I must say goodbye to FreeNAS as it's just not ready for me yet...

Status
Not open for further replies.

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
It seems I have stumped everyone... :/
I wish it was something I was doing wrong and could correct. I just don't get why it's acting the way it is... I really hate to have to ditch FreeNAS but I have to have my security permissions.... Otherwise I would just leave it open for everyone.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah.. we ("we" being the more experienced users) deliberately avoid questions around permissions. It's complex, not something I can just impart in 30 minutes, nor is it something I could easily explain in a whole evening of typing on the forums.

"We've" all learned not to answer these questions because it's just too time consuming.
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
I have a feeling your FreeNAS box is not properly connected to your domain. In my experience, it should list the domain admins group as "<NetBIOS name of domain>\Domain Admins".

What type of domain do you have? You've never actually specified. If it's Active Directory, you've got some issues and should visit my discussion thread on how to properly configure FreeNAS for AD. If it's any other platform, I can't offer much more assistance here.
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
I have a feeling your FreeNAS box is not properly connected to your domain. In my experience, it should list the domain admins group as "<NetBIOS name of domain>\Domain Admins".

What type of domain do you have? You've never actually specified. If it's Active Directory, you've got some issues and should visit my discussion thread on how to properly configure FreeNAS for AD. If it's any other platform, I can't offer much more assistance here.

Humm... Yes I do use AD. It seems after each reboot of FreeNAS I have to type my admin password again for it to recognize domain accounts... I'll take a look at the thread. Have a thread link by chance? ;)

Arvo
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
Ok, now that we are all set there, now its time to create an AD computer account for your FreeNAS box in AD. For this article, we'll call it NAS1. After this, create an A record for the NAS1 computer account in your DNS server. Now create a new user account that is configured with a Non-Expiring password. We'll call it, NAS1USER. Now go back to the computer account, NAS1, and open the properties of the account. On the security tab, add the NAS1USER account with Full Control permissions. What this does is get around the issue of having to use an Administrator or Domain Admin account to join AD and set the secure channel for the account.

The new feature in 9.2.1 for using a Keytab file seems like a nice idea, but the documentation is not quite ready from what I see. What's currently on the wiki for this seems wrong to me. It says, and I quote, "hostname is the fully qualified hostname of the domain controller." I think it should be hostname = NAS1, i.e. the hostname of your FreeNAS system. I'm speculating here, but I wouldn't trust it yet without some definitive documentation and tests.

Regardless...the documentation also states to fill in the Directory Services settings "Domain Account Name" and "Domain Account Password" with a less privileged account for running lookups. Ummm...ok, so that will still be in the database in clear text? Oh well, if it needs it...it needs it. The good thing is, that for this config, you insert the NAS1USER account here. So it is a less privileged account BUT it has Full Control of the NAS1 computer account. Boom...it all works! Users and Groups get populated when setting permissions on a Dataset and CIFS shares work as expected.

For the CIFS permissions, you'll need to edit your Dataset permissions and change it to Windows / Mac ACL style and change Owner (user) to be an AD account and Owner (group) to be an AD group of your choice. These two accounts will have inherited permissions to the share.
One note here is that there is currently an issue with "Share Permissions" being set to Everyone. You can change it using compmgmt.msc to connect to the FreeNAS system, but it will revert back when you reboot the NAS. Info here: https://bugs.freenas.org/issues/3644

OK going through it step by step... Got stuck on this part...
Now go back to the computer account, NAS1, and open the properties of the account. On the security tab, add the NAS1USER account with Full Control permissions.

When you right click on a computer object in the "Computers" OU (in my case 'fn1') then go to properties, there are 7 tabs. General, Operating System, Member Of, Delegation, Location, Managed By, and Dial-in. There is no "security tab"...

Suggestions?
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
See post #2 in my discussion thread.
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
See post #2 in my discussion thread.
Dang... I can't believe I forgot that! I was trying to concentrate on making sure I did each and every step that I totally spaced on that one... I must have used that 5 or so times before... Thanks for that!

Arvo
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
OK had the time to finish up finally... I have my new dedicated user "freenas" in place in AD that is only used for the purpose of FreeNAS. I did everything you instructed in your article... I went ahead and tried to query the users on the domain with freenas by typing "wbinfo -u" in the shell and the attached image is what it spit out... Does yours look similar? At one point you told me yours would show up as "user.domain.tld" and mine show up as just "user"...
freenas_wbinfo_users.png
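The `wbinfo -u` output above, and bigphil's earlier remark that a properly joined box lists the group as "<NetBIOS name>\Domain Admins", can be turned into a quick check that runs on the FreeNAS box itself. The script below is added here as an example; it is not code from the thread or from the FreeNAS project. It assumes the NetBIOS domain name is GALAXY (the thread's galaxy.local domain) and that winbind uses its default backslash separator. Names that come back without the `GALAXY\` prefix normally mean Samba is running with `winbind use default domain = yes` (the "Use default domain" checkbox in the FreeNAS Active Directory settings) rather than a broken join; `wbinfo -t` is the part that actually tests the machine account secret, which is what has to survive a reboot.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeNAS project): sanity-check
# the Active Directory join from the FreeNAS shell.
#
#   sh ad-check.sh GALAXY      # live: runs wbinfo / net on the box
#
# The parsing functions read wbinfo output from stdin, so they can also be
# pointed at pasted text. Assumed: NetBIOS name GALAXY, separator "\".

# check_prefix DOMAIN  < output of `wbinfo -u` (or `wbinfo -g`)
# Exit 0 when every non-empty line starts with "DOMAIN\"; otherwise print
# the unprefixed names and exit 1.
check_prefix() {
    awk -v dom="$1" '
        NF == 0 { next }
        index($0, dom "\\") != 1 { print "unprefixed: " $0; bad++ }
        END { exit bad ? 1 : 0 }'
}

# has_domain_admins DOMAIN  < output of `wbinfo -g`
# Exit 0 if the group list contains exactly "DOMAIN\Domain Admins", which is
# the form the permission dialog needs to resolve the group.
has_domain_admins() {
    grep -Fqx "$1\\Domain Admins"
}

# ad_report DOMAIN: live report; needs wbinfo and net (Samba) in PATH.
ad_report() {
    dom=$1
    if ! command -v wbinfo >/dev/null 2>&1; then
        echo "wbinfo not found; run this on the FreeNAS box" >&2
        return 2
    fi
    echo "== machine account secret (wbinfo -t) =="
    wbinfo -t || echo "winbind cannot validate the machine account: the join is broken or winbind is not running"
    echo "== join status (net ads testjoin) =="
    net ads testjoin
    echo "== users (wbinfo -u) =="
    if wbinfo -u | check_prefix "$dom"; then
        echo "all users carry the $dom\\ prefix"
    else
        echo "unprefixed names: check 'Use default domain' in the AD settings"
    fi
    echo "== groups (wbinfo -g) =="
    if wbinfo -g | has_domain_admins "$dom"; then
        echo "found $dom\\Domain Admins"
    else
        echo "no $dom\\Domain Admins in wbinfo -g: not joined, or the prefix is being stripped"
    fi
}

# Run the live report only when a domain name is given, so the file can be
# sourced for its functions without side effects.
case "${1:-}" in
    "") ;;
    *) ad_report "$1" ;;
esac
```

If `wbinfo -t` fails right after a reboot while everything else looks fine, the machine account password is the thing to investigate, which matches the "have to type my admin password again after each reboot" symptom described earlier in the thread.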
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
Well, I guess after two weeks of trying to plug FreeNAS into my environment and it not working for me I will have to move on from this issue... I'll end up installing Windows Server 2008 R2 in its place and just hope that maybe sometime in the future it will suit my needs. I'm sure it works for others but in my case I need the availability to use it just as I would my Windows server. With no viable answers to my issue here I simply can't continue to mess with the issue with all I have going on. I think 2 weeks is more than enough time to try and set up FreeNAS. To everyone who did lend advice and or possible solutions THANKS SO MUCH! Without people like you people like me would be lost...

I have started from scratch 3 times with my FreeNAS server following every tutorial and/or examples that I could but nothing seems to work. I wish I knew what the issue is though... I really like FreeNAS and what it offers. It is unfortunate that my time is limited right now and I can't spend more of an effort on it, but alas I must be moving on.

Thanks again for everyone who had something to say on this thread!
 

Fox

Explorer
Joined
Mar 22, 2014
Messages
66
I think we both started at the same time. I figured out what I needed to do, and it sounds like it is similar to what you want, except I did not use a windows domain. Is that strictly required? If you haven't flattened and reloaded your FREENAS box, I can help this weekend via responses to this thread, I will check it frequently.

In short, I found out that using Windows to set the initial permissions (ACL) was a huge problem. Also, Windows 7 tends to hold on to (cache) certain permissions/connections, so I had to learn how to "reset" the Windows connection in order to see the things I was setting.

I used setfacl and getfacl extensively. I don't suggest setting permissions using Windows, at least not initially. And when I did use these, I saw the results instantly on a connection.

I was able to create a share within a subdir of a share, I was able to give only certain permissions to my xbmc box (certain folders), I was able to assign groups, users, to certain files, folders, and have it inherit as I wanted when new files were created. About the only thing I couldn't do was hide the share (but it listed as empty, and this appears to be the same behavior of a true windows share)

I can type out some instructions on how to do all this. Once you understand it is simple.. But again, I did not use the Windows domain. If you need that, my instructions probably won't be as useful.
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
I'm still in the game. :)

First things first... about the "only thing you couldn't get it to do"... hiding shares... Did you try to make your share with an appended $? Ex: \\mybox\c$\ By default that should hide it... At least in a windows environment... :)

So tell me what you want me to do to test out any theories and/or solutions. I have my box sitting and waiting to be tested on. I can start back at creating a new dataset if needed. Just tell me what to do first.

Thanks btw!
 

Fox

Explorer
Joined
Mar 22, 2014
Messages
66
So, the first thing is to reboot everything just to make sure you have a fresh start. I am not using a domain controller, and I would suggest you switch to the WORKGROUP model as well. Perhaps you can add the DOMAIN model later once you get this part working, but you may not even need it. Well, I know I don't need it. :)

I assume you have read through the wiki docs, but for a quick run through make sure the CIFS is on with the following (this is what I have):

NetBios Name: FreeNAS
Workgroup: WORKGROUP
Description: FREENAS SERVER
DOS Character Set CP437
UNIX Char Set: UTF-8
Local Master: Checked
Time Server for Domain: checked
Guest account: guest (you may need a guest account, though I don't use it)
File mask: 0666
Directory mask: 0777
Support DOS File Attributes: Checked
Server maximum protocol: SMB3
---Rest is blank or not set

Now create a share. there should be a share already for the volume, this will be another one..
I have the following settings:
Name: something descriptive
Browsable to Network Clients: checked
Inherit ACLs: checked
Path: some directory in your volume
--rest is not set or unchecked

Next create a group, lets call it "my-group"..
Next create two user accounts, one will be the owner of the NAS (all the files), and the second will be an underprivileged account. Let's call them "myadmin" and "myuser" for the sake of this document. Make sure the myadmin account is a member of the "wheel" group and make sure myuser is a member of my-group. Use the FreeNAS web GUI to do all of this. Also, I would recommend that you don't have these same named accounts on the Windows box, since it makes it harder to see what account you are actually accessing the share as. Later, once it is working you can make changes to match the accounts to Windows to make things easier.

Next go to Storage->Volumes->mnt->VolumeXXX->Change Permission
The VolumeXXX is whatever you called the volume
Make sure this dialog box has the following settings:
Owner (user): myadmin
Owner (group): wheel
Mode, check Read Write Execute for Owner and Group, leave the "Other" check boxes blank.
In order to select the check boxes be sure the Unix check box below is checked. Don't check (leave blank) the set permissions recursively.
Click the "Change" Button.
Repeat the above for the same share, but check the Windows / Mac check box and click Change.
(Note, i only do this to make sure the GUI is/will be the same as what I set using the cmd line tools.)


See if you can access the share as the myadmin user (map the drive in Windows Explorer and click connect using different credentials, and use the myadmin login and password from FreeNAS).. You should be able to see the share and perhaps see the files inside it.

Report back that this works.. I will start typing up the next part..
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
Please make sure you tell me if I'm wrong in any way in my "*** WORTH NOTING ***" sections below...

1) First Step: Remove my FreeNAS box from my existing domain:
*** WORTH NOTING ***
- I can take FreeNAS out of the domain but destroying my entire domain is not an option.
- I'm hoping that this solution will work along side a domain environment.
- Expected results; Have a client PC (MARS) log on to the FreeNAS box (fn1) using user 'arvo' (local FreeNAS user) while logged on to the domain as 'arvo.bowen@galaxy.local'.
- MARS is on a domain (galaxy.local), fn1 is NOT on a domain.

Now in saying all that, what are the best steps in removing my FreeNAS box from the domain? I turned off the Directory Services service, I went into settings and changed the Directory Service setting from "Active Directory" to "---------".

Would that be sufficient?

2) Second Step: Setting FreeNAS up to work in a WORKGROUP inside of a DOMAIN environment:
*** WORTH NOTING ***
- I plan on using the workgroup name "GALAXY" and this will work around the domain name "galaxy.local"
- FreeNAS will ONLY be using an internal user database. All other PCs and servers will be using the domain's (AD) user database.

You say in CIFS settings 'Local Master: Checked' and 'Time Server for Domain: checked'. My "local master" would be the domain server. If I have FreeNAS as my local master would that not cause conflicts on my domain? Also my NTP server is my DC also... Can I just leave those two unchecked for now? Or do you know for a fact that those are needed to make it work?

One last question (right now) to ask on this big change... When this is all said and done, can the following be accomplished?...

FreeNAS Server (fn1):
- Workgroup "GALAXY"
- Users "Administrator", "xbmc", "arvo"
-> Administrator = xbmc_rw member
-> xbmc = xbmc_r member
-> arvo = xbmc_rw member
- Groups "xbmc_r", "xbmc_rw"
- Share "xbmc"
-> xbmc_r = read only access
-> xbmc_rw = read/write access (Full)

Client PC (MARS):
- Domain "galaxy.local"
- Logged on user "arvo.bowen@galaxy.local"
- Browse to fn1 and use user name "arvo"
- Access "xbmc" share and have full control

Client PC (LRHTPC):
- Domain "galaxy.local"
- Logged on user "xbmc@galaxy.local"
- Browse to fn1 and use user name "xbmc"
- Access "xbmc" share and have read only
Client PC (BRHTPC):
- Workgroup "GALAXY"
- Logged on user "xbmc"
- Browse to fn1 and use user name "xbmc"
- Access "xbmc" share and have read only


EDIT - Question
Next create a group, lets call it "my-group"..
Next create two user accounts, one will be the owner of the NAS (all the files), and the second will be an underprivileged account. Let's call them "myadmin" and "myuser" for the sake of this document. Make sure the myadmin account is a member of the "wheel" group and make sure myuser is a member of my-group. Use the FreeNAS web GUI to do all of this. Also, I would recommend that you don't have these same named accounts on the Windows box, since it makes it harder to see what account you are actually accessing the share as. Later, once it is working you can make changes to match the accounts to Windows to make things easier.

This concerns me... I need to make sure I'm clear on this... I do not want to involve the "wheel" group. For example, above... The local user 'arvo' needs Full control over the 'xbmc' share but NOT over everything in the volume I created. So using the "wheel" group would be counterproductive. Wheel is the equivalent of the domain admin group... It would let that user do ANYTHING anywhere if I'm not mistaken.
 

Fox

Explorer
Joined
Mar 22, 2014
Messages
66
Well, first off, the more you vary from what I did, the harder it will be to troubleshoot. I think using a DOMAIN as your first attempt might be trying to run before you walk. It's a big step. There are a lot of settings and it would be harder to troubleshoot. I don't know your technical background, so I can't advise you on what you should do.

As for your list of what you want, I didn't go through it in great detail, but it looks like it should be possible as others have stated. I really can't tell you how easy it will be to setup with a domain, but I can help with permissions on a workgroup. If you are about to flatten and reload it, why not just do that and try getting it to work as a WORKGROUP?

I can tell you that I have mine working just as I need it with multi-user access with read only access for certain shares/groups/users.. I think the only thing the domain would buy me is the ability to centrally manage it, especially in the form of adding a user and changing a user password and having it apply to the entire domain. Right now, I have users on FREENAS with a password, and users on Windows with a password. Most people sync them up (same user/pass on both systems), but after that, changing a password on one requires changing a password on the other. If you don't sync them, you could ask windows to hold on to the password for the share, and it will auto mount the share and use the saved password every time you reboot, thus allowing you to change your Windows password without having to worry about the freenas password.

In any case, if you want to continue, the next step is just going into the shell and using "getfacl" and "setfacl" to set the permissions of how you want groups and users to access it. It's really simple, provided you can already access it with the owner credentials.

The only other issue I found on the Windows side, was that I needed to run "net use", "net use /delete \\freenas\share", and "net use /delete \\freenas\IPC$" whenever I switched between users for testing on Windows (without logging out). It seems Windows likes to hang on to a connection. Even using NET USE, sometimes Windows will still hold on to the share connection because I may have a file open on the share, or I have Windows Explorer Open in a share directory.

Let me know what you want to do.
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
I think I might have said something to lead you down a path of thinking I'm doing something that I'm not doing... I might have confused you with all my jabbering. :)

1) I AM using FreeNAS 100% as a WORKGROUP. FreeNAS will not have ANYTHING to do with a domain.
2) I DO currently have a domain on my local network and that will stay in place. I should be able to do everything you need me to do and mimic your setup EXACTLY (From a FreeNAS stand point). But all my Client PCs will be on my domain. I have a bunch of PCs and other servers on my network that use the domain so I don't want to destroy the domain.
3) What makes me concerned is the fact that I read somewhere that in the FreeNAS settings I need to make the WORKGROUP setting look exactly like my client PC's WORKGROUP setting for it to work. And in my case that would not be possible. As my client PC that I'm testing with use DOMAIN galaxy.local and the FreeNAS server fn1 has no idea about the domain at all... It just has a WORKGROUP of GALAXY.

Does that make sense?
 

Fox

Explorer
Joined
Mar 22, 2014
Messages
66
yes.. can you connect to it as the owner?
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
I think I might have found the root issue...

After putting all my drives in my box and creating my single raidz pool I created a volume called "root_data". I then under that created various datasets... One being "xbmc".

The root_data volume I created had permissions set to nobody:wheel and was pretty much locked down. I was concentrating on the permissions of the datasets more than the volume... After changing some permissions on the volume I started noticing things... I'll report back soon!

Arvo
 

Arvo Bowen

Dabbler
Joined
Apr 4, 2014
Messages
43
I think we both started at the same time. I figured out what I needed to do, and it sounds like it is similar to what you want, except I did not use a windows domain. Is that strictly required? If you haven't flattened and reloaded your FREENAS box, I can help this weekend via responses to this thread, I will check it frequently.

In short, I found out that using Windows to set the initial permissions (ACL) was a huge problem. Also, Windows 7 tends to hold on to (cache) certain permissions/connections, so I had to learn how to "reset" the Windows connection in order to see the things I was setting.

I used setfacl and getfacl extensively. I don't suggest setting permissions using Windows, at least not initially. And when I did use these, I saw the results instantly on a connection.

I was able to create a share within a subdir of a share, I was able to give only certain permissions to my xbmc box (certain folders), I was able to assign groups, users, to certain files, folders, and have it inherit as I wanted when new files were created. About the only thing I couldn't do was hide the share (but it listed as empty, and this appears to be the same behavior of a true windows share)

I can type out some instructions on how to do all this. Once you understand it is simple.. But again, I did not use the Windows domain. If you need that, my instructions probably won't be as useful.


So how did you "reset the Windows connection" in order to clear the cached credentials used to access the freenas share on the freenas server?
 

Fox

Explorer
Joined
Mar 22, 2014
Messages
66
Issue the "net use" command, it will list the open shares, and when you want to disconnect (delete) from them, use the "net use /delete \\freenas\sharename" command to disconnect from the share. Note that if you have other windows and/or files open from the share, Windows may still hold on to the connection. If this doesn't work, then you can try killing the explorer.exe process and then restarting it. If that doesn't work, you can try logging out and logging back in or rebooting. Most of the time the "net use" command with the delete argument worked.

Also, be sure you are using a different password than your Windows account, and perhaps set a few files in the root, with different permissions so only those user accounts can see them (and only those user accounts). For example, have a mary.txt file that ONLY mary can see, so that way when you reconnect, you will immediately know under what account you are connected. When I use the same username/password as my Windows account, sometimes Windows would just connect using that without giving me a choice. When it can't then it prompts for a username and password, which is what you want for testing. Later, once you get everything hooked up correctly, you can switch back to using the same username and password as your Windows account.
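Fox's two suggestions, doing the permissions with getfacl/setfacl in the shell instead of from Windows, and dropping per-user marker files so you can tell which account a Windows session is actually connected as, fit together in one script. The one below is added here as an example and is not code from the thread or from the FreeNAS project. It lays out Arvo's xbmc_r (read-only) / xbmc_rw (read-write) model with FreeBSD NFSv4 ACLs, without putting anyone in wheel, and it also gives the two groups traverse-only access on the parent dataset, since a nobody:wheel parent locked down to 700 is exactly what stops users from reaching /mnt/root_data/xbmc even when the dataset's own ACL is right. Names are the thread's where it has them (root_data, xbmc, xbmc_r, xbmc_rw, arvo, xbmc) and assumed otherwise (owner myadmin, the whoami-*.txt marker file names). It expects to be run as root on the FreeNAS box on a dataset already switched to the Windows / Mac ACL type; run without arguments it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeNAS project): lay out a
# read-only group and a read/write group on a FreeNAS dataset with FreeBSD
# NFSv4 ACLs via setfacl(1), plus per-user marker files for testing which
# account a Windows client is connected as.
#
#   sh acl-layout.sh            # dry run: print the commands it would run
#   sh acl-layout.sh apply      # execute them (run as root on the NAS)
#
# Assumed names: pool root /mnt/root_data, dataset /mnt/root_data/xbmc,
# owner myadmin, groups xbmc_r / xbmc_rw, marker users arvo and xbmc.
POOL_ROOT=/mnt/root_data
SHARE=/mnt/root_data/xbmc
OWNER=myadmin
RO_GROUP=xbmc_r
RW_GROUP=xbmc_rw
MARKER_USERS="arvo xbmc"
MODE=${1:-dry-run}

# run CMD...: execute with "apply", otherwise echo the command line.
run() {
    if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi
}

# share_entries RO_GROUP RW_GROUP: the NFSv4 entries for the share, one per
# line, in setfacl's tag:qualifier:permissions:inheritance_flags:type form.
# read_set / modify_set / full_set are setfacl's permission aliases; the f
# and d flags make files and subdirectories created later inherit the entry,
# so new files get the right permissions without any help from Windows.
share_entries() {
    printf '%s\n' \
        "owner@:full_set:fd:allow" \
        "g:$2:modify_set:fd:allow" \
        "g:$1:read_set:fd:allow"
}

layout() {
    # Parent dataset: reaching a child path needs x (traverse) on every
    # directory above it, so give the two groups traverse only, no listing.
    run setfacl -m "g:$RO_GROUP:x:allow" "$POOL_ROOT"
    run setfacl -m "g:$RW_GROUP:x:allow" "$POOL_ROOT"

    # The share: set the owner, strip the ACL back to the trivial
    # owner@/group@/everyone@ entries implied by the mode (setfacl -b), set
    # mode 770 so everyone@ carries no data access, then add the group
    # entries. Nobody outside the two groups (or the owner) gets in.
    run chown "$OWNER" "$SHARE"
    run setfacl -b "$SHARE"
    run chmod 770 "$SHARE"
    share_entries "$RO_GROUP" "$RW_GROUP" | while read -r entry; do
        run setfacl -m "$entry" "$SHARE"
    done

    # Marker files: each readable by exactly one user. A Windows session
    # that can open whoami-arvo.txt but not whoami-xbmc.txt is connected as
    # arvo, whatever credentials Windows thinks it cached.
    for u in $MARKER_USERS; do
        f="$SHARE/whoami-$u.txt"
        run sh -c "echo 'connected as $u' > '$f'"
        run setfacl -b "$f"        # drop the inherited group entries
        run chown "$u" "$f"
        run chmod 600 "$f"
    done
}

# verify: print the resulting ACLs for review. The share should show the two
# group entries with fd inheritance and everyone@ with attribute reads only.
verify() {
    run getfacl "$POOL_ROOT" "$SHARE"
}

layout
verify
```

In apply mode, `getfacl /mnt/root_data/xbmc` afterwards should list `group:xbmc_rw` and `group:xbmc_r` with the `fd` flags; if a later Windows-side edit replaces those entries, `getfacl` is also the fastest way to see what it did. Because the marker files are given a trivial ACL before the chmod, the sequence also works on datasets whose aclmode refuses chmod on non-trivial ACLs.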
 