SOLVED pool permissions (Mistake)

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
hi everyone
FreeNAS-11.2-U7

I get straight to problem (I made) and trying find solution but dont want make it any worse and dont know much with ALCs

On my 2nd pool named POOL02 i change permissions recursively UNIX to windows and i was ment to change dataset inside POOL02
now windows shares wont open and plex can't files

I have tryed resetting POOL02 back to UNIX and change dataset inside it back to windows (originally)
but no luck not sure what to do, what i seen change from unix to windows may cuase big problems

Hope someone can help me.

Thanks. Luke

edit: forgot to add current permissions are showing
drwxrwxrwx+ pool02 folder
drwxrwx---+ Data02 folder
i only know chmod 755 stuff not this stuff but i guess R for read and W write and X execute .
 

Attachments

  • freenas pool.png
    freenas pool.png
    52.9 KB · Views: 1,039
Last edited:

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
OK, first try stripping out ACLs from your pool. Select the 3 dots by the parent pool, and select Edit ACL. Then, in the dialog that follows, check the 3 boxes at the bottom.

1591190126395.png


Now, on the parent, you can edit the permissions, but don't do it recursively. Set it back to match the permissions of your other pool. (For reference, you can see the chmod(1) man page. 755 maps to u+rwx,g+rx,o+rx.)

You can then set permissions and ACLs on the Data02 folder. Note, you may still need to correct user:group ownership via chown in the shell after this to restore things to working condition.
 

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
Thanks for quick reply, can't find strip ACL's any where in (edit permissions or edit options ) from 3 dot drop down list and in edit permissions, only has apply permissions recursively check box.
i did some looking and 11.2 dosent have this feature i think, say 11.3 dose.
should i upgrade or do you know cli command
 

Attachments

  • freenas pool1.png
    freenas pool1.png
    27.1 KB · Views: 1,102

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
OK, you'll have to strip the ACLs via shell. Try find /mnt/POOL02 -exec setfacl -b {} \;. This will get rid of the + in the permissions, which are the Windows ACLs that were set up.
 

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
Thanks that has removed the + and i edit permissions via gui and set user and group on data02 same as Data01.
But smb share data02 still cant get access and plex still can't read from it,
im not sure how to use chown, never used it before, not sure what im missing but some reason i compare it to Data01 to Data02
Data01: drwxrwxrwx (dose that mean has not security)
Data02: drwxrwx---

sorry for troubling you over this, but i havent done any permission in freenas before, i was trying get sonarr read from Data02
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
OK, now you can set the Windows ACLs on data02, like you originally intended. And yes, make data02 look like data01. Data01's permissions allow everyone to read/write/execute. For data02, you'll need at least the read and execute permissions for process to navigate into subdirectories.

As for ownership, you can set that in the GUI, or via chown -R owner:group <directory path>, which will set everything within that directory path to be owned by the specified owner:group.
 
Last edited:

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
i have done ownership, how do set ACLs on data02, im running 11.2 i dont have gui for ACLs, what im aware of.
trying download 11.3 but only doing 30kbps
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
i have done ownership, how do set ACLs on data02, im running 11.2 i don't have gui for ACLs, what im aware of.
trying download 11.3 but only doing 30kbps

No need to upgrade to 11.3 yet. Please describe your Samba shares by providing the output of testparm -s -v.
 

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
Ok, here's output from that code

