UNIX permissions for Windows clients

[chris.shelton]

I am designing a system for someone who wants to use UNIX permissions rather than Windows ACLs.

I created a dataset with UNIX permissions and set them accordingly. But Windows also seems to be trying to manage permissions because when I check the permissions of a file through Windows Explorer, the group does not have write permissions. However, the group does have write permissions through UNIX.

So nobody at the moment can write to a file owned by someone else, which is not ideal.

I've seen posts about using Windows permissions on the dataset, but what is the argument for doing so? I need to justify my reasoning. 99% of clients are Windows, the rest Linux. What's recommended here?

Thanks

 

[anodos]

Post /etc/local/smb4.conf.

"windows" vs "unix" permissions affects how things operate behind the scenes server-side. It has nothing to do with the clients that will be connecting to the server. The argument for windows permissions type is that it allows the samba server to more accurately mimic the behavior of a windows server (which is the big-picture goal of the samba project).

 

[SweetAndLow]

If you are using UNIX permissions you need to ignore everything the windows security box shows you. It is incorrect and should have the 'special' box checked. Group permissions work just like they should in posix land. I use posix groups with smb on my system everyday and don't need to do anything special.

 

[chris.shelton]

If you are using UNIX permissions you need to ignore everything the windows security box shows you. It is incorrect and should have the 'special' box checked. Group permissions work just like they should in posix land. I use posix groups with smb on my system everyday and don't need to do anything special.

Thanks, I would ignore the Windows permissions, but the only reason I looked at them is because the only person who can edit files is the one who owns it.

I created a simple text file, which was rw to the owner (me) and the group staff. However, nobody in the 'staff' group can edit my file, even though they seem to have the correct permissions when I SSH into FreeNAS.
When I look at the Windows permissions of the file, it says that the owner has full control and the group only have read, not write, which I'm assuming is the problem here. How can I make it forget the Windows permissions?

 

[SweetAndLow]

Can you give the output of the directory listing with the permissions included?

 

[chris.shelton]

Can you give the output of the directory listing with the permissions included?

Sure:

[root@freenas] /mnt/pool/dataset# ls -l
total 2
drwxrwxrwx 2 super staff 3 Sep 7 15:59 ./
drwxrwxrwx 4 super staff 4 Sep 7 15:32 ../
-rw-rw-rw- 1 test staff 21 Sep 7 15:59 chris.txt

 

[SweetAndLow]

Looks like anyone can read and write to that file. you telling me that you can't edit that file? How re you editing it? Try logging in over ssh as the user that you want to edit the file. See if you can write to it like that? Then try over a protocol like cifs, what protocol are you tryning to use?

 

[chris.shelton]

Looks like anyone can read and write to that file. you telling me that you can't edit that file? How re you editing it? Try logging in over ssh as the user that you want to edit the file. See if you can write to it like that? Then try over a protocol like cifs, what protocol are you tryning to use?

Exactly, I can open it, but cannot save any changes.

At the moment, the only way for me to edit this file is to chown to myself and make the changes. I just tried editing the file over SSH logged in as myself and that worked OK. So it must be a samba issue? I'm using CIFS.

 

[SweetAndLow]

Try logging in over ssh as a user in the staff group, can they edit?

Next over cifs create a folder and check the owner and group, are they what you expect?

 

[chris.shelton]

Try logging in over ssh as a user in the staff group, can they edit?

Next over cifs create a folder and check the owner and group, are they what you expect?

Yes they can, editing can be performed by anyone in the group over SSH.
When I create a folder over CIFS they are what I expect, myself as the owner and 'staff' as group. Anyone in the staff group can write to that folder just fine. However they cannot edit a file that somebody else has created, even though their group has write permissions.

I have now been advised that this is a bug unfortunately and that using Windows permissions is the only way forward, which is a shame.

See bug report here: https://bugs.freenas.org/issues/11390

Thanks for your help anyway.