4

I have a FreeNAS box with 40 or so SMB shares. Mostly works no problem. Except for this one share where I can't create folder sometimes based on the name of the folder.

I noticed, because if I browse to the share within Windows and create a "New Folder", I just get a "permission denied" error (I assume this is because explorer makes a folder named "New Folder" first and then changes the name later). But if I browse to the directory from within my WLS instance, and create the folder named 'test' via mkdir, it creates it no problem.

Unless I try to make a folder 'New Folder' with mkidr.

This seems to be the case with a bunch of random folders, and from the FreeNAS box itself, I can create these folders no problem. The folders also certainly don't exist before hand, but if I create with FreeNAS, I'm able to delete them no problem from the places mounting these shares. But then not able to create them again.

This sounds like one of those problems where I'd just reboot the box, but around ~100 or so people are using it so I am trying to do this with as little down time as possible.

EDIT

This is still happening and I have no clue as to what's going on. Some test cases/examples that make no sense together

  • Making a new folder in my Documents named "New Folder" and copying it to my share results in permission deined.
  • Making a new folder called "New Folderx" in my Documents and copying it over works just fine. I can also rename this folder to anything except "New Folder"
  • On the server itself, running su -m brian -c 'mkdir "New Folder"' works no problem, and from Windows, I can rename or delete this folder.
  • "New Folder" is just an example folder that doesn't work, other folder names also randomly have these exact same issues
  • This is only true for the root of the share, inside other folders, I don't have these issues

some sanity checks

$ getfacl .
# file: ../Share
# owner: root
# group: company
       group:super:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow


$ groups brian
brian super

$ sharesec -v 'Share'
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-4096896313-3432959665-639265334-1283:ALLOWED/0x0/FULL
ACL:S-1-5-21-4096896313-3432959665-639265334-1287:ALLOWED/0x0/FULL

