CIFS Local User Authentication

Status
Not open for further replies.

auralsun

Dabbler
Joined
Dec 3, 2012
Messages
26
Hey guys,

Just put together my second FreeNAS build. The first one (on my work network) is shared with NFS as none of the Windows operating systems are running Home edition. I'm trying to use a CIFS share on my home NAS as my roommates are using Windows Home edition on most of their computers.

I was following along the user guide and encountered a roadblock in the middle of page 161. It says to configure "Authentication Model" to Local User, and "Authentication Model" doesn't appear to be an option on my FreeNAS version (9.2.1.7-RELEASE-x64).

My Windows PC is able to discover the new CIFS share, but when I try to authenticate nothing seems to work. It seems to me that the issue must be with the CIFS share Authentication Model configuration, but since the official user guide doesn't seem to coincide with the most recent FreeNAS release, I'm having difficulties figuring out where would be the next place to troubleshoot.

Any ideas?
 

auralsun

Dabbler
Joined
Dec 3, 2012
Messages
26
OK, I've spent the past eight hours or so trying to configure a FreeNAS share on my home network using CIFS and various tutorials -- the first of which was this tutorial which is apparently irrelevant to the current version of FreeNAS as it uses a different version of Samba (did a Google search and forgot to check the last post, whoops).

The second tutorial (a YouTube video) was more recent and mentioned that the build was still working in 9.2.1.5, which gave me confidence that the tutorial would work for my purposes. However, the author's video is missing a couple of GUI options introduced in more recent versions of FreeNAS along with other behind-the-scenes changes, I suspect.

I followed along the video until about 14 minutes in when I realized my "Everyone" user had permissions for "Traverse folder / execute file" and "List folder / read data", whereas this was not the case for the video's author. I suspected that the issue had something to do with the recently introduced "Apply Default Permissions" option under CIFS shares. Knowing what a pain in the ass permissions can be, I opted to factory reset and reboot the server and restart the tutorial from the beginning.

I went through the video tutorial again proceeding exactly as before: creating the ZFS volume, creating an admin and standard user, configuring the CIFS share, enabling it, and configuring permissions, this time making sure not to check "Apply Default Permissions". When everything was done, I was unable to access the share at all from my Windows 7 machine. Figuring I'd proceed with the video anyway to see what happens, I enabled "Apply Default Permissions," assuming this would cause my share to behave the way it was before (Everyone user gets more permissions than I want). I restarted the CIFS service to make sure everything would be pushed. However, the CIFS service wouldn't restart due to a failing Samba configuration sanity check, even after reboots.

At this point I'm realizing that FreeNAS has a documentation problem. The Web GUI tooltips present in FreeNAS are vague and often misleading (Apply Default Permissions says "recursively set sane default windows permissions on share", for example), the official documentation is fractured across several different locations, and user-created guides on the forums and YouTube seem to be better resources than the official documentation in some cases -- however there's often no telling whether these guides will work with the current version of FreeNAS.

Does anyone have a CIFS / user permissions tutorial that is confirmed to work with the current version of FreeNAS? I'm considering trying out this one (authenticated users only at the bottom, then tweak to my needs) early next week but don't want to run into the same roadblocks I've run into with the last two tutorials. The set-up I'm looking for is probably one of the most common for home use: authentication required to access any NAS files, individual users have R/W access to their own user folders. :(
 

auralsun

Dabbler
Joined
Dec 3, 2012
Messages
26
I followed the third guide and also ran into problems because it doesn't account for the recent changes to CIFS ("guest" account was apparently removed, Authentication Model was removed, probably other behind the scenes stuff).

It seems that no matter what tutorial I follow, the "Everyone" user has R/W access to all files and folders on the share which is not what I want.
 

auralsun

Dabbler
Joined
Dec 3, 2012
Messages
26
The official documentation points to this guide for configuring a CIFS share according to my specifications (all users have access to common folder, users have their own personal folder). The forum post points to a blogspot page which is a broken link.
 

panz

Guru
Joined
May 24, 2013
Messages
556
Maybe I'm writing a stupid thing, but I remember that my Windows 7 workstations stopped having problems with CIFS shares when I deleted the Home Group...
 

marcevan

Patron
Joined
Dec 15, 2013
Messages
432
The main problem I have is the guides have different takes on CIFS/sharing and plugins.

Most of us probably have plugins as well as CIFS shares and ownership/permissions are different depending on which guide you read. For CIFS, it points to guest:guest as ownership if you want no passwords but CIFS locked to authorized IPs. That's fine until you dabble in plugins that have their own users|groups that are not shown to you in the freenas GUI.

And to top it off I get much different results when I try to view my freenas shares (thru CIFS) from my Win8 and Win7 PCs:

Win7 frequently can view by network name (e.g., freenas) but finds no files in directories even if I've chmod 777 a file and refresh.

Win8 was working swimmingly until I rebooted my freenas and then it errors out when browsing by network name; however if I browse by IP (e.g. //10.10.x.x) then it works perfectly.

Final point: why is there no security forum group in Help&Support here? I'd like to think we're all wise enough to know there could be exploits for freenas, so if some admin could create a Security section, that's where I'd like to troll.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Final point: why is there no security forum group in Help&Support here? I'd like to think we're all wise enough to know there could be exploits for freenas, so if some admin could create a Security section, that's where I'd like to troll.

I've asked about this before (year or so ago). The reality is that if there is a security problem it should be taken up with the FreeNAS developers first so that they can fix it and do a release as appropriate. In the bigger picture it's like this:


1. The developers don't come to the forums unless explicitly asked to. So anything discussed will never see their eyes nor have their response.
2. Any problem that exists shouldn't be resolved with some kind of patch or hack that isn't officially sanctioned by iX. Things can get messy when the typical FreeNAS users are expected to apply their own patches. They seem to make things worse, have errors that nobody has ever seen before, and post threads in the forums of their problems when they are actually self-inflicted.
3. *If* you think you have found one, the best place to go is bugs.freenas.org. Since the devs don't come to the forums, if you want their attention that's the best way to do it. IRC is also a close second because they do read IRC regularly even if they don't reply.

Overall, while it "sounds like the right thing" if you stop and think about what the intent is, I don't think having a security section really does anyone any good. Just like the "Feature requests" section of the forums it's someplace that sounds great but adds zero value. Every time someone posts "the next great idea" the first response is "go to bugs.freenas.org and put in the request".
 

marcevan

Patron
Joined
Dec 15, 2013
Messages
432
That said, there are multiple sections for the forum and the developers don't visit them either.

If there's a new feature/bug we go to the proper way to report it to the devs, then come back here to say we did so.

For a security section, it would be worthwhile for folks to post and read on any exploitations that they or others have seen, or some best practices with user/group setup, etc. Same as it is for all the other sections here.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
For a security section, it would be worthwhile for folks to post and read on any exploitations that they or others have seen, or some best practices with user/group setup, etc. Same as it is for all the other sections here.

To be honest I'm not aware of any exploits that anyone has posted that were for FreeNAS systems....
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
To be honest I'm not aware of any exploits that anyone has posted that were for FreeNAS systems....

To expand on this a bit, the portion of FreeNAS that iXsystems is responsible for is actually comparatively small. Almost every component that we use daily is a third-party project. Samba is third party. Netatalk is third party. Even OpenZFS is third party. The simple fact of the matter is that if you are a sysadmin you will subscribe to multiple mailing lists. For instance, if you use CIFS in production on FreeNAS you should subscribe to the relevant Samba mailing lists. The same goes for other projects.
 

marcevan

Patron
Joined
Dec 15, 2013
Messages
432
I suspect that if one had an exploit to post it would be proper for them to post in Help & Support / Security

:)
 

auralsun

Dabbler
Joined
Dec 3, 2012
Messages
26
Public forums are not an ideal place to be detailing security vulnerabilities :eek:

On the topic of my CIFS share, no matter what I did I couldn't get FreeNAS to make my files inaccessible to "Everyone". That said, I was ultimately able to create an admin user in FreeNAS, connect to the share using that user and remove permissions for "Everyone" from Windows (Properties > Security > Advanced > Change Permissions...). I think I tried nearly every possible configuration for a CIFS share in FreeNAS before realizing I could accomplish what I was trying to do from within Windows...
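
A command-line equivalent of the fix described in the post above, as an added example that is not part of the original thread. It assumes a placeholder share path `\\freenas\share`, a Windows session already connected to the share as the FreeNAS admin user, and that the share accepts ACL changes from Windows tools the same way it did from the Security dialog; `Get-EveryoneAce` is a helper defined here.

```powershell
# Added example: audit and remove "Everyone" access on a CIFS share from Windows.
# Assumptions: $Share is a placeholder path; the session is already authenticated
# to the share as the FreeNAS admin user (for example with "net use").
$Share       = '\\freenas\share'
$EveryoneSid = 'S-1-1-0'            # well-known SID for "Everyone"
$Backup      = Join-Path $env:USERPROFILE 'share-acl-backup.txt'

function Get-EveryoneAce {
    param([string]$Path)
    # Return every ACE (explicit and inherited) on $Path granted to Everyone.
    # Comparing by SID avoids depending on the localized account name.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $EveryoneSid }
}

# 1. Audit: show what Everyone can currently do at the share root.
Get-EveryoneAce $Share |
    Format-Table FileSystemRights, AccessControlType, IsInherited -AutoSize

# 2. Save the ACLs of everything under the share before changing them.
#    (The root's own ACL is the one printed by step 1.)
icacls "$Share\*" /save $Backup /T /C

# 3. Remove the Everyone entries at the root and on existing files and folders.
#    The leading * tells icacls the trustee is given as a SID.
icacls $Share /remove "*$EveryoneSid" /T /C

# 4. Verify: report any item that still carries an ACE for Everyone.
$leftover = @($Share) + @(Get-ChildItem -LiteralPath $Share -Recurse |
                          Select-Object -ExpandProperty FullName) |
            Where-Object { Get-EveryoneAce $_ }

if ($leftover) {
    Write-Warning "Everyone still has access on:"
    $leftover
} else {
    "No ACE for Everyone remains under $Share"
}
```

If step 4 still lists items, the saved file can be reapplied with `icacls $Share /restore $Backup` while the remaining entries are investigated.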
 

marcevan

Patron
Joined
Dec 15, 2013
Messages
432
Ugh... I give up. I see Security in a lot of other forums so people can ask questions, and post information.

For the bugs: why have that in forums if the only place to log them is with the dev team?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
For the bugs: why have that in forums if the only place to log them is with the dev team?

Same question could be asked of the features section (which I mentioned above)....
 
dlavigne

Guest
It's my understanding that both of those sub-forums pre-date the bug ticketing system and definitely pre-date the dev team's policy to put all bug and feature requests in the bug tracker so that they don't get lost and can be tracked. Once that policy started to be actively enforced, the descriptions for those sub-forums were changed to indicate that they were for discussion only (e.g., I'm not sure this is a bug or a PEBKAC, or do you guys think this is a feature other users could benefit from) before creating an issue at the bug tracker.

While using the bug tracker seems like "yet another thing I have to sign up for just to say something", it really is the best way to get any type of issue before the devs' eyeballs. The bug tracker sends all of the devs an email as issues are created and sends even more emails as an issue does not get actioned.
 

marcevan

Patron
Joined
Dec 15, 2013
Messages
432
Your logic is.... flawless.
 