Henning Kessler (Contributor, joined Feb 10, 2015, 143 messages)
Hello,
being quite new to FreeNAS I have a question about Windows ACLs. I have an AD-bound FreeNAS installation and created a dataset with Windows permissions. User permissions are granted to DOMAIN\admin and group permissions to DOMAIN\somegroup. All other parameters are left at their defaults. I then created a Windows share from this dataset, again leaving all parameters at their defaults.
This is how the permissions look when viewing them from the CLI:
Code:
root@host[12:38][/mnt/ext01rz1]: ls -al
total XXX
drwxr-xr-x  5 root          wheel               5 Jan 12 11:00 .
drwxr-xr-x  6 root          wheel             200 Dec 30 13:23 ..
drwxrwxr-x+ 4 DOMAIN\admin  DOMAIN\somegroup    6 Jan 12 11:14 acltest
root@host[12:38][/mnt/ext01rz1]: getfacl acltest
# file: acltest
# owner: DOMAIN\admin
# group: DOMAIN\somegroup
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow
When I now connect to this share from a Windows PC and remove the access for everyone, the result looks like this:
Code:
root@host[12:41][/mnt/ext01rz1]: ls -al
total XXX
drwxr-xr-x  5 root          wheel               5 Jan 12 11:00 .
drwxr-xr-x  6 root          wheel             200 Dec 30 13:23 ..
d---rwx---+ 4 DOMAIN\admin  DOMAIN\somegroup    6 Jan 12 11:14 acltest
root@host[12:47][/mnt/ext01rz1]: getfacl acltest
# file: acltest
# owner: DOMAIN\admin
# group: DOMAIN\somegroup
group:DOMAIN\admin:rwxpDdaARWcCo-:fd----:allow
            group@:rwxpDdaARWcCo-:fd----:allow
Is it intended behaviour that the POSIX rights for the owner are deleted by this and that the ACL owner entry is changed to a "group:DOMAIN\admin:" entry?
Have I done something wrong, or did I miss configuring some more parameters, like some VFS modules?
Maybe someone could give me a hint for something to read to improve my knowledge on this?
Regards
Henning
Code:
smb4.conf
[global]
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 942923
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = HOST
    workgroup = DOMAIN
    realm = DOMAIN.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    ads dns update = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config DOMAIN: backend = rid
    idmap config DOMAIN: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1

[acltest]
    path = /mnt/ext02rz1/acltest
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
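A mechanical way to see exactly what the Windows-side edit changed, added here as example code that is not from the original post or from FreeNAS: parse the two getfacl listings in the post and diff them, so the disappearance of the owner@ and everyone@ entries, the new named entry for the owner, and the dropped synchronize bit ('s') on group@ are reported rather than eyeballed. The ACE line regex and the two embedded samples are my assumptions, constructed from the listings above.

```python
import re

# One NFSv4 ACE as FreeBSD getfacl prints it: who:perms:flags:type
ACE_RE = re.compile(
    r"^(?P<who>owner@|group@|everyone@|user:[^:]+|group:[^:]+)"
    r":(?P<perms>[rwxpDdaARWcCos-]{14}):(?P<flags>[fdinSFI-]{6,7}):(?P<kind>allow|deny)$"
)

def parse_getfacl(text):
    """Return ({header key: value}, {who: perms}) from compact getfacl output."""
    header, aces = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        elif line:
            m = ACE_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised ACE line: {line!r}")
            aces[m["who"]] = m["perms"]  # flags/type are ignored; enough for the diff

    return header, aces

def drift(before, after):
    """Diff two listings of the same object: entries removed/added, permission
    strings that changed, and whether owner@ survived or became a named entry."""
    hdr, b = parse_getfacl(before)
    _, a = parse_getfacl(after)
    owner = hdr.get("owner", "")
    return {
        "removed": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "perms_changed": {w: (b[w], a[w]) for w in b.keys() & a.keys() if b[w] != a[w]},
        "owner_at_kept": "owner@" in a,
        "owner_as_named_entry": sorted(set(a) & {f"user:{owner}", f"group:{owner}"}),
    }

# Constructed samples taken from the two getfacl listings in the post
# (raw strings so the backslash in DOMAIN\admin survives).
BEFORE = r"""# file: acltest
# owner: DOMAIN\admin
# group: DOMAIN\somegroup
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x---a-R-c---:fd----:allow
"""
AFTER = r"""# file: acltest
# owner: DOMAIN\admin
# group: DOMAIN\somegroup
group:DOMAIN\admin:rwxpDdaARWcCo-:fd----:allow
group@:rwxpDdaARWcCo-:fd----:allow
"""
```

Running `drift(BEFORE, AFTER)` on a real box is just `drift(open(a).read(), open(b).read())` on two saved `getfacl` captures; the same check can be scheduled to catch ACL drift on shares after Windows-side edits.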