I must say goodbye to FreeNAS as it's just not ready for me yet...

Status
Not open for further replies.

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
Let me start out by saying I love everything about FreeNAS and wanted to try it out because of the ZFS volumes. I wanted to play around with RAIDZ pools and see how they performed. It took some getting used to but now I'm zooming around in FreeNAS...

The Problem:
I depend on Windows ACLs a lot. Below I have quickly drawn up a diagram of something I wish to achieve. It does not seem to be possible with FreeNAS. With FreeNAS I have the ability to do simple UNIX-like ACLs (ex: 774 or 770, etc) making a user the owner of a folder with full rw access (7) and a group have read only rights (4). The issue is I need to be able to create a share/folder that has different groups with different access (see below). I have tried every type of workaround I could think of (even creating multi shares for one ZFS dataset with different permissions, but you can't set permissions on a share so that was a bust) to make this work but it seems I will have to fall back, install Windows Server 2008 which I was hoping not to do. I really wanted to use FreeNAS but I don't see any other options... Am I missing something that would be a solution to my problem?

freenas permissions.png
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
You've given up too early. First thing I'd do, since your setup seems to be a POC, is make sure I'm using the latest 9.2.1.4 RELEASE for the install...it has a few important fixes you'll want. Second thing...are you using Active Directory? It's not clear, but you do mention domain_admins in your layout. I haven't tested this in a non-AD domain environment, but it should work. You mentioned that you were unable to set share permissions. You absolutely CAN do this. From Windows, open up compmgmt.msc (computer management tool) and connect to your FreeNAS box, expand to System Tools/Shared Folders/Shares. From there you can set the share permissions and NTFS permissions. This should allow you to accomplish what you need. Make sure you thoroughly read the FreeNAS Windows CIFS share documentation too...in particular the options in bold that you do not want to enable. Also be sure your dataset ACL type is set to Windows/Mac.
 

Arvo Bowen

Could bigphil be my hero? Time will tell! ;)

First off, thanks... I can't say it enough. I really wanted to keep FreeNAS! Second, I meant for this thread to come off as a question not a statement. I haven't given up yet, that's why I took the time to make my sweet photo...

;)

Oh yeah, before I get started... What's the best way to upgrade to the latest beta without losing my current settings?

Edit:
Wow! I just noticed you didn't say "beta"... I just downloaded FreeNAS not too long ago and it jumped from 9.2.1.2 to 9.2.1.4 already!! Way to go guys!!! Looking at the upgrade package now.
Thanks!

Edit2:
While I'm waiting for the upgrade to happen (figured it out, man is it simple), I wanted to answer a few questions you had bigphil...
1) Yes I do run a domain.
2) I have read all over that Windows CIFS shares document and I could not find the answer I was looking for. It brought a smile to my face when you said "From Windows, open up compmgmt.msc (computer management tool) and connect to your FreeNAS box, expand to System Tools/Shared Folders/Shares."... THAT I think is exactly what I'm looking for!
 

bigphil

Excellent! Well, let us know how it goes and if you have any other questions.
 

Arvo Bowen

OK bigphil here is the deal... I simply can't make it work. :/

Is there any way you could quickly write up a few steps on EVERYTHING I need to do to make this happen? Currently I have done the following...
1) Created a ZFS dataset called 'xbmc'...
freenas_zfs_permissions.png

2) Created a new share called 'xbmc'...
freenas_share_permissions.png

3) Set up the CIFS service settings...
freenas_cifs_settings_1.png

freenas_cifs_settings_2.png

4) Opened up computer management and managed my FreeNAS server...
fn1_computer_management.png

5) Share permissions on 'xbmc'...
fn1_xbmc_share_permissions.png

6) Security Permissions for 'xbmc'...
fn1_xbmc_security_permissions.png

7) Advanced Security Permissions for 'xbmc'...
fn1_xbmc_advanced_permissions.png


Any ideas what in the heck I'm doing wrong?? I feel like I'm so close yet so far away! Thanks!!!
 

bigphil

So what is the problem? What's not working with the settings you have posted?
 

Fox

Explorer
Joined
Mar 22, 2014
Messages
66
This might be of some use..

View: https://www.youtube.com/watch?v=PhYkZlbBbwk


Video is a little long and has a lot of tangents, but I think it might be what you want.. I didn't watch the whole thing though.

I'm having trouble with viewing the FreeNAS users on a Windows box so I can assign permissions. It's shown working at time 16:16 in the video. I can't "Check Names" on my equivalent of "JimTheUser". For some reason it doesn't find any users that are not the owner or the group as designated in FreeNAS (those two items it pulls over fine).

I think (hope) that it is a problem with my configuration/setting on my box.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah.. that setup isn't exactly the best guide in the world. It's sloppy, it works (for some definitions of works), but it's definitely not the most ideal.
 

Arvo Bowen

Thanks guys! I'll check out the video ASAP and see if it helps.

As for bigphil's question... Here is a pic to show you the issue... ;)

windows_share_access_error.png
 

bigphil

What it looks like to me is that you're attempting to use the "media" user account from a local PC and not the media@galaxy.local domain account to connect to the FN1 box, but the FN1 box is set to use the domain account. The only way that would work is if both accounts have the exact same password. It's not guaranteed to work that way if there is some SID checking, but I've usually seen it work as long as the username and password are the same for both accounts. Can you log on to the workstation with the media@galaxy.local account and try to browse \\fn1\xbmc ? Also...for getting the user information, use the command "whoami /all" instead of rsop info for this scenario.
 

Arvo Bowen

OK bigphil a few things...
1) I have always been using the domain account, yes I did have a local media account up until mere minutes ago. I just deleted the local media account thinking maybe it was getting confused in some way with the domain account. I simply wanted to remove a variable from the scenario. I logged back into the domain account and this is what I have. ;)
windows_share_access_error_whoami.png


2) I was thinking of something else that might be the problem... I started this whole FreeNAS venture out without a domain. Then thinking that I had to have a domain to make the CIFS work I ended up creating a domain. So originally I did have a local 'media' user within FreeNAS's database. Since then I have removed all local users from FreeNAS (except root) and created the domain with a user named 'media'. Maybe 'media' itself is having the problem? Maybe I need to use a different username so that old info is not affecting the shares somehow?
 

bigphil

It'd definitely be worth a shot to create a new domain account and then set that account with permissions to the share and NTFS security to see if that is the issue. When you set the NTFS permissions, click the advanced button and then use the option "replace all child object permissions..." so it recursively sets the permissions.
 

Arvo Bowen

OK, well I gave that a shot and still a no go... :/ I cannot believe this is not working. It seems that everything is just like it needs to be! Any other ideas? I feel like I'm so close!!! :)

Thanks!
 

Arvo Bowen

Interestingly enough... I just tried to create a completely new dataset called 'test' leaving EVERYTHING as the defaults and just changing the owner to 'nobody' and the ACL type to Windows, that's it!... Created a share called 'test' leaving all the defaults...

After restarting the CIFS service on FreeNAS I was able to see the new 'test' share and all my domain admins could browse the folder just fine. However my new 'xbmc' user could not access the share.

The interesting part is on the share properties Share Permissions is set to Full Control for 'Everyone' and the security settings show three users... 1) Everyone (read access)... This should let EVERY user get into the share, 2) wheel (Full Control), and 3) An unknown GUID user with read only access and some special permissions.

But seeing that everyone is listed under the share permissions and the security permissions I don't see why it will not let my user in!... :/ Ideas?
 

bigphil

I'm thinking you just don't have the correct permissions applied. Are you sure that "domain admins" group you set on the dataset permissions is the real GALAXY\Domain Admins group? I'm thinking it's a local group you created on the FreeNAS box and not the AD group. I would set the permissions like this to test: Dataset > Owner (user) = GALAXY\Administrator, Owner (group) = GALAXY\Domain Admins. After this, log on to a Windows box with the GALAXY\Administrator account and see if you can access the share.

EDIT: I just saw your newest post. So seeing that you have no trouble with the other accounts, just the GALAXY\xbmc account, I would also add it to the share and NTFS permissions and see if you can get in with that account. Remove the Everyone permissions for now.
 

scotch_tape

Guest
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut at rutrum mauris, a bibendum nisl. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Duis gravida odio in eros porta porttitor. Proin ornare tincidunt mattis. Vestibulum vel nisl dignissim, consectetur felis sed, tristique augue. Nulla semper elit nec sem pulvinar, non convallis velit tincidunt. Nam egestas accumsan quam. Mauris efficitur nisi eget tellus suscipit, vitae posuere lacus suscipit.
 
Last edited by a moderator:

bigphil

It shouldn't be necessary to reboot the FreeNAS box, just restart the CIFS service. You may also try unchecking the "inherit ACL's" check box on the CIFS share and try to control that property from Windows instead. Like @scotch_tape said...when testing this out, it's probably a good idea to start with a fresh CIFS share. There is a recent bug post about some inheriting issues. Bug #4606 might be worth a peek.
 

Arvo Bowen

Great guys! Thanks a bunch for the suggestions. I'm giving the following a shot based on both of your suggestions...

1) Backup all data from the current xbmc share to another folder with the following command from a shell...
-> # mv /mnt/root_data/xbmc/* /mnt/root_data/old_xbmc/
2) Destroy the xbmc share.
3) Destroy the xbmc dataset.
4) Create the new xbmc dataset.
5) Create the new xbmc share (with no extra settings checked, ex: the inherit ACL's).
6) Rebooted the FreeNAS server.

... I'll let you guys know the results soon!
 

Arvo Bowen

OK so... :/ Still did not work...

1) Destroy the xbmc share.
2) Destroy the xbmc dataset.
3) Create the new xbmc dataset with all defaults and changed share type to WINDOWS.
4) Changed permissions on the xbmc dataset to owner:user 'nobody' and owner:group 'domain admins'.
*** Just checking, but using the group 'domain admins' is the same as 'GALAXY\domain admins' right? Because that was the option it gave me ('domain admins') not 'GALAXY\domain admins'.
5) Create xbmc share with all defaults and unchecked 'Inherit ACL's'.
6) Rebooted the FreeNAS server.
7) Logged off client Windows machine then back on (due to old cached credentials I think) because I could not access the FreeNAS server.

Edit:
8) Open up computer manager in Windows, managed another PC (in my case I managed 'fn1').
9) Expanded System Tools, then Shared Folders, then Shares.
10) Right clicked on the 'xbmc' share and clicked on properties.
11) Clicked the 'Share Permissions' tab and set the following (arvo.bowen is MY domain user account)...
- arvo.bowen@galaxy.local (Full Control)
- xbmc@galaxy.local (Full Control)
- Administrator (Full Control) -- note it would not let me set Administrator@galaxy.local as a user.
12) Clicked the "Security" tab.
13) Added all the same users that I added in Share Permissions and gave them Full Control.

Still no luck... I expected (before setting any share/security rights) the user xbmc@galaxy.local to be able to view the share because "Everyone" was a user in both the share and security permissions... It seems that it's ONLY letting my domain admins in the domain access the share... and nothing else by default... So weird...
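
Two suspicions raised in this thread are name collisions: a leftover local 'media' user next to the domain's 'media', and a 'domain admins' group that may be local to the FreeNAS box rather than the AD group. The script below is an added example, not code from any poster; it assumes the domain lists are saved output of `wbinfo -g` and `wbinfo -u`, and all sample data in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list names that exist BOTH as a local
# FreeNAS account/group and as a domain one. Sample data below is constructed.

# Drop a leading "DOMAIN\" prefix, lowercase, de-duplicate.
normalize() {
    sed 's/^[^\\]*\\//' | tr '[:upper:]' '[:lower:]' | sort -u
}

# collisions LOCAL_FILE DOMAIN_LIST
#   LOCAL_FILE  : passwd/group-format file (name is the first ':' field)
#   DOMAIN_LIST : one name per line, e.g. saved output of `wbinfo -g` or `wbinfo -u`
collisions() {
    tmp=$(mktemp -d) || return 1
    grep -v '^#' "$1" | cut -d: -f1 | normalize > "$tmp/local"
    normalize < "$2" > "$tmp/domain"
    comm -12 "$tmp/local" "$tmp/domain"   # names present in both lists
    rm -rf "$tmp"
}

# Constructed scenario: a leftover local 'media' user and a local
# 'domain admins' group next to the GALAXY domain's entries.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/group" <<'EOF'
# $FreeBSD$
wheel:*:0:root
nobody:*:65534:
domain admins:*:1001:
EOF
    cat > "$d/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/csh
media:*:1001:1001:old local user:/nonexistent:/usr/sbin/nologin
EOF
    printf '%s\n' 'GALAXY\Domain Admins' 'GALAXY\Domain Users' > "$d/wb_groups"
    printf '%s\n' 'GALAXY\media' 'GALAXY\xbmc' 'GALAXY\arvo.bowen' > "$d/wb_users"
    case "$1" in
        groups) collisions "$d/group"  "$d/wb_groups" ;;
        users)  collisions "$d/passwd" "$d/wb_users" ;;
    esac
    rm -rf "$d"
}

demo groups   # prints: domain admins
demo users    # prints: media
```

On a live box the same check would be `wbinfo -g > /tmp/wb_groups; collisions /etc/group /tmp/wb_groups`; an empty result means no local name shadows a domain name.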
 