The Perniciously Perennial Problem of CIFS Permissions

Status
Not open for further replies.

ewhac

Contributor
Joined
Aug 20, 2013
Messages
177
I thought I had CIFS permissions licked and, so long as the CIFS share was simply treated like a place to dump archival files, it worked fine. But then I tried treating it like a directory to actually work in, and things went sideways. Over the weekend, I've learned a fair bit more about ACLs, and how Samba maps ZFS native ACLs to CIFS ACLs, and how merely creating a directory owned by you and with 0755 mode bits is not entirely sufficient to make Windows happy if you want to do anything more than copy whole files in and out.

The problem I'm having, basically stated, is that the Win7 client reports directories created on the share as having read-only attributes. Yet the ACLs show I have "full control" over the share, and directories created on that share.

Following guides posted here, I created a new dataset and share (labrat) for the express purpose of conducting experiments. The image below shows the general permissions of the share; the Read-Only attribute is clear:

[Image: labrat-general.png]


The advanced security settings for the share further support this, showing my user as having full control:

[Image: labrat-sec-adv.png]


Next, from the Win7 client, I created a new folder within the labrat share, and looked at its properties. Somehow it has acquired a shaded Read-Only attribute:

[Image: labrat-nf-general.png]


However, inspecting the advanced security settings for the folder reveals:

[Image: labrat-nf-sec-adv.png]


Once again, my user has full control. Even when we edit the permissions, we see:

[Image: labrat-nf-sec-adv-edit.png]


All the permissions are enabled and inherited from the parent folder (the share itself). Yet the shaded Read-Only checkbox persists. This appears to be enough to cause certain Windows applications to complain that they can't write/modify files on the share (Visual Studio 2017, to be precise).

Anyone have any clues?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
More info needed. Try the following:
smbclient //127.0.0.1/SMB_SHARE --user=THEGIBSON\\nisuser
(substitute your user / share)

Then type "allinfo <dir>" and post output. Should look something like this:

Code:
smb: \> allinfo "New folder"
altname: NUJRHW~7
create_time:	Mon Jun 25 03:47:30 2018 PDT
access_time:	Mon Jul  2 15:32:07 2018 PDT
write_time:	 Mon Jun 25 03:47:30 2018 PDT
change_time:	Mon Jun 25 03:47:30 2018 PDT
attributes: D (10)


Once you've done that, use "mkdir" in the smbclient session and then type "allinfo <dir2>" and post output.

Also post contents of /usr/local/etc/smb4.conf.
 

ewhac

Contributor
Joined
Aug 20, 2013
Messages
177
> Then type "allinfo <dir>" and post output.
Code:
smb: \> allinfo "New folder"
altname: NUJRHW~7
create_time:	Mon Jul  9 04:36:18 PM 2018 PDT
access_time:	Mon Jul  9 05:08:50 PM 2018 PDT
write_time:	 Mon Jul  9 04:44:23 PM 2018 PDT
change_time:	Mon Jul  9 04:44:23 PM 2018 PDT
attributes: D (10)

> Once you've done that, use "mkdir" in the smbclient session and then type "allinfo <dir2>" and post output.
Code:
smb: \> mkdir newer-folder
smb: \> ls
  .								   D		0  Tue Jul 10 03:33:48 2018
  ..								  D		0  Mon Jul  9 14:55:13 2018
  New Text Document.txt			   A	   28  Mon Jul  9 16:36:40 2018
  New folder						  D		0  Mon Jul  9 16:44:22 2018
  newer-folder						D		0  Tue Jul 10 03:33:48 2018

	   10916814387 blocks of size 1024. 10916814211 blocks available
smb: \> allinfo newer-folder
altname: NNHULV~9
create_time:	Tue Jul 10 03:33:48 AM 2018 PDT
access_time:	Tue Jul 10 03:33:48 AM 2018 PDT
write_time:	 Tue Jul 10 03:33:48 AM 2018 PDT
change_time:	Tue Jul 10 03:33:48 AM 2018 PDT
attributes: D (10)

> Also post contents of /usr/local/etc/smb4.conf.
Code:
[global]
	interfaces = 127.0.0.1 10.0.0.4
	bind interfaces only = yes
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 937478
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = no
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	time server = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	local master = yes
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = standalone
	netbios name = ALEXANDRIA
	workgroup = EWHAC-LAN
	security = user
	create mask = 0644
	directory mask = 0755
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1
  

[homes]
	valid users = %U
	path = "/mnt/saturn/home/%U"
	comment = Home Directories
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	access based share enum = no
	vfs objects = zfs_space zfsacl streams_xattr
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
  

[labrat]
	path = "/mnt/saturn/labrat"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	access based share enum = no
	vfs objects = zfs_space zfsacl streams_xattr
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Code:
smb: \> allinfo "New folder"
altname: NUJRHW~7
create_time:	Mon Jul  9 04:36:18 PM 2018 PDT
access_time:	Mon Jul  9 05:08:50 PM 2018 PDT
write_time:	 Mon Jul  9 04:44:23 PM 2018 PDT
change_time:	Mon Jul  9 04:44:23 PM 2018 PDT
attributes: D (10)


Code:
smb: \> mkdir newer-folder
smb: \> ls
  .								   D		0  Tue Jul 10 03:33:48 2018
  ..								  D		0  Mon Jul  9 14:55:13 2018
  New Text Document.txt			   A	   28  Mon Jul  9 16:36:40 2018
  New folder						  D		0  Mon Jul  9 16:44:22 2018
  newer-folder						D		0  Tue Jul 10 03:33:48 2018

	   10916814387 blocks of size 1024. 10916814211 blocks available
smb: \> allinfo newer-folder
altname: NNHULV~9
create_time:	Tue Jul 10 03:33:48 AM 2018 PDT
access_time:	Tue Jul 10 03:33:48 AM 2018 PDT
write_time:	 Tue Jul 10 03:33:48 AM 2018 PDT
change_time:	Tue Jul 10 03:33:48 AM 2018 PDT
attributes: D (10)

The above output indicates that the readonly bit is not set on these directories.
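
The check described above can be done mechanically. As an added example (not part of the original posts, and not code from Samba or FreeNAS), this Python code parses `allinfo` output and tests the read-only bit. It assumes the number in parentheses is the attribute mask in hexadecimal, which is consistent with `D (10)` for a directory (0x10); the `locked-folder` entry is constructed for contrast.

```python
import re

# SMB/DOS file attribute bits (values from MS-FSCC).
ATTR_BITS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
             0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL"}

# Constructed sample: the two allinfo results from the thread (timestamps
# omitted) plus a made-up "locked-folder" entry with the read-only bit set.
SAMPLE = """\
smb: \\> allinfo "New folder"
altname: NUJRHW~7
attributes: D (10)
smb: \\> allinfo newer-folder
altname: NNHULV~9
attributes: D (10)
smb: \\> allinfo locked-folder
attributes: RD (11)
"""

_CMD = re.compile(r'allinfo\s+(?:"([^"]+)"|(\S+))\s*$')
_ATTR = re.compile(r'^attributes:.*\(([0-9a-fA-F]+)\)\s*$')

def parse_allinfo(text):
    """Return {name: attribute_mask} for each allinfo stanza in text."""
    result, current = {}, None
    for line in text.splitlines():
        cmd = _CMD.search(line)
        if cmd:
            current = cmd.group(1) or cmd.group(2)
            continue
        attr = _ATTR.match(line.strip())
        if attr and current is not None:
            # Assumption: the parenthesised value is the mask in hex.
            result[current] = int(attr.group(1), 16)
            current = None
    return result

def decode(mask):
    """Names of the attribute bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(ATTR_BITS.items()) if mask & bit]

def readonly_entries(text):
    """Names of entries whose READONLY bit (0x01) is set."""
    return [n for n, m in parse_allinfo(text).items() if m & 0x01]

if __name__ == "__main__":
    for name, mask in parse_allinfo(SAMPLE).items():
        print(f"{name}: 0x{mask:02x} {decode(mask)}")
    print("read-only:", readonly_entries(SAMPLE))
```
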
 

ewhac

Contributor
Joined
Aug 20, 2013
Messages
177
> The above output indicates that the readonly bit is not set on these directories.
Well, all-righty then. So where else might the shaded checkmark in the general properties window be coming from?
 

ewhac

Contributor
Joined
Aug 20, 2013
Messages
177
That may indicate an indeterminate state.
(*blink* *blink*)

Is it possible that DOSATTRIBs are involved somehow (he said, grasping at straws)?
 