Windows ACLs Tutorial?

Status
Not open for further replies.

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
Is there an ACL tutorial anywhere, with respect to Windows SMB/CIFS shares?

I thought I had FreeNAS all set up correctly, but when I tried to Robocopy from an existing Windows box over to the new FreeNAS share - it mostly worked, but certain files and folders failed with 'Access Denied'.

For the life of me, I just couldn't see why -- everything looked fine permissions-wise...

I took another route - I created a huge ZVOL, shared it with iSCSI and mounted it on the Windows box and copied the files over - no problems... but that solution doesn't sit right with me.

So, a quick install of Napp-It All-In-One OmniOS, create a ZFS Dataset and SMB share -- works no problem... But I don't want to use OmniOS - I'm not familiar with it, and if there was a critical error, I wouldn't know how to recover.

So... back to FreeNAS. I'm convinced that the share permissions and stuff that I had set up were correct - the only other issue I can think of (and this seems to be confirmed with many of the other 'CIFS doesn't work for me' threads) is that I have a problem with ACLs.

I don't know sh*t about ACLs - and I'll be damned if I can find a good guide on what they are, how they affect file and folder permissions, what that string of letters means, etc...

Can anyone point me in the direction of a good ACL tutorial?

Thanks
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Cyberjock is writing a tutorial (probably a book by now). The problem with permissions in Samba is that when you start learning about them they look like a nice little cellar, but once you enter you realize you are wandering around a mammoth cave system inhabited by Orcs. A good starting point is to configure permissions at the share level from your Windows workstation via the Security tab (not from the command line on your FreeNAS box). Microsoft has a basic overview here: http://windows.microsoft.com/en-us/windows/what-are-permissions#1TC=windows-7

Take notes as you experiment and learn, and pack a magic longsword.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
LOL. Actually I spent a good part of the day on it. ;) I'm almost done with the "writing" stage. Then do a proofread and post it for the world. There are going to be a few holes... notably:

1. No discussions of mixing jails with data outside the jails.
2. No AFP discussion (I don't own a Mac)

Those may come someday, but not right now.

9.3 also will change things, so /facepalm. In particular, 9.3 may make Mac permissions work better.
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
Well, if you want to PM it to me, I can test it tonight to see if it helps me address my problems ;)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Sorry, not releasing it to the public because I've learned that lesson in the past. If I have a mistake on a "pre-release" I fix, somehow the pre-release still gets out to the world... :(
 

mjws00

Guru
Joined
Jul 25, 2014
Messages
798
Someone buy him a Mac. It will match the pretty avatar. Is it a kinder gentler cyberjock? ;)

P.S. Never really cared for Macs (hated supporting them) until I grabbed a MacBook Air just as an aside for familiarity to help clients. They grow on ya, probably the nicest chunk of hardware I've used in a long long time. Killed off my tablets and far more powerful laptops. Plus you can grab a bash shell anytime.

Look forward to your guide cyberjock, should make a lot of people happy. Thanks for your hard work.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Princess Peach can still go postal. Under that dress is an ankle mounted 9mm and I'll still show everyone who's boss. ;)

I've considered going with a VM of OSX just for this but it involves hacks and tricks and I can't guarantee it won't cause problems for my other VMs. So I'm not going that route.
 

mjws00

Guru
Joined
Jul 25, 2014
Messages
798
It runs pretty darn good in a VM, no bloated hardware requirements. I had a board that boots hackintosh as well. It's a fun quick diversion. Truthfully, I use neither anymore as that little silver vixen Air follows me everywhere. I honestly never thought I'd see the day. Been so Windows/nix for decades. Cracks me up often. Some ultrabooks are pretty close clones now, but don't capture 'feel'. fskn apple.

I'd help ya with the permissions writeup, but only use AFP for Time Machine. The walkthrough in the manual worked fine. Happy to test settings or whatever if you decide to tackle the subject. Could be a good excuse for you to grab a new laptop, for science. ;)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
My main problem with Apple is that they don't have anything that fits nicely into a rack, which means that they don't make real computers. Regarding this theoretical work on permissions tutorial - photos or it didn't happen. :)
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
I use OSX under an unlocked VMware Player hosted on my Windows box for iOS game development... I tried moving my primary environment over to OSX on my 27" iMac, but it just annoyed me and I ended up going back to Windows.
The Mac is to be sold this week... I can do everything I need to do in the VM.
As for Mac permissions, I just use CIFS for general network shares and only use AFP for Time Machine (which works just fine).

You don't need a real Mac to test OSX - it runs perfectly well under VMware with no modifications to OSX itself (only to the VMware Player to remove the artificial restriction disallowing OSX because of Apple's licensing).
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
How's the guide coming along? :)
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, I want to ask if anyone knows when Cyberjock will release his tutorial to the public? I'm stuck with my CIFS permissions settings and I need some good reading.
I have many problems with setting permissions for a user or group so that it can only RWX and cannot make changes to Windows permissions. Also, I don't need everyone. The next problem is that I don't know how to set up newly created files and folders to inherit permissions from the dataset (setfacl). Now I have a problem with the log message "possible deathlock - trying to lookup SID" - this applies to a group (I tried recreating it with the same ID and another ID, nothing works). Next questions for me: why don't I see the names of users and groups in Windows clients, and how do I set up ACLs from the CLI (SSH)....
 


anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
That's a separate issue. See thread here: http://forums.freenas.org/index.php...possible-deadlock-trying-to-lookup-sid.21982/
That being said, I've experienced that bug before. "deathlock" is also a good description. :)
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, I read this thread before, but there is no permanent solution for the deathlock (I can't find one; there is only one solution, which works until you reboot your server). But my biggest problem is that I use Windows ACLs and I can't properly and securely set permissions for sharing. By default all shares have "everyone", and users that have access to a share can make changes to the ACL from Windows clients. And newly created files and folders in those "default" shares do not inherit permissions (I removed "everyone" from the root share, but new folders and files have it again). Another problem: how do I set up permissions from a Windows client on CIFS shares set up as "not browsable"? And the next question: how do I set up permissions in a Windows client on a 10TB share?
 