After much hesitation i upgraded from v9.10 to core 13.0U6.2.
Now there is a problem when I save the file in illustrator. Illustrator will display a message that the file has already been modified. But it certainly wasn’t and no one modified it before saving it. There was no problem with this on version 9.10.
Where did I go wrong?
smb testparm -s:
[global]
bind interfaces only = Yes
disable spoolss = Yes
dns proxy = No
enable web service discovery = Yes
interfaces = 127.0.0.1 192.168.0.22
kernel change notify = No
load printers = No
logging = file
map to guest = Bad User
max log size = 5120
netbios aliases = fileserver1
nsupdate command = /usr/local/bin/samba-nsupdate -g
registry shares = Yes
server multi channel support = No
server role = standalone server
server string = fileserver
unix extensions = No
idmap config *: range = 90000001-100000000
fruit:nfs_aces = No
rpc_server:mdssvc = disabled
rpc_daemon:mdssd = disabled
idmap config * : backend = tdb
directory name cache size = 0
dos filemode = Yes
[work]
access based share enum = Yes
admin users = @smbadministrator
case sensitive = No
comment = work
delete veto files = Yes
ea support = No
hide files = /~*/.windows/.zfs/
kernel share modes = No
path = /mnt/volume0/work
posix locking = No
read only = No
smbd max xattr size = 2097152
valid users = @work @smbadministrator
veto files = /Thumbs.db/thumbs.db/*.exe/*.com/*.dll/*.bat/*.vbs/*.mp3/*.mp4/*.wmv/*.wma/
vfs objects = aio_pthread zfs_space fruit streams_xattr recycle
write list = @work @smbadministrator
ixnas:dosattrib_xattr = true
recycle:noversions = *.tmp,*.temp,*.bak*,.DS_Store
recycle:exclude = *.tmp,*~,~*.*,*.temp,*.bak*,.DS_Store
recycle:excludedir = /recycle,/tmp,/temp,/.*
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle
fruit:resource = stream
fruit:metadata = stream
nfs4:chown = true
My system: supermicro, 64GB RAM, TrueNAS Core 13.0.U6.2, ZFS RAID-Z3
one note - as soon as I use the vfs module in auxiliary parameters in smb sharing, the settings in the GUI are automatically ignored (for example, recycle bin).
Before i use some samba share aux parameters for full_audit, recycle, users. And in share ACL was everyone read full.
After reset, for now, in TESTING, i dont get any warning from illustrator, but this warning was very sporadic and unpredictable. So i will test next 3…5 days.
So I had a similar issue again when upgrading from an older FreeNAS version and if I recall correctly it was the owner@ and/or group@ that were causing me issues. Perhaps try losing them and see what happens.
PS: I think I also had an issue with the share ACL and came to the conclusion that I should leave that as default.
To clarify further your auxiliary parameters (vfs objects) will totally break ACL handling on the NAS. This is generally the reason why they are considered an unsupported configuration. Behavior is undefined from our standpoint.
Ok. But how than solve, if i want “samba full audit” (loging samaba is normal for SOHO, or with ISO), or want deleted files move to another location in recycle bin (not .recycle/%U but only .recycle). Or want veto files…
Also, now i have reset share to default and i think, that ACL share dont work. Only filesystem ACL work.
maybe I’m misunderstanding but I thought ACL_share took precedence over ACL_filesystem, just like in windows.
Have “user1” and “user2” and they are in the group “users” and have dataset “volume0”.
The dataset “volume0” has the assigned user “smbadmin” with R/W and the group “users” with R/W (ACL_filesystem).
In the SMB shares setting, in ACL_share “user1” has only R and “user2” has R/W, but both have still R/W.
Edit Share ACL
This is separate from file system permissions, and applies at the level of the entire SMB share.
............
Enabling Access Based Share Enumeration uses this ACL to determine the browse list.
Ah ok we are clearly managing permissions differently.
I don’t use access based share enumeration. I nest groups in Active Directory AD to get the desired affect. Each dataset / share I create I assign a ‘t’ traverse and a ‘m’ modify group. The ‘t’ group gets read access with no inheritance and the ‘m’ gets modify with inheritance. Then I make the ‘m’ group a member of the ‘t’ in AD and assign users to the ‘m’ group. If I need more granular permissions within the datasets on directories then I continue this process creating and assigning ‘t’ and ‘m’ groups making ‘m’ members of the parent ‘t’. This way when you assign a user to a group four levels deep they can traverse but can’t actually see the content until they reach their destination.
