SOLVED CIFS ownership/authorization wipe and restart

Status
Not open for further replies.

cods69 (Explorer, joined Sep 11, 2016, 50 messages)
Hey people. I'm not happy with how my CIFS permissions/owners were set up and would like to start again, without wiping the whole system or removing data.
System is Asrock 2750 with 8x 4TB WD Reds, 16GB ECC, running FreeNAS-9.10.2-U2. ~50% utilized.
Owner user is Root and owner group is shareusers (following a guide from way back when I set it up) and permission type is Windows, with 'allow guest account' enabled originally. Single volume, nothing fancy.

I've watched the guide videos on this forum and it looks reasonably easy to change owner/group, but it makes me pretty nervous after testing a few sub-directory permission changes, getting an error in Windows, then having no access other than via the FreeNAS shell to fix things. I've also read a few horror stories about ACLs, which is getting towards the confusing side of things for me.

Question 1: Is there a clear, safe and definitive way to re-do permissions for this scenario?
Say I want to start from the beginning, giving full access to only one Windows user:
userx ...as part of user group
usergroupy ...defined in users/groups in FreeNAS and userx being the Windows login user (obviously with matching passwords).

Question 2: Is it good practice to leave root as the owner for CIFS?

Question 3: If it all goes horribly wrong and I get some nasty error in Windows again when changing permissions (i.e. removing root as owner), should I have had contingency (backups) prior to starting all this, or is there a way to 'get things back' via shell in FreeNAS and to not be too worried about this?
 

zoomzoom (Guru, joined Sep 6, 2015, 677 messages)
  1. No FreeNAS user should own a Dataset that's an SMB share, as permissions are managed on Windows via Properties -> Advanced Security or via CLI using icacls.
    • When creating a Dataset meant to be used as an SMB share, if the user & group option is not grayed out, the wrong permission type is selected and needs to be changed to ACLs.
      • Managing permissions on FreeNAS for a Dataset that's an SMB share will result in corrupted permissions and a major headache to fix with icacls.
      • ALL user(s) and group(s) access permissions should be added through Windows via Properties -> Advanced Security.

  2. No, root should never own files/directories on a Dataset being used as an SMB share, unless one wishes for those documents and files to not be accessible to users accessing the SMB share.
    • root or wheel should never be assigned access permissions in Windows.

  3. Provided you're managing permissions through Windows and NOT FreeNAS, this should never be an issue.

If multiple users need access to the same Dataset, either:
  • They all need to have their own directory on the Dataset
    • The files and directories on the Dataset being used as an SMB share need to be owned by the user & group accessing them.
    • If creating separate user directories, the specified user needs to recursively own their directory on FreeNAS

  OR

  • A new group needs to be created, all users needing access to files/directories need to be added to the group, then that group needs to own the aforementioned files/directories
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
> No, root should never own files/directories on a Dataset being used as an SMB share, unless one wishes for those documents and files to not be accessible to users accessing the SMB share.

Rather emphatic on these points? :) The files will be accessible by members of the owner group. At least initially, the dataset should be owned by a user who can then fine-tune permissions through Windows.

Permissions can be easily reset via the FreeNAS webui via the "apply default permissions" checkbox in the share config. I made a short overview of how to modify permissions from the CLI here: https://forums.freenas.org/index.php?threads/how-to-edit-cifs-permissions-from-the-cli.40594/
 

cods69

Appreciate the info guys, as well as the cautions.

The original guide I followed had me set ROOT as the owner from the FreeNAS permissions, as well as Everyone, so the whole thing was a mess, really.
I erred on the side of caution and backed everything up, JIC.

After checking out a few more guides as well as the 'Advanced' guide I linked to in my first post (second video), I've basically changed the Owner (user) and Owner (group) in the Change Permissions dialogue, along with Set Permission Recursively. I will obviously have to wait for some time for that to finish as there are a LOT of files.
I'm led to believe that basically 'resets' all permissions back to scratch for everything on that volume, so I can start tweaking everything from the start again, via Windows.

I'll post back when it's done and give a report. Again, thanks for the advice!

EDIT: Only took 10-15 mins! Old messed up Windows permissions have been wiped and replaced by default settings as per above. Too easy!
Thanks again for all the help guys. Now to lock down the precious...
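
A check to run from the FreeNAS shell once the recursive owner/group change described above has finished, as an added example that is not part of the original thread: it counts entries under the share that are still not owned by the intended user and group (for instance anything left owned by root). The path `/mnt/tank/share` is a hypothetical placeholder, `userx` and `usergroupy` are the names from the first post, and the script checks only the POSIX owner and group, not the Windows ACL entries.

```shell
#!/bin/sh
# Added example: verify POSIX ownership under a share after a recursive
# owner/group change. Path and names in the usage line are placeholders.

# Print how many entries under DIR (DIR included) are NOT owned by
# USER:GROUP. -xdev stops find from descending into other filesystems.
count_owner_mismatches() {
    dir=$1
    user=$2
    group=$3
    # printf '%.0s.' emits one dot per path, so odd filenames
    # (spaces, newlines) cannot skew the count.
    find "$dir" -xdev \( ! -user "$user" -o ! -group "$group" \) \
        -exec printf '%.0s.' {} + | wc -c | tr -d ' '
}

# Report the result and list the first offenders; returns 1 on mismatch.
audit_share() {
    bad=$(count_owner_mismatches "$1" "$2" "$3")
    if [ "$bad" -eq 0 ]; then
        echo "OK: every entry under $1 is owned by $2:$3"
        return 0
    fi
    echo "FAIL: $bad entries under $1 are not owned by $2:$3"
    find "$1" -xdev \( ! -user "$2" -o ! -group "$3" \) -print | head -n 20
    return 1
}

# Usage: sh audit_owner.sh /mnt/tank/share userx usergroupy
if [ "$#" -eq 3 ]; then
    audit_share "$@"
fi
```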
 