TrueNas Scale Ovpn Client and Server + Samba

Has anyone succeeded in installing it by clicking around this damn web UI?
I killed 6 hours trying and, totally disappointed, did it “the old way” via ssh.
It takes about 5 min.
Who invented this damn thing?

The next “faux pas” was with Samba. Presumably I have to click-directly-to-happiness my ACLs, but after an hour of clicking I lost my will and switched to whiskey.
These ACLs are not the clearest thing in the world, but with this…
BTW, even if it was set once, it shifts on its own will, and I don’t know what to do except cook up a script which will set it right.
@LTS_Tom if it’s not too much trouble, make a video about ACLs for a laughable number (about several hundred) of users and about a dozen subfolders with custom rights on each. And one condition: No AD allowed.

SY

1 Like

If you have a lot of varied permissions then Active Directory is the easiest way to manage it.

My mistake was that during creation I chose “General” instead of “Samba”; it’s an easy mistake (?) to make if you consider a SAMBA domain.
But things are not too bad, if

  • chmod -R 775 ./ # default is 600
  • setfacl -R -k ./ # get rid of default::
    After that all “miracles” (such as 6 “New Folder(1-6)” w/o access as a response to a create folder command) vanish.
    It’s useful to save your ACLs to a file:
    getfacl -R ./ > acl-01.txt

But OpenVPN via the web UI is an absolute nightmare.
I’ve done thousands of client set-ups. But this…
If for Scale it’s possible to configure all I need via the ssh shell, Core is a whole other story.
What a stupid message: “Root CA must have CRL Sign set for KeyUsage extension.”
WTF?? Guys from iX Systems, you kinda overengineered this. Maybe you had a stomach flu, because I can’t imagine that a reasonable man would do it intentionally.
My root CA (cooked in my kitchen) must Not! Okay?
I almost started to become desperate, as a manually configured OVPN caused a system reboot, but thereafter I discovered a dirty little secret in TN Core. It has a fully functional WireGuard module, and it works!
After a minute I had my tunnel for management. So that’s about all.

So my task is done.
Some basic things deserve to be taken into account.
There are two interfering types of permissions: filesystem perms and SAMBA perms.
In the common case we set root:wheel on our SAMBA share and run smbd, which can thereafter set its own set of permissions, since it impersonates the “samba-user”.

Let’s say we have a /mnt/pool1/smb folder (with subfolders).

1. Strip all FS perms down.
chown -R root:wheel /mnt/pool1/smb

OK, nice start. Now strip all SMB perms by
cd /mnt/pool1
find smb -exec setfacl -b {} +

Now a “short” description of FreeBSD ACLs:

  • ACLs are made up of one or more ACEs (Access Control Entries)
  • ACLs are evaluated on the server
  • Order matters
  • ACLs are processed until access is allowed

ACEs are made up of 4 or 5 colon-delimited fields

  • Principal
  • Access Permissions
  • Inheritance flags
  • Type

*Principal (is made of a tag or a qualifier)

  • ACL Tag

    • owner@ *Access permissions apply to the owner
    • group@ *Access permissions apply to the group owner (!!!)
    • everyone@ *AP apply to everyone (inc. owner and group)
    • u or user *AP apply to the user specified in the qualifier
    • g or group *AP apply to the group specified in the qualifier
  • ACL qualifier

    • Username *AP apply to this user
    • Groupname *AP apply to this group

ACCESS PERMISSIONS

  • r - read_data
  • w - write_data
  • p - append_data
  • D - delete_child
  • d - delete
  • a - read_attributes
  • A - write_attributes
  • R - read_xattr
  • W - write_xattr
  • c - read_acl
  • C - write_acl
  • o - write_owner
  • s - synchronize

** added Access permission !!! p-flag !!!

  • p – append_data (it’s a flag that is ignored for files and MUST be set in order to create subdirs)
  • D – delete_child (ability to delete subdirs)

Inheritance

  • f – file_inherit (files inherit the ACE: setfacl -m owner@:full_set:f:allow,group@:full_set:f:allow,everyone@:full_set:f:allow)
  • d – dir_inherit (same shit)
  • i – inherit_only (used with f,d: only files/dirs BENEATH the directory will inherit the ACE)
  • n – no_propagate (only the first dir beneath propagates, others will)
  • I – inherited (shows)

Compare to Linux perms:

Octal number Access permissions given

  0          rwx   read, write and execute
  1          rw-   read and write
  2          r-x   read and execute
  3          r--   read only
  4          -wx   write and execute
  5          -w-   write only
  6          --x   execute only
  7          ---   no permissions

After that we may at least set our samba (nfs4) permissions at will for a folder FOLD
for users “user1”, “user2” and group “Company-adms”:

setfacl -R -m everyone@:------a-R-c--s::allow FOLD
setfacl -R -m user:user1:rwxp--aARWcCos::allow FOLD
setfacl -R -m user:user2:rwxp--aARWcCos::allow FOLD
setfacl -R -m g:Company-adms:rwxp--aARWcCos::allow FOLD

That’s about it. Now we can script it in any way.
But it’s worth remembering that TrueNAS fails to concatenate ACEs, so each command must be on its own row.
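To see what the ACE strings above actually grant, here is an added example (not code from the post or from TrueNAS) that parses the FreeBSD-style `setfacl -m` entries and evaluates an access request with the standard NFSv4 ordered algorithm, which is what “order matters” and “processed until access is allowed” refer to. The principal model (user name, group list, share owner root:wheel) and the extra deny ACE are constructed for the demo.

```python
# Added example: parse FreeBSD-style NFSv4 ACEs (the `setfacl -m` syntax above)
# and evaluate them with the standard NFSv4 ordered algorithm: walk the ACEs in
# order, and the first matching ACE that names a permission bit decides it.
PERM_CHARS = "rwxpDdaARWcCos"  # setfacl column order, r=read_data ... s=synchronize

def parse_ace(ace: str) -> dict:
    """'user:user1:rwxp--aARWcCos::allow' or 'everyone@:------a-R-c--s::allow'."""
    fields = ace.split(":")
    if fields[0] in ("owner@", "group@", "everyone@"):
        tag, qual, (perms, flags, typ) = fields[0], "", fields[1:]  # 4 fields
    else:
        tag, qual, perms, flags, typ = fields                       # 5 fields
        tag = {"u": "user", "g": "group"}.get(tag, tag)
    ok = len(perms) == 14 and all(c in ("-", PERM_CHARS[i]) for i, c in enumerate(perms))
    if not ok or typ not in ("allow", "deny"):
        raise ValueError(f"malformed ACE: {ace!r}")
    granted = {c for c in perms if c != "-"}
    return {"tag": tag, "qual": qual, "perms": granted, "flags": flags, "type": typ}

def check_access(acl, user, groups, owner, group_owner, wanted) -> bool:
    decided = {}  # bit -> True (allowed) / False (denied); bits no ACE names stay denied
    for ace in acl:
        match = {"owner@": user == owner, "group@": group_owner in groups,
                 "everyone@": True, "user": ace["qual"] == user,
                 "group": ace["qual"] in groups}[ace["tag"]]
        if not match:
            continue
        for bit in wanted:
            if bit not in decided and bit in ace["perms"]:
                decided[bit] = ace["type"] == "allow"
        if all(bit in decided for bit in wanted):
            break  # every requested bit is settled; later ACEs cannot change it
    return all(decided.get(bit, False) for bit in wanted)

def demo() -> dict:
    acl = [parse_ace(a) for a in ("everyone@:------a-R-c--s::allow",
                                  "user:user1:rwxp--aARWcCos::allow",
                                  "g:Company-adms:rwxp--aARWcCos::allow")]
    deny_w = parse_ace("user:user1:-w------------::deny")  # hypothetical deny ACE
    own = ("root", "wheel")  # constructed scenario: share owned by root:wheel
    return {
        "user1_mkdir": check_access(acl, "user1", ["staff"], *own, "wxp"),
        "bob_read_attrs": check_access(acl, "bob", ["staff"], *own, "aR"),
        "bob_write": check_access(acl, "bob", ["staff"], *own, "w"),
        "adm_mkdir": check_access(acl, "alice", ["Company-adms"], *own, "wxp"),
        # order matters: the same deny ACE wins when placed first, loses when last
        "deny_first": check_access([deny_w] + acl, "user1", [], *own, "w"),
        "deny_last": check_access(acl + [deny_w], "user1", [], *own, "w"),
    }
```

Note that `user1_mkdir` asks for w, x and p together, which is why the post insists the p (append_data) bit must be set before subdirectories can be created.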

NFS troubles. Again.
I had a humble intention to connect my vSphere to an NFS share out of TrueNAS but got stuck. All I got was a read-only share.
All this is a consequence of root permissions, which root doesn’t have on this share.
It takes going under Advanced → map user (root) → map group (wheel),
and only after that did I have a normal (from the ESXi perspective) NFS share.
One question stays: this thing makes the NFS share in SYNC mode, but I prefer ASYNC (due to my humble capacities).
A solution is still not found, but even in the current mode it is … acceptable, because all I do is transfer VMDKs to qcow2 for my PVE.
TN-Scale gives me a wide range of surprises.

So time flew, and I faced the same problem.
In my case the bottleneck of the NFS share on TN-Scale was definitely in “SYNC”.
Haven’t found any web handlers for tuning; I just added async in /etc/exports and, happily, after
#service nfs-kernel-server restart
saturated my interfaces.
Sure, it will be gone after an NFS restart, but fortunately no one can access it.
The speed improvement is … visible at least. I’ve got 400-300 MB/s write instead of 20 MB/s in “SYNC” mode.
Sure, it’s not so safe, but in my case I should migrate from ESXi to PVE. Hope it withstands that.

And the downside of this is:
ESXi really loses locks on running machines under heavy load. It’s a bummer.
I reverted all of this to v3; it helps … kinda. Can’t get the courage to repeat the experiment on my prod environment.
At the end of the day I reverted all to sync… Consistency of data is more important.