SMB / Active Directory

Status
Not open for further replies.

tom__w

Explorer
Joined
Mar 26, 2013
Messages
87
So I wanted to start a new thread so as not to mix my questions. I've started playing with SMB. I think I have it working except for one thing. Here is what I did:

* Enabled Active Directory in FreeNAS and authenticated to my domain using only those settings in basic mode
* Created a dataset
** set the owner (user) as a \\domain\admin
** The owner (group) is wheel.
** Permission type is Windows
** Under edit the share type is Windows
* Created a SMB share and enabled browsing

In Windows, I am able to see the share. I can map a drive. I can add / remove files.

Here is the issue. If I set additional Windows permissions on a folder by adding another user, I cannot remove permissions (i.e. any user) on any files or folders inside of that folder. I can add further additional permissions no problem.

When I try to remove the inherit flag, select add (instead of remove) and hit apply, the flag immediately gets set again. Trying to remove the permissions altogether just gives me errors.

I'd love to share my data via SMB (transfer speeds are much faster) and forget about the whole iSCSI thing, but not being able to have granular permission capabilities is problematic for me.

Tom
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The first problem you have is due to the way that trivial (special) ACEs work in Unix. These are the owner@, group@, etc. ACEs that are visible at the CLI when you use getfacl. Solution -> add a second non-trivial ACE for 'domain admins' at the root of the share. There are some plans in the works to make ACLs behave a bit more like Windows ones, but at this point there's no ETA. Sorry I can't be more specific, but I'm typing while holding a sleeping baby. See the permissions overview in my sig.

The second problem (removing inheritance) is probably due to a limitation in how samba translates NFSv4 ACLs into NTFS ACLs. See bug ticket here: https://bugs.freenas.org/issues/26039. Once again no definite ETA, but it's definitely on our radar. The fix might be soon, but John is also a very busy man. We need to find a way to clone him. :)

TL;DR, I feel your pain. The issues will eventually be fixed.
 

tom__w

Explorer
Joined
Mar 26, 2013
Messages
87
So you are saying that:

* The remove permissions / add inheritance is fixed by your first suggestion?
and
* the remove permissions / remove inheritance fix is on your radar?

I need to make a decision on the best route for my SmallMediumBusiness (so as to not confuse the two).

My initial support / installation came from a professional who said permissions would eventually bite me in the rear end if I did SMB shares. His ardent recommendation was to iSCSI a dataset to VMware and then add that as a resource to a VM. Then from within the VM, share that drive.

I have been using it that way for some time but my transfer rates are abysmal (15 - 35 meg transfer rates), and sometimes even my VMs have poor performance.

When I tested SMB, I was getting 118 to 130.

Suggestions?

As with everyone here, my data is my lifeblood and losing it would be business-ending.

T
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> So you are saying that:
> * The remove permissions / add inheritance is fixed by your first suggestion?
> and
> * the remove permissions / remove inheritance fix is on your radar?
ISSUE 1: Permissions Inheritance
Windows uses NTFS ACLs. FreeNAS (the OS) has NFSv4.1 ACL support (RFC 7530). The samba nfsv4 ACL support code was written to match an earlier standard (RFC 3530), which among other things lacked "ACE4_INHERITED". Due to this difference, the Samba NFSv4 ACL code compares the ACL of the parent and child dirs. If they are the same, the child is flagged as "inherited" from the parent. This means that the nfsv4 code in samba used by vfs_zfsacl needs to be modified to support the "inherited" flag.

In addition to this, the underlying OS ACLs (FreeNAS / FreeBSD) are presented to Samba through a compatibility shim known as "libsunacl". This shim may also need to be upgraded to properly support ACE4_INHERITED. I don't believe it's a trivially simple fix, but it is on our developer radar. I can't really say anything more about it unfortunately. In the words of Bullwinkle the Moose "I can't say because I don't know".

TL;DR. It's currently not possible to remove the inheritance flag unless you make the child ACL slightly different from the parent (for instance by adding the "synchronize" ACE from the CLI).

ISSUE 2: Weird permissions on subfolders
In the FreeNAS UI you set the "Owner" and "Group" for your dataset. If you use the getfacl command from the CLI in FreeNAS (for instance in an ssh session), you will see something like this:

Code:
root@freenas:/mnt/dozer/SAMBA_SHARE # getfacl /mnt/dozer/SAMBA_SHARE/
# file: /mnt/dozer/SAMBA_SHARE/
# owner: THEGIBSON\administrator
# group: THEGIBSON\domain admins
                       owner@:rwxpDdaARWcCo-:-------:allow
group:THEGIBSON\domain admins:rwxpDdaARWcCo-:fd-----:allow
                       group@:rwxpDdaARWcCo-:fdi----:allow
                    everyone@:r-x---a-R-c---:fd-----:allow
                       owner@:rwxpDdaARWcCo-:fdi----:allow
              group:smb_group:rwxpDdaARWcCo-:fd-----:allow


The part that says # owner: THEGIBSON\administrator and owner@:rwxpDdaARWcCo-:-------:allow correspond to the values that you set in the UI for the dataset owner. The same for group / group@.

These are special ACEs. If you look, you'll also see a different sort: group:THEGIBSON\domain admins:rwxpDdaARWcCo-:fd-----:allow. That is a separate non-trivial ACE granting domain admins "full control". The problem with special ACEs is that (like granting permissions to CREATOR OWNER) the underlying owner / group of a file / dir can change. This can end up locking you out of places. That's why I always set a non-trivial, inheriting, full control ACE for domain admins.

> Suggestions?
>
> As with everyone here, my data is my lifeblood and losing it would be business-ending.
>
> T
I have used Samba in FreeNAS in production in an AD environment for a number of years. It works, and for the most part there is a 1-1 correspondence between FreeNAS ACLs and Windows ACLs. You have stumbled on one of the major differences. There is no easy GUI way to remove inherited ACEs and replace them with identical non-inherited ACEs.

Experiment with them on a test system, get comfortable with them, learn them, then use them in production. There is nothing here that will cause you to lose data. Worst-case scenario you end up having to fix permissions.
 
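The two mechanisms anodos describes above (trivial owner@/group@/everyone@ ACEs versus a non-trivial inheriting full-control ACE for domain admins, and Samba's "child ACL equals parent ACL, so flag it inherited" behaviour that the synchronize-bit trick defeats) can be made concrete with a small parser for FreeBSD getfacl output. This is an added example, not code from the thread or from FreeNAS/Samba: the sample ACL is the getfacl listing from the post above, the permission and flag letter order is taken from that listing (the 14th permission letter 's' being synchronize and the flags being f,d,i,n,S,F,I), and looks_inherited is a deliberately simplified model of the comparison anodos describes, not Samba's actual vfs code.

```python
# Added example (not from the thread): parse FreeBSD getfacl NFSv4 ACL output,
# classify trivial vs non-trivial ACEs, check for an inheriting full-control
# ACE for a named principal, and model the parent/child comparison that makes
# an identical child ACL show up as "inherited" (and why adding the
# synchronize bit makes it differ).
from dataclasses import dataclass, replace

TRIVIAL_TAGS = {"owner@", "group@", "everyone@"}
# Permission letters in FreeBSD getfacl order; the 14th ('s') is synchronize.
PERM_LETTERS = "rwxpDdaARWcCos"
# Inheritance flag letters in FreeBSD getfacl order (f, d, i, n, S, F, I).
FLAG_LETTERS = "fdinSFI"

# getfacl output copied from anodos' post above (whitespace normalised).
SAMPLE = r"""
# file: /mnt/dozer/SAMBA_SHARE/
# owner: THEGIBSON\administrator
# group: THEGIBSON\domain admins
owner@:rwxpDdaARWcCo-:-------:allow
group:THEGIBSON\domain admins:rwxpDdaARWcCo-:fd-----:allow
group@:rwxpDdaARWcCo-:fdi----:allow
everyone@:r-x---a-R-c---:fd-----:allow
owner@:rwxpDdaARWcCo-:fdi----:allow
group:smb_group:rwxpDdaARWcCo-:fd-----:allow
"""


@dataclass(frozen=True)
class Ace:
    tag: str        # owner@ / group@ / everyone@ / user / group
    qualifier: str  # principal name for user/group ACEs, "" for trivial ones
    perms: str      # 14-character permission string
    flags: str      # 7-character inheritance flag string
    kind: str       # allow / deny

    @property
    def trivial(self) -> bool:
        return self.tag in TRIVIAL_TAGS

    @property
    def full_control(self) -> bool:
        # Windows "Full control" maps to every bit except synchronize.
        return self.perms[:13] == PERM_LETTERS[:13]

    @property
    def inherits(self) -> bool:
        # file_inherit and dir_inherit set, inherit_only clear
        return "f" in self.flags and "d" in self.flags and "i" not in self.flags


def parse_acl(text: str) -> list:
    """Parse getfacl output into Ace objects; '#' lines are the owner/group header."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split from the right: the principal name may itself contain spaces.
        head, perms, flags, kind = line.rsplit(":", 3)
        tag, _, qualifier = head.partition(":")
        if len(perms) != len(PERM_LETTERS) or len(flags) != len(FLAG_LETTERS):
            raise ValueError(f"malformed ACE: {line}")
        aces.append(Ace(tag, qualifier, perms, flags, kind))
    return aces


def has_admin_full_control(aces, principal: str) -> bool:
    """True if a non-trivial, inheriting, allow, full-control ACE names principal."""
    return any(
        not a.trivial and a.qualifier == principal and a.kind == "allow"
        and a.full_control and a.inherits
        for a in aces
    )


def looks_inherited(parent, child) -> bool:
    """Simplified model (assumption, not Samba's code) of the heuristic in the
    thread: with no ACE4_INHERITED flag available, the child is reported as
    inherited exactly when its ACL equals the parent's."""
    return list(parent) == list(child)


def add_synchronize(aces, index: int):
    """The CLI workaround from the thread: set the synchronize bit on one ACE so
    the child's ACL no longer compares equal to the parent's."""
    ace = aces[index]
    return aces[:index] + [replace(ace, perms=ace.perms[:13] + "s")] + aces[index + 1:]


def report(text: str) -> dict:
    aces = parse_acl(text)
    return {
        "trivial": sum(a.trivial for a in aces),
        "non_trivial": sum(not a.trivial for a in aces),
        "admin_full_control": has_admin_full_control(aces, r"THEGIBSON\domain admins"),
    }


if __name__ == "__main__":
    parent = parse_acl(SAMPLE)
    child = parse_acl(SAMPLE)          # a fresh subfolder carries the same ACL
    print(report(SAMPLE))
    print("child flagged inherited:", looks_inherited(parent, child))
    child = add_synchronize(child, 0)  # flip 's' on owner@ -> differs from parent
    print("after synchronize bit:   ", looks_inherited(parent, child))
```

Run it against a real listing by piping `getfacl /mnt/pool/share` into parse_acl; the check to care about is has_admin_full_control returning True for your domain admins group, since that is the ACE that keeps you from being locked out when a file's owner@ or group@ changes underneath you. On the FreeBSD side the synchronize bit is added with setfacl (see setfacl(1) for the entry syntax on your FreeNAS version).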

berrick

Explorer
Joined
Mar 19, 2013
Messages
78
Hi tom_w,

Your setup pretty much mirrors one of my setups and configs, and I too have noticed this behavior when setting permissions on an SMB folder.

However the way round this issue, if I understand you correctly, is to do the following.
Understand that this will remove all currently set permissions, so will have to add them back as desired.
  • right click folder and select properties
  • click security tab, then advanced
  • Now click change permissions
  • Untick include inheritable permission and click remove
  • Now click add and add back your dom admin account with full permissions
  • Click OK all the way out
You should now be able to modify permissions, as Dom admin will be the only account currently assigned the required permissions on this folder :)
 

tom__w

Explorer
Joined
Mar 26, 2013
Messages
87
> Hi tom_w,
>
> Your setup pretty much mirrors one of my setups and configs, and I too have noticed this behavior when setting permissions on an SMB folder.
>
> However the way round this issue, if I understand you correctly, is to do the following.
> Understand that this will remove all currently set permissions, so will have to add them back as desired.
>   • right click folder and select properties
>   • click security tab, then advanced
>   • Now click change permissions
>   • Untick include inheritable permission and click remove
>   • Now click add and add back your dom admin account with full permissions
>   • Click OK all the way out
> You should now be able to modify permissions, as Dom admin will be the only account currently assigned the required permissions on this folder :)
I could have sworn that I had an error message when I did that last time. Seemed to work OK this time.

Should there be any kind of concern that I am removing the owner group (wheel) from the permissions? Does FreeNAS care?

T
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I could have sworn that I had an error message when I did that last time. Seemed to work OK this time.
>
> Should there be any kind of concern that I am removing the owner group (wheel) from the permissions? Does FreeNAS care?
>
> T

No. The only one that needs to stay is 'owner@'
 