ACLs missing for created file/folder

Status
Not open for further replies.

AaronLS

Dabbler
Joined
Jul 9, 2013
Messages
18
Upgraded to 9.2.1.5 x64.
Using Windows ACLs

Background: Have had a lot of issues with ACLs not being inherited previously. It seems randomly (there's probably some pattern I've yet to figure out) some folders or files I no longer have access to. This has always been the case even before upgrading. I did a test setup and things seemed to work well, but in practice it seems things randomly lose permissions or stop inheriting permissions. It has been giving me lots of trouble. So I will describe a very specific case and maybe discovering the issue will help me troubleshoot these issues better myself in the future or adjust my setup.

Problem: If I am logged into Windows as aaron, who is the owner for everything, I can browse these folders/files, but when I try to create a folder or file in the Gaming directory, then it fails with permission denied. If I copy a single file it is fine. If I copy a folder it fails. Here are the permissions of the Gaming dir:

[root@freenas /mnt/tank/main]# ls -l
drwxrwx---+ 26 aaron wheel 28 Jun 21 18:18 Gaming

[root@freenas /mnt/tank/main]# getfacl Gaming
#file:Gaming
#owner:aaron
#group: wheel
everyone@:------a-R-c---:------:allow
user:kevin:r-x---a-R-c---:fd----:allow
group@:rwxpD-a-R-c---:------:allow
owner@:rwxpD-aARWcCo-:------:allow

Creating a File/Folder:
Here is a folder I created from Windows with context menu-> New folder, and then typing a name. What I believe is happening is a create folder+rename is being sent to the server, the first succeeds but because of the permissions it has then the rename fails.

[aaron@freenas] /mnt/tank/main/Gaming% ls -l
----------+ 1 aaron wheel 0 Jun 21 18:55 New Text Document.txt
d---------+ 2 aaron wheel 2 Jun 21 18:36 New folder/

[aaron@freenas] /mnt/tank/main/Gaming% getfacl "New Text Document.txt"
# file: New Text Document.txt
# owner: aaron
# group: wheel
user:kevin:r-x---a-R-c---:------:allow

[aaron@freenas] /mnt/tank/main/Gaming% getfacl "New folder"
# file: New folder
# owner: aaron
# group: wheel
user:kevin:r-x---a-R-c---:fd----:allow

Only the Kevin ACL was inherited (I assume because it has the ":fd----:" inherit flags). Additionally, you can see the default chmod permissions were not set as per the Create File/Dir Mask I have set for CIFS service (0660/0770). I have these masks to prevent other/Everyone from getting access to things by default. At a minimum, if those file/dir creation masks had worked, then I'd have access since I am owner.

My configuration:

CIFS share
Name: main
Path: /mnt/tank/main
-Browsable
-Inherit Owner
(Inh. Permiss: FALSE)
-Inherit ACL's
(All other fields:false)

CIFS service
-Local Master
-Time Server
-Guest Account: nobody
-File mask: 0660
-Dir mask: 0770
-Support DOS File Attributes
-Unix Extensions
-Zeroconf share disc
-Hostnames lookup
-Server min protocol: -------
-Server max protocol: SMB3
-Allow execute always
(All other fields:false)

/mnt/tank
Permissions
Owner user: aaron
Owner group: wheel
Mode: read for all, execute for all, write for Owner
Type of ACL: Unix
Set recursively: false

/mnt/tank/main
Permissions
Owner user: aaron
Owner group: wheel
Mode: read for all, execute for all, write for Owner
Type of ACL: Windows
Set recursively: false
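
An added example, not part of the original post: a small Python model of how NFSv4 inherit flags (`f`, `d`, `i`, `n`) decide which entries of a parent ACL reach a newly created file or folder, run over the `getfacl Gaming` entries quoted above. It assumes purely flag-driven inheritance (ZFS aclinherit/aclmode settings and Samba create masks are not modelled), and the function names are hypothetical.

```python
# Added example: simplified model of NFSv4 ACL inheritance flags.
# Assumption: purely flag-driven inheritance; ZFS aclinherit/aclmode settings
# and Samba create masks are not modelled. Function names are hypothetical.

# ACEs copied from the `getfacl Gaming` output in the post.
PARENT_ACL = """\
everyone@:------a-R-c---:------:allow
user:kevin:r-x---a-R-c---:fd----:allow
group@:rwxpD-a-R-c---:------:allow
owner@:rwxpD-aARWcCo-:------:allow
"""

def parse_acl(text):
    """Parse getfacl NFSv4 lines into (who, perms, flags, type) tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and "# file:/owner:/group:" headers
        parts = line.split(":")
        # user:/group: entries carry a name, so "who" may span two fields
        aces.append((":".join(parts[:-3]), *parts[-3:]))
    return aces

def render_flags(flags, width):
    """Render a set of inherit flags in getfacl's f,d,i,n column order."""
    return "".join(c if c in flags else "-" for c in "fdin").ljust(width, "-")

def inherited_aces(parent, is_dir):
    """Return the ACEs a newly created child would inherit from parent."""
    out = []
    for who, perms, flags, ace_type in parent:
        f, d, n = "f" in flags, "d" in flags, "n" in flags
        if is_dir and (d or (f and not n)):
            keep = set() if n else {c for c in "fd" if c in flags}
            if keep and not d:
                keep.add("i")  # file-only ACE passes through the dir unapplied
            out.append((who, perms, render_flags(keep, len(flags)), ace_type))
        elif not is_dir and f:
            out.append((who, perms, render_flags(set(), len(flags)), ace_type))
    return out

def non_inheriting(parent):
    """Principals whose ACEs carry neither f nor d and so never propagate."""
    return [who for who, _, flags, _ in parent if not set("fd") & set(flags)]

if __name__ == "__main__":
    acl = parse_acl(PARENT_ACL)
    print("new file:  ", inherited_aces(acl, is_dir=False))
    print("new folder:", inherited_aces(acl, is_dir=True))
    print("not inherited:", non_inheriting(acl))
```

Under this model the results match the `getfacl` output shown for "New Text Document.txt" and "New folder": only the `user:kevin` entry carries inherit flags, so it is the only one that reaches the children.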
 