Downgrade from 9.2.1.7 to 9.2.0 because of CIFS permissions

Status
Not open for further replies.

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, I'm thinking about downgrading because of problems with setting access policy on CIFS shares. On version 9.2.0 I had no problems setting these permissions (UNIX). After upgrading to 9.2.1.7 I have problems with inheritance of rights for newly created directories and files, as well as with the pre-defined access rights for "everyone" (I don't want default access for everyone on the network).

Also, I cannot find a good tutorial or documentation for these changes in the new FreeNAS.

Is it worth waiting for a newer version, or should I downgrade and wait for well-documented tutorials?
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
I set up a dataset in FreeNAS version 9.2.0 using UNIX ACLs (all working well, permissions-wise). Next I upgraded to 9.2.1.7, switched to Windows ACLs and clicked "Set permission recursively:". Then I restarted the Samba service. After that my dataset has these permissions:

Code:
# file: dataset                                                               
# owner: aaa                                                            
# group: bbb                                                               
            owner@:rwxpDdaARWcCos:fd----:allow                             
            group@:rwxpDdaARWcCos:fd----:allow                             
         everyone@:r-x---a-R-c---:fd----:allow



But I don't want access for "everyone", and I don't want Windows users to be able to change permissions.

I want something like this:
Code:
# file: dataset
# owner: aaa
# group: bbb
owner@:rwxpDda-R-c---:fd----:allow
group@:rwxpDda-R-c---:fd----:allow
everyone@:--------------:------:allow


And I want new files and folders to inherit these settings. All of this I can't set (maybe to someone I'm just stupid, but I want to learn and so far I haven't found a solution).

The next problem is setting permissions from Windows on hidden CIFS shares or on shares that hold a lot of data, more than 10TB - this needs some commands in the CLI.
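
An added example, not part of the original post: a small Python audit of the two `getfacl` listings above, reporting the allow entries that open the share to everyone, that carry the `C` (write_acl) or `o` (write_owner) bits, or that lack an inherit flag. The function and constant names are made up for this illustration.

```python
# Added example, not from the thread: audit getfacl output in NFSv4 ACL format.
CHANGE_BITS = {"C": "write_acl", "o": "write_owner"}  # allow changing permissions

# The two ACLs from the post above (result after the upgrade, and the wanted one).
AFTER_UPGRADE = """\
# file: dataset
# owner: aaa
# group: bbb
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow
"""
WANTED = """\
owner@:rwxpDda-R-c---:fd----:allow
group@:rwxpDda-R-c---:fd----:allow
everyone@:--------------:------:allow
"""

def parse_acl(text):
    """Turn getfacl lines into dicts; comment lines (# file: ...) are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        n = 2 if fields[0] in ("user", "group") else 1  # named entries carry a name
        if line.lstrip().startswith("#") or len(fields) < n + 3:
            continue
        perms, flags, kind = fields[n:n + 3]
        entries.append({"who": ":".join(fields[:n]), "perms": set(perms) - {"-"},
                        "flags": set(flags) - {"-"}, "type": kind})
    return entries

def audit(entries):
    """Return (who, problem) pairs for allow entries that match the thread's complaints."""
    findings = []
    for e in entries:
        if e["type"] != "allow" or not e["perms"]:
            continue  # deny entries and empty allow entries grant nothing
        if e["who"] == "everyone@":
            findings.append((e["who"], "grants access to everyone"))
        for bit, name in CHANGE_BITS.items():
            if bit in e["perms"]:
                findings.append((e["who"], "can change permissions (%s)" % name))
        if not {"f", "d"} <= e["flags"]:
            findings.append((e["who"], "missing file or directory inherit flag"))
    return findings

if __name__ == "__main__":
    for who, problem in audit(parse_acl(AFTER_UPGRADE)):
        print(who, "->", problem)
```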
 

dlavigne

Guest
OK, so the settings are at their defaults, which is good. You should now be able to fine-tune them to what you want from a Windows client.
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
I tried that, but the settings are not inherited by new folders and files, and users can change permissions even if I set only read-only permissions... And how do I set up 10TB from Windows? :( And how do I set up hidden shares from Windows?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I tried that, but the settings are not inherited by new folders and files, and users can change permissions even if I set only read-only permissions... And how do I set up 10TB from Windows? :( And how do I set up hidden shares from Windows?

I don't have time to extensively troubleshoot right now, but it appears that new files and folders are created with extraneous permissions entries including "everyone", the current user, and the current user's primary group (read and write permissions). The extraneous permissions I tested with a user with "full control" in the following situation:

Shared folder configured with following NTFS permissions:
Admin Group: full control
Staff Group: Read, Write, Modify

Folders created within share inherit permissions properly, but add the aforementioned entries.

A stopgap solution may be to configure share definition access controls via the "auxiliary parameters" field in your share config. These have the following syntax:

valid users = @group1 @group2 user3
write list = @group1

Share definition access controls will take priority over the Windows ACLs and will be applied across the entire share.
Note that versions of FreeNAS prior to 9.2.1.7 are vulnerable to a critical remote code execution vulnerability in nmbd (the NetBIOS name server part of Samba/CIFS).
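
An added example, not part of the original post: a Python model of how Samba combines the `valid users` and `write list` lines shown above with the share's `read only` setting, following the behaviour documented in smb.conf(5). The accounts, group memberships and function names are hypothetical, and only plain names and `@group` entries are handled.

```python
# Added example: models how smbd combines the share-level parameters from the post above.
def in_list(user, groups, value):
    """True if the user, or one of the user's groups (written @group), is in the list."""
    for name in value.replace(",", " ").split():
        if name == user or (name.startswith("@") and name[1:] in groups):
            return True
    return False

def share_access(user, groups, share):
    """Return 'none', 'read' or 'write' for one user on one share definition."""
    valid = share.get("valid users", "")
    if valid and not in_list(user, groups, valid):
        return "none"  # a non-empty valid users list refuses everyone else
    read_only = share.get("read only", "yes") == "yes"  # smb.conf default is yes
    if in_list(user, groups, share.get("read list", "")):
        read_only = True
    if in_list(user, groups, share.get("write list", "")):
        read_only = False  # write list wins over read only and read list
    return "read" if read_only else "write"

# Hypothetical accounts and their group memberships.
USERS = {"alice": {"group1"}, "bob": {"group2"}, "user3": set(), "mallory": {"guests"}}
# The two auxiliary parameters from the post.
AUX = {"valid users": "@group1 @group2 user3", "write list": "@group1"}

def table(read_only):
    """Share-level access of every sample user for a given 'read only' value."""
    share = dict(AUX, **{"read only": read_only})
    return {user: share_access(user, groups, share) for user, groups in USERS.items()}

if __name__ == "__main__":
    for setting in ("yes", "no"):
        print("read only =", setting, table(setting))
```

With `read only = no`, `write list` narrows nothing: every valid user can write as far as the file ACLs permit.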
 

titan_rw

Guru
Joined
Sep 1, 2012
Messages
586
I must have missed something, but I'm on 9.2.1.7, and am still using Unix file permissions. Everything is working great here.

I've got both Windows and Linux clients. Usernames and passwords on the clients match the usernames and passwords on FreeNAS. Everything 'just works'.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> I must have missed something, but I'm on 9.2.1.7, and am still using Unix file permissions. Everything is working great here.
>
> I've got both Windows and Linux clients. Usernames and passwords on the clients match the usernames and passwords on FreeNAS. Everything 'just works'.

There are ways to bend FreeNAS to make it do that. They will work, but they will work pretty much by chance and not because it's designed that way. There's a chance you might find that someday some upgrade will suddenly make your stuff not work. :/
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I must have missed something, but I'm on 9.2.1.7, and am still using Unix file permissions. Everything is working great here.
>
> I've got both Windows and Linux clients. Usernames and passwords on the clients match the usernames and passwords on FreeNAS. Everything 'just works'.

Okay, it doesn't affect all users. What I did to produce the problem was as follows:
(1) Create volumes with ownership user = administrator, group = admin
(2) Set ACLs to allow a few different user groups as well as "admin".
(3) Work 10+ hours in a row and decide it is a good idea to remove the group "admin" from the permissions.

I think there is also some residual fun from me nuking permissions with a chmod -R command from a while ago.
If your "ls -l" output looks like this, you're holding it wrong. :)
Code:
d---------+   9 user        users        9 Aug  8 15:25 Weeks/ 

I'll reset default permissions and see if I can reproduce the OP's problem.
 