Safe to change Dataset permissions type from Unix to Windows?

[BlueMagician]

Dear all,

I apologise in advance for asking (what I hope is) a simple question.

I have an existing Dataset containing Media files, currently shared through CIFS for management, and also mounted/linked/presented to Plex Media Server in its own jail.

I was looking to tighten up file permissions, and also to learn how to do things in a potentailly better way for future datasets.

Originally, I thought to do away with sharing completely, and move to a model where I managed my media entirely through SFTP.

I may still pursue that option, but if I choose to stick with sharing - I'd like to readdress permissions etc.

If i want to use Windows to set ACL's, I assume I need to change my current Dataset properties from UNIX permissions type, to Windows type?

I've read enough to know that this is the right thing to do if I want it to work correctly using Windows...

...What I can't find an answer to is whether it's SAFE to make this change on a mature dataset?

Will it compromise my data in any way, or just update it's attributes?

After making that change at Dataset level, is there any kind of recursive action or propagation command I should run afterwards, to reset (or correctly set) ACL's on existing files/folders? Or do I just flip the switch and then manage all the permissions through Windows from then on?


Apologies for the wall of text, but any input or advice appreciated,

Simon.

 

[m0nkey_]

Yes you can change it, but it will only apply to actions taken from that moment forward. The best way to do it is create a new Windows dataset and migrate the data across.

 

[BlueMagician]

...The best way to do it is create a new Windows dataset and migrate the data across.

Damn, really?

If that's the case, I have a new problem...

My current Dataset is named exactly as I want it. If I create a new 'Windows' flagged one, it'll be end up being called something I don't want.

Can I rename the new destination once I've transferred the contents from (and deleted) the original source Dataset?

What's worse? Changing the current Dataset properties to be Windows friendly, or jumping through the hoops of creating a new set, MV-ing 13TB of data to it, and then risking a CLI rename...

Continued thoughts appreciated!
Simon.

 

[m0nkey_]

Yes, you can rename. You'll need to use the shell to do this: zfs rename tank/olddataset tank/newdataset. Replace tank and *dataset with your pool/dataset names.

 

[BlueMagician]

Yes, you can rename. You'll need to use the shell to do this: zfs rename tank/olddataset tank/newdataset. Replace tank and *dataset with your pool/dataset names.

Thank you for this. Are you sure there's no evil downsides to renaming a mountpoint under the nose of the FreeNAS GUI?

I've created a new Dataset with the correct root ACL's, and tested propagation of newly copied files.

It seems to be working fine but MV-ing a few big test files is taking an eternity. I can't imagine doing this for TB's of data!

I went with the CLI MV command, as I figured it was safer to move data within FreeNAS itself, rather than copy access shares/network in a Windows session.. but heck is it a painful data rate!


Just to be sure - correcting the existing Dataset to be Windows friendly, then running some sort of recursive command on the existing file structure to blanket-fix permissions is definitely a no-no, right?

If it's not, then that option has to be less painful than what I'm currently testing...


All input gratefully received,
S.

 

[m0nkey_]

Thank you for this. Are you sure there's no evil downsides to renaming a mountpoint under the nose of the FreeNAS GUI?

Yes, in 9.10 this should do no harm.

It seems to be working fine but MV-ing a few big test files is taking an eternity. I can't imagine doing this for TB's of data!

Consider using rsync to move the files, it's typically faster.

 

[m0nkey_]

Just to be sure - correcting the existing Dataset to be Windows friendly, then running some sort of recursive command on the existing file structure to blanket-fix permissions is definitely a no-no, right?

From the FN GUI, you can set the base permissions and make it recursive. Once you have your Windows dataset configured, take a look at the FreeNAS/Samba video I created for this topic: https://forums.freenas.org/index.php?resources/freenas-and-samba-smb-permissions-video.8/

 

[BlueMagician]

From the FN GUI, you can set the base permissions and make it recursive. Once you have your Windows dataset configured, take a look at the FreeNAS/Samba video I created for this topic: https://forums.freenas.org/index.php?resources/freenas-and-samba-smb-permissions-video.8/

I already watched your video earlier this evening.. thank you, it was good to see.

But wait.. from what you said in your penultimate post, implies that I _can_ modify my existing Dataset to Windows mode - and as long as I mash the Recursive tickbox, it will 'repair / propagate' the Windows friendly ACL's to my existing files?

If it's OK to do this, and perhaps then tidy up ACL's further in Windows, why am I recreating my Dataset at all?

Sorry, I'm confused... but I do appreciate the help!

S

 

[BlueMagician]

So, sorry to keep on - did we decide it was safe to change my current dataset permissions over to Windows then recursively set ACL's through the CIFS share in Windows?

Or will the world end, and it's really necessary for me to create a new Dataset and move and my stuff from old to new etc?

