Difference between CIFS permission set in Windows and how FreeNAS recognize them

Status
Not open for further replies.

BAlfredo

Cadet
Joined
May 5, 2015
Messages
3
Hi everyone,
this is my first time on the forum, because I have used FreeNAS without problems since version 8 (and version 7 before that) as a NAS for exporting CIFS shared folders in a Windows environment, sometimes bound to a Samba Active Directory (Resara) or a Windows Server DC.
After I upgraded one of the boxes to FreeNAS 9.3, I noticed that if I set the permissions of a folder from Windows, giving for example the Full Control permission to the DOMAIN\Administrator user, when I use the getfacl command on the FreeNAS box I see that DOMAIN\Administrator is shown as a group.

I've made a test lab for simulating the problem; here's an example :

(attached screenshot: upload_2015-5-6_12-21-25.png)



[root@freenas] /mnt/volume# getfacl pollaio/
# file: pollaio/
# owner: NEWCONTOSO\administrator
# group: NEWCONTOSO\domain users
group:NEWCONTOSO\fattoria_mckenzie:rwxp-daARWc---:fd----:allow
group:NEWCONTOSO\administrator:rwxpDdaARWcCo-:fd----:allow

Thanks in advance for the help, and please excuse any mistakes as English is my second language.
Regards
Alfredo
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I've noticed that winbind/zfsacl can get confused if you have users and groups with identical names. I think part of the problem may be with using the parameter "nfs4:mode = special". I believe "administrator" is both a user and a Builtin Container (see the output of getent group). The behavior you described also annoyed me a bit, so I changed ownership of my datasets to "root:domain admins". In general I try to avoid making or using groups that share a name with a user, and vice versa. I also try to avoid limiting the rights of the owner and group (in some hard-to-pin-down situations this can lead to samba on FreeNAS arbitrarily writing "deny" ACEs).

Anyway, if you make the changes I mention above, your getfacl output should be:
[root@freenas] /mnt/volume# getfacl pollaio/
# file: pollaio/
# owner: depasseg's mom\root
# group: NEWCONTOSO\domain admins
group:NEWCONTOSO\fattoria_mckenzie:rwxp-daARWc---:fd----:allow
group@:rwxpDdaARWcCo-:fd----:allow
owner@:rwxpDdaARWcCo-:fd----:allow

So, in short, I don't have a good explanation for the behavior you describe above, it is not clear whether it adversely affects FreeNAS performance, and I'm not sure what the remedy would be. I just superstitiously follow my above practice, and that is my personal contribution to the vast amounts of samba voodoo that floats around the internet.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
anodos - Why is the owner in the getfacl output not listed as "root"?
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
anodos, why is root an account in the NEWCONTOSO domain? :smile:
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
depasseg,
You are using the root account to access the FreeNAS system, but I don't see anywhere that you gave root permissions on the share, and you specified that the permissions were not inherited.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
I was joking around with anodos. I actually did set root:domain admins on my share as a test, and it looks like this:
Code:
[root@freenas1] /mnt/tank# getfacl media/
# file: media/
# owner: root
# group: DEPASSE\domain admins
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow
[root@freenas1] /mnt/tank#
 

BAlfredo

Cadet
Joined
May 5, 2015
Messages
3

Hi anodos,
thanks for your reply; I have tried what you suggested and now it functions correctly.
I've also discovered that FreeNAS doesn't recognize groups set as Domain Local Security Groups, only those set as Global Security Groups.

Best regards
Alfredo
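A small audit script, added here as an example (it is not code from the thread, FreeNAS or Samba), that parses the compact getfacl output posted above and cross-checks every named principal against `getent passwd` and `getent group`. That is the check anodos points at for the user/group name collision, and the same lookup surfaces a group that winbind cannot resolve at all, which is what Alfredo's last observation about Domain Local groups would look like from the FreeNAS side. The permission and flag letter tables follow FreeBSD setfacl(1); the getent output embedded below is constructed for this example, not taken from a real box.

```python
"""Cross-check FreeNAS/FreeBSD NFSv4 getfacl output against getent passwd
and getent group.  Added example, not code from the thread, FreeNAS or Samba.
Letter tables follow FreeBSD setfacl(1); getent samples are constructed."""
from dataclasses import dataclass
from typing import List, Set

# Compact permission letters in getfacl's "rwxpDdaARWcCos" order.
PERM_LETTERS = dict(r="read_data", w="write_data", x="execute", p="append_data",
                    D="delete_child", d="delete", a="read_attributes",
                    A="write_attributes", R="read_xattr", W="write_xattr",
                    c="read_acl", C="write_acl", o="write_owner", s="synchronize")
FLAG_LETTERS = dict(f="file_inherit", d="dir_inherit", i="inherit_only",
                    n="no_propagate", I="inherited")
SPECIAL_TAGS = ("owner@", "group@", "everyone@")

@dataclass
class Ace:
    tag: str      # owner@, group@, everyone@, user or group
    name: str     # DOMAIN\name for user:/group: entries, else ""
    perms: Set[str]
    flags: Set[str]
    kind: str     # allow or deny

def parse_ace(line: str) -> Ace:
    # Split from the right: the name may be "DOMAIN\name with spaces".
    head, perms, flags, kind = line.strip().rsplit(":", 3)
    if head in SPECIAL_TAGS:
        tag, name = head, ""
    else:
        tag, name = head.split(":", 1)
        if tag not in ("user", "group") or not name:
            raise ValueError(f"unrecognised ACE: {line!r}")
    return Ace(tag, name, {PERM_LETTERS[c] for c in perms if c != "-"},
               {FLAG_LETTERS[c] for c in flags if c != "-"}, kind)

def parse_getfacl(text: str) -> dict:
    """Return {'file', 'owner', 'group', 'aces'} for one getfacl(1) listing."""
    acl = {"file": "", "owner": "", "group": "", "aces": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):                 # "# owner: X" style headers
            key, _, value = line[1:].partition(":")
            if key.strip() in ("file", "owner", "group"):
                acl[key.strip()] = value.strip()
        else:
            acl["aces"].append(parse_ace(line))
    return acl

def parse_getent(text: str) -> Set[str]:
    """First field of getent passwd/group lines, lower-cased like winbind names."""
    return {l.split(":", 1)[0].lower() for l in text.splitlines() if l.strip()}

def is_full_control(ace: Ace) -> bool:
    """Windows Full Control sets every NFSv4 bit; synchronize may be absent."""
    return ace.perms >= set(PERM_LETTERS.values()) - {"synchronize"}

def audit(acl: dict, users: Set[str], groups: Set[str]) -> List[str]:
    """Flag named principals that are ambiguous, mis-tagged or unresolvable, and deny ACEs."""
    findings = []
    for ace in acl["aces"]:
        label = f"{ace.tag}:{ace.name}" if ace.name else ace.tag
        if ace.kind == "deny":
            findings.append(f"{label}: explicit deny ACE")
        if not ace.name:
            continue
        name = ace.name.lower()
        is_user, is_group = name in users, name in groups
        if is_user and is_group:
            findings.append(f"{label}: name is both a user and a group; the "
                            f"'{ace.tag}' tag may not be what Windows intended")
        elif ace.tag == "group" and is_user:
            findings.append(f"{label}: tagged group, but only a user by that name exists")
        elif ace.tag == "user" and is_group:
            findings.append(f"{label}: tagged user, but only a group by that name exists")
        elif not (is_user or is_group):
            findings.append(f"{label}: not resolvable via getent (unmapped SID?)")
    return findings

# getfacl output as posted in the thread.
GETFACL_OUTPUT = r"""
# file: pollaio/
# owner: NEWCONTOSO\administrator
# group: NEWCONTOSO\domain users
group:NEWCONTOSO\fattoria_mckenzie:rwxp-daARWc---:fd----:allow
group:NEWCONTOSO\administrator:rwxpDdaARWcCo-:fd----:allow
"""
# Constructed getent output: 'administrator' exists both as user and as group.
GETENT_PASSWD = r"""
NEWCONTOSO\administrator:*:10000:10001:Administrator:/home/administrator:/bin/sh
"""
GETENT_GROUP = r"""
NEWCONTOSO\domain users:*:10001:
NEWCONTOSO\administrator:*:10002:
NEWCONTOSO\fattoria_mckenzie:*:10003:
"""

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    for ace in acl["aces"]:
        print(ace.tag, ace.name, "full_control" if is_full_control(ace) else sorted(ace.perms))
    for finding in audit(acl, parse_getent(GETENT_PASSWD), parse_getent(GETENT_GROUP)):
        print("WARNING:", finding)
```

On a real box, feed it `getfacl /mnt/volume/pollaio`, `getent passwd` and `getent group` instead of the embedded samples. Any ACE the audit flags as ambiguous or unresolvable is one whose effective principal may differ from what the Windows security dialog showed, which is exactly the situation where replacing the named entries with owner@/group@ on a `root:domain admins` dataset, as anodos suggests, removes the guesswork.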
 