Can't get my CIFS shares working correctly

Status
Not open for further replies.

CraftyClown

Patron
Joined
Apr 5, 2014
Messages
214
Hi guys,

I feel like I'm hitting my head against a brick wall here.

I've been trying to set up a system that completely automates and organises my home entertainment whilst allowing my Windows 8.1 clients access via my Microsoft email logon.

For the most part I had everything working fine, but there were a couple of minor permission issues I was still having with one of my plugins (Mylar, a comic reader) and I just couldn't leave them unresolved, but much like pulling on a loose thread on your favourite sweater, my configuration is unravelling and I've ended up in a worse state than when I started.

The ever helpful Joshua Parker Ruehlig has been attempting to help me fix some of the permissions issues with Mylar, however this seems to be giving me greater issues with my CIFS shares.

If someone could help me to get my shares working properly again, that would be fantastic :)

My setup:

1. I have added a user Richard with a UID of 816; he belongs to a group called admin with a GID of 1001. (The only other user I have added is BTSync, UID 817.) (The only other group I have added is BTSync, GID 817.)

2. The user Richard is also a Microsoft login account, allowing me to access my CIFS share with full permissions

3. I have 3 datasets with recursive Windows permissions 775. The owner and group of those datasets are Richard:admin

4. I have a number of CIFS shares, linked to my dataset

5. I have 6 Plugins, all in separate jails, located on another dataset; BTSync, Couch Potato, Sickrage, Plex, Mylar, Headphones




My problem:

From a Windows machine I only have read-only access to my files. If I look at properties/security on any of the files, the user is marked as 'account unknown', accompanied by a long string of numbers

(I've attached a screen grab of the properties screen)

Thanks

 

Attachments

  • account unknown 2.jpg

CraftyClown

> Did you make any headway with this?

Ha ha, funny you should ask.

Yes and no is the answer.

I have my system back to a smooth running state, however security-wise it's now a wide open door!

It appears that the reason I had been hitting my head against a brick wall is a feature within FreeNAS that prevents recursively added Windows ACLs from being changed back to UNIX ACLs: https://forums.freenas.org/index.php?threads/cant-chmod-files-operation-not-permitted.22229/

I was attempting to make changes from within the GUI, but could not understand why they just wouldn't take. When I realised chmod wouldn't work either, I knew something was definitely up!

I have now set up one of my datasets afresh with UNIX permissions and re-added the files. My Mylar plugin once more works correctly, as do all of my other plugins. My datasets however are back to UNIX with 0777 permissions.

I'm honestly not quite sure where to go from here.

The problems I still have, as I see them, are:


1. The permissions on my working datasets (and by working I mean, my plugins have full access, as do I from a Windows client) are all set to UNIX 0777

2. My main pool directories (I have three separate pools) are still stuck with unchangeable Windows ACLs. I have no idea whether this is a problem or not. I'm hoping it doesn't matter, as the only way I can see of fixing that is by deleting the pools and starting again.

[root@freenas /mnt]# ls -l
total 11
drwxrwxr-x+ 6 root wheel 6 Mar 7 12:42 Movies_and_Music
drwxrwxr-x+ 3 root wheel 3 Mar 6 23:34 Music
drwxrwxr-x+ 6 root wheel 6 Mar 10 23:06 TV
-rw-r--r-- 1 root wheel 5 Jan 31 03:19 md_size


The position I would like to be in is:

1. I have a number of datasets that are accessible and modifiable to both my plugins and myself from a Windows client

2. My FreeNAS box is just a little bit more secure than it currently is (really not that hard right now!)

I'm not panicking too much right now, seeing as I have a VPN on my router and I only use my FreeNAS box to manage my home entertainment needs. That said, it would be great to finally get this sorted out.
 

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
<--- FreeNAS Noob :p

I am pretty much in the same boat. I have made a FreeNAS server and I am experimenting with 9.3 stable.

But after 4 days of tinkering with users, datasets and permissions, I have the idea that things don't work as I would expect them to with Windows permissions. Windows ACLs with FreeNAS and a Windows 8.1 client won't work as they should.

After a while trying to get Windows ACLs working I gave up and switched to Unix ACLs, but I got the same problem as @CraftyClown: I could not chmod, so I dropped the dataset and made a new one. I found out later that the Windows ACLs did not work well because of the "Microsoft Account" checkbox in the user account.

I began experimenting with making a group account for each dataset I make; that way I can add users who need more access to that group. I have no idea if this is a good working strategy. Comments on this are welcome.

I have some questions:

1. Long term (in terms of problems), is it better to use Unix ACL or Windows ACL?
2. I have read many times that it is important that the account and password in FreeNAS should be the same as the login that you use for Windows. Why is that important?
3. If I would like to use Windows ACL with Windows 8 or higher, what are the things that must be configured to make it work as it should?
4. The problem after changing a dataset from Windows ACL to Unix ACL: is this a bug, or does it work as intended?
5. What does "Set permission recursively" really do? I can't find a source that explains it.
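
An added example, not part of either post above: a check for the 0777 state CraftyClown describes and the group-per-dataset layout AndreStarTrek is trying, as shell functions that list world-writable entries and then limit a tree to one group. It applies only to datasets using UNIX permissions (the thread notes chmod is refused on Windows-ACL datasets) and assumes the share user and the plugin accounts are members of the chosen group; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and tighten a dataset that uses UNIX permissions.
# Paths and group names here are placeholders, not values from the thread.

# Print every entry under $1 that any local account may write to
# (the "other" write bit, which mode 0777 sets). Symlinks are skipped.
world_writable() {
    find "$1" -perm -0002 ! -type l -print
}

# Hand a tree to one group: directories 2770 (setgid, so new entries
# inherit the group), files 0660. Accounts outside the group get no access.
restrict_to_group() {
    tree=$1
    group=$2
    chgrp -R "$group" "$tree" || return 1
    find "$tree" -type d -exec chmod 2770 {} + || return 1
    find "$tree" -type f -exec chmod 0660 {} + || return 1
}

# Count world-writable entries before and after tightening.
# Returns 0 only if nothing is left world-writable.
audit_and_fix() {
    tree=$1
    group=$2
    before=$(($(world_writable "$tree" | wc -l)))
    restrict_to_group "$tree" "$group" || return 2
    after=$(($(world_writable "$tree" | wc -l)))
    echo "world-writable entries: before=$before after=$after"
    [ "$after" -eq 0 ]
}

# Constructed demo tree standing in for a dataset left at 0777.
demo=$(mktemp -d)
mkdir -p "$demo/TV/show"
touch "$demo/TV/show/ep1.mkv"
chmod -R 0777 "$demo"
audit_and_fix "$demo" "$(id -gn)"
rm -rf "$demo"
```
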
 

dlavigne

Guest
> 1. Long term (in terms of problems), is it better to use Unix ACL or Windows ACL?

For Windows shares, you should always use Windows ACL.

> 2. I have read many times that it is important that the account and password in FreeNAS should be the same as the login that you use for Windows. Why is that important?

It's not necessary but makes things easier.

> 4. The problem after changing a dataset from Windows ACL to Unix ACL: is this a bug, or does it work as intended?

This is intended. Switching back to Unix ACLs breaks Windows ACLs.

> 5. What does "Set permission recursively" really do? I can't find a source that explains it.

Recursive means it applies to all subdirectories. As the docs mention, this should usually be done on the client side to prevent a performance lag on the FreeNAS side.
 

AndreStarTrek

> For Windows shares, you should always use Windows ACL.

In that case, is it possible to give a plugin/jail the right permissions by using a special account for that specific plugin/jail with Windows ACL?

> It's not necessary but makes things easier.

OK, not much different from how you could connect to a Windows Server.

> This is intended. Switching back to Unix ACLs breaks Windows ACLs.

That means that I always need to make a new dataset when I want to change to another ACL, or could I reset the dataset and set a new ACL?

> Recursive means it applies to all subdirectories. As the docs mention, this should usually be done on the client side to prevent a performance lag on the FreeNAS side.

OK, that is what I thought :) Are other datasets that are made below that dataset also affected?

This question still stands: 3. If I would like to use Windows ACL with Windows 8 or higher, what are the things that must be configured to make it work as it should?

One other question based on question 3: if I check "Microsoft Account", could I still use an older Windows (Vista, 7 or even XP, Server 2003) to configure the Windows ACLs? And will it give conflicts with other services like an NFS/iSCSI share, or CIFS use with Linux?

I want to know this because I would like to be able to troubleshoot FreeNAS before I really start using the server. I would hate to lose data only because I have no idea what I am doing.
 

wungun

Contributor
Joined
May 3, 2015
Messages
109
Similar issue here... you don't have permission from "unknown user S-XXXX"...
Everything worked before... after a reboot of the server (9.3) everything changed like this. Why? And how can I fix it?
I'm a FreeNAS noob of the first order!
Thanks
 