Happy to do the right thing, but don't want to turn a 15 minute job into a 5 hour job if it's un-necessary...


Thanks again in advance,
S.

 

[Christopher Ward]

Just seen this thread after googling this same problem and it's exactly what i would also like to do. I currently have it setup with plex, sabnzbd, sickbeard but any one can go to my windows share on \\freenas and edit the files and i don't want that, i want a guest account where anyone can see but not edit and then have the ability for users to login to be able to modify files but my dataset is set to UNIX.

I was watching this video and he sets the dataset to Windows but my dataset is already set to UNIX https://www.youtube.com/watch?v=RxggaE935PM&t=3s

Can i just change it to windows and tick the little Set permission recursively box and continue on with the video?

 

[m0nkey_]

I was watching this video and he sets the dataset to Windows but my dataset is already set to UNIX https://www.youtube.com/watch?v=RxggaE935PM&t=3s

Can i just change it to windows and tick the little Set permission recursively box and continue on with the video?

Changing from UNIX to Windows doesn't do much but change the ZFS property aclmode, however that property will only be applied from that moment forward. I don't recommend doing this whatsoever, from past experience this has caused some weirdness with permissions. You're better off creating a new dataset and migrating your data.

 

[BlueMagician]

Changing from UNIX to Windows... ...I don't recommend doing this whatsoever, from past experience this has caused some weirdness with permissions.

OK. Thank you. I'll re-create a new Dataset.

I hope I'll be able to rename it OK afterwards on 9.3


One final question if I may?

Once I've created my new Dataset and a sharepoint, is it safe to apply recursive ACL's from the root of that share in Windows - Whilst authenticated as Freenas Root User?

To that end, assuming that it's best to keep Root user as owner, is it necessary to also keep Wheel as a Full Control group implicitly defined?

IE: my top level permissions would be:

FREENAS\Root Full Control
UNIX\Wheel Full Control
FREENAS\MediaAuthors Modify
FREENAS\MediaReaders Read Only


Does that sound like a plan?

Your advice is very much appreciated,
S.

 

[m0nkey_]

https://forums.freenas.org/index.php?resources/freenas-and-samba-smb-permissions-video.8/

 

[echelon5]

I've recently changed dataset permissions from unix to windows on 2 machines. Just to be sure there wasn't anything murky, I've set permissions recursively and then removed custom attributes with a recursive setfacl twice.

It's been 2 weeks since the switch and things seem to be working just fine.

 

[SweetAndLow]

Yes, in 9.10 this should do no harm.

Consider using rsync to move the files, it's typically faster.

No way! CP and MV are the fastest. Followed by replication and rsync is the slowest.

Sent from my Nexus 5X using Tapatalk

 

[m0nkey_]

Followed by replication and rsync is the slowest.

Only if you're going over SSH, locally it's pretty darn quick.

 

[SweetAndLow]

This is all assuming local. Ssh will all be about the same because your network will bottleneck.

Sent from my Nexus 5X using Tapatalk

 

[Christopher Ward]

Do i need to make a windows share if i want to do this or is there any other way:

I want anyone to see the files but not edit and then have the ability for users to login to be able to modify files but my dataset is set to UNIX.

I have like 18tb of data to move and the only way i know how to do that would be over explorer, not sure what rsync, cp, mv are.

 

[BlueMagician]

I've still not made my mind up with how to proceed on my existing Dataset, but I did take the time to dabble and create a new one for testing.

I've hit a new problem:

I've followed @m0nkey_ 's videos, set up new Windows mode Datasets, shared, and set various ACL's from the top down recursively, but I'm getting a wierd thing where every file and folder I create is getting 'Everyone Read' applied to it.

Any nested files and folders I create DO inherit the parent ACE's, but they also get the UNIX Mode group and Everyone ACE's added as well - for no reason.

These errant ACE's are NOT inherited, they just appear. Windows shows the entries as 'inherited from: Nowhere'

For what it's worth, I found an old BSD bug report from a couple years ago pertaining to v9.2 which describes this exact issue.

https://bugs.pcbsd.org/issues/4076

It describes the symptom whereby Windows Share permissions are unintentionally bleeding/propagating to the ACL's of the files and folders themselves.

Incidentally, the issue was marked as resolved in v9.3 - so I'm not sure why I'm seeing it today..?


Any thoughts very much appreciated,
S.

 

[Christopher Ward]

Yes, you can rename. You'll need to use the shell to do this: zfs rename tank/olddataset tank/newdataset. Replace tank and *dataset with your pool/dataset names.

sorry for the late reply i have only just got round to doing this. When i do the command:

zfs rename RaidZ2/Media RaidZ2/MediaOld

I get :

cannot unmount '/mnt/RaidZ2/Media': Device busy

Also do i need to change the permissions type of "RaidZ2" zpool to windows as well as the media dataset?

Edit: deleted the old SMB share and that worked :)