Upgrade from 12.0-BETA2.1 to 12.0-RC1 broke SMB shares

b4bblefish

Dabbler
Joined
Sep 15, 2017
Messages
15
Hi All,

I had my SMB shares working after initially setting up TrueNAS. I have verified that the datasets in my pools have 777 permissions and also that the ACL for @Everyone is set to full control and applied recursively. This was working just fine; however, last night I did an upgrade, which also involved a reboot, and now I am stuck getting a popup error for "Windows cannot access..." for my SMB share. I also tried reapplying 777 permissions, removing shares, ACLs, and recreating the home user account I use for SMB access. I don't really know how to fix this or diagnose further at this point; any help would be greatly appreciated.

Thanks!
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
First go through and strip all of the ACLs, then reset the permissions. Do not use ACLs, then everything should work fine. Ever since the ACLs were introduced it's been problematic for me and my clients. I now just strip all ACLs and set only permissions. Things work better then. :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Hi All,
>
> I had my SMB shares working after initially setting up TrueNAS. I have verified that the datasets in my pools have 777 permissions and also that the ACL for @Everyone is set to full control and applied recursively. This was working just fine; however, last night I did an upgrade, which also involved a reboot, and now I am stuck getting a popup error for "Windows cannot access..." for my SMB share. I also tried reapplying 777 permissions, removing shares, ACLs, and recreating the home user account I use for SMB access. I don't really know how to fix this or diagnose further at this point; any help would be greatly appreciated.
>
> Thanks!

Please PM me a debug.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> First go through and strip all of the ACLs, then reset the permissions. Do not use ACLs, then everything should work fine. Ever since the ACLs were introduced it's been problematic for me and my clients. I now just strip all ACLs and set only permissions. Things work better then. :)

Please don't advise users to strip ACLs from SMB shares. This can lead to undefined behavior. I've built what hacks I can into samba to not break when people do these things, but it's better to configure things correctly.
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
> Please don't advise users to strip ACLs from SMB shares. This can lead to undefined behavior. I've built what hacks I can into samba to not break when people do these things, but it's better to configure things correctly.

If ACLs break basic functionality, I do and recommend what works. I've deployed it several times the way I have stated without ill effects. Care to give some concrete examples of actual bad things, not just "you shouldn't do this"?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> If ACLs break basic functionality.

How do ACLs break basic functionality? Do note that from the standpoint of samba's VFS, there's no difference between an ACL that's applied through our permissions manager or one that's applied through the ACL manager. We still retrieve this information through the syscall acl_get_fd_np() or acl_get_file().

> I've deployed it several times the way I have stated without ill effects. Care to give some concrete examples of actual bad things, not just "you shouldn't do this"?

Code:
```
root@homenas[/mnt/dozer]# getfacl .
# file: .
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwx---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
```

^^^ this is a POSIX mode (775) expressed as an ACL.

Code:
```
root@homenas[/mnt/dozer]# getfacl SMB
# file: SMB
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
```


This is an ACL granting full control to "root" and "wheel", and readonly access to everyone else.
The two permissions sets above are roughly analogous.

_If_ I were to simply convert the top ACL into a Windows Security Descriptor, Group would lose ability to properly write to the share because they lack permission to write attributes and extended attributes. Everyone in this case also loses ability to delete files.

So I introduced a hack into vfs_ixnas where on share connection, if acl_is_trivial_np() returns that for some reason someone has stripped ACLs from the share, I set a flag on the share to re-map the "write data" bit to also "write attributes", "write extended attributes", and add the delete bits as well. Basically (w) gets re-mapped to MODIFY and presented to the SMB client as such.

This is sufficient to give basic functionality, but it's still not a great place to be because windows clients can still read and set ACLs, and the fset_nt_acl_fn() in samba will eventually call acl_set_fd_np() on TrueNAS and set the requested ACL. This means that you will still have ACLs set in the share, but they will possibly appear in a poorly-defined manner.

Short version, you're always using ACLs in one form or other. The question is whether you take advantage of GUI-based tools or not. The initial BETA had a bug in the ACL manager. That's been fixed.
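
The gap between the two listings above and the write re-map described in this post, as an added example that is not part of the original thread and is not samba or vfs_ixnas code. The letter order follows FreeBSD `getfacl` output; reading "the delete bits" as both `D` and `d` is an assumption.

```python
# Added illustration: models the behaviour described in the post above.
# It is not samba or vfs_ixnas source code.
PERM_ORDER = "rwxpDdaARWcCos"  # column order of FreeBSD NFSv4 getfacl output
PERM_NAMES = dict(zip(PERM_ORDER, [
    "read_data", "write_data", "execute", "append_data", "delete_child",
    "delete", "read_attributes", "write_attributes", "read_xattr",
    "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize"]))
# Assumption: "the delete bits" in the post means both D and d.
WRITE_IMPLIES = set("AWDd")

# Sample input taken from the two getfacl listings quoted in the post.
TRIVIAL_ACL = """\
# file: .
owner@:rwxp--aARWcCos:-------:allow
group@:rwx---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
"""
SMB_ACL = """\
# file: SMB
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
"""

def parse_acl(text):
    """Return {who: set of permission letters} for each ACL entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The last three fields are perms, flags and type; the rest is "who".
        *who, perms, _flags, _type = line.split(":")
        entries[":".join(who)] = {c for c in perms if c != "-"}
    return entries

def write_gaps(perms):
    """Bits a writer lacks that an SMB client expects alongside write_data."""
    if "w" not in perms:
        return []
    return [PERM_NAMES[c] for c in PERM_ORDER
            if c in WRITE_IMPLIES and c not in perms]

def remap_write(perms):
    """Model of the described re-map: write_data also grants A, W, D and d."""
    return perms | WRITE_IMPLIES if "w" in perms else set(perms)

def fmt(perms):
    """Render a permission set back into the positional getfacl form."""
    return "".join(c if c in perms else "-" for c in PERM_ORDER)
```

For `group@` in the trivial ACL, `write_gaps` lists exactly the bits the post says a plain mode-to-descriptor conversion would leave out, and `fmt(remap_write(...))` shows the entry as it would be presented after the re-map.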
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
So far every time I allow ACLs I have issues with Windows 10 not being able to access them. It doesn't matter what I do, Windows 10 loses access. I nuke explicit ACLs and use only permissions and I have the control I need AND users can access their files. After hours and hours of non-billable time, this is what works, so I use it.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> So far every time I allow ACLs I have issues with Windows 10 not being able to access them. It doesn't matter what I do, Windows 10 loses access. I nuke explicit ACLs and use only permissions and I have the control I need AND users can access their files. After hours and hours of non-billable time, this is what works, so I use it.

If you can reproduce an issue on demand, file a bug ticket with detailed instructions and we can fix it.
 

b4bblefish

Dabbler
Joined
Sep 15, 2017
Messages
15
Summary of underlying issue:
Windows client was sending credentials for a Microsoft account rather than those stored in the credential manager.

I uh... sort of don't agree with that one? There was a log error where with my Windows account as I did try to just log in after I cleared out my credentials and I did show that it was logging in with the right account, but even with using the homeuser Linux account I was unable to log in to the local IP of my NAS. It worked only when I used hostname \\truenas\myshare.

 

b4bblefish

Dabbler
Joined
Sep 15, 2017
Messages
15
But I guess it's strange, no matter what I do, in the logs if I try to access by IP it sends my Microsoft account even though I'm literally typing in the "homeuser" account and login in the credential popup. And then it throws a NT_STATUS_NO_SUCH_USER. Which is what you said. Oh well, not sure how to fix this; I don't think it's a TrueNAS issue.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> But I guess it's strange, no matter what I do, in the logs if I try to access by IP it sends my Microsoft account even though I'm literally typing in the "homeuser" account and login in the credential popup. And then it throws a NT_STATUS_NO_SUCH_USER. Which is what you said. Oh well, not sure how to fix this; I don't think it's a TrueNAS issue.

Can you perhaps PM me a packet capture of the exchange? `tcpdump -i <interface name> -w /tmp/smb.pcap host <ip of windows client>`.
I'm not following exactly, and these things tend to be quite clear in a packet capture.
 

Dohmar

Dabbler
Joined
Sep 16, 2020
Messages
24
The SMB issues I've found so far are: user account loses password (non-domained, local account for fileshare browsing). Not sure if it's resolved, but I will reboot and see if the issue comes back.
Also, file transfers keep failing when more than 1 SMB thread is open (i.e. browsing folders, even if it's not on the same pool).
Keeps failing and needing to be resumed.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> The SMB issues I've found so far are: user account loses password (non-domained, local account for fileshare browsing).

Is the account "root"?

> Also, file transfers keep failing when more than 1 SMB thread is open (i.e. browsing folders, even if it's not on the same pool).
> Keeps failing and needing to be resumed.

One internal team was recently testing with simultaneous traffic from 12 Windows clients IIRC. I'll need more info about this one and perhaps a debug (System->Advanced->Save Debug). You may also want to verify that AIO isn't getting overloaded: `sysctl -a | grep vfs.aio`. Check for a backed-up queue.
 

Dohmar

Dabbler
Joined
Sep 16, 2020
Messages
24
Hi - no, the account isn't root (let's say it's 'John'); however, it is a member of 'wheel' rather than users. I know this isn't recommended but is this the root cause?

I'll PM you the debug - thanks for the assist!
 

Dohmar

Dabbler
Joined
Sep 16, 2020
Messages
24
To add - I have a pool (Protected) and a pool (Data). If I am streaming a TV show from Data and I browse the SMB share for Protected, the thumbnails populating their metadata can stop the media stream from Data. It also happens if I browse another share on Data, so it's not limited to separate shares.

I should add that Protected is just there temporarily as it is a GELI share I had to manually import so I could access the data and copy across to Data, so next reboot that should disappear.

Right now my Data pool is doing a scrub since for some reason the SATA controller didn't initialize one of the disks properly and the pool is degraded. Once that is done I'll reboot and see if anything else has changed.
 

Dohmar

Dabbler
Joined
Sep 16, 2020
Messages
24
Also, I've been posting here -
Others have reported high 'services' memory usage, though I think there is something borked thanks to BSD 12.2 PR and not the middleware.
You'll see my posts replying to darkfiberiru from iXsystems with 2 screenshots.
Not sure if related, but if the SMB service is leaking badly then it'd explain why ZFS cache is getting neutered.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Also, I've been posting here -
> Others have reported high 'services' memory usage, though I think there is something borked thanks to BSD 12.2 PR and not the middleware.
> You'll see my posts replying to darkfiberiru from iXsystems with 2 screenshots.
> Not sure if related, but if the SMB service is leaking badly then it'd explain why ZFS cache is getting neutered.

A memory leak in samba would show visibly in `top` output for smbd processes.
 