Hello and Happy New Year!
I have a strange access control situation.
I’m using FreeNAS-11.2-U7. I have one parent dataset and multiple child datasets.
I have the child datasets shared via SMB.
Earlier last year I had to assign different permissions to different users/groups. I tried using Windows ACLs but there was a weird issue, couldn’t get is working as it should’ve. So I went back to UNIX ACLs and got it working properly. One of the child datasets has a user set as the owner. The owner has write premissions and there is a group set with read and execute permissions.
Now the strange part:
The owner has read-write permissions as intended. The group has read permissions on the existing folders and files, as intended. BUT, if the owner creates a new folder, the group has write permissions inside the new folder as follows:
They can create files and folders.
They can rename files created by the owner.
They can’t modify the content of the files created by the owner.
I already ran this command: find directory/ | setfacl -b to remove any residual Windows ACLs that were present. I ran the command on the parent dataset and on the child dataset in question also.
The shares are accessed via Windows 10 PCs.
Please advise. What is going on?
Is there a domain controller on the network? If so attaching that to the FreeNAS would solve the issue as it would handle the permissions.
Thanks for the reply.
Unfortunately there is no AD at the site. I eventually found a solution, albeit, not the best one for sure. I had to change my dataset’s typte to Windows and edit permissions via Windows, Properties-Security tab. While this time I only have Windows 10 guests accessing the shares, I seriously doubt this solution would work in a mixed OS environment.
So if I distill the problem with the UNIX ACL, the problem was specifically that a new folder or file created by the owner of the folder would give 777 rights to any newly created file or folder. The existing files and folder did have permissions as intended. I have no idea even where to start with this. Is there a scenario you guys think that would be fine with Windows and Unix based OSs alike?
I’m not sure I’m going to be able to solve your solution. I’ve had a lot of issues with SMB and Freenas and I’ve posted a lot on the FreeNAS forums. There is going to be some major changes with FreeNAS/smb in the upcoming 11.3 release so I hope that doesn’t break things.
In terms of Windows permissions – I’ve always been advised that when using FreeNAS set things up with basic ACLs but configure everything on a Windows machine. I think it was of the mantra let Windows control everything.
I’m not sure where this leaves SMB when working with a mixed OS environment. Honestly you can mess with the
… create mask
…force create mode
…force directory mode
variables, however something tells me they might disrupt the settings between Windows clients. I never have gotten that far since usually by this point I’m ready to pull my hair out.
Thanks for the insight. I’ve seen @LTS_Tom use UNIX ACLs for Windows shares (in his guides and videos) and the first time I set it up, it was working as it should’ve. At that time I was trying to edit Windows permissions via Security tab but got nowhere. It was such a pain, I got no solution. This time I was able to reset permissions via CLI and modified dataset type and permission type to Windows and editing permissions in Windows worked. However, I’m not sure how it would influence things if I would mount the share in Linux for instance. Maybe creating an NFS share for the Linux client would be a better solution, maybe the UNIX ACLs remain in the background. Dataset permissions on folder level look good in the CLI with the “ls -l” command, so maybe the NFS share would play ball with the Windows permissions, don’t know.
Anyone has any ideas and experience with this usecase?
I must say I have had similar issues when I was testing FreeNAS. I also had issues with mapped drives via shares randomly dropping out or having permissions errors.
Personally I was never able to resolve it so I was forced to dump freenas as a whole. I am still working on building my own NAS via ZFS on Linux, but it’s slow going and misses a nice webUI.
I am looking into becoming a synology partner as it will also work with my offsite provider as well.
I am sorry to hear that. FreeNAS is great in a lot of ways. I’ve been using it in production for about 2 years now at different small business clients. I have automatic snapshots, snapshot replication to my Backup NAS within my sysadmin network, all via OpenVPN through pfSense. Recently I started using XCP-ng and XenOrchestra instead of ESXi free. I must say, I have great appreciation and love for all these open source technologies. In my opinion it is the way to go for a big number of small businesses, startups where every penny counts. It is in our hands as sysadmins and IT architects to stay up to date with these great products and make an effort to learn and experiment.
Regarding my problems with permissions in caused by Samba specifically, a component of FreeNAS. Samba being an independent component, it is up to it’s developers to figure these bugs out. On the other hand, the ZFS filesystem and FreeNAS’ implementation with the GUI and everything I think is a great software package.
I am truly grateful for this community here at LawrenceSystems and also the broad opensource community. Thank you for your help, guys!