SOLVED Unable to write to root directory of SMB share on macOS

[gdarends]

Hi,

It might be after the 11.2-U2 update or it might be changes I made to the share (not sure).
But I've noticed that since a few weeks ago, I can't write to one of the SMB root directories. I can write to subfolders, just not the root.
From a Windows PC it works fine with no issues, just not on macOS.
The "New Folder" option in the Finder menu is grayed out.
I can rename a file or folder in the root from a Mac. Just not create new files or folders.
I've tested this on multiple Mac computers and PC's. Also tried different user accounts. All users, groups and permissions are managed on a Windows 2012 Active Directory Server.

The only changes I made were that I added `fruit,streams_xattr`, and I updated from 11.2-U1 to U2.
I made these changes to all the shares I have, and none of the other shares have this problem.
Only one specific share has this problem.

I've updated to 11.2-U3 and there is no change.

Any help would be much appreciated.

Thanks.

 

[anodos]

Hi,

It might be after the 11.2-U2 update or it might be changes I made to the share (not sure).
But I've noticed that since a few weeks ago, I can't write to one of the SMB root directories. I can write to subfolders, just not the root.
From a Windows PC it works fine with no issues, just not on macOS.
The "New Folder" option in the Finder menu is grayed out.
I can rename a file or folder in the root from a Mac. Just not create new files or folders.
I've tested this on multiple Mac computers and PC's. Also tried different user accounts. All users, groups and permissions are managed on a Windows 2012 Active Directory Server.

The only changes I made were that I added `fruit,streams_xattr`, and I updated from 11.2-U1 to U2.
I made these changes to all the shares I have, and none of the other shares have this problem.
Only one specific share has this problem.

I've updated to 11.2-U3 and there is no change.

Any help would be much appreciated.

Thanks.

Post output of testparm -s

 

[gdarends]

The "clients" share is having problems.
But as you can see, there is no difference with the other shares.

Code:

gd@nas ~]$ testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[accounting]"
Processing section "[archive]"
Processing section "[clients]"
Processing section "[data]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    allow trusted domains = No
    client ldap sasl wrapping = plain
    deadtime = 15
    disable spoolss = Yes
    dns proxy = No
    domain master = No
    dos charset = CP437
    hostname lookups = Yes
    kernel change notify = No
    lm announce = Yes
    load printers = No
    local master = No
    logging = file
    max log size = 51200
    max open files = 941744
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    obey pam restrictions = Yes
    preferred master = No
    printcap name = /dev/null
    realm = INTERPRINT.LOCAL
    security = ADS
    server min protocol = SMB2_02
    server role = member server
    server string = FreeNAS Server
    template shell = /bin/sh
    winbind cache time = 7200
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    workgroup = INTERPRINT
    idmap config interprint: range = 10000-90000000
    idmap config interprint: backend = rid
    idmap config *: range = 90000001-100000000
    idmap config * : backend = tdb
    acl allow execute always = Yes
    create mask = 0666
    directory mask = 0777
    directory name cache size = 0
    dos filemode = Yes
    strict locking = No


[accounting]
    delete veto files = Yes
    path = "/mnt/storage/persistent/accounting"
    read only = No
    veto files = /._*/.DS_Store/Thumbs.db
    vfs objects = shadow_copy2 fruit streams_xattr recycle crossrename
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    shadow:snapdirseverywhere = yes
    shadow:format = auto-%Y%m%d.%H%M-2w
    shadow:localtime = yes
    shadow:sort = desc
    shadow:snapdir = .zfs/snapshot
    recycle:subdir_mode = 0700
    recycle:directory_mode = 0777
    recycle:touch = yes
    recycle:versions = yes
    recycle:keeptree = yes
    recycle:repository = .recycle/%U
    fruit:resource = stream
    fruit:metadata = stream


[archive]
    delete veto files = Yes
    path = "/mnt/storage/persistent/archive"
    read only = No
    veto files = /._*/.DS_Store/Thumbs.db
    vfs objects = shadow_copy2 fruit streams_xattr recycle crossrename
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    shadow:snapdirseverywhere = yes
    shadow:format = auto-%Y%m%d.%H%M-2w
    shadow:localtime = yes
    shadow:sort = desc
    shadow:snapdir = .zfs/snapshot
    recycle:subdir_mode = 0700
    recycle:directory_mode = 0777
    recycle:touch = yes
    recycle:versions = yes
    recycle:keeptree = yes
    recycle:repository = .recycle/%U
    fruit:resource = stream
    fruit:metadata = stream


