Help understanding pool storage vs boot/config storage

zeebee

Explorer
Joined
Sep 18, 2019
Messages
50
I'm almost at the point of putting 'production' data onto my first FreeNAS system, but there's still something I'd like to understand better before going ahead.

If my boot drive is lost (or I do a clean install), FreeNAS lets me import my pool from my pool drives. I know I'm also able to import my FreeNAS config, assuming I had a backup. However, what I don't understand is exactly which data is coming from the pool, and which from the config - especially when it comes to permissions and users.

For example, I have a dataset for storing security camera footage. I've created a 'security' user (and group) and configured the dataset to use it. This all works great. However, if I nuked my boot drive, did a clean install, and imported my pool... what happens? Assuming I didn't import a backed up FreeNAS config, does the pool know about this 'security' user and the associated permissions? If not, what happens to the ownership on the files?

Any insights you can give me here would be much appreciated :)
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Config contains the user database... this maps names (like security) to the userID (like 1001 or whatever number you assigned... or was automatically assigned on user creation) which is stored in the individual access entries for files and directories. Same for groups and groupID.

Without that user database, the permissions of the files and directories in the data pool(s) will just be numbered users/groups that don't necessarily exist on your system.

Either restore config (if you set one of your data pools as the system dataset location, it will automatically have a recent config there to restore from), or recreate users/groups with the same IDs and names and everything will be back to normal.

Worst case, start again by using root to chown the files (changing ownership to whatever users/groups you want).

This is all standard unix permissions.

If you're going to do fancy stuff like Windows permissions, you'll need to understand that (but usually this means the permissions refer out to a Windows user database, so not part of this discussion, and the ACLs are retained in the data pool anyway in that case).
 

zeebee

Explorer
Joined
Sep 18, 2019
Messages
50
Ah, I see. So when I do an "ls -l /mnt/tank", it's pulling the IDs from the pool file system, but resolving the names using the user database (stored elsewhere). That seems like it would be fine from a recovery sense, and I'm not doing anything that would make rebuilding the permissions using chown a problem anyway.

I am using windows shares, but they seem to be working ok with just setting up the users/groups/permissions in FreeNAS, rather than using any ACL or domain controller stuff (I don't really understand all that, hoping it's something I don't need).

You said my config should be available in my pool if it's set as my system dataset location. In the GUI, under "System/System Dataset", my pool is listed as the system dataset (I think I set this after install). However, I don't see any system dataset listed under "Storage/Pools", nor under "/mnt/tank" via shell. This seems odd, or is it hidden somehow?
 

zeebee

Explorer
Joined
Sep 18, 2019
Messages
50
@sretalla - I've been setting up shares in different ways to experiment with permissions, and I think I'd like to use something beyond just the basic "same permissions for all users". This has led me to the ACLs that you mentioned above. I'm only just starting to play around with them, but I thought you might be able to confirm something for me. From what I can tell, I can use ACLs without using a Domain or any kind of windows user database. Is this correct? This is just for our small family, but I'd like to be able to have different permissions for parents vs kids (for example, so the kids can view our photo library, but not delete photos they don't like!). It looks like the ACLs are attached to the pool storage (like you said above) and I imagine use the same user ids that regular permissions use?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
An ACL is just a hidden file stored in a directory with information about which ID should be able to access what.

The IDs that are stored in the ACL can be Domain IDs, or probably also Homegroup IDs (not sure if the Windows version you're using supports that).

Getting User IDs to match between different windows PCs isn't simple, so that's probably not going to work out too well.
You should use the Windows interface to create the ACL by assigning permission to the files/ directories.

@anodos has some excellent resources and guides available for that if you search for his posts in the forum.
 

zeebee

Explorer
Joined
Sep 18, 2019
Messages
50
The IDs that are stored in the ACL can be Domain IDs, or probably also Homegroup IDs (not sure if the Windows version you're using supports that).
Hmm, I thought in my case they'd just be the IDs of the users on the FreeNAS system.

Getting User IDs to match between different windows PCs isn't simple, so that's probably not going to work out too well.
So what I'm doing is creating users on the FreeNAS system (using the Accounts UI), and setting the same username and password as used for the windows local user login (non-domain users). When I try and access the share, windows just logs in automatically using the local credentials. I can also do a 'Map Network Drive' using different credentials.

So if I'm understanding all this correctly, I'm not really keeping any user IDs in sync, I'm just allowing a Windows user to log in to FreeNAS using a FreeNAS user account. I then set the ACL permissions using the Windows 'Security' dialog etc.

My tests seemed to work nicely, except I ran into one problem I haven't been able to solve yet. I may just need to do more reading/experimenting, but I couldn't get inheritance of permissions to work correctly for new files that are in folders that do not have inheritance enabled.

Here's the kind of thing I'd love to be able to do:

//FreeNAS/Shared (Share accessible to everyone in the 'Shared' group - parents and kids)
//FreeNAS/Shared/Data/Parent1 (Share accessible to Parent1 and Parent2)
//FreeNAS/Shared/Data/Parent2 (Share accessible to Parent1 and Parent2)
//FreeNAS/Shared/Data/Kid1 (Share accessible to Parent1, Parent2 and Kid1)
//FreeNAS/Shared/Data/Kid2 (Share accessible to Parent1, Parent2 and Kid2)
etc.

This almost seems to work, but the problem I run into is that when Parent1 creates a file in /Shared/Data/Parent1, it does not inherit the full permissions of the /Shared/Data/Parent1 folder - instead, only Parent1 has access, not Parent2.

If anyone has any insights into this it would be most appreciated. I will continue to try and work it out - my next step is going to be reading more about the output of getfacl so I can try and understand better what's going on. I'm just hoping this isn't a bug in FreeNAS, and rather just something I'm doing wrong.
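Since the next step mentioned is reading getfacl output, here is an added example (not from the thread or from FreeNAS itself) that parses FreeBSD-style NFSv4 ACL entries as getfacl prints them and reports which entries a newly created file will actually receive: only entries carrying the 'f' (file_inherit) flag are copied to new files, so an entry for a second user that lacks 'f' explains a file that only its creator can access. The sample ACL, path and user names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample of FreeBSD `getfacl` output for an NFSv4 ACL on the kind of
# per-parent directory discussed above; not captured from a real system.
SAMPLE_GETFACL = """\
# file: /mnt/tank/Shared/Data/Parent1
# owner: parent1
# group: shared
            owner@:rwxpDdaARWcCos:fd-----:allow
      user:parent2:rwxpDdaARWcCos:-d-----:allow
            group@:r-x---a-R-c---:fd-----:allow
         everyone@:--------------:fd-----:allow
"""

@dataclass
class AclEntry:
    tag: str     # owner@, group@, everyone@, user:<name> or group:<name>
    perms: str   # 14-character NFSv4 permission string
    flags: str   # 7-character flag string in the order f d i n S F I
    kind: str    # allow or deny

def parse_getfacl(text):
    """Parse getfacl(1) NFSv4 output into AclEntry objects, skipping '#' headers."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rsplit because the tag itself may contain ':' (user:name, group:name)
        parts = line.rsplit(":", 3)
        if len(parts) != 4:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        entries.append(AclEntry(*parts))
    return entries

def acl_for_new_file(entries):
    """Entries a newly created file receives: only those with the 'f' flag,
    with inheritance flags cleared and 'I' (inherited) set."""
    return [AclEntry(e.tag, e.perms, "------I", e.kind)
            for e in entries if "f" in e.flags]

def grants_without_file_inherit(entries):
    """Tags that grant access on the directory itself but will NOT be copied
    to new files, which leaves only the file's creator with access."""
    return [e.tag for e in entries
            if e.kind == "allow" and set(e.perms) != {"-"} and "f" not in e.flags]

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for e in acl_for_new_file(acl):
        print(f"new file gets {e.tag}:{e.perms}:{e.flags}:{e.kind}")
    print("not inherited by new files:", grants_without_file_inherit(acl))
```

The ZFS aclinherit dataset property (restricted by default) can additionally strip the write_acl and write_owner bits during inheritance; the simulation above does not model that.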