FreeNAS Can't Handle Basic Use Case

Status
Not open for further replies.

zol

Dabbler
I've been trying in vain to get a basic use case working with FreeNAS. Perhaps I am trying something that is simply beyond the capabilities of FreeNAS.

USE-CASE:

-I want to have a share that is SMB/CIFS.

-Share has to work with Windows, Linux, and MAC computers!

-DIR TREE OF SHARE:
w
|
`---Proj1
|
`---Proj2


-Users: Eva, Angela, Maria

-Groups: Team1 (Eva, Angela), Team2 (Eva,Maria)

-Permissions:
Eva (Full perms for everything, she is sys admin...only she can set perms or change perms on shares!!!!),
Proj1 (Team1 - r&w),
Proj2 (Team2 - r&w).

So, for example, Maria cannot look into (has no access to) Project1, and Angela can't look into Project2. Also, Angela and Maria can't mod perms for anything. Eva can do anything, including set or mod perms.



As far as I can see, this is absolutely impossible to do with FreeNAS 9.3. I have never seen an example on the web where FreeNAS was able to do something like this, even though it is a very simple use-case. I've only seen FreeNAS being able to handle much more trivial use-cases.


At any rate, I hope I'm proven wrong. At this point I'm looking for exact instructions on how to set this up. I've already tried everything, I've searched quite a bit, and was able to set this up with other NAS solutions, but not FreeNAS 9.3.

If someone has the skills, their input would serve as a great resource. And if I'm correct and FreeNAS can't handle something like this, it is also good that this is clear.

Thanks.
 

anodos

Sambassador
iXsystems
Of course this is possible in FreeNAS. You can pretty much do anything permissions-wise that you can on a Windows server, and do it exactly the same way (through windows explorer).

This will get you started: https://forums.freenas.org/index.ph...-of-how-to-configure-share-permissions.35276/

Use the security tab to fine-tune your permissions.
 

zol

Dabbler
I've done that, it doesn't work. Trust me. While that will get it to work in Windows clients, MAC clients won't be able to mod files.
Well to be exact, something so trivial works, but I doubt that the Use-Case I described can be made to work.

For one, if the example is to be followed... you'd be setting user and group for entire share..."w". The problem is, among other things, that what I'm really sharing is the subdirs... Proj1, Proj2, etc.

Should I make a separate share for each Proj? That is so dirty... Can't I just share w... and set perms for subdirs... Of course I hear yes that should work... but honestly... there is not 1 example on the net of getting the scenario I described working with FreeNAS. I think your perm model doesn't allow for it.
 

anodos

Sambassador
iXsystems
zol said: "I've done that, it doesn't work. Trust me. While that will get it to work in Windows clients, MAC clients won't be able to mod files."

Your mac clients are probably failing to properly authenticate for some reason (possibly guest access, possibly falling under the "everyone" ACE). The command line utility "smbstatus" will give some indication of how they are authenticating. I have used Mac and Linux clients to access and write to samba shares. In fact, I even have a Centos 6 VM that accesses my samba shares and uploads them to a crashplan pro account.
 

zol

Dabbler
No, they are authenticating as the user that connects. Also they can write, delete, read... but they can't mod a file... they have to click "Save As..." and not "Save".
 

depasseg

FreeNAS Replicant
What protocol are your Mac clients using to connect? I think there is a difference between cifs and smb (IIRC - one works better)
 

zol

Dabbler
I tried cifs and smb... (cifs is just smb ver 1...as far as OSX goes). They both work the same for me. Mavericks broke smb because they rewrote smb from scratch... but I'm not using an affected OSX. Other NAS's I tried worked fine. Had no problems setting above use-case up. I'm trying to get it to work with FreeNAS because of ZFS.
 

jgreco

Resident Grinch
zol said: "No, they are authenticating as the user that connects. Also they can write, delete, read... but they can't mod a file... they have to click "Save As..." and not "Save"."

That is a permissions issue of some sort. This use model works fine for lots of people, including here.
 

zol

Dabbler
Maybe I don't understand FreeNAS's limits. Perhaps my approach to have 1 share is wrong in the FreeNAS model? Perhaps I should have 3 shares? share "w" for Eva (she is sys admin and needs axs to entire tree), share Proj1, and share Proj2? That way I can make Team1 be the primary group for Proj1.....and Team2 be the primary group for Proj2. But that is dirty and I would have to have 100's of shares. Also, I don't want to allow non-admins that may be part of a team to be able to change perms... which they would be if they own the share... they could mod the perms.... I don't want Angela and Maria to be able to change perms.
 

zol

Dabbler
Oh...sh**, I just realized... you guys are setting owners at dataset level... which means I may have been right that you can't implement the use-case above with FreeNAS. No wonder I've never seen an example with FreeNAS that is anything but the most trivial use-case. So maybe if a person makes a separate dataset for each proj and a separate share on top of that for each proj... it may work but that is insane. 100's of datasets to manage... when it should be just 1.

I mean that's your scheme right? You create a dataset, make a group for it, make that group own it, then you dump users into that group. I just don't see how that could work for anything remotely real world. You would not be able to get the above Use-Case working with that scheme.
 

depasseg

FreeNAS Replicant
zol said: "While that will get it to work in Windows clients, MAC clients won't be able to mod files."

So does it work properly in Windows, or not? It sounds like it does.

You need to set an owner and group at the dataset level, but then use windows to set the individual subfolder and file permissions to be whatever you want.
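
The layout described in the post above (one share, permissions set per subfolder), as an added example that is not part of the original thread and is not FreeNAS or Samba code: a simplified Python model of NFSv4/Windows-style ACE evaluation with inheritance, applied to the thread's w/Proj1/Proj2 tree. The ACE list, the permission bits and the read/traverse entries for Team1 and Team2 on w are assumptions for illustration, and owner-specific rights are not modeled.

```python
# Added illustration: simplified NFSv4/Windows-style ACL model (constructed data).
READ, WRITE, TRAVERSE, DELETE, WRITE_ACL = 1, 2, 4, 8, 16
MODIFY = READ | WRITE | TRAVERSE | DELETE   # read/write, but no permission changes
FULL = MODIFY | WRITE_ACL                   # includes the right to edit the ACL

GROUPS = {"Team1": {"Eva", "Angela"}, "Team2": {"Eva", "Maria"}}

# Explicit ACEs per directory: (type, principal, mask, inherited_by_children).
EXPLICIT = {
    "w": [("allow", "Eva", FULL, True),
          ("allow", "Team1", READ | TRAVERSE, False),  # may enter w, nothing more
          ("allow", "Team2", READ | TRAVERSE, False)],
    "w/Proj1": [("allow", "Team1", MODIFY, True)],
    "w/Proj2": [("allow", "Team2", MODIFY, True)],
}

def matches(user, principal):
    return user == principal or user in GROUPS.get(principal, ())

def effective_acl(path):
    """ACEs set on the object itself, then inheritable ACEs from each ancestor."""
    parts = path.split("/")
    acl = []
    for depth in range(len(parts), 0, -1):
        own = depth == len(parts)
        for ace in EXPLICIT.get("/".join(parts[:depth]), []):
            if own or ace[3]:
                acl.append(ace)
    return acl

def allowed(user, path, wanted):
    """Walk ACEs in order; every wanted bit must be allowed before any deny hits it."""
    remaining = wanted
    for kind, principal, mask, _ in effective_acl(path):
        if not matches(user, principal):
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
        if not remaining:
            return True
    return False  # bits no ACE granted are denied by default

if __name__ == "__main__":
    for user in ("Eva", "Angela", "Maria"):
        for path in ("w/Proj1/report.txt", "w/Proj2/plan.txt"):
            rights = [n for n, b in (("modify", MODIFY), ("write_acl", WRITE_ACL))
                      if allowed(user, path, b)]
            print(f"{user:7} {path:20} {rights or 'no access'}")
```

In this model the team ACEs carry the modify bits but not WRITE_ACL, which is what keeps Angela and Maria from changing permissions while Eva's inherited full-control ACE still applies everywhere.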
 

zol

Dabbler
At one time I got it to work in Windows but I went through so many permutations I no longer remember how & what I did... regardless, it did not work on non-windows computer with those settings.

What do you suggest for a user and group at the dataset level? Also what do you suggest for perms for w, Proj1 and Proj2 at the Windows perm level? Also what do you suggest for owner inheritance?
Nothing I tried really worked.

Thanks for your help & interest.
 

Mirfster

Doesn't know what he's talking about

anodos

Sambassador
iXsystems
zol said:
"Oh...sh**, I just realized... you guys are setting owners at dataset level... which means I may have been right that you can't implement the use-case above with FreeNAS. No wonder I've never seen an example with FreeNAS that is anything but the most trivial use-case. So maybe if a person makes a separate dataset for each proj and a separate share on top of that for each proj... it may work but that is insane. 100's of datasets to manage... when it should be just 1."

"I mean that's your scheme right? You create a dataset, make a group for it, make that group own it, then you dump users into that group. I just don't see how that could work for anything remotely real world. You would not be able to get the above Use-Case working with that scheme."

The reason you don't see complicated permissions howtos is because:

1) the guides are geared to home users
2) the guides provide a foundation that more advanced users can tailor to their needs
3) it's expected that users in complex environments have enough experience that they won't be going to internet howtos tailor-made for their specific use-case to figure out stuff for their production network.
 

anodos

Sambassador
iXsystems
jgreco said: "That is a permissions issue of some sort. This use model works fine for lots of people, including here."

It's possibly a file-locking issue for mac clients. Hard to say as it appears permissions are no longer in a working state. I suppose the OP can try setting the auxiliary parameter "oplocks = no" once he gets permissions back into a working state.
 

jgreco

Resident Grinch
zol said: "I mean that's your scheme right? You create a dataset, make a group for it, make that group own it, then you dump users into that group."

I don't even understand what that'd be useful for. The average home user might not be doing anything super complicated with permissions, but a lot of the sites building FreeNAS or buying TrueNAS have permissions requirements that are quite complex, some of which are very difficult to comprehend even.
 

zol

Dabbler
Have you tried:
"Owner (User)" = nobody
"Owner (Group)" = %WhateverGroupYouDecide%

Yes. It doesn't work. It doesn't even make sense.

If someone makes a file, user "nobody" will own it. I know, cuz I tried it. Unfortunately this results in locking people out of modding or saving to it...even if they belong to the same group as the Owner(Group). Even if they are given express rights on top of that.

I can see now why every permission post/tutorial I found about FreeNAS is basically granting every user they make full rights to a given dataset. And then perhaps another group of users full rights to another dataset. This way you can isolate users from each other but if you have to do this for 100's of projects.... what a joke.

It seems FreeNAS is unable to handle a simple Use-Case like above.

Look, thanks for the help, but I've been at this for 4 days, and I've tried enough things to have run out of ideas. I posted to seek help/clarification because I'm at the end of my line and can't afford to di** around anymore.

I posted a short but exact use-case... specific enough that you can provide very short but specific instructions. If this is possible in FreeNAS, share the wisdom with key instructions... there shouldn't be many steps to set this up.... but the permutations are huge. So if anyone is willing to provide an exact suggestion with regards to Owner,Group,WinPerms, SMB custom flags, etc.... I'm willing to try it...I'll keep the VM around for a day or two. It can serve as an example to others. Else, I'm giving up on FreeNAS and going with another NAS solution that I know works (unfortunately I'll have to custom set up zfs, encryption, etc.... but it is actually looking like a lot less hassle than FreeNAS in the end at this point).
 