SOLVED Again a permissions thread

Status
Not open for further replies.

thijsjek

Dabbler
Joined
Aug 12, 2017
Messages
19
Hello,
Using FreeNAS 11 (my first experience with FreeNAS/FreeBSD).

I got running:
Sickbeard, Plex, SABnzbd, Transmission and CouchPotato in jails, and an Ubuntu VM with Pi-hole.
Made a storage structure of:
Data - downloads, incomplete, movies, series. -> permissions media:media in the FreeNAS GUI with the 8675309
(I want those also to be an SMB mount without all permissions to everyone)
Jails are running and the mount points are all correct.

Problem:
When downloading in SABnzbd I already get a: Cannot change permissions of /var/db/sabnzbd/Downloads/incomplete (incomplete is mounted to /data/incomplete)
Code:
ls -l /var/db/sabnzbd/Downloads/
gives
Code:
 drwxrwxr-x+  media:media 


Things I tried:
I changed the jails to dude:dude with UID 1001, where I also had a dude:dude 1001 in FreeNAS, with the permissions on the storage as dude:dude (because I guessed this was the smartest option to use as an SMB share)
(https://forums.freenas.org/index.ph...plugins-write-permissions-to-your-data.27273/)
I have looked at and tried everything on the forums, but after 1,5 week of being agitated, I posted here.

Solution?
I would now like to have a user like 'media' who can do whatever Transmission, SABnzbd, CP, SB and Plex want (w r e) on those SMB shares, and another user 'dude' who can access those files via SMB. And how do I set those (difficult) permissions? (There is no clear guide on how to handle permissions anywhere, saying it's all custom. Then give a good practice guide.)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The problem is that sabnzbd is trying to chmod inside a dataset that has its aclmode set to "restricted". You'll need to change the aclmode to "passthrough" by changing the "permissions type" to "unix". Once you do this, the error will go away.

Unfortunately, now you're using "Unix permissions type" on a Samba share and using NFSv4 ACLs. Why is this a problem? chmod in FreeBSD isn't aware of ACLs. When you chmod a file, per the NFS4 ACL spec, FreeBSD will modify the ZFS ACL to reflect the permissions specified in the chmod command. This has the effect of (1) killing inheritance bits for the special ACEs owner@ group@ everyone@ and (2) modifying explicit ACEs in the case where they will conflict with the mode set on the file. Additionally, once inheritance bits are disabled, new files and folders will potentially be created per umask and smb.conf parameters, and so the create mask will have to be tweaked. If you're going the route of changing the aclmode and want to keep your ZFS ACLs, you will need to do the following:
  • Change permissions type on the dataset to "Unix"
  • Reset permissions on the share to default
  • Add the following auxiliary parameters under Services->SMB [caveat - I have not experimented much with this]
Code:
# smb.conf only treats "#" as a comment at the start of a line, so comments sit on their own lines.
# makes it clearer which ACEs are associated with owner@, group@, etc
nfs4:mode = simple
# owner will be inherited from root of share rather than the authenticated user. May help avoid problems with chmod modifying explicit ACEs
inherit owner = yes

  • Set appropriate create / directory masks in Samba.
  • Fine-tune permissions via Windows File Explorer.
To reiterate, I haven't experimented extensively with this, but I think this will put you on the road to using ZFS ACLs and Unix permissions without conflict. I will do more testing at a future time.
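
A check for the first side effect described in the post above (special ACEs losing their inheritance bits after a chmod), as an added example that is not part of the original thread. It assumes FreeBSD `getfacl` prints NFSv4 ACEs as `who:perms:flags:type`; the function name, the path and both sample ACLs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads FreeBSD `getfacl` output for an
# NFSv4 ACL on stdin and prints every special ACE (owner@, group@, everyone@)
# that carries neither file_inherit (f) nor dir_inherit (d).
# Real use (pool and dataset names are placeholders):
#   zfs get aclmode <pool>/<dataset>
#   getfacl /mnt/<pool>/<dataset>/incomplete | special_aces_without_inheritance
special_aces_without_inheritance() {
    awk -F: '
        /^[ \t]*#/ { next }                  # "# file:", "# owner:" header lines
        {
            who = $1
            gsub(/[ \t]/, "", who)           # getfacl right-aligns the principal
            if (who != "owner@" && who != "group@" && who != "everyone@") next
            if ($3 !~ /[fd]/) print who      # layout is who:perms:flags:type
        }'
}

# Constructed sample: directory whose special ACEs are still inheritable.
sample_inheriting() {
    cat <<'EOF'
# file: /mnt/tank/data/incomplete
# owner: media
# group: media
            owner@:rwxp--aARWcCos:fd-----:allow
            group@:rwxp--a-R-c--s:fd-----:allow
         everyone@:r-x---a-R-c--s:fd-----:allow
EOF
}

# Constructed sample: the same directory after a chmod rewrote the ACL;
# the explicit user ACE kept its flags, the special ACEs did not.
sample_after_chmod() {
    cat <<'EOF'
# file: /mnt/tank/data/incomplete
# owner: media
# group: media
         user:dude:rwxp--a-R-c--s:fd-----:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
EOF
}

sample_after_chmod | special_aces_without_inheritance
```

Empty output means every special ACE still inherits; any principal listed is one whose entry new files and folders under that directory will no longer pick up.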
 

thijsjek

One of the problems was that I used to have the permissions set to Windows, and switching back to Unix caused some strange behaviour. So I deleted the dataset and made a new one with just Unix permissions. Deleted the SMB share. Problems solved.
So I do indeed have 'jails:wheel' in all jails, and he is the owner of all the datasets (jails:wheel) related to those jails. Works perfectly. So next time, one thing at a time, and not everything at once and then figuring out the permissions. Then I made the SMB share the way you explained and it worked. I added user 'dude' to group wheel, and in Windows I gave him permissions to read/write in the datasets (if I want to copy a movie to a local machine).

One more question: if I give the user 'jails' a password, nothing goes haywire in the jails?
Thanks for the help
 

anodos

No problem. I can't think of a reason why it would break things to set a password for that user.
 

thijsjek

I already put one and everything seems stable and secure; I'm just going to test from another machine whether the Windows security settings are correct. Thanks for the fast and correct help.
 