Code:
root@NAS2017:~ # testparm -s -v

WARNING: The "null passwords" option is deprecated
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /usr/local/etc/smb4.conf
WARNING: The "null passwords" option is deprecated
Processing section "[Data01]"
Processing section "[Data02]"
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
        abort shutdown script =
        add group script =
        add machine script =
        addport command =
        addprinter command =
        add share command =
        add user script =
        add user to group script =
        ads dns update = Yes
        afs token lifetime = 604800
        afs username map =
        aio max threads = 2
        algorithmic rid base = 1000
        allow dcerpc auth level connect = No
        allow dns updates = secure only
        allow insecure wide links = No
        allow nt4 crypto = No
        allow trusted domains = Yes
        allow unsafe cluster upgrade = No
        apply group policies = No
        async smb echo handler = No
        auth event notification = No
        auto services =
        binddns dir = /var/run/samba4/bind-dns
        bind interfaces only = Yes
        browse list = Yes
        cache directory = /var/run/samba4
        change notify = Yes
        change share command =
        check password script =
        cldap port = 389
        client ipc max protocol = default
        client ipc min protocol = default
        client ipc signing = default
        client lanman auth = No
        client ldap sasl wrapping = sign
        client max protocol = default
        client min protocol = CORE
        client NTLMv2 auth = Yes
        client plaintext auth = No
        client schannel = Yes
        client signing = default
        client use spnego principal = No
        client use spnego = Yes
        cluster addresses =
        clustering = No
        config backend = file
        config file =
        create krb5 conf = Yes
        ctdbd socket =
        ctdb locktime warn threshold = 0
        ctdb timeout = 0
        cups connection timeout = 30
        cups encrypt = No
        cups server =
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsa                                                              rpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
        deadtime = 15
        debug class = No
        debug hires timestamp = Yes
        debug pid = No
        debug prefix timestamp = No
        debug uid = No
        dedicated keytab file =
        default service =
        defer sharing violations = Yes
        delete group script =
        deleteprinter command =
        delete share command =
        delete user from group script =
        delete user script =
        dgram port = 138
        disable netbios = No
        disable spoolss = Yes
        dns forwarder =
        dns proxy = No
        dns update command = /usr/local/sbin/samba_dnsupdate
        dns zone scavenging = No
        domain logons = No
        domain master = Auto
        dos charset = CP437
        dsdb event notification = No
        dsdb group change notification = No
        dsdb password event notification = No
        enable asu support = No
        enable core files = Yes
        enable privileges = Yes
        enable web service discovery = No
        encrypt passwords = Yes
        enhanced browsing = Yes
        enumports command =
        eventlog list =
        get quota command =
        getwd cache = Yes
        gpo update command = /usr/local/sbin/samba-gpupdate
        guest account = nobody
        homedir map = auto.home
        host msdfs = Yes
        hostname lookups = Yes
        idmap backend = tdb
        idmap cache time = 604800
        idmap gid =
        idmap negative cache time = 120
        idmap uid =
        include system krb5 conf = Yes
        init logon delay = 100
        init logon delayed hosts =
        interfaces = 127.0.0.1 192.168.1.3
        iprint server =
        keepalive = 300
        kerberos encryption types = all
        kerberos method = default
        kernel change notify = No
        kpasswd port = 464
        krb5 port = 88
        lanman auth = No
        large readwrite = Yes
        ldap admin dn =
        ldap connection timeout = 2
        ldap debug level = 0
        ldap debug threshold = 10
        ldap delete dn = No
        ldap deref = auto
        ldap follow referral = Auto
        ldap group suffix =
        ldap idmap suffix =
        ldap machine suffix =
        ldap page size = 1000
        ldap passwd sync = no
        ldap replication sleep = 1000
        ldap server require strong auth = Yes
        ldap ssl = start tls
        ldap ssl ads = No
        ldap suffix =
        ldap timeout = 15
        ldap user suffix =
        lm announce = Yes
        lm interval = 60
        load printers = No
        local master = Yes
        lock directory = /var/run/samba4
        lock spin time = 200
        log file =
        logging = file
        log level = 2
        log nt token command =
        logon drive =
        logon home = \\%N\%U
        logon path = \\%N\%U\profile
        logon script =
        log writeable files on exit = No
        lpq cache time = 30
        lsa over netlogon = No
        machine password timeout = 604800
        mangle prefix = 1
        mangling method = hash2
        map to guest = Bad User
        max disk size = 0
        max log size = 51200
        max mux = 50
        max open files = 465545
        max smbd processes = 0
        max stat cache size = 512
        max ttl = 259200
        max wins ttl = 518400
        max xmit = 16644
        mdns name = netbios
        message command =
        min receivefile size = 0
        min wins ttl = 21600
        mit kdc command =
        multicast dns register = Yes
        name cache timeout = 660
        name resolve order = lmhosts wins host bcast
        nbt client socket address = 0.0.0.0
        nbt port = 137
        ncalrpc dir = /var/run/samba4/ncalrpc
        netbios aliases =
        netbios name = NAS2017
        netbios scope =
        neutralize nt4 emulation = No
        NIS homedir = No
        nmbd bind explicit broadcast = Yes
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        ntlm auth = ntlmv2-only
        nt pipe support = Yes
        ntp signd socket directory = /var/run/samba4/ntp_signd
        nt status support = Yes
        null passwords = Yes
        obey pam restrictions = Yes
        old password allowed period = 60
        oplock break wait time = 0
        os2 driver map =
        os level = 20
        pam password change = No
        panic action =
        passdb backend = tdbsam
        passdb expand explicit = No
        passwd chat = *new*password* %n\n *new*password* %n\n *changed*
        passwd chat debug = No
        passwd chat timeout = 2
        passwd program =
        password hash gpg key ids =
        password hash userPassword schemes =
        password server = *
        perfcount module =
        pid directory = /var/run/samba4
        preferred master = Auto
        prefork children = 1
        preload modules =
        printcap cache time = 750
        printcap name = /dev/null
        private dir = /var/db/samba4/private