[clients]
    delete veto files = Yes
    path = "/mnt/storage/persistent/clients"
    read only = No
    veto files = /._*/.DS_Store/Thumbs.db
    vfs objects = shadow_copy2 fruit streams_xattr recycle crossrename
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    shadow:snapdirseverywhere = yes
    shadow:format = auto-%Y%m%d.%H%M-2w
    shadow:localtime = yes
    shadow:sort = desc
    shadow:snapdir = .zfs/snapshot
    recycle:subdir_mode = 0700
    recycle:directory_mode = 0777
    recycle:touch = yes
    recycle:versions = yes
    recycle:keeptree = yes
    recycle:repository = .recycle/%U
    fruit:resource = stream
    fruit:metadata = stream


[data]
    delete veto files = Yes
    path = "/mnt/storage/persistent/data"
    read only = No
    veto files = /._*/.DS_Store/Thumbs.db
    vfs objects = shadow_copy2 fruit streams_xattr recycle crossrename
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    shadow:snapdirseverywhere = yes
    shadow:format = auto-%Y%m%d.%H%M-2w
    shadow:localtime = yes
    shadow:sort = desc
    shadow:snapdir = .zfs/snapshot
    recycle:subdir_mode = 0700
    recycle:directory_mode = 0777
    recycle:touch = yes
    recycle:versions = yes
    recycle:keeptree = yes
    recycle:repository = .recycle/%U
    fruit:resource = stream
    fruit:metadata = stream


[share]
    delete veto files = Yes
    path = "/mnt/storage/ephemeral/share"
    read only = No
    veto files = /._*/.DS_Store/Thumbs.db
    vfs objects = fruit streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    fruit:resource = stream
    fruit:metadata = stream

 

[anodos]

Post output of following:

Code:

getfacl /mnt/storage/persistent/clients
getfacl /mnt/storage/persistent
lsextattr user /mnt/storage/persistent/clients

 

[gdarends]

Here is the output of said commads.

Code:

[gd@nas ~]$ getfacl /mnt/storage/persistent/clients
# file: /mnt/storage/persistent/clients
# owner: INTERPRINT\administrator
# group: INTERPRINT\domain users
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
[gd@nas ~]$ getfacl /mnt/storage/persistent
# file: /mnt/storage/persistent
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
[gd@nas ~]$ lsextattr user /mnt/storage/persistent/clients
/mnt/storage/persistent/clients    DOSATTRIB

EDIT:
I also ran `lsextattr` on the other datasets and none have `DOSATTRIB`.
That might be the problem. How do I remove that attribute?

 

[anodos]

Here is the output of said commads.

Code:

[gd@nas ~]$ getfacl /mnt/storage/persistent/clients
# file: /mnt/storage/persistent/clients
# owner: INTERPRINT\administrator
# group: INTERPRINT\domain users
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
[gd@nas ~]$ getfacl /mnt/storage/persistent
# file: /mnt/storage/persistent
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
[gd@nas ~]$ lsextattr user /mnt/storage/persistent/clients
/mnt/storage/persistent/clients    DOSATTRIB

EDIT:
I also ran `lsextattr` on the other datasets and none have `DOSATTRIB`.
That might be the problem. How do I remove that attribute?

Before you remove it, can you post output of the following
getextattr -qq user DOSATTRIB /mnt/storage/persistent/clients | b64encode -

My best guess is that the DOS readonly attribute is set on that share. You can remove the DOSATTRIB xattr through the command rmextattr user DOSATTRIB /mnt/storage/persistent/clients

 

[anodos]

Short version of this story is that MacOS SMB clients interpret the DOS readonly bit in a non-standard way. It is basically mapped to the "locked" property in Finder.

 

[gdarends]

This is the output. Can't say that I understand it though.

Code:

[gd@nas ~]$ getextattr -qq user DOSATTRIB /mnt/storage/persistent/clients | b64encode -
begin-base64 644 -
MHgxMQAAAwADAAAAEQAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACMAMo1LL9ABAAAAAAAAAAA=
====

 

[anodos]

This is the output. Can't say that I understand it though.

Code:

[gd@nas ~]$ getextattr -qq user DOSATTRIB /mnt/storage/persistent/clients | b64encode -
begin-base64 644 -
MHgxMQAAAwADAAAAEQAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACMAMo1LL9ABAAAAAAAAAAA=
====

It allows me to b64decode the DOSATTRIB and write it to a local file for inspection.

 

[anodos]

The DOSATTRIB has "readonly" set. Remove the xattr using the command I gave above.

 

[gdarends]

The DOSATTRIB has "readonly" set. Remove the xattr using the command I gave above.

That did the trick.
I don't know how that got added though. I rarely use the CLI and it doesn't seem you can do that via the GUI.

 

[seanm]

I don't know how that got added though. I rarely use the CLI and it doesn't seem you can do that via the GUI.

The macOS Finder's Get Info window has a checkbox to make a file 'locked'. Maybe it was used?