Christian Lahti
Cadet (joined Mar 6, 2014; 2 messages)
Hey guys:
I have been bitten by the bug #4151 "CIFS all files appear as readonly for non-owners". Here is my update to the bug:
Hey guys:
I am having this exact same issue after upgrading to FreeNAS 9.2.1. We have a 34TB file store with hundreds of thousands of files, hooked up to Active Directory. After the upgrade all files are opened read-only if the owner of the file is someone else. Here is an example recipe of a share that used to work in 8.x:
ZFS Volume Settings:
- volume name: CS_Share
- owner: nobody
- group: cs (AD group)
- mode: 770
- Type of ACL: Windows/Mac
- Set permissions recursively: unchecked
Samba Share Settings:
- Share Name: CS_Share
- Comment: Customer Service Share
- Path: /mnt/vol0/CS_Share
- Export Read Only: unchecked
- Browsable to Network Clients: checked
- Inherit Owner:
- Inherit Permissions:
- Inherit ACL's:
- Export Recycle Bin:
- Show Hidden Files:
- Allow Guest Access:
- Only Allow Guest Access:
- (Advanced) Auxiliary Parameters:
valid users = @cs @"domain admins"
force group = @cs
create mask = 02770
directory mask = 02770
force create mask = 02770
We would then go to the Unix file system and recursively set /mnt/vol0/CS_Share:
chgrp -R cs /mnt/vol0/CS_Share
chmod -R 02770 /mnt/vol0/CS_Share
The effect of all of this is that members of group cs have read-write, members of "Domain Admins" have read-write, and all others are denied. The permissions on directories get 02770 and the permissions on files get 0770. Now only owners of files have read-write; others in cs and Domain Admins can open the files, but they are read-only. Can someone please give me the recipe and the exact steps necessary to change and fix this in the new version of FreeNAS 9.2.1? This is killing us at the moment.
Thanks!
Addendum:
I tried this from another comment in the bug:
find /mnt/vol0/CS_Share -type d -exec setfacl -m owner@:full_set:fd:allow,group@:modify_set:fd:allow {} \;
find /mnt/vol0/CS_Share -type f -exec setfacl -m owner@:full_set::allow,group@:modify_set::allow {} \;
The result is that non-owners can now open files read-write, but new files created get the permission:
ls -al Test.txt
---xr-x---+
getfacl Test.txt
# file: Test.txt
# owner: clahti
# group: cs
owner@:r-------------:------:deny
group:nobody:rwxpDdaARWcCo-:------:allow
owner@:--x---aARWcCos:------:allow
group@:r-x---a-R-c--s:------:allow
everyone@:------a-R-c--s:------:allow
Resulting in *nobody* being able to open that file subsequently.
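Added example (not part of the original post and not FreeNAS or Samba code): a simplified model of ordered NFSv4 ACL evaluation, run over the getfacl output above, to show which entry decides read_data (`r`) and write_data (`w`) for a given user. The group memberships passed to `check` and any user name other than `clahti` are assumptions.

```python
# Simplified NFSv4 ACL evaluation: for each requested bit, the first matching
# ACE that mentions it decides; a bit that no matching ACE mentions is denied.
# ACL text is copied from the getfacl output in the post.
ACL_TEXT = """\
owner@:r-------------:------:deny
group:nobody:rwxpDdaARWcCo-:------:allow
owner@:--x---aARWcCos:------:allow
group@:r-x---a-R-c--s:------:allow
everyone@:------a-R-c--s:------:allow
"""

def parse_acl(text):
    """Return ACEs as (tag, qualifier, perms, type) tuples in file order."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the "# file/owner/group" header
        fields = line.split(":")
        if len(fields) == 4:  # owner@ / group@ / everyone@ carry no name
            fields.insert(1, None)
        if len(fields) != 5:
            raise ValueError("unrecognised ACE: " + line)
        tag, qualifier, perms, _flags, ace_type = fields
        aces.append((tag, qualifier, set(perms) - {"-"}, ace_type))
    return aces

def matches(tag, qualifier, user, groups, owner, owning_group):
    """Does this ACE's principal apply to the requesting user?"""
    return {
        "owner@": user == owner,
        "group@": owning_group in groups,
        "everyone@": True,
        "user": qualifier == user,
        "group": qualifier in groups,
    }.get(tag, False)

def check(aces, wanted, user, groups, owner, owning_group):
    """Return {perm: 'allow' | 'deny'} for each requested permission letter."""
    decided = {}
    for tag, qualifier, perms, ace_type in aces:
        if not matches(tag, qualifier, user, groups, owner, owning_group):
            continue
        for perm in wanted:
            if perm in perms and perm not in decided:
                decided[perm] = ace_type
    return {perm: decided.get(perm, "deny") for perm in wanted}
```

For example, `check(parse_acl(ACL_TEXT), "rw", "clahti", {"cs"}, "clahti", "cs")` reports `r` denied by the leading `owner@` deny entry and `w` denied because no `owner@`, `group@` or `everyone@` entry grants it.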