$ net groupmap list | grep super
super (S-1-5-21-4096896313-3432959665-639265334-1287) -> super
Brian Leishman
  • 61
  • 9
  • I have some questions for you. What file system you are using? What version os Samba is there? What are the cpu/io stats for the FreeNas box when everyone is using it? My guess is this issue is caused by Samba timeouts. – tukan May 14 '20 at 07:33
  • File system is zfs, smb is version 4.10.12, usage stats are quite low, this box isn't one that's constantly being hit – Brian Leishman May 14 '20 at 12:09
  • Do you get something like `NT_STATUS_ACCESS_DENIED`? What version of zfs? (the 0.7.x?) – tukan May 14 '20 at 12:17
  • where would I be able to see an error message like `NT_STATUS_ACCESS_DENIED`? I'm trying to figure out how to find the zfs version now – Brian Leishman May 14 '20 at 12:20
  • For the samba, you maybe suffering from this bug -> https://bugzilla.samba.org/show_bug.cgi?id=14121. The log file would be smb.log – tukan May 14 '20 at 12:24
  • Checking for zfs version just shows me a dash, and running all the other zfs version checking commands mentions something about being compiled with "feature flags" – Brian Leishman May 14 '20 at 12:25
  • As for zfs version that is my bad. I'm using zfs on linux (ZoL) but you are using ZoF. You need to run ` zpool get version `. – tukan May 14 '20 at 12:44
  • yeah, that command just shows a dash `NAME PROPERTY VALUE SOURCE p1 version - default` – Brian Leishman May 14 '20 at 12:47
  • I see, then you are using feature flags (pool version "5000"). Then you should run `zpool get all | grep feature@`. Anyways, I think you need to update your samba. – tukan May 14 '20 at 12:55
  • Can you upgrade individual components of a FreeNAS server, like smb? – Brian Leishman May 14 '20 at 12:59
  • So yes, I do get this error in the samba log (took a while to figure out where FreeNAS stores it's samba conf/logs) `filename_convert_internal: check_name failed for name New folder with NT_STATUS_ACCESS_DENIED` – Brian Leishman May 14 '20 at 13:10
  • I'm far from being a FreeNAS expert, but from what I understand how it works you are not supposed to updage the packages, but since you are running FreeBSD under the hood you could use `pkg`, but you need to know what you are doing! You must be able to clean up the env - `/usr/local/etc/pkg/repos/FreeBSD.conf.` – tukan May 14 '20 at 13:10
  • So that is definitely a samba problem. From the message there could be a problem with the case of the directory naming. For more I would need to have your `smb.conf` and also debug level 10 (use pastebin or such to poste longer posts) – tukan May 14 '20 at 13:19
  • So I have everything from the log when trying to create that folder https://pastebin.com/E4fLfWyQ, and the smb.conf https://pastebin.com/zjYZJxBN – Brian Leishman May 14 '20 at 13:30
  • Humour me please ... quote the share's `path` definition in your `smb.conf`, so `path = "/mnt/p2/Signature Patches"` – roaima May 14 '20 at 13:49
  • Nope, lol, that would have been interesting, "New Folder" throws same error, but "New Folder 2" works just fine, just for the heck of it I even opened the perms on the share to 777 and added `everyone@:rwxpDdaARWcCos:fd-----:allow` to the acl – Brian Leishman May 14 '20 at 13:59
  • No, he thinks in the configuration path: `path = "/mnt/p2/Signature Patches"` – tukan May 14 '20 at 14:01
  • Yes I changed it to be quoted in my conf file but it didn't change the behavior – Brian Leishman May 14 '20 at 14:05
  • I've _just_ got to that point on a Samba configuration here and determined that, too. Thanks for checking though. (I'd always had it in my head that phrases containing a space had to be quoted in the `smb.conf`.) – roaima May 14 '20 at 14:07
  • 1
    Ok, I wanted to make sure you have mutual understanding. I think I know where it crashes (the source code), but don't know the reason. Does it fail on names without any space? – tukan May 14 '20 at 14:13
  • I don't think I've run into an example without a space in the name, no (although I don't think I have a lot of folders that created without spaces, they're almost exclusively names of customers) – Brian Leishman May 14 '20 at 14:22
  • 1
    My guess is that the issue has to do with the ACL (samba and zfs (zfsacl)) could you try adding these flags to your share? `nfs4:mode = special` `nfs4:acedup = merge` `nfs4:chown = yes` (taken from here https://www.samba.org/samba/docs/current/man-html/vfs_zfsacl.8.html) – tukan May 14 '20 at 14:23
  • Those are already set except for the `nfs4: mode = special` one, but that one didn't change it either – Brian Leishman May 14 '20 at 14:26
  • 1
    Not sure if this helps, but this is also the only share I have where random new folders fail to inherit the permissions from the share folder correctly, maybe 1-2 times a day I have to manually set a folders permissions correctly (folders created by a service I have running on this machine) – Brian Leishman May 14 '20 at 14:29
  • First note the difference between `true` (your config) and `yes` at `nfs4:chown = yes` (according to the man). Of course, that is **very** important. That is the issue you are having at your Samba `check_reduced_name: couldn't get realpath for New folder`. The issue is that the Samba tries to create the 'New Folder', which succeeds at the beginning, but then a last step when it tries to check the permissions for the "New Folder" it fails with a generic error which you can see at: `vfs.c` source. If you fix the permission inheritance you probably solve your samba issue. – tukan May 14 '20 at 16:30
  • What fails is a function which to quote the source code: *This is called by every routine before it allows an operation on a filename. It does any final confirmation necessary to ensure that the filename is a valid one for the user to access.* – tukan May 14 '20 at 16:34
  • 1
    Ahh interesting, I didn't think about the inheritance problems being the source of it, it makes sense actually because it's the same problem for both folders. And the folder gets created with root only access, hmmm, somewhere else to look now – Brian Leishman May 14 '20 at 17:41
  • 1
    I'll post that as an answer, which probably is not worth the bounty as it does not solve the issue, but you know what to look for now. – tukan May 14 '20 at 18:11
  • Why the folder gets created with root only access? Who is the owner? – tukan May 14 '20 at 18:25
  • Any chance that you are using links? – tukan May 14 '20 at 18:32
  • Nope, no links being created at all, there's a service that creates folders for new orders in our system that runs as root and sometimes (only in this one share/folder though, and never sub folders) they just don't inherit the permissions correctly – Brian Leishman May 14 '20 at 19:16
  • I see. Please read the following *very* detailed document about ACLs perhaps it can help you - https://www.ixsystems.com/community/threads/methods-for-fine-tuning-samba-permissions.50739/ – tukan May 15 '20 at 07:57

1 Answers1

2

It appears that the root cause is connected to the fact that Brian has to:

This is also the only share I have where random new folders fail to inherit the permissions from the share folder correctly, maybe 1-2 times a day I have to manually set a folders permissions correctly (folders created by a service I have running on this machine)

The samba fails at the last moment when it tries to resolve already created filename at default: branch (!resolved_name) check_reduced_name function (you can follow the code further). The solution is connected to the resolution of the permission inheritance issue, where service has the same problems.

tukan
  • 4,876
  • 6
  • 19
  • I'll come back to accept this for sure once I confirm that solving the inheritance issues is indeed the issue, but I've awarded the bounty anyway since you've been so helpful so far – Brian Leishman May 15 '20 at 12:36
  • Oof, I was going to try just making a new ZFS dataset and point the samba share there instead, but the FreeNAS UI won't let me with the error "Error getting pool data", maybe there's larger issues at play here – Brian Leishman May 15 '20 at 14:03
  • 1
    @BrianLeishman that sounds nasty, you definitely need to check your HW and zfs integrity. Thank you for the reward. – tukan May 17 '20 at 18:24