Best practice for datasets

Status
Not open for further replies.

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
With ACLs - much easier! And a reason more granular filesystem permissions were invented!
Share a folder one level up from where everyone's "home" directories will be.
Mount that share via root (or some other user that already has full control)
In Windows Explorer, for each of your users' main directories:

Right click -> Properties -> Security -> Edit -> Add -> (enter your user here) -> check name -> click "ok"
*Make sure your name is highlighted in the top box, then*
In the bottom box, check the "full control" box -> Apply

Woot! ACLs! Not only do you have full control over all the current files, all new files will inherit this permission set too.
With the POSIX method, you'd have to muck about with PAM (which I've only done on Linux boxes, not FreeNAS/ FreeBSD) so that each new file is written with the group ownership = Overlord.

Once you're done, I would recommend getting rid of the Share you created to do this, or at least lock it down like a mo-fo.

Just to clarify and to understand what is happening here:

1. Create a dataset on the volume called "docs".
2. Create a folder on the dataset "docs" called "users" with root.
3. Mount "users" folder as a CIFS share with root.
4. In folder "users" create a new folder for each user on the network who wants a home directory.
5. Create a user with corresponding user name and select the folder created in step 4 as their home directory.
6. From Windows Explorer add that user and set "full control" on the folder representing their name.
7. When all users have been added in this fashion, remove the share created in step 3.

Is this pretty much it?

Thanks,
JayNil
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Another quick, easy way to do it is to have the dataset be assigned as the home directory when creating the user. It will set the permissions for you.
...except that FreeNAS does not use the entered directory as the user's home directory; it uses the entered directory as the directory in which to create the user's home directory. If you create a user called fred, and enter /mnt/tank/fred for his home directory, the actual directory will be /mnt/tank/fred/fred.
 

willnx

Dabbler
Joined
Aug 11, 2013
Messages
49
Just to clarify and to understand what is happening here:

1. Create a dataset on the volume called "docs".
2. Create a folder on the dataset "docs" called "users" with root.
3. Mount "users" folder as a CIFS share with root.
4. In folder "users" create a new folder for each user on the network who wants a home directory.
5. Create a user with corresponding user name and select the folder created in step 4 as their home directory.
6. From Windows Explorer add that user and set "full control" on the folder representing their name.
7. When all users have been added in this fashion, remove the share created in step 3.

Is this pretty much it?

Thanks,
JayNil

You're creating local users on the FreeNAS box, and you also wanted your specific user (let's call that user Jay) to have full access to all the other users' files, right?
If so, then;

1. Create the CIFS dataset
2. Create a folder under that dataset called "users"
3. Mount "users" as a CIFS share with root.
4. From Windows Explorer select properties on the "users" share, add Jay and give them Full-Control.
5. In FreeNAS GUI, create the other users, and in the field for Home Directory put: /mnt/volume-name/CIFSdataset/users

If you keep the "users" share (which would make digging into the other user's directory easier), I'd suggest A) un-checking the "Browsable to Network Clients" box, and B) entering an IP in the "Hosts Allows" box.

It's the same general idea that you noted, but with less "rinse and repeat".
 

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
Sweet! The burn-in is finally done after ~60 hours of chewing. Will try this when I get home this afternoon.

Thanks,
JayNil
 

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
You're creating local users on the FreeNAS box, and you also wanted your specific user (let's call that user Jay) to have full access to all the other users' files, right?
If so, then;

1. Create the CIFS dataset
2. Create a folder under that dataset called "users"
3. Mount "users" as a CIFS share with root.
4. From Windows Explorer select properties on the "users" share, add Jay and give them Full-Control.
5. In FreeNAS GUI, create the other users, and in the field for Home Directory put: /mnt/volume-name/CIFSdataset/users

If you keep the "users" share (which would make digging into the other user's directory easier), I'd suggest A) un-checking the "Browsable to Network Clients" box, and B) entering an IP in the "Hosts Allows" box.

It's the same general idea that you noted, but with less "rinse and repeat".

Hey willnx,

Getting stuck on #4 here. When I try to add the user "jay" (which is a user on both the server and local machine, with identical passwords) it's not recognized as an object on the server.

This is what I did:

Created a volume on the FreeNAS server named "storage01".
Created a ZFS Dataset in volume "storage01" named "archive".
From the Shell in the GUI, I created a folder named "users" (as root).
Created a CIFS Share called "users" and pointed it to /mnt/storage01/archive/users.
Created a user named "jay" with same password as the user "jay" on the Windows client.
Connected to the CIFS Share from Windows Explorer.

Did I miss something vital? Why can't I add users through the Windows ACL?

I can ping the Windows Client from the FreeNAS Shell and the FreeNAS Server from the Windows Client (both via IP and hostname), so there shouldn't be a network issue.

Thanks,
JayNil
 

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
Solved it. Was a simple case of IBTW.
Browsed to the share "users" from my Windows Client rather than adding it with the user "jay" logged in. Did the trick.
 

willnx

Dabbler
Joined
Aug 11, 2013
Messages
49
Solved it. Was a simple case of IBTW.
Browsed to the share "users" from my Windows Client rather than adding it with the user "jay" logged in. Did the trick.

Woot! Glad to hear you figured it out!
 

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
Another problem, though. User "jay" becomes "unknown account" and FreeNAS starts to throw a whole lot of these at me:

winbindd[6631]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-606815686-2047840600-1566570833

where "jay" is replaced with that SID-string in the Windows ACL permissions (in the client window).

Getting a bunch of these as well:

matchname: host name/name mismatch: 192.168.1.101 != (NULL)

192.168.1.101 is my workstation.

Any ideas?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Another problem, though. User "jay" becomes "unknown account" and FreeNAS starts to throw a whole lot of these at me:

winbindd[6631]: sam_rids_to_names: possible deadlock - trying to lookup SID S-1-5-21-606815686-2047840600-1566570833

where "jay" is replaced with that SID-string in the Windows ACL permissions (in the client window).

Getting a bunch of these as well:

matchname: host name/name mismatch: 192.168.1.101 != (NULL)

192.168.1.101 is my workstation.

Any ideas?
The hostname mismatch is because you have "hostname lookups" enabled in your CIFS config, but don't have a DNS reverse-lookup zone configured (probably). Just disable hostname lookups. The winbind puke is annoying, but there is a thread somewhere here in the forums on how to resolve the problem. Just google the "sam_rids_to_names" error message.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
https://bugs.freenas.org/issues/5054

According to this bug-thread there's no real solution until the 9.2.1.9 release.
Best option now seems to be reverting back to 9.2.1.5?
Yeah, that bug is annoying. I'm pretty sure that a standalone server doesn't need winbind running and shouldn't be trying to do any of that idmap nonsense. :)

Try using a group that is not related to a user's name. I.e. create group "CoolPeople" and grant them permissions. Then make "Jay" a member of "CoolPeople". I'm pretty sure at one point in time I saw a github commit related to not mapping groups that have the same names as users. It could be that winbind doesn't like "Jay" because there is a group "Jay" on the server as well.
 

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
I got most of the stuff sorted and the server is running along quite nicely. Everyone in the LAN is happy with how it's working out with permissions and accessibility.

I do have one strange behaviour, though:

All three Windows 7 machines here are accessing the same dataset (media). In the dataset there is a folder called "media" which is what the share is pointing at. One of the Windows 7 x64 computers is getting random empty folders/missing files when accessing the share. This issue doesn't show for the other two computers also running Windows 7.

I did some googling, but most of the similar problems are Linux/Samba related and most of the threads are dated. I'm not really sure how to begin attacking this problem. I've disconnected the network share from within Windows Explorer and tried adding it again, but to no effect.

The machine is currently running some other tests, so I can't reboot it, but I guess that's my next step.

Anyone heard of this issue before?

Thanks,
JayNil

PS: Sorry for using the same thread over and over. Should I create a different thread for each issue?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I got most of the stuff sorted and the server is running along quite nicely. Everyone in the LAN is happy with how it's working out with permissions and accessibility.

I do have one strange behaviour, though:

All three Windows 7 machines here are accessing the same dataset (media). In the dataset there is a folder called "media" which is what the share is pointing at. One of the Windows 7 x64 computers is getting random empty folders/missing files when accessing the share. This issue doesn't show for the other two computers also running Windows 7.

I did some googling, but most of the similar problems are Linux/Samba related and most of the threads are dated. I'm not really sure how to begin attacking this problem. I've disconnected the network share from within Windows Explorer and tried adding it again, but to no effect.

The machine is currently running some other tests, so I can't reboot it, but I guess that's my next step.

Anyone heard of this issue before?

Thanks,
JayNil

PS: Sorry for using the same thread over and over. Should I create a different thread for each issue?
Folders and files will disappear if a user lacks privileges. This is an unfortunate difference between the behavior of a samba server with ZFS ACLs and a true windows server. Somehow folders / files are getting created with the wrong privileges or your user with problems isn't in the same group as your other users. You can probably resolve the problem with lack of visibility by adding an "everyone" ACE with the following atomic permissions: "read attributes, read extended attributes, read permissions".
 
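The "vanishing folders" behaviour anodos describes can be checked from the FreeNAS side before touching Windows ACLs. Below is an added example, not code from this thread or from FreeNAS/Samba: a small Python audit that reads the compact ACL listing FreeBSD's `getfacl` prints for each directory (one `tag:perms:flags:type` entry per line) and reports directories where no `everyone@` entry grants the three rights named above: read_attributes, read_xattr and read_acl. It assumes the compact permission letters of setfacl(1) (`a` = read_attributes, `R` = read_xattr, `c` = read_acl) and NFSv4 first-match ordering, so an earlier `deny` for `everyone@` wins over a later `allow`. The sample listing is constructed, and the `setfacl` line it suggests is an assumed command form, not taken from the thread.

```python
"""Audit FreeBSD/FreeNAS NFSv4 ACLs for the everyone@ visibility rights.

Added example (not from the thread). Feed it the output of
    getfacl /mnt/<volume>/<dataset>/<share>/*
and it lists directories whose everyone@ entries do not allow
read_attributes, read_xattr and read_acl. A SMB client that cannot
read a directory's attributes shows it as empty or missing.
"""

# Compact permission letters as printed by setfacl(1)/getfacl(1) on FreeBSD.
# Only the three "visibility" rights matter for this audit.
VISIBILITY_BITS = {"a": "read_attributes", "R": "read_xattr", "c": "read_acl"}

# Constructed sample getfacl output (not real server data).
SAMPLE_GETFACL = """\
# file: /mnt/storage01/archive/media
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow

# file: /mnt/storage01/archive/media/movies
# owner: thor
# group: thor
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxp--aARWcCos:fd-----:allow
         user:thor:rwxpDdaARWcCos:fd-----:allow

# file: /mnt/storage01/archive/media/music
# owner: thor
# group: thor
         everyone@:------a-------:-------:deny
            owner@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:-------:allow
"""


def parse_getfacl(text):
    """Yield (path, [ace, ...]) for each '# file:' block in getfacl output."""
    path, aces = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            if path is not None:
                yield path, aces
            path, aces = line.split(":", 1)[1].strip(), []
        elif not line or line.startswith("#"):
            continue  # blank separator or '# owner:' / '# group:' header
        else:
            # Split from the right: the tag may itself contain a colon
            # (e.g. 'user:thor'), the last three fields never do.
            who, perms, flags, kind = line.rsplit(":", 3)
            aces.append({
                "who": who,
                "perms": set(perms.replace("-", "")),
                "flags": set(flags.replace("-", "")),
                "type": kind,
            })
    if path is not None:
        yield path, aces


def missing_visibility_bits(aces):
    """Return the visibility rights that everyone@ is NOT allowed.

    NFSv4 ACLs are evaluated in order and the first entry mentioning a
    right decides it, so a deny listed before an allow blocks the right.
    """
    missing = []
    for letter, name in VISIBILITY_BITS.items():
        decision = None
        for ace in aces:
            if ace["who"] == "everyone@" and letter in ace["perms"]:
                decision = ace["type"]
                break
        if decision != "allow":
            missing.append(name)
    return missing


def audit(text):
    """Map each failing directory to the rights its everyone@ entries lack."""
    report = {}
    for path, aces in parse_getfacl(text):
        missing = missing_visibility_bits(aces)
        if missing:
            report[path] = missing
    return report


def suggested_fix(path):
    """Assumed setfacl(1) NFSv4 form (tag:perms:flags:type); 'fd' makes new
    files and subdirectories inherit the entry, '-a 0' inserts it first."""
    return f"setfacl -a 0 everyone@:aRc:fd:allow {path}"


if __name__ == "__main__":
    for path, missing in audit(SAMPLE_GETFACL).items():
        print(f"{path}: everyone@ lacks {', '.join(missing)}")
        print(f"  fix: {suggested_fix(path)}")
```

On the constructed listing the top-level share passes, "movies" fails because it has no `everyone@` entry at all (only owner, group and a user-specific entry, which is exactly the "user isn't in the same group" case), and "music" fails only on read_attributes because of the deny that precedes the allow.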

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
Just checked it and you are (of course) right.

I made user "thor" have "full control" over the share "/media" via Windows ACL and figured it would apply to all files and folders. I guess I have to change every single folder/file to reflect this change? Is it easily done without screwing up other permissions in the "/media" share?

Thanks,
JayNil
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Just checked it and you are (of course) right.

I made user "thor" have "full control" over the share "/media" via Windows ACL and figured it would apply to all files and folders. I guess I have to change every single folder/file to reflect this change? Is it easily done without screwing up other permissions in the "/media" share?

Thanks,
JayNil
No. The folders within the share should inherit permissions from the share itself.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
If only we had @cyberjock's permissions tutorial to reference...
 

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
I hear you loud and clear and I am reading up on permissions as we type. :)
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
If only we had @cyberjock's permissions tutorial to reference...

What we really need is someone who knows everything about Samba. Unfortunately, that's a full-time job...

I hear you loud and clear and I am reading up on permissions as we type. :)

He wasn't telling you to go read, the permissions guide is still WIP with no ETA.
 

JayNil

Dabbler
Joined
Oct 31, 2014
Messages
34
I didn't even realize it was a permissions issue to start with. That alone says I need to read. :)
Thanks for clearing it up, though. I'm usually good with sarcasm. Or is that org... nevermind. Back to reading.
 