        raw NTLMv2 auth = No
        read raw = Yes
        realm =
        registry shares = No
        reject md5 clients = No
        reject md5 servers = No
        remote announce =
        remote browse sync =
        rename user script =
        require strong key = Yes
        reset on zero vc = No
        restrict anonymous = 0
        rndc command = /usr/sbin/rndc
        root directory =
        rpc big endian = No
        rpc server dynamic port range = 49152-65535
        rpc server port = 0
        samba kcc command = /usr/local/sbin/samba_kcc
        security = USER
        server max protocol = SMB3
        server min protocol = NT1
        server multi channel support = No
        server role = standalone server
        server schannel = Yes
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbin                                                              dd, ntp_signd, kcc, dnsupdate, dns
        server signing = default
        server string = FreeNAS Server
        set primary group script =
        set quota command =
        share backend = classic
        show add printer wizard = Yes
        shutdown script =
        smb2 leases = Yes
        smb2 max credits = 8192
        smb2 max read = 8388608
        smb2 max trans = 8388608
        smb2 max write = 8388608
        smbd profiling level = off
        smb passwd file = /var/db/samba4/private/smbpasswd
        smb ports = 445 139
        socket options = TCP_NODELAY
        spn update command = /usr/local/sbin/samba_spnupdate
        stat cache = Yes
        state directory = /var/db/samba4
        svcctl list =
        syslog = 1
        syslog only = No
        template homedir = /home/%D/%U
        template shell = /bin/false
        time server = Yes
        timestamp logs = Yes
        tls cafile = tls/ca.pem
        tls certfile = tls/cert.pem
        tls crlfile =
        tls dh params file =
        tls enabled = Yes
        tls keyfile = tls/key.pem
        tls priority = NORMAL:-VERS-SSL3.0
        tls verify peer = as_strict_as_possible
        truenas passive controller = No
        unicode = Yes
        unix charset = UTF-8
        unix extensions = No
        unix password sync = No
        use mmap = Yes
        username level = 0
        username map = /usr/local/etc/smbusers
        username map cache time = 0
        username map script =
        usershare allow guests = No
        usershare max shares = 0
        usershare owner only = Yes
        usershare path = /var/db/samba4/usershares
        usershare prefix allow list =
        usershare prefix deny list =
        usershare template share =
        utmp = No
        utmp directory =
        web port = 901
        winbind cache time = 300
        winbindd socket directory = /var/run/samba4/winbindd
        winbind enum groups = No
        winbind enum users = No
        winbind expand groups = 0
        winbind max clients = 200
        winbind max domain connections = 1
        winbind nested groups = Yes
        winbind netbios alias spn = Yes
        winbind normalize names = No
        winbind nss info = template
        winbind offline logon = No
        winbind reconnect delay = 30
        winbind refresh tickets = No
        winbind request timeout = 60
        winbind rpc only = No
        winbind scan trusted domains = Yes
        winbind sealed pipes = Yes
        winbind separator = \
        winbind use default domain = No
        wins hook =
        wins proxy = No
        wins server =
        wins support = No
        workgroup = WORKGROUP
        write raw = Yes
        wtmp directory =
        zeroconf name =
        idmap config *: range = 90000001-100000000
        idmap config * : backend = tdb
        access based share enum = No
        acl allow execute always = Yes
        acl check permissions = Yes
        acl group control = No
        acl map full control = Yes
        administrative share = No
        admin users =
        afs share = No
        aio read size = 1
        aio write behind =
        aio write size = 1
        allocation roundup size = 1048576
        available = Yes
        blocking locks = Yes
        block size = 1024
        browseable = Yes
        case sensitive = Auto
        check parent directory delete on close = No
        comment =
        copy =
        create mask = 0666
        csc policy = manual
        cups options =
        default case = lower
        default devmode = Yes
        delete readonly = No
        delete veto files = No
        dfree cache time = 0
        dfree command =
        directory mask = 0777
        directory name cache size = 0
        dmapi support = No
        dont descend =
        dos filemode = Yes
        dos filetime resolution = No
        dos filetimes = Yes
        durable handles = Yes
        ea support = Yes
        fake directory create times = No
        fake oplocks = No
        follow symlinks = Yes
        force create mode = 0000
        force directory mode = 0000
        force group =
        force printername = No
        force unknown acl user = No
        force user =
        fstype = NTFS
        guest ok = No
        guest only = No
        hide dot files = Yes
        hide files =
        hide special files = No
        hide unreadable = No
        hide unwriteable files = No
        hosts allow =
        hosts deny =
        include =
        inherit acls = No
        inherit owner = no
        inherit permissions = No
        invalid users =
        kernel oplocks = No
        kernel share modes = Yes
        level2 oplocks = Yes
        locking = Yes
        lppause command =
        lpq command = lpq -P'%p'
        lpresume command =
        lprm command = lprm -P'%p' %j
        magic output =
        magic script =
        mangled names = yes
        mangling char = ~
        map acl inherit = No
        map archive = Yes
        map hidden = No
        map readonly = no
        map system = No
        max connections = 0
        max print jobs = 1000
        max reported print jobs = 0
        min print space = 0
        msdfs proxy =
        msdfs root = No
        msdfs shuffle referrals = No
        nt acl support = Yes
        ntvfs handler = unixuid, default
        oplocks = Yes
        path =
        posix locking = Yes
        postexec =
        preexec =
        preexec close = No
        preserve case = Yes
        printable = No
        print command = lpr -r -P'%p' %s
        printer name =
        printing = bsd
        printjob username = %U
        print notify backchannel = No
        queuepause command =
        queueresume command =
        read list =
        read only = Yes
        root postexec =
        root preexec =
        root preexec close = No
        short preserve case = Yes
        smb encrypt = default
        spotlight = No
        store dos attributes = Yes
        strict allocate = No
        strict locking = No
        strict rename = No
        strict sync = Yes
        sync always = No
        use client driver = No
        use sendfile = No
        valid users =
        veto files =
        veto oplock files =
        vfs objects =
        volume =
        wide links = No
        write cache size = 0
        write list =


