New files created via SMB not inheriting @everyone permissions

Rwynne

Cadet
Joined
Jun 28, 2020
Messages
8
I recently imported an old 9.2.1 FreeNAS ZFS volume to a new 11.3 install, in order to integrate it with our domain controller. The domain is properly joined, FreeNAS is allowing users in based on their domain credentials, and everything generally seems to work as I would expect.

This was originally set up as an unauthenticated open share, where everyone had full control of the files and folders. We want to continue to give all the domain users full control, and as a result, I set the ACL so that @Everyone had Full Access. I applied that recursively, and everything is fine for the files that were there, but any new files are not inheriting the correct permissions, and I'm not sure why.

I feel like I'm probably overlooking something very basic and obvious, and will kick myself when I know. But I'm hoping someone can help me figure out what that simple thing is. Meanwhile, I'm reapplying the ACL from the GUI every day to catch the new files that are being dropped into the share.

Thanks in advance.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
Did you select "INHERIT" under "FLAGS" in the ACL manager?
 

Rwynne

I did, but it doesn't seem to be applying an ACL to new files at all. New files are created with -rw-rw-rw- permissions, but no + on the end.
 

Rwynne

My preference is obviously for a configuration tweak that will get the system to properly apply the ACL as defined to new files.

Alternatively, if there was a command line to recursively apply the ACLs to the new files (or just reapply the proper ones to everything) that could be scripted and run in cron, that might be a bandaid.
 

Rwynne

If anyone has any pointers, I'd love to get this nailed down. Thanks in advance!
 

Rwynne

Interesting. If I create a file from inside the filesystem (I just used vi to create a one line text file), THAT file correctly inherits the ACL.
So there's something in the SMB process that isn't applying the permissions correctly.
 

anodos

Two possible avenues for this happening:
1) The SMB client is sending SETINFO request to change the permissions.
2) Dataset is not set to have "restricted" aclmode (not a Windows dataset).
 

Rwynne

Ah, ok. I set the aclmode from Passthrough to Restricted in the options Advanced menu, and it now appears to be applying the permissions correctly to @Everyone!

Thanks!
 

JoeAtWork

Contributor
Joined
Aug 20, 2018
Messages
165
Client behavior is something you typically would change client-side.
You can check aclmode property for the dataset you're sharing via the WebUI form for the dataset in question.
Maybe in FreeNAS we need a button to make a smb.conf dump so we can paste the relevant files for discussion? Also the top level share permissions on the filesystem. It might make your life easier. :smile:
 

anodos

There is one included in a system debug, but it also contains sensitive information from the server and so I'd rather just ask for the specific information needed.

That said, I've merged in a possible fix for the issue requiring "restricted" aclmode for correct behavior in TN 12 core for beta2.
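
An added example, not part of the thread: a small audit for the symptom reported above (SMB-created files showing no `+` after the mode string) together with the dataset's aclmode value. The dataset name `tank/share`, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). On the FreeNAS host, feed it real data:
#   zfs get -H -o value aclmode tank/share   # tank/share is a placeholder
#   ls -ln /mnt/tank/share                   # -n keeps owner/group to one field each

# Print the names of files and directories in `ls -ln` output that carry no
# ACL, i.e. whose mode string is not followed by "+".
missing_acl() {
    awk '
        # Only regular files (-) and directories (d); skips the "total" line.
        substr($1, 1, 1) !~ /^[-d]$/ { next }
        substr($1, 11, 1) == "+"     { next }
        {
            # Name is field 9 onward (runs of spaces in a name are collapsed).
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            print name
        }'
}

# Audit one share: $1 is the dataset's aclmode value, stdin is `ls -ln` output.
# Returns 0 only when aclmode is "restricted" and every entry has an ACL.
audit_share() {
    mode=$1
    bare=$(missing_acl)
    status=0
    if [ "$mode" != "restricted" ]; then
        echo "aclmode is '$mode', expected 'restricted'"
        status=1
    fi
    if [ -n "$bare" ]; then
        echo "entries without an ACL:"
        echo "$bare" | sed 's/^/  /'
        status=1
    fi
    return $status
}

# Constructed sample listing: two entries with an ACL, one SMB-created file without.
SAMPLE='total 12
drwxrwxrwx+ 2 0 0 4 Jun 28 10:00 archive
-rwxrwxrwx+ 1 0 0 120 Jun 28 10:01 old.txt
-rw-rw-rw-  1 20001 20002 87 Jun 29 09:15 new report.txt'

printf '%s\n' "$SAMPLE" | audit_share passthrough || true
```

Run from cron, a non-zero exit from `audit_share` flags a share where new files have stopped picking up the inherited ACL.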
 