Tips for using unix permissions type on a samba share (Doing things wrong - Part I)

Status
Not open for further replies.

anodos (Sambassador, iXsystems; joined Mar 6, 2014; messages: 9,554)

Warning: this involves putting your FreeNAS server in an 'unsupported' configuration. If you break it, you get to keep the pieces.

Most people want to use unix permissions so that they can access the same dataset with multiple different filesharing protocols (webdav, CIFS, AFP, NFS, etc). Doing this safely is a contentious topic (see what I did there?) and I'd rather not cover it.

Step 1: Plan which users and groups will have access to the share.

Step 2: Configure your dataset with 'Unix permissions' type and set the owner appropriately.

Step 3: Overwrite the default vfs objects by adding a "vfs objects" auxiliary parameter
The smb.conf generation script in FreeNAS is hard-coded to add the "zfsacl" vfs module to each share. If you want to use unix permissions type on a CIFS share you should probably disable this. Fortunately, samba will only apply the last "vfs objects" entry in the share definition. An example auxiliary parameter would be
Code:
vfs objects = streams_xattr shadow_copy2


Step 4: Configure permissions
There are multiple ways to handle this:
Method 1: Typically people add "valid users" and "write list" entries as auxiliary parameters to their share config.

Method 2: Alternatively, if you want something that behaves a bit closer to a Windows server, you can define NT share permissions in Samba's share_info.tdb file. See directions here: https://forums.freenas.org/index.php?threads/cifs-tips-and-tricks.34995/#post-241346 This will also allow you to enable access-based enumeration for your shares.
share_info.tdb can also be modified through the CLI via the "sharesec" tool.

Note: the above methods only apply for the share in its entirety. Additionally, they will not affect permissions if the files are accessed outside of samba (for instance via NFS or the CLI).

Step 5: A few more tips

  • If you have problems with MS Office files having incorrect permissions after saving, try setting the setgid bit on your dataset. i.e. "chmod g+s /mnt/Tank/Samba".
  • Don't complain to me if you break your permissions. :D
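
Added example (not part of the original post and not FreeNAS code): a small Python check that reads smb.conf text and reports, per share, which "vfs objects" line actually takes effect under the last-entry-wins behaviour described in Step 3, along with the "valid users" and "write list" entries from Step 4. The share names, paths, user names and the exact generated "vfs objects" line in the sample are constructed assumptions.

```python
import re

# Constructed sample: a generated share section with the auxiliary parameters
# from Steps 3 and 4 appended (share names, paths and users are made up).
SAMPLE_SMB_CONF = """\
[global]
    server role = standalone server
[Samba]
    path = /mnt/Tank/Samba
    vfs objects = zfsacl streams_xattr
    ; auxiliary parameters are appended after the generated ones
    vfs objects = streams_xattr shadow_copy2
    valid users = alice bob
    write list = alice
[Media]
    path = /mnt/Tank/Media
    vfs objects = zfsacl streams_xattr
"""

def parse_shares(text):
    """Return {section: {param: value}}; a repeated parameter keeps its last value."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = shares.setdefault(m.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name before storing.
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def audit(text):
    """Per share: effective vfs modules and the share-level access lists."""
    report = {}
    for name, p in parse_shares(text).items():
        if name.lower() == "global":
            continue
        modules = p.get("vfs objects", "").split()
        report[name] = {"vfs_objects": modules, "zfsacl_active": "zfsacl" in modules,
                        "valid_users": p.get("valid users", "").split(),
                        "write_list": p.get("write list", "").split()}
    return report

if __name__ == "__main__":
    for share, info in audit(SAMPLE_SMB_CONF).items():
        print(share, info)
```

A share with an empty valid_users list and zfsacl_active still true (Media in the sample) is one where neither Step 3 nor Step 4 has been applied yet.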
 