Methods For Fine-Tuning Samba Permissions

DCswitch

Explorer
Joined
Dec 20, 2013
Messages
58
@anodos The test I was doing that was causing the crashes was taking 200 GB+ transfers of lots of movies (about 10 movies and lots of Movie Extras files). Many of the movies were 15 GB or more in size. This problem was occurring on multiple Mac computers (all running Mojave 10.14.4). Since I changed out every piece of hardware of the FreeNAS and it's happening on multiple Apple machines, it leads me to believe it's FreeNAS software related. Now that I'm on 11.1-U5, I am no longer getting any dropouts as well as no random reboots. I just ordered all new hardware to build a second FreeNAS, so I'll be able to do further testing in a few weeks with a completely new build from scratch.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Try setting the following auxiliary parameters on the shares
Code:
aio write size = 0
aio read size = 0
 

DCswitch

@anodos I'll try those settings on the new build. As far as the old build, the end user shouldn't have to put in any additional parameters to keep their system from crashing. After three weeks of hell, now that it's running stable, I'm going to leave it that way.
 

anodos

As soon as we confirmed that some users were experiencing issues with the upstream Samba default for AIO writes in Samba 4.9, we changed the parameter to turn them off. The updated defaults are appearing in U4. We brought in Samba 4.9 because Samba 4.7 is now EOL.
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
@anodos can you comment then on what the recommendations are for:
- share type for macOS
- permission type for datasets shared with above type
 

anodos

Use "windows". It's counter-intuitive and I need to fix that. 11.3 should have a graphical ACL editor, which will make things easier. In 11.2-U5 I will add a vfs module for those who _absolutely_ do not want to use ACLs at all (maybe good for some home users, but please consider carefully before deploying at a business).
 

nojohnny101

@anodos so windows permissions with a smb share works best with macOS?

I guess I've been trying to avoid that as I'm very familiar with UNIX type permissions (from the CLI).
 

HofkoSK

Cadet
Joined
May 24, 2019
Messages
4
Hello anodos,

I'm a newcomer to FreeNAS and sorry for my English, I'm not a native speaker.

After some time working with Samba to set permissions, I came across a mild nonsense: I can set every permission from a Windows client for a shared folder. This is not correct administration of share permissions for me, because a client system can change permissions and delete data, for example when it has been infected. Will the setting be fixed in version 11.3? I have 2 users for testing; one is permitted sudo, the second is not. But both can change permissions on Windows shares.
 

anodos

The default permissions on new datasets are:
owner@:full_control
group@:full_control
everyone@:read_only

In 11.3, the defaults will change as follows:
smb_admin_group:full_control
owner@:full_control
group@:full_control

The default ACL will be easier to manage since there will be a graphical ACL editor.

In order to prevent members of group@ from being able to edit the ACL, run the following command on the path to the share:
Code:
setfacl -m group@:modify_set:fd:allow /mnt/tank/dataset
The write-ACL bit is represented by the "C" in the getfacl output.
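
Added example, not part of the original thread: a small shell filter that reads `getfacl` output and lists every allow entry that still grants the write-ACL bit ("C") mentioned above, so you can confirm the `setfacl` change took effect. It also reports the write-owner bit ("o"), which `modify_set` likewise omits. The `sample_acl` output, the `staff` owner group and the `group:media` entry are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of NFSv4-style getfacl output, as it might look after
# group@ was reduced to modify_set while a named group still has full_set.
sample_acl() {
cat <<'EOF'
# file: /mnt/tank/dataset
# owner: root
# group: staff
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
       group:media:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
EOF
}

# audit_write_acl: read getfacl output on stdin and print "<who> <bits>" for
# each allow entry holding C (write_acl) and/or o (write_owner).
audit_write_acl() {
    awk -F: '
        /^[ \t]*#/ { next }                  # skip the "# file:" style header
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if (NF < 4 || $NF != "allow") next
            perms = $(NF - 2)                # fields end with perms:flags:type
            bits = ""
            if (index(perms, "C")) bits = bits "C"
            if (index(perms, "o")) bits = bits "o"
            if (bits == "") next
            who = $1                         # "owner@" or e.g. "group:media"
            for (i = 2; i <= NF - 3; i++) who = who ":" $i
            print who, bits
        }'
}

# Stand-alone run on the constructed sample. On a real system, pipe live output:
#   getfacl /mnt/tank/dataset | audit_write_acl
sample_acl | audit_write_acl
```

Any principal listed other than the intended administrators can still rewrite the ACL from a client.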
 

anodos

I'm out of time on this. In fact, I'm OVER the time I had to work on this. Is there any hope in an answer which includes steps of what I can do to ameliorate the issue?

I really think OVER 50% of people would never think about it ever again -- if you gave them a fraction of the control over permissions.

It's both onerous and superfluous. No one [wants] to study permissions. In fact -- seems like most people (if anything) are willing to pay to get out of having to manage permissions. Right ? I wouldn't be surprised if the average first-year user spent over 20 hours dealing with permissions.

On QNAP / Synology (not that I like those) ... I can't imagine how one could spent wasted a half hour -- if they were literally the prototypical lay person.

If FreeNAS included 'data-centric user accounts' -- they could test in advance knowing exactly what FreeNAS's settings were...
Users can try to use custom (as now) -- with a fall back where things 'just WORK'.
Whose neighbors are both nosy-enough and technically savvy enough to break through your firewall AND password ... such that you hanker to waste ... 40+ hours in a year.

I'm betting the addition of some account data-centric accounts would cut down on 40% of forum topics... there'd always be a fall back if ever an OS didn't hit the mark with permissions.
11.3 adds an ACL manager with defaults. ACLs are important in enterprise environments where TrueNAS (the commercial product) is deployed.
 

TrumanHW

Contributor
Joined
Apr 17, 2018
Messages
197

Any ideas whether u7 (to fix SMB / NFS) come out first...?
Or is 11.3 close enough to ready that they'll throw the SMB / NFS fixes there..?

Since the only thing that works right now is my Mac - if it's not somewhat soon ...
I need to install an older experiment [a true! PaiNASS for me :) ]...
unless [something] addressing SMB will be out within a week or so.
 

anodos

I haven't been able to reproduce your issue. SMB works for me and we have successfully deployed in 11.2-U6 in a large number of environments. You can PM me a debug and I'll take a look at it when I have some free time.
 

CPP-IT

Dabbler
Joined
Aug 14, 2017
Messages
43
When setting up the Windows ACLs - do I use the user/group name(s) from FreeNAS when assigning permissions?
 

seb101

Contributor
Joined
Jun 29, 2019
Messages
142
Is there any way, through the FreeNAS gui, to set FreeNAS SMB shares up so that only the Owner/Owner Group have read rights? (i.e. the 'Read' permission is not applied to all registered users as is the default).
 