CIFS home folders / Restore ACLs?


BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
Hi guys,

I'm having problems with permissions for CIFS home folders.

I've tried going in the FreeNAS GUI, in the user config, and I see this:

http://cl.ly/image/2U0l2q3p442i

I tried to set it to this:

http://cl.ly/image/0A2N2n1y163h

But it keeps reverting to all empty boxes.

getfacl gives me this:

Code:
getfacl user1/
# file: user1/
# owner: nobody
# group: GeneralGroup
    user:user1:rwxpDdaARWcCo-:fd----:allow


I'm not sure what's up with that and how to fix it?

Of course from the Windows "security" interface there's nothing to be done as it tells me there's no owner.

Is there a way to restore ACLs for all home folders?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I've noticed that zfsacl interacts oddly with the [homes] share in samba. It's better to either (1) not use homes - I've detailed an alternative fairly recently or (2) switch to using unix-style permissions.
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
But I'm mainly using CIFS shares... and I would love to use UNIX-style permissions, as I'm much more comfortable with them, but reading around it seems to be generally agreed that it is MUCH recommended to use WINDOWS-style permissions when using CIFS shares.

Would you agree?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> But I'm mainly using CIFS shares... and I would love to use UNIX-style permissions, as I'm much more comfortable with them, but reading around it seems to be generally agreed that it is MUCH recommended to use WINDOWS-style permissions when using CIFS shares.
>
> Would you agree?

The thread regarding home directories is here: https://forums.freenas.org/index.ph...ectories-in-ad-environment.27132/#post-186746

Another thread is here: https://forums.freenas.org/index.php?threads/windows-permissions-acl.28480/#post-186321. See post #9.

Using windows permissions is generally better. There is no such thing as 'simple' when it comes to samba. Samba in essence turns a Unix server into a windows server.

Windows permissions are much more fine-grained than traditional Unix permissions. It's like trying to fit a square peg in a round hole. This means that samba adds things under 'Unix permissions' to make things fit better. When using Unix permissions you have to account for the interaction between 4 distinct access control methods:
  • Unix permissions
  • Share definition access controls (valid users, etc)
  • NT-style permissions as set in share_info.tdb
  • POSIX acls (if any are set)
Since Unix permissions are not sufficient by themselves for a functioning environment, you need to be able to understand the interaction between the other items listed above. It works and has been used for years by people without zfs and continues to be used on servers without zfs... but... zfs supports nfsv4 acls. We have access to a mostly roundish peg.

The samba project has been around for a long time. There are some features that are somewhat less than useful. The special [homes] share is such a feature.
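As an added example (my own code, not from this thread, FreeNAS or Samba): a small audit script for the situation BlazeStar pasted above and for anodos' point that with NFSv4 ACLs there is one access control list to check rather than four interacting mechanisms. It parses the text layout that FreeBSD's getfacl(1) prints, flags home directories that are owned by `nobody`, whose user entry is not full control, that do not inherit to new files, or that grant `everyone@` write access, and prints the chown/setfacl commands an admin would review before running them. It never modifies anything itself. The sample output, the user names and the audit rules are constructed; `full_set` and the `fd` inheritance flags are FreeBSD setfacl's NFSv4 syntax.

```python
"""Audit NFSv4 ACLs on CIFS home folders from FreeBSD `getfacl` output.

Added example for this thread, not code from the forum or from FreeNAS.
Reads getfacl blocks, reports home folders in a broken state and prints
suggested remediation commands without touching the filesystem.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FULL_SET = "rwxpDdaARWcCos"   # the 14 NFSv4 permission letters getfacl prints
WRITE_BITS = set("wpdD")      # write_data, append_data, delete_child, delete

@dataclass
class Ace:
    tag: str        # owner@, group@, everyone@, user or group
    qualifier: str  # user/group name for the user/group tags, else ""
    perms: str      # 14-character permission field, "-" for an unset bit
    flags: str      # 6-character inheritance field, e.g. "fd----"
    kind: str       # "allow" or "deny"

@dataclass
class AclEntry:
    path: str
    owner: str = ""
    group: str = ""
    aces: List[Ace] = field(default_factory=list)

def parse_getfacl(text: str) -> List[AclEntry]:
    """Parse one or more getfacl blocks; the echoed command line is ignored."""
    entries: List[AclEntry] = []
    cur: Optional[AclEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            cur = AclEntry(path=line.split(":", 1)[1].strip())
            entries.append(cur)
        elif line.startswith("# owner:") and cur is not None:
            cur.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:") and cur is not None:
            cur.group = line.split(":", 1)[1].strip()
        elif cur is not None and not line.startswith("#"):
            parts = line.split(":")
            if parts[0] in ("owner@", "group@", "everyone@") and len(parts) == 4:
                cur.aces.append(Ace(parts[0], "", parts[1], parts[2], parts[3]))
            elif parts[0] in ("user", "group") and len(parts) == 5:
                cur.aces.append(Ace(*parts))
    return entries

def audit_home(entry: AclEntry, user: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Return (findings, suggested fixes). The home's user defaults to its basename."""
    user = user or entry.path.rstrip("/").rsplit("/", 1)[-1]
    findings: List[str] = []
    fixes: List[str] = []
    if entry.owner != user:
        findings.append(f"{entry.path}: owner is '{entry.owner}', expected '{user}'")
        fixes.append(f"chown {user} {entry.path}")
    # Entries that grant the user access: owner@ (once ownership is right) or user:<name>.
    grants = [a for a in entry.aces if a.kind == "allow" and
              ((a.tag == "owner@" and entry.owner == user) or
               (a.tag == "user" and a.qualifier == user))]
    full = [a for a in grants if all(bit in a.perms for bit in FULL_SET)]
    inherit = [a for a in grants if "f" in a.flags and "d" in a.flags]
    if not grants:
        findings.append(f"{entry.path}: no allow entry for '{user}'")
    elif not full:
        findings.append(f"{entry.path}: entry for '{user}' is not full control ({grants[0].perms})")
    if grants and not inherit:
        findings.append(f"{entry.path}: entry for '{user}' does not inherit to new files")
    if not full or not inherit:
        # full_set = all 14 bits; fd = inherit to files and subdirectories created later.
        fixes.append(f"setfacl -m owner@:full_set:fd:allow {entry.path}")
    for a in entry.aces:
        if a.tag == "everyone@" and a.kind == "allow" and WRITE_BITS & set(a.perms):
            findings.append(f"{entry.path}: everyone@ has write access ({a.perms})")
    return findings, fixes

def audit_all(text: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Map each home folder with findings to its (findings, fixes)."""
    report = {}
    for entry in parse_getfacl(text):
        findings, fixes = audit_home(entry)
        if findings:
            report[entry.path] = (findings, fixes)
    return report

# Constructed sample: user1/ as in the thread, user2/ as a healthy home folder.
SAMPLE = """\
getfacl user1/
# file: user1/
# owner: nobody
# group: GeneralGroup
    user:user1:rwxpDdaARWcCo-:fd----:allow

# file: user2/
# owner: user2
# group: GeneralGroup
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:r-x---a-R-c--s:fd----:allow
         everyone@:--------------:fd----:allow
"""

if __name__ == "__main__":
    for path, (findings, fixes) in audit_all(SAMPLE).items():
        print("\n".join(findings))
        print("suggested:", "; ".join(fixes))
```

Run it against `getfacl /mnt/tank/homes/*` output (paths as on your system) to see which folders need attention; the suggested `setfacl` line only sets the top-level directory, and inherited entries apply to files created afterwards, so existing contents need the same command applied via `find`.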
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I guess some better questions to ask are:

How many users do you have?
Is FreeNAS an AD member server?
Do you have any special requirement to export users' Unix home directories via CIFS?
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
> I guess some better questions to ask are:
>
> How many users do you have?

About 25 users.

> Is FreeNAS an AD member server?

No, I initially tried to set up a central LDAP server emulating AD, but I failed.

I ended up deciding to give up on any directory service and using the built-in users and groups manager of FreeNAS.

> Do you have any special requirement to export users' Unix home directories via CIFS?

I just wanted every user to have a personal folder on the network, to store files which don't belong to collective shares.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> About 25 users.

> No, I initially tried to set up a central LDAP server emulating AD, but I failed.
>
> I ended up deciding to give up on any directory service and using the built-in users and groups manager of FreeNAS.

> I just wanted every user to have a personal folder on the network, to store files which don't belong to collective shares.

Honestly, with 25 users it might be a good idea to try out MS active directory. It costs some money up front, but group policies, WSUS, WDS, etc have a good return on investment in terms of man-hours saved and improved security.

Otherwise, you could run a Samba4 domain controller on another server (you can't run the same Samba4 instance as a DC and as a file server, but it is well-suited for virtualization). I think this requires the professional / business version of windows for your clients.

Post 9 here might be useful for a more manageable version of home directories (it will allow you as an admin to access all home directories through Windows). https://forums.freenas.org/index.php?threads/windows-permissions-acl.28480/#post-186321
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> Honestly, with 25 users it might be a good idea to try out MS active directory. It costs some money up front, but group policies, WSUS, WDS, etc have a good return on investment in terms of man-hours saved and improved security.
>
> Otherwise, you could run a Samba4 domain controller on another server (you can't run the same Samba4 instance as a DC and as a file server, but it is well-suited for virtualization). I think this requires the professional / business version of windows for your clients.

Yeah, Windows 7 Professional/Enterprise or Ultimate or Windows 8 Pro.
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
I like to stay in the linux world as much as possible, at least on the server side...

At the very least, I try to stay as much away as possible from Microsoft.

Yeah, you need Windows for workstations given required software and compatibility issues... so I like to limit it to that.

Is there so much of a drawback to using a Samba4 domain controller? (vs a real MS server)

I have a nice proxmox setup with several nodes, it's a piece of cake to fire up a server and test.

Also, I was going to try a samba4 controller but after spending many hours on my LDAP server, I just gave up altogether and for now the FreeNAS users manager was doing the trick for me.

But recently, I've heard about Zentyal... http://www.zentyal.org/
Does anyone have experience with that distro?
Seems pretty sweet.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I like to stay in the linux world as much as possible, at least on the server side...
>
> At the very least, I try to stay as much away as possible from Microsoft.

You're already out of the Linux world - FreeNAS is FreeBSD, not Linux. In the professional context I'd personally shy away from the "eww... microsoft" mentality. Having a windows server on your network has several distinct advantages:
  • Ability to standardize and centrally manage security settings and other configuration options on all computers through Group Policies
  • Ability to centrally monitor and apply windows updates through WSUS
  • Ability to create custom install images and deploy them as malware incidence response through WDS
The above items mean that deploying AD in a small business environment will probably end up costing less than trying to set up and configure a Samba4 DC.

That being said, testing and deploying a Samba4 DC is better than trying to administer a workgroup with 25 computers. Single-sign-on and being able to centrally manage user accounts will save your company money in the long run.
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
I should have said UNIX and not LINUX... sorry for n00bing

Okay I think this is very clear!
Thanks for your input!

For the record I don't consider myself a professional per se, more like a technology enthusiast who happens to take care of the tech stuff at work because I know a thing or two.

I'll start looking at MS servers, but I gotta tell you, this Zentyal thing... it looks pretty cool.
I might try to mess around with it in a VM just for fun.

But I'll definitely be trying to unlock a budget for a MS server.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I should have said UNIX and not LINUX... sorry for n00bing
>
> Okay I think this is very clear!
> Thanks for your input!
>
> For the record I don't consider myself a professional per se, more like a technology enthusiast who happens to take care of the tech stuff at work because I know a thing or two.
>
> I'll start looking at MS servers, but I gotta tell you, this Zentyal thing... it looks pretty cool.
> I might try to mess around with it in a VM just for fun.
>
> But I'll definitely be trying to unlock a budget for a MS server.

I believe you can download trials of Server 2012 here: http://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2
If you go the route of setting up an AD domain, remember that you have to purchase a Client Access License (CAL) for each workstation.
 

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
Also, if you go the domain controller route (AD, etc.), I'm assuming you'd set FreeNAS to connect to AD but still serve files with FreeNAS, right?

Or would you use the MS Server to have access to everything on FreeNAS and the MS Server would serve the files?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> Also, if you go the domain controller route (AD, etc.), I'm assuming you'd set FreeNAS to connect to AD but still serve files with FreeNAS, right?

Right.
 