copying files to AD-connected CIFS share assigns allow ACL to group "domain users"

Status
Not open for further replies.

Kant

Cadet
Joined
Mar 25, 2014
Messages
2
I'm trying to migrate from a Windows file server to FreeNAS. I'm using the latest version (build FreeNAS-9.2.1.2-RELEASE-x64 (002022c)). It's connected to the Active Directory server, and any permissions I set on a given file seem to work okay. I've followed FreeNAS's documentation and it looks like I didn't miss the usual things.

Here's the problem: even using robocopy, when I copy from the Windows file server to the FreeNAS file server, the new copy of the files gets an allow entry for the "domain users" group (from the AD) in the ACLs. How can I prevent this?
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
It depends on how you've set up the FreeNAS system. It should go something like this. You create a dataset in FreeNAS, set the ACL type to Windows/Mac, and change the Owner User and Owner Group permission on the dataset to be accounts from Active Directory (i.e. Administrator and Domain Admins)... doc for setting permissions here. You then create a CIFS share, following the documentation of course... it's important to NOT set the option to Inherit Permissions for Windows shares.

Once you have all of that done, you need to configure the SHARE and NTFS permissions. Open compmgmt.msc from a Windows box and connect to the FreeNAS system. Go to System Tools/Shared Folders/Shares and right click on the share you want to modify. You need to set the Share Permissions and Security Permissions.

Another thing is that it's possible to modify the behavior of how files are copied from one volume to the other in Windows. See the article here.
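
One way to check, after a copy, which files and folders on the share carry an allow entry for "Domain Users" and whether the server reports that entry as inherited or explicit. This is an added example, not part of the original posts; the UNC path `\\freenas.example.local\share` and the `*\Domain Users` pattern are placeholder assumptions to replace with your own values.

```powershell
# Added example (not from the thread): audit a share for allow ACEs
# granted to "Domain Users". $Root and $GroupPattern are assumed placeholders.
param(
    [string]$Root         = '\\freenas.example.local\share',  # hypothetical UNC path
    [string]$GroupPattern = '*\Domain Users'                  # matches DOMAIN\Domain Users
)

function Get-GroupAce {
    param([string]$Path, [string]$Pattern)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Report items whose security descriptor cannot be read at all.
        [pscustomobject]@{
            Path = $Path; Owner = $null; Rights = '<ACL unreadable>'
            Inherited = $null; InheritanceFlags = $null
        }
        return
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -like $Pattern) {
            [pscustomobject]@{
                Path             = $Path
                Owner            = $acl.Owner
                Rights           = $ace.FileSystemRights
                Inherited        = $ace.IsInherited       # True: entry comes from a parent
                InheritanceFlags = $ace.InheritanceFlags  # how it propagates to children
            }
        }
    }
}

# Include the share root itself: an inheritable entry there reaches every new file.
$items  = @(Get-Item -LiteralPath $Root) +
          @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$report = foreach ($item in $items) {
    Get-GroupAce -Path $item.FullName -Pattern $GroupPattern
}

$report | Sort-Object Inherited, Path | Format-Table -AutoSize

# Summary: count of inherited (True) versus explicit (False) entries.
$report | Group-Object Inherited | Select-Object Name, Count
```

Entries reported as inherited point at the ACL on the share root or a parent folder; explicit entries were written on the item itself at creation or copy time.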
 

andi

Cadet
Joined
Apr 8, 2014
Messages
2
I have the same issue. Setting the ACL for the share and file permissions under compmgmt.msc doesn't work. I reset all file permissions down to any folder under the parent folder from my Windows system, both under compmgmt.msc and with Windows Explorer, but it didn't work. The CIFS share is configured to inherit owner and ACLs. Inherit Permissions is not set. The ZFS dataset is set to Windows. I tried various options with and without inherit owner and ACLs.
My share permissions and file permissions are set to DOMAIN/Admin and Domain/Admin-group, but if I create a new folder (after reconnecting the share to Windows) I lose the Domain/Admin-group in the file permissions. I also lose the owner, and it gets set to the user that created the new folder or file.
If I create a new folder as User1, the owner is set to User1; the group Domain/all-users and Everyone also get set, but without any right selected in the file permission tab. If I now create any file (tried with a simple text file), the only file permission left is Domain/administrator. Any other permission is gone. The owner of the text file is User1, who has no rights at all to that file but can change the permissions. User1 can give himself all rights and then can delete or edit it. But if I create a folder under the new folder, it doesn't even have the security tab and I have to delete it in the NAS shell.

FN version 9.2.1.3
 

Attachments

  • NASrightsNewFolder.jpg
  • NASrightsNewFile.jpg
  • NASrightsNewFolderUnderFolder.jpg