Can write to CIFS shares, but applications get access denied

[Toxic Waste]

I ran into the following problem last night, I have set up my FreeNAS with CIFS shares that are mounted as network drives on my computer(s). My user that logs into CIFS is part of the group that owns the files, I can perfectly add a new file via CIFS, I can edit names, delete files, create folders, basically everything that I want to do.

When I log in with my user and edit files with vi for example, this also works perfectly fine. However, when I open external programs on my computer (such as Subtitle Edit, Notepad or MKVtoolnix for example) and I edit or modify a file, I can't save it because I get an access denied error.

When mkvtoolnix tries to read a file, he can't even do that properly to see MKV headers for example.

Anyone got any clue where I might have gone wrong? If you need extra troubleshoot information, I'd be happy to provide it ofcourse

 

[Mirfster]

So when you are running the "External Programs" are they running as the same user that is authenticating to the CIFS share: "mkvtoolnix" or are they being ran as "Administrator" on the PC?

Also, I have seen a few mentions where others have said that connecting/mapping to CIFS Shares via IP acts differently as far a rights than if using the FreeNas HostName... Have not looked into this myself, but perhaps give that a whirl and let us know?

 

[Toxic Waste]

well, if I use subtitle edit on one of those files, it's in the program displayed like "T:\The Blacklist\filename.srt" and I can edit that file with Vi/Vim when I ssh to the machine with my user. But when I tried to edit it with an application via cifs, I get the access denied.

I will try the trick with the IP's now, let you know if that makes a chance or not :) thanks!

edit: tried it with mapping my networkdrive on the IP of freenas instead of the name, doesn't change anything it seems..

 

[Mirfster]

So, when you look at the properties of folder "T:\The Blacklist", what permissions to you show there?

 

[Toxic Waste]

So, when you look at the properties of folder "T:\The Blacklist", what permissions to you show there?

you mean the permissions in the security tab?

 

[Mirfster]

you mean the permissions in the security tab?

Yes, sorry forgot to mention that.

 

[Toxic Waste]

would you like to see the advanced settings or just the normal ones? It looks like this:

I must honestly say that windows security/sharing in combination with FreeNAS is a big mystery so far..

 

[Mirfster]

Take a look at this thread where I provided instructions (Page 2); it may assist you: FreeNAS Can't Handle Basic Use Case

 

[Toxic Waste]

so basically the fault is in my windows machine and I should change the security settings via this machine? I shall try it tonight and let you know :) Basically the permission of my group is lacking?

 

[Mirfster]

Thinking so. Give it a whirl and see how things go. :)

 

[Toxic Waste]

Thinking so. Give it a whirl and see how things go. :)

I've been looking into this now, but I can't say I'm really understanding what I need to change exactly, when I try to change permissions I mostly get access denied..

Currently on my Freenas, everything that is Media (so the files I want to edit) are owned by mediadaemon (a user that exists in FreeNAS and every jail) and the group that owns it is media (which also exists in every jail and on freenas). My user "michael" is part of that media group so he should be owner right?

But how does this translate in the windows settings exactly?

 

[Mirfster]

so basically the fault is in my windows machine and I should change the security settings via this machine? I shall try it tonight and let you know :) Basically the permission of my group is lacking?

Thinking so. Give it a whirl and see how things go. :)

Not really meaning that the fault is in your Windows Machine. What I was trying to suggest is that your CIFS share should be setup along the lines of:

1. In FreeNas the DataSet (Not sure what yours is named):
   • "Owner (User)" should be set to "nobody"
   • "Owner (Group)" should be set to whatever Group you desire; I think you said this is "Media"...?
   • Your User "mediadaemon" should be a member of the Group "Media"
   • Your User "michael" should be a member of the Group "Media"
   • Any other Users you want to have full control should also be a member of the Group "Media"
2. Now from a Windows Machine, you should be able connect to the Share (Whatever "T" is) as "michael"
   • Right-Click on the Folder "The Blacklist"; go to the [Security] Tab and set permissions as desired
   • May not be needed, unless you wanted to add others to have different rights.
     • If that is the case, then simply create another Group in FreeNas (say call it "MediaReadOnly")
     • Add Users in FreeNas to that Group
     • Grant the Group "MediaReadOnly" rights via Windows Explorer
3. If you wanted to add another folder under "T"; simply create it in Windows Explorer and use same steps from #2 to set Permissions

Thinking that this should do the trick.

 

[Toxic Waste]

Not really meaning that the fault is in your Windows Machine. What I was trying to suggest is that your CIFS share should be setup along the lines of:

1. In FreeNas the DataSet (Not sure what yours is named):
   • "Owner (User)" should be set to "nobody"
   • "Owner (Group)" should be set to whatever Group you desire; I think you said this is "Media"...?
   • Your User "mediadaemon" should be a member of the Group "Media"
   • Your User "michael" should be a member of the Group "Media"
   • Any other Users you want to have full control should also be a member of the Group "Media"
2. Now from a Windows Machine, you should be able connect to the Share (Whatever "T" is) as "michael"
   • Right-Click on the Folder "The Blacklist"; go to the [Security] Tab and set permissions as desired
   • May not be needed, unless you wanted to add others to have different rights.
     • If that is the case, then simply create another Group in FreeNas (say call it "MediaReadOnly")
     • Add Users in FreeNas to that Group
     • Grant the Group "MediaReadOnly" rights via Windows Explorer
3. If you wanted to add another folder under "T"; simply create it in Windows Explorer and use same steps from #2 to set Permissions

Thinking that this should do the trick.

I haven't had the time to dive into this yet (I admit I postpone it a bit at times..), but I have noticed something peculiar. When I actually add the files from the CIFS share (and so my "Michael" user is the owner), it seems that programs are perfectly fine of editing the files that can't when the are owned by mediadaemon, even though the user is in the owning group.

Is this in line with what you expected or is the problem elsewhere then ? (in the unix permissions?)