vfs_ixnas - to uid or gid

dvc9

Explorer
Joined
May 2, 2012
Messages
72
Hey!

I'm having a challenge, that I cannot manage to solve, and I'm out of ideas!
I'm running a TrueNAS-12.0-U8.1 server, within an Active Directory environment, and all works well.
Permissions on folders and files are enforced and users who connect to the server may only see what they have access to and so on.
The various clients, CentOS, and macOS are all using samba, so no NFS or AFP is enabled, and most machines are domain joined.

Then there is this application that clearly does not want to work, Pro Tools Ultimate 2020.5.0
Basically, every time it tries to write a file on the server I can see an empty file getting created at 0kb, but no data is added, and Pro Tools is giving out this error:
"Could not complete the Bounce To Disk command because Invalid argument (22) while opening "1.wav""

On the server-side, I'm checking SAMBA Logs, and this was my first find:

from /var/log/samba4/log.smbd
[2022/04/21 19:46:36.471245, 1] ../../source3/modules/vfs_ixnas.c:1047(convert_ntace_to_bsdace)
convert_ntace_to_bsdace: Could not convert S-1-5-88-3-33206 to uid or gid
[2022/04/21 19:46:36.471337, 1] ../../source3/modules/vfs_fruit.c:4285(fruit_fset_nt_acl)
fruit_fset_nt_acl: SMB_VFS_NEXT_FSET_NT_ACL failed03_ENGINEERING/export_protools/qbpdHVMTxbphQRYX.L.wav

Then as a test, I disabled the Enable Apple SMB2/3 Protocol Extensions toggle, and I still got an error but it was much clearer.

from /var/log/samba4/log.smbd
[2022/04/21 19:48:40.378114, 1] ../../source3/modules/vfs_ixnas.c:1047(convert_ntace_to_bsdace)
convert_ntace_to_bsdace: Could not convert S-1-5-88-3-33206 to uid or gid

I did try using:
net ads sid S-1-5-88-3-33206
and after a while, it comes up with "search failed: No such object"

------------------------

So I guess my question is what is happening here?
and can anything be done with it?


Added more tests and info below.
--------------------------

wbinfo --ping-dc
checking the NETLOGON for domain[AD] dc connection to "ad01.DOMAIN.COM" succeeded

wbinfo -D AD
Name : AD
Alt_Name : ad.DOMAIN.COM
SID : S-1-5-21-2090653709-964370587-2645798926
Active Directory : Yes
Native : Yes
Primary : Yes

Some more parameters:

wbinfo -i AD+USERNAME
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user AD+USERNAME

wbinfo -i USERNAME
USERNAME:*:100001113:100000514::/home/AD/USERNAME:/bin/sh

testparm -s
Code:
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    aio max threads = 2
    allow trusted domains = No
    bind interfaces only = Yes
    client ldap sasl wrapping = seal
    disable spoolss = Yes
    dns proxy = No
    domain master = No
    enable web service discovery = Yes
    kerberos method = secrets and keytab
    kernel change notify = No
    load printers = No
    local master = No
    logging = file
    map to guest = Bad User
    max log size = 5120
    netbios name = TRUENAS
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    preferred master = No
    realm = AD.DOMAIN.COM
    registry shares = Yes
    security = ADS
    server role = member server
    server string = TrueNAS Server
    template shell = /bin/sh
    unix extensions = No
    winbind cache time = 7200
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind max domain connections = 10
    winbind nss info = rfc2307
    winbind use default domain = Yes
    workgroup = AD
    idmap config *: range = 90000001-100000000
    idmap config ad: range = 100000001-200000000
    idmap config ad: backend = rid
    idmap config * : backend = tdb
    directory name cache size = 0
    dos filemode = Yes


[SHARE-A]
    ea support = No
    hosts allow = 192.168.150.0/24
    hosts deny = 0.0.0.0/0 192.168.150.1
    kernel share modes = No
    path = /mnt/S1/3
    posix locking = No
    read only = No
    vfs objects = streams_xattr shadow_copy_zfs ixnas aio_fbsd
    nfs4:chown = true


[SHARE-B]
    ea support = No
    guest ok = Yes
    kernel share modes = No
    path = /mnt/S1/4
    posix locking = No
    read only = No
    vfs objects = streams_xattr shadow_copy_zfs ixnas aio_fbsd
    nfs4:chown = true


[SHARE-C]
    ea support = No
    level2 oplocks = No
    oplocks = No
    path = /mnt/S1/1
    read only = No
    strict locking = Yes
    vfs objects = streams_xattr shadow_copy_zfs ixnas aio_fbsd
    nfs4:chown = true
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This means that the Adobe app is not bothering to check what capabilities are supported by the remote server and is treating it like a macOS SMB server (trying to chmod via special NFS ACEs). IIRC you just need to convert 33206 to octal. In this case the SMB client / application is trying to chmod 666 through a special ACL entry without actually checking what the underlying server is.

This isn't the first time I've seen problems with Adobe products and probably won't be the last. :)
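
Added example, not part of the thread and not Samba or TrueNAS code: a small log triage helper that applies the octal conversion described above to every failed SID conversion in log.smbd and separates client-synthesised S-1-5-88 ACEs from real domain SIDs. The function names and the second sample log entry are constructed for illustration; the uid/gid meanings of the -1- and -2- forms go beyond what the thread states.

```python
import re
import stat

# Sub-authority under S-1-5-88 selects what the final number means.
# The thread only shows the -3- (mode) form; uid/gid forms are listed for context.
NFS_SID_KINDS = {1: "uid", 2: "gid", 3: "mode"}
NFS_SID = re.compile(r"^S-1-5-88-(\d+)-(\d+)$")
CONVERT_FAIL = re.compile(
    r"convert_ntace_to_bsdace: Could not convert (S-[\d-]+) to uid or gid")

# Domain SID as printed by `wbinfo -D AD` in the first post.
DOMAIN_SID = "S-1-5-21-2090653709-964370587-2645798926"

# First entry is copied from the post; the second is constructed for contrast.
SAMPLE_LOG = """\
[2022/04/21 19:46:36.471245, 1] ../../source3/modules/vfs_ixnas.c:1047(convert_ntace_to_bsdace)
convert_ntace_to_bsdace: Could not convert S-1-5-88-3-33206 to uid or gid
[2022/04/21 19:50:00.000000, 1] ../../source3/modules/vfs_ixnas.c:1047(convert_ntace_to_bsdace)
convert_ntace_to_bsdace: Could not convert S-1-5-21-2090653709-964370587-2645798926-5001 to uid or gid
"""


def decode_nfs_sid(sid):
    """Return a dict describing an S-1-5-88-* SID, or None for any other SID."""
    m = NFS_SID.match(sid)
    if not m:
        return None
    info = {"kind": NFS_SID_KINDS.get(int(m.group(1)), "unknown"),
            "value": int(m.group(2))}
    if info["kind"] == "mode":
        info["octal"] = oct(info["value"])                          # full st_mode
        info["perms"] = stat.filemode(info["value"])                # ls -l style
        info["chmod"] = format(stat.S_IMODE(info["value"]), "03o")  # permission bits
    return info


def triage(log_text, domain_sid=DOMAIN_SID):
    """Group failed SID conversions by SID and say where each SID comes from."""
    findings = {}
    for sid in CONVERT_FAIL.findall(log_text):
        entry = findings.setdefault(sid, {"count": 0})
        entry["count"] += 1
        nfs = decode_nfs_sid(sid)
        if nfs:
            entry.update(nfs, source="client-synthesised NFS ACE")
        elif sid.startswith(domain_sid + "-"):
            entry["source"] = "domain account (check idmap/winbind)"
        else:
            entry["source"] = "foreign or unknown authority"
    return findings
```

An S-1-5-88 SID never exists in the directory, which is why `net ads sid` returns "No such object" for it; only failures on SIDs under the domain SID point at an idmap or winbind problem.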
 

dvc9

Thanks for the reply, @anodos. Unfortunately, with the multiple machines in the house, I did not find an excellent way to do the magic conversions, so I set other Aux parameters for the share.

Code:
vfs objects = streams_xattr shadow_copy_zfs zfsacl aio_fbsd
streams_xattr:store_stream_type = no


Replacing ixnas with zfsacl did the trick, but I also needed to modify streams_xattr, so it did not bug the . files from Apple.

Not ideal, as I want your magic, but it did the trick for ProTools. ( Avid btw, even worse than Adobe )
 

anodos

Changing stream type basically makes file metadata unavailable (possibly corrupting files that depend on it). vfs_zfsacl just silently fails in this case btw.

It is generally speaking a really bad idea to change that without considering ramifications.
 

dvc9

True, I remember the color labeling bug. Hmm...
ok, I'm checking the Enable Apple SMB2/3 Protocol Extensions
And removing the store_stream_type, I guess this would make it run a bit better.

For reference:
Code:
    vfs objects = fruit streams_xattr shadow_copy_zfs zfsacl aio_fbsd
    fruit:metadata = stream
    fruit:resource = stream


So ProTools is still bouncing files fine with this config.
Could it be some difference in how ixnas handles ACLs compared to zfsacl?
 

anodos

True, I remember the color labeling bug
Not really a bug, users affected had populated large numbers of auxiliary parameters. This will always lead to poorly-defined behavior.

Toggling fruit also can alter how metadata is written. When you're switching between ixnas and zfsacl you're also altering how DOS attributes and timestamps are stored. This also should be done with some care.
 

anodos

Code:
        for (i=0; i<psd->dacl->num_aces; i++) {
                ok = convert_ntace_to_bsdace(zacl, (psd->dacl->aces + i),
                                             sbuf, is_dir, &has_inheritable);
                if (!ok) {
                        acl_free(zacl);
                        return map_nt_error_from_unix(errno);
                }
        }

If a client specifies an invalid SID in a set ACL request, the proper response is to fail IMHO. Clients / applications should not be attempting to set invalid security descriptors.
 

johnlocke

Dabbler
Joined
Oct 24, 2020
Messages
18
Not really a bug, users affected had populated large numbers of auxiliary parameters.
Hi.

I think my problem has a similar root cause but I'm not sure. I'm seeing a lot of ixnas_fset_dos_attributes: Setting dosmode failed in the TrueNAS samba log when I browse my files using Finder in macOS:

Code:
# cat /var/log/samba4/log.smbd
[2022/07/15 15:20:24.756453,  1] ../../source3/modules/vfs_ixnas.c:134(ixnas_set_native_dosmode)
  ixnas_set_native_dosmode: Setting dosmode failed for Movies/Widows/
Widows (1080p HD).mp4:com.apple.metadatakMDLabel_gdt2v2vb2jxv7rgild3umddlfm: Invalid argument

[2022/07/15 15:19:17.520884,  1] ../../source3/modules/vfs_ixnas.c:134(ixnas_set_native_dosmode)
 ixnas_set_native_dosmode: Setting dosmode failed for
Movies/The Sixth Sense:com.apple.finder.copy.source.volumeuuid#N: Invalid argument

[2022/07/15 15:19:17.527604,  1] ../../source3/modules/vfs_ixnas.c:134(ixnas_set_native_dosmode)
 ixnas_set_native_dosmode: Setting dosmode failed for
Movies/The Sixth Sense:com.apple.finder.copy.checkpoint#N: Invalid argument

# testparm -s
...
    fruit:nfs_aces = No
    idmap config * : backend = tdb
    directory name cache size = 0
    dos filemode = Yes

[Media]
    ea support = No
    kernel share modes = No
    path = /mnt/Server/Media
    posix locking = No
    read only = No
    smbd max xattr size = 2097152
    vfs objects = fruit streams_xattr shadow_copy_zfs ixnas zfs_core aio_fbsd
    fruit:metadata = stream
    fruit:resource = stream
    nfs4:chown = true


The errors are fired on pretty much any access to the files. Is this correct: "ea support = No" as default? I have a suspicion it is related to the ixnas vfs.
 

anodos

This is also fixed in the hotpatch I placed here: https://www.truenas.com/community/threads/truenas-13-0-u1-is-now-available.102326/page-3#post-705282
 