9.2.1.3-RELEASE-x64 -- CIFS/Permissions problem

Status
Not open for further replies.

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
This is probably the same permissions problem that is being reported elsewhere, but it seems a little different, so I thought I'd see if anyone else is experiencing problems.

I just set up a 9.2.1.3 server as a completely new and clean install (and new zpool). I created a dataset called "minime" (the name of my existing Windows server) and shared it via CIFS.

On the Windows server, I connect to \\freenas\minime and perform

robocopy C:\ServerFolders M:\ServerFolders /MIR /mt /r:1 /w:1 /dcopy:T /v

This worked pretty well, much as I expected -- migrating around 6Tb of data to the new FreeNAS server... but on closer inspection - I noticed a number of "Access Denied" failures randomly spread throughout the logs.

Taking a closer look at one of the failures - I noticed that the destination folder on the FreeNAS side is marked as READONLY (windows -> properties) - and I can't seem to change it.

I followed the instructions (not really knowing what I'm doing) in the thread here -- http://forums.freenas.org/index.php?threads/howto-allow-extended-attributes-on-cifs-samba.805/

But it seemed to have no discernable effect.

Is there some esoteric series of flags I need to set somewhere?
 

toadman

Guru
Joined
Jun 4, 2013
Messages
619
How did you set up the share? I'm wondering about owner:group. From a freenas session, who is listed as the owner:group of the directory you are having an issue with?

I had a weird case previously where I too set the permissions similar to what you list. But somehow I had inherit owner checked on the share within FreeNAS. That was screwing up the ownership (setting to "nobody") on all new directories/files. Which should have been ok actually (the group still had access). Except it was oddly putting a "000" (Unix) owner permissions on new directories. So I had no way to change the permissions from Windows and had to reset things within freenas. I ended up changing the owner to myself for the share (I'm the only one that uses it) and then changed permissions from within windows to what I wanted.

Also, there was a mismatch in whether "Everyone" had a permissions entry in Windows. I set this recursively so every directory/file has Everyone able to read attributes, read extended attributes and read permissions.
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
I quickly checked the share flags -- looks like I had all the Inherit flags ON (In my defense, it was 4am when I set all this sh*t up)

I think I need to go back to the guides to find out how ACLs and permissions really work... I really wish there was a simple wizard in FreeNAS for "Set up Windows Share" - like the Dashboard in Windows Home Server or something like that...
 

toadman

Guru
Joined
Jun 4, 2013
Messages
619
Yes, always a good idea to refresh yourself on how it works. I have to do so often. Ugh.

I think you want "inherit owner" off (unchecked, else that single owner will be able to change permissions on everything), and since this is a Windows share you want "Inherit permissions" off (because those are for unix, see the FreeNAS documentation on CIFS shares). You do want "Inherit ACLs" on (checked) so new files/directories in an existing directory get created with that directory's ACLs.

Then you'll have to make sure the ACLs are all set right, which might mean you need to do a recursive setting again. First within Freenas to make sure the ownership:group is right, then as root to set the baseline with setfacl. Then you might want to double check on the Windows side after mounting the share.

It's all working well for me now, so it can be cleaned up successfully. :)
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
OK, so I set up a new dataset on the server via the web gui
Name: ServerBackup
user: nobody
group: users
Type of ACL: Windows / Mac

I then used the shell to ensure the owner flags were set
chown nobody:users ZPOOL/ServerBackup

CIFS service configuration is set as default, with only
Local Master, Time Server for Domain, EA Support, Support DOS File Attributes, Unix Extensions, Zeroconf discovery : ON
Aux Params: socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072 IPTOS_THROUGHPUT

I set up a CIFS share with the following flags
Name: ServerBackup
Browsable, Inherit ACL's : ON

On the Windows server, executing
robocopy C:\ServerFolders\Pictures M:\ServerFolders\Pictures /mir /mt

Still results in errors about "Access Denied"
2014/03/26 14:48:08 ERROR 5 (0x00000005) Copying File C:\ServerFolders\Pictures\BUNNIES\Oliver\Oliver soap.jpg
Access is denied.


I have no idea what I'm doing wrong... I'll keep playing until I get a combo that works (hopefully)
 

toadman

Guru
Joined
Jun 4, 2013
Messages
619
What do you get when you issue a "getfacl" on the top directory of your share? I get this...

Code:
# file: userdata      <== This is the directory /mnt/pool/userdata
# owner: *myusername*  <== I set this so I can change all the permissions from Windows (can't do that if set to nobody)
# group: userdatashare  <== contains only specific users.  I see you just set yours to all users.  No problem
            owner@:rwxpDdaARWcCo-:fd----:allow
            group@:rwxpDdaARWc---:fd----:allow
        everyone@:------a-R-c---:fd----:allow


(The *myusername* is set to my actual username.)

Next, I assume you are just mounting the share with a username/password that matches a username/password on the FreeNAS system?

Can you create a new directory or file in the share from within Explorer in Windows?
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
Code:
# file: ServerBackup
# owner: nobody
# group: users
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
        everyone@:r-x-D-a-R-c---:fd----:allow


I connect the Windows share with the same username/password as the account on the NAS
net use M: \\freenas\ServerBackup /user:freenas\dave

I can successfully create a new directory and/or file on the Windows machine.

If I create a folder called 'test' and look at its properties -
Code:
  Properties > General  --- Read Only is ON
  Properties > Security --- Everyone = Read & Execute, List folder contents, Read, Special
                            dave (Unix Group \dave) = Full control, Modify, Read & execute, List folder contents, Read, Write
                            dave (freenas\dave) = Full control, Modify, Read & execute, List folder contents, Read, Write
  Properties > Security > Advanced > Owner = freenas\dave
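
Added example, not part of any post in this thread: a small Python parser for FreeBSD `getfacl` NFSv4 output that diffs the two ACLs pasted above entry by entry. The function names are illustrative; the letter meanings follow FreeBSD setfacl(1), and the two sample strings are the ACL entries copied from the posts.

```python
# Permission letters as documented in FreeBSD setfacl(1) for NFSv4 ACLs.
PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}

def parse_acl(text):
    """Map (principal, allow|deny) -> (permission letters, inheritance letters)."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header lines: "# file:", "# owner:", "# group:"
        # Split from the right so "user:dave:...:allow" keeps its principal.
        parts = line.rsplit(":", 3)
        if len(parts) != 4 or parts[3] not in ("allow", "deny"):
            continue  # not an ACL entry
        who, perms, flags, kind = parts
        unknown = set(perms) - set(PERMS) - {"-"}
        if unknown:
            raise ValueError(f"unknown permission letters {unknown} in {line!r}")
        acl[(who, kind)] = (set(perms) - {"-"}, set(flags) - {"-"})
    return acl

def diff_acl(a, b):
    """For each entry that differs: (names only in a, names only in b)."""
    out = {}
    for key in sorted(set(a) | set(b)):
        pa = a.get(key, (set(), set()))[0]
        pb = b.get(key, (set(), set()))[0]
        if pa != pb:
            out[key] = (sorted(PERMS[p] for p in pa - pb),
                        sorted(PERMS[p] for p in pb - pa))
    return out

# ACL entries as pasted in the thread (userdata vs. ServerBackup).
USERDATA = """owner@:rwxpDdaARWcCo-:fd----:allow
group@:rwxpDdaARWc---:fd----:allow
everyone@:------a-R-c---:fd----:allow"""
SERVERBACKUP = """owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x-D-a-R-c---:fd----:allow"""

if __name__ == "__main__":
    delta = diff_acl(parse_acl(USERDATA), parse_acl(SERVERBACKUP))
    for (who, kind), (only_a, only_b) in delta.items():
        print(f"{who} ({kind}): only userdata={only_a} only ServerBackup={only_b}")
```
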
 

toadman

Guru
Joined
Jun 4, 2013
Messages
619
Ugh, looks like it should work to me. I'm not sure. The only difference I can see from what I do is the owner would be "dave" vs "nobody". But that shouldn't matter.

The only other thing I could suggest is looking at the unix permissions. I don't know why, but when I had the owner set to nobody and a system process accessed the share to create a directory, I would get "d---rwx---+" vs the expected "drwxrwx---+" on the freenas system. That shouldn't have mattered either, as anyone in the group should have had access. But something wasn't working when I had a media crawler looking at the directory. I wouldn't read it. That's when I changed the owner to my username (not the name the media crawler was using) to get it to work.

That said, all of this started with the 9.2.1 chain of releases with the samba change. I had it set up previously with nobody as the owner. I wish I could be of more help to you.
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
Thanks for the help - I appreciate it.

It's just so damned frustrating... I've been trying to get this new server up and running for months now, and each successive version of FreeNAS has had something major wrong that I have had to wait around for the next version. I finally thought this version was it, but it looks like the Samba upgrade has fubar'd quite a lot.

I can't complain too much, it is Free after all - but I have to wonder how the paying customers from iX systems feel about this right now...
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Paying customers get support straight from iX.. so when you have a problem you call them and they solve it.

Some people just want a checkup on their server to make sure all is configured reasonably, and I offer services for stuff like that. I also do data recovery if things go horribly wrong and help do hardware consultation, etc.

One or two others have helped with jail installation for specific programs too.

It's just about how much you are willing to pay for it to work.
 

toadman

Guru
Joined
Jun 4, 2013
Messages
619
Yes to what cyberjock said. And likely customers running production systems in a business are slower to upgrade to a new version, especially one with a substantial change (I would be).
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
A fresh install of 9.2.1.4-BETA and still the same issues... I'm at a bit of a loss now.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Hexland-

If your permissions get buggered up, you'll have to fix it on the server itself. Or (and a very big "OR") you have to log into the server with a user that has permissions for the file in question to fix it.

So why is the 'or' so big? Because 99% of the time the permissions are buggered in a way that you'd have to use multiple logins to fix it, and Windows doesn't let you do that easily.

Additionally, if your permissions are buggered up, you probably don't even understand the magic pixie dust that went on behind the scenes that screwed up permissions. And unless you learn that mistake you're probably going to make things worse. Many people in this forum have decided to give up and did 777 permissions for their entire pool as root. It works great, for about 5 minutes. Changing permissions for the jails that were on the server usually renders the jails nonfunctional. So now they're rebuilding the jails and when they try to "add storage" to the pool it doesn't work.. So then they screw up permissions trying to get it to work in the jail.

The real key is to understand permissions when you create the server. And 99.9% of the time, the average user doesn't understand file permissions, so they get it all wrong and are left scratching their heads, making posts in the forum, and sometimes even doing bug tickets asking for it to be fixed. It's almost always not broken.. the admin is broken. ;)

Now, Samba4 did change how guest permissions work, and that has thrown off many users that weren't aware of the change. But, it still worked "as designed", the problem was that the admin didn't understand the changes and was shocked when upgrading from some old version to 9.2.1 brought about a change in behavior they weren't aware of.
 

Hexland

Contributor
Joined
Jan 17, 2012
Messages
110
Thanks for taking the time to reply, cyberjock - I appreciate and admit that I may not know the complete ins and outs of the whole samba stack, and the extent of the changes from smb3 to smb4 - but your answer doesn't really cast any light on the problem.

Given all the information in this thread posted above - where did I go wrong? It's not like it's a complicated process here... I created a user, and a share and switched on CIFS -- and the result was that a very basic copy operation failed... what part of samba 4's behaviour am I missing here?

Judging from the number of permissions posts/problems on the forum (not just from me, but other admins unaware of the changes in behaviour) - I'm not alone in being confused.

Is there a document or post somewhere that spells out exactly the changes between smb3 and 4, and the knock on effects?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I can't really say where you went wrong. We could easily exchange posts for a week and never find your problem. That's why the experienced users don't try to help people with permissions (and we see them every day). There's lots of nuances and whatnot that is just too complicated to try and solve on a case-by-case basis for users. Sorry, but you are on your own with permissions.

I think you mean Samba3 to Samba4 and not smb3 to smb4. There is documentation on it. The FreeNAS manual has some, but if you want very detailed information try wiki.samba.org or some Google searches. FreeNAS simply bundles Samba and provides some basic information on how to use Samba. Some aspects aren't covered in the FreeNAS manual. I'm not sure if you need to consult the Samba wiki for your problem or not. That's something you are going to have to figure out in your quest to identify and then solve the problem.
 