How to access a public CIFS share and one that needs a login at the same time on Windows 7?

Status
Not open for further replies.

senior_hombre

Explorer
Joined
Feb 11, 2012
Messages
51
Hi,
I am currently trying to achieve the following:
- have two CIFS shares: one that belongs to a user called "user1" and needs a login and another one that needs no login and is accessible by everyone in the network

At first I created two datasets: one called user1 (located at 192.168.0.17:/mnt/volume1/user1) and another called public (located at 192.168.0.17:/mnt/volume1/public)
The first one is owned by a user called "user1"; it has the default restrictions (not directly related but noteworthy: I am using the UNIX share type [that's the default when creating a new dataset]).
The other one is owned by a user called "public". I needed to create the user "public" (and later choose this user as the guest user in the CIFS service settings, because you cannot give a user a home directory [in my case the dataset] when it has a different name than the user; if you try, you get a new subdirectory created with the name of the user, but that's definitely not what I want!).

Then I created a normal share for the user1-dataset and a special one (with guest login allowed and restricted to, as described here: http://doc.freenas.org/index.php/CIFS_Shares#Configuring_Anonymous_Access)

The results are the following:
- both shares are listed on all Windows 7 clients in the network - that's good
- the user1-share wants a login when trying to access it, and it only allows access when the correct username and password are given; when using "user1" and his password, full access is granted (including creation of files): that's good too
- when trying to access the public directory, access is granted too: looks good at first sight
- but when trying to create or change a file in the public directory I get "access denied": that's not what I want

What is happening here? I thought using the tutorial posted above would result in everyone accessing as the owner of the directory (which of course has full rights), because it is set as the CIFS guest account.
Is it not true?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
So there's a Windows limitation at work here. You can only authenticate with a server via a single username and password. So once you authenticate with //freenas (or whatever it's called) you can't authenticate to it again. Don't like this limitation? Start using Linux. ;)

There's 2 ways to deal with this "limitation".

1. Use one share for //freenas and one share for //ip.address.blah.blah. Windows will see these as 2 separate servers and you'll get two chances. Note that since you should never put more than one NIC from a server on the same subnet at the same time you can't buy a 4 port NIC and give yourself a bunch more IPs. People have tried this and it ends badly.
2. Create a group on the public directory and put everyone in the domain in that group with the appropriate permissions. Now they can authenticate with their username and that authentication will properly work with both shares.
 

senior_hombre

Explorer
Joined
Feb 11, 2012
Messages
51
Option 2 sounds good for me, this is what I did:
I changed the group permissions for the public directory/dataset to rwx (the group is called "public" like the public user), then I added the user "user1" to the "public" group by adding the group "public" to its auxiliary groups.
Now I can create files and read existing files (which is a great step further, so thanks for that) but I cannot edit existing files!
Is there something I am missing?

And then there is still the problem with people that have no account on the NAS (real guests): how can I have them accessing the public directory? They never had an option to log in to the NAS and therefore the problem with double connections should not apply here.

edit:
I think the reason that I am allowed to read, create and even delete files but not edit them is because it is not using the group permissions here. The owner and the group permissions are rwx but the "others" permissions deny writing; that is strange because I added user1 to the public group.
I hope it has nothing to do with the fact that I added the group as auxiliary?
 
Last edited:
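An added illustration, not part of any post in this thread: a small model of plain Unix mode-bit checks, showing how a user can create and delete files in a directory yet be unable to edit an existing file there. The UIDs, GIDs and the 0644 file mode are constructed assumptions; ACLs and Samba share options are not modelled.

```python
from dataclasses import dataclass

W, X = 2, 1  # write and search/execute bits within one rwx triplet

@dataclass(frozen=True)
class Node:            # a file or directory: owner, group, mode bits
    uid: int
    gid: int
    mode: int

@dataclass(frozen=True)
class Cred:            # a process identity: uid plus primary and auxiliary gids
    uid: int
    gids: frozenset

def perm_class(cred, node):
    # Exactly one class applies: owner first, then group, then other.
    if cred.uid == node.uid:
        return "owner"
    return "group" if node.gid in cred.gids else "other"

def allowed(cred, node, want):
    shift = {"owner": 6, "group": 3, "other": 0}[perm_class(cred, node)]
    return ((node.mode >> shift) & want) == want

def can_create_or_delete(cred, directory):
    # Adding or removing a name needs write+search on the directory only
    # (no sticky bit assumed); the file's own mode is not consulted.
    return allowed(cred, directory, W | X)

def can_edit(cred, file):
    # Changing contents needs write on the file itself.
    return allowed(cred, file, W)

# Constructed sample values (not taken from the thread's system).
USER1 = Cred(uid=1001, gids=frozenset({1001, 1002}))   # "public" as auxiliary group
GUEST = Cred(uid=1002, gids=frozenset({1002}))         # guest mapped to "public"
PUBLIC_DIR = Node(uid=1002, gid=1002, mode=0o775)
GUEST_FILE = Node(uid=1002, gid=1002, mode=0o644)      # assumed default file mode

def summary(cred, directory, file):
    return {"class_on_file": perm_class(cred, file),
            "create_or_delete": can_create_or_delete(cred, directory),
            "edit": can_edit(cred, file)}

if __name__ == "__main__":
    print("user1:", summary(USER1, PUBLIC_DIR, GUEST_FILE))
    print("guest:", summary(GUEST, PUBLIC_DIR, GUEST_FILE))
```

In this model the auxiliary group does count: user1 lands in the group class, and it is the file's own group bits (r-- under 0644), not the directory's, that decide whether an existing file can be edited.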

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yes, you shouldn't be using unix permissions for CIFS shares... you should be doing windows ACLs (aka setting permissions from within Windows itself). Read up on the commands getfacl and setfacl too if interested in editing file/folder permissions from the FreeNAS CLI.
 

senior_hombre

Explorer
Joined
Feb 11, 2012
Messages
51
What does it mean: "I should not"? But I can, right? If I want to? The problem is the lack of documentation. I do not want shitty Windows 7 permissions, I am aiming for a Linux environment with the option to allow Windows (only Windows 7) clients to access.
That's why I am using CIFS; I definitely cannot switch to Windows datasets.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
If you are a samba/zfs/nfsv4 permissions expert and understand how FreeNAS makes permissions work, sure.

However, by the simple virtue that you are having problems I know for 10000% certainty you are NOT in that group.
 

senior_hombre

Explorer
Joined
Feb 11, 2012
Messages
51
Yes, that's why I am hoping to get some help from an expert in this forum. I mean, where to ask for FreeNAS related problems if not in a FreeNAS forum?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
That's why I told you to look at setfacl and getfacl
 

senior_hombre

Explorer
Joined
Feb 11, 2012
Messages
51
I did but it did not help. Btw: even changing the permissions for the public dataset to 777 did not allow editing. And your statement about double authentication did not seem to be relevant for my problem; even clients that never logged on to the server can access the public directory like everyone but they cannot edit files. So this has to be a problem with the FreeNAS configuration. The tutorial seems to be wrong because it has an example configuration for an anonymous share which I followed exactly (and it did not include setfacl and getfacl)

But what's with the "Directory Service" setting, found at: system -> settings? It allows 5 settings:
- Active Directory
- Domain Controller
- LDAP
- NT4
- NIS
or nothing; the default seems to be the blank setting. Do I maybe need one of those? It seems to be related to user management.
 