[Data01]
        aio write size = 0
        guest ok = Yes
        path = "/mnt/POOL01/Data01"
        read only = No
        veto files = /.snapshot/.windows/.mac/.zfs/
        vfs objects = zfs_space zfsacl streams_xattr recycle crossrename
        zfsacl:acesort = dontcare
        nfs4:chown = true
        nfs4:acedup = merge
        nfs4:mode = special
        recycle:subdir_mode = 0700
        recycle:directory_mode = 0777
        recycle:touch = yes
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle/%U


[Data02]
        aio write size = 0
        guest ok = Yes
        path = "/mnt/POOL02/Data02"
        read only = No
        veto files = /.snapshot/.windows/.mac/.zfs/
        vfs objects = zfs_space zfsacl streams_xattr recycle crossrename
        zfsacl:acesort = dontcare
        nfs4:chown = true
        nfs4:acedup = merge
        nfs4:mode = special
        recycle:subdir_mode = 0700
        recycle:directory_mode = 0777
        recycle:touch = yes
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle/%U
root@NAS2017:~ #
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
OK, as both Data01 and 02 are guest shares, Data02 has to have recursive permissions drwxrwxrwx.
 

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
ok, how set drwxrwxrwx to data02 , what im aware of you can't use chmod with windows dataset?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
Try this:
  1. Stop SMB services.
  2. In the Storage GUI, change the type to Unix, then set the permissions recursively.
  3. Change the type back to Windows.
  4. Restart SMB services.
 

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
did not work changing to Unix (Operation not permitted)
then tried second time no errors and change back to windows and start smb but still no access with share and plex jail
 

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
i did getfacl got this in return, everyone wont change, if this helps
Data02

# file: Data02
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
Did you change the permissions while in Unix mode?
 

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
yes i tried setting all too full permisions
 

ghost reaper

Dabbler
Joined
May 21, 2014
Messages
45
it all working now, i logout and login on legacy interface, did same step's and it all working now.
would this be bug, i did try 2 times in normal interface.

thanks alot, i learnt new things be noting down.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
Glad things are back.
 
Top