Permissions for Multi-OS environment

Thund3rDuck

Explorer
Joined
Aug 24, 2013
Messages
64
Good evening,

I have a mix of OS types (Windows, Apple, Linux) and I'm trying to understand how I should structure the permissions correctly for devices to use the SMB shares. I set up my users on my NAS and gave them the appropriate rights and set up SMB shares using Unix permissions. I am running into some bugs with users not being able to have access they should but I do not want to use Windows ACLs and then ruin access for my Apple and Linux machines. Can someone help with how to approach this?

Thank you.
 

joltman

Dabbler
Joined
Jul 25, 2012
Messages
21
> Good evening,
>
> I have a mix of OS types (Windows, Apple, Linux) and I'm trying to understand how I should structure the permissions correctly for devices to use the SMB shares. I set up my users on my NAS and gave them the appropriate rights and set up SMB shares using Unix permissions. I am running into some bugs with users not being able to have access they should but I do not want to use Windows ACLs and then ruin access for my Apple and Linux machines. Can someone help with how to approach this?
>
> Thank you.

Watching this thread as this is going to be my exact situation in a couple of weeks. I normally use NFS to mount to Linux, and SMB/CIFS for Windows/Mac. I need one share to work in all three systems.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
This is what I have in my home network. Windows, Mac and Linux. I have SMB shares and datasets with Unix permissions. Just make sure that your users are in a group and that the group is set in the dataset and the dataset as 770. I don't have any permissions issues.
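Added example, not part of the post above: a POSIX shell audit of the layout it describes (one share group on the dataset, mode 770), listing entries that would lock group members out or let accounts outside the group in. The function name `audit_share` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: audit a share tree against the "one group, mode 770" model.
# The directory and group are supplied by the caller (hypothetical arguments).

# audit_share DIR GROUP
# Prints one line per deviation; returns 1 if any deviation was found.
audit_share() {
    dir=$1
    group=$2
    report=$(
        # Group owner differs from the share group: members lose access here.
        find "$dir" ! -group "$group" -exec printf 'WRONG_GROUP %s\n' {} \;
        # Directory lacks group r, w or x: members cannot list, create or enter.
        find "$dir" -type d ! -perm -070 -exec printf 'GROUP_DIR_BITS %s\n' {} \;
        # File lacks group read or write: members cannot open or modify it.
        find "$dir" -type f ! -perm -060 -exec printf 'GROUP_FILE_BITS %s\n' {} \;
        # Any "other" bit set: accounts outside the group can reach the data.
        # Symlinks are skipped because their own mode bits are not enforced.
        find "$dir" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) \
            -exec printf 'OTHER_BITS %s\n' {} \;
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /path/to/dataset share_group
if [ "$#" -eq 2 ]; then
    audit_share "$1" "$2"
fi
```

An empty report means every entry under the directory is owned by the share group, usable by its members, and closed to everyone else.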
 
Joined
Jul 3, 2015
Messages
926
SMB shares using Windows permissions, simples :)
 

Thund3rDuck

Explorer
Joined
Aug 24, 2013
Messages
64
> This is what I have in my home network. Windows, Mac and Linux. I have SMB shares and datasets with Unix permissions. Just make sure that your users are in a group and that the group is set in the dataset and the dataset as 770. I don't have any permissions issues.

This is what I do. The owner is root but the group owner is the group I created (i.e. Installs_Share_Group, Entertainment_Share_Group, etc.).
 

Thund3rDuck

Explorer
Joined
Aug 24, 2013
Messages
64
> SMB shares using Windows permissions, simples :)

Don't Windows permissions not translate well to Linux/BSD/Apple type devices? I'd like to be able to control permissions from the NAS without having to get onto a Windows computer and modify everything.
 

joltman

Dabbler
Joined
Jul 25, 2012
Messages
21
> Don't Windows permissions not translate well to Linux/BSD/Apple type devices? I'd like to be able to control permissions from the NAS without having to get onto a Windows computer and modify everything.

The way I understand it, a forthcoming version of FreeNAS will have an ACL editor built in. I'm not sure which version. I think I've seen 11.4, but maybe it was 11.2U4? I don't know.

I'm just trying to figure out the best way to create perms for all my folders. I've got users, but I also have services that need to access folders. How does one permission those folders? Is there a best practice?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> The way I understand it, a forthcoming version of FreeNAS will have an ACL editor built in. I'm not sure which version. I think I've seen 11.4, but maybe it was 11.2U4? I don't know.
>
> I'm just trying to figure out the best way to create perms for all my folders. I've got users, but I also have services that need to access folders. How does one permission those folders? Is there a best practice?

11.3 will have an ACL editor. setfacl syntax locally is fairly simple.

setfacl -x everyone@::allow /mnt/dozer/share #removes everyone entry
setfacl -a 0 g:smbadmins:full_set:fd:allow /mnt/dozer/share #grants the "smbadmins" group full control. "fd" means it will inherit on files and directories.
setfacl -m g:smbusers:modify_set:fd:allow /mnt/dozer/share #grants "smbusers" group read, write, and modify (-m modifies the smbusers entry if it exists or adds it in position 0)

These changes are non-recursive. Once you have them the way you want them, run the following command

winacl -a clone -rv -p /mnt/dozer/share #this will blast the ACL on all subdirectories and files
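Added example, not part of the post above: a shell check that reads `getfacl` output and confirms what those commands are meant to achieve, namely no `everyone@` allow entry and an inheriting (`fd`) entry for each expected group. The function name `check_acl` is hypothetical, the sample ACL text is constructed, and the entry layout assumed is the NFSv4 form FreeBSD's `getfacl` prints.

```shell
#!/bin/sh
# Added example: review NFSv4 ACL text, as printed by FreeBSD getfacl.

# check_acl GROUP...   (ACL text on stdin)
# Prints findings; returns 1 if any finding was printed.
check_acl() {
    awk -v want="$*" '
        BEGIN { n = split(want, g, " "); for (i = 1; i <= n; i++) need[g[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { next }      # skip "# file:" style headers
        {
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            k = split($0, f, ":")                 # who[:name]:perms:flags:type
            type = f[k]; flags = f[k - 1]
            if (f[1] == "everyone@" && type == "allow") {
                print "EVERYONE_ALLOWED " f[2]; bad = 1
            }
            if (k == 5 && f[1] == "group" && (f[2] in need)) {
                delete need[f[2]]
                # f = inherit to files, d = inherit to directories
                if (!(index(flags, "f") && index(flags, "d"))) {
                    print "NOT_INHERITED " f[2]; bad = 1
                }
            }
        }
        END { for (w in need) { print "MISSING_GROUP " w; bad = 1 }; exit bad + 0 }
    '
}

# Constructed sample: a share where everyone@ is still present and the
# smbusers entry has not been added yet.
SAMPLE_ACL='# file: /mnt/dozer/share
# owner: root
# group: wheel
   group:smbadmins:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
         everyone@:r-x---a-R-c---:-------:allow'

printf '%s\n' "$SAMPLE_ACL" | check_acl smbadmins smbusers || true
```

On the NAS the same check would be fed live output, for example `getfacl /mnt/dozer/share | check_acl smbadmins smbusers`.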
 

Thund3rDuck

Explorer
Joined
Aug 24, 2013
Messages
64
> 11.3 will have an ACL editor. setfacl syntax locally is fairly simple.
>
> setfacl -x everyone@::allow /mnt/dozer/share #removes everyone entry
> setfacl -a 0 g:smbadmins:full_set:fd:allow /mnt/dozer/share #grants the "smbadmins" group full control. "fd" means it will inherit on files and directories.
> setfacl -m g:smbusers:modify_set:fd:allow /mnt/dozer/share #grants "smbusers" group read, write, and modify (-m modifies the smbusers entry if it exists or adds it in position 0)
>
> These changes are non-recursive. Once you have them the way you want them, run the following command
>
> winacl -a clone -rv -p /mnt/dozer/share #this will blast the ACL on all subdirectories and files

That's great in and of itself, but what would be the best way to set it up in the GUI? I am forcing myself to use the GUI only if possible to test if FreeNAS is a viable ZFS solution in the long run. If I am having to go to the shell and make changes, modify Python scripts, use granular editors for SMB etc., I might as well go full blown ZOL. I don't want to do this, I want to use FreeNAS as the purpose built appliance it is designed to be. This is why I want to figure out how to use it using GUI with best practices and intentions in mind.
 