the files
/etc/pam.d/common-{auth,account,password,session} have been locally
modified. Please indicate whether these local changes should be
overridden using the system-provided configuration. If you decline this
option, you will need to manage your system's authentication
configuration by hand.

What's the correct choice here to avoid hosing my setup?

 

[gordon19284]

I've attached the WIP fix for 22.02.3. You can snapshot your boot environment, then unzip, copy over, and install via dpkg -i /<path>/wip_samba_fix.deb. Once you do that, restart SMB service and test without disabling sync.

I just tried this and removed the strict sync option. So far things seem to be working normally. I have not encountered any errors when copying files.

 

[anodos]

I just tried this and removed the strict sync option. So far things seem to be working normally. I have not encountered any errors when copying files.

Okay. Please PM me if you encounter further problems. We're getting ready to release 22.02.4 and this won't make the cut (have to push this upstream). If you upgrade, be sure to re-install samba from above package.