CIFS permission Woes on New files and folders

Status
Not open for further replies.

Abel408

Dabbler
Joined
Oct 15, 2012
Messages
32
I've always seemed to have this problem since day one. We have a CIFS shared drive that I manage permissions for from a Windows server. Most of our clients are Mac OS X, but that's another story. We use Active Directory so having a CIFS share managed from a Windows server makes the most sense to me.

Whenever a new file or folder is created by a user, the administrator and even the root account lose access to that file. I would like to keep it so that the AD administrator account and the root account have full access to every current and future file and folder.

Here is how I set up my share:


I used to be able to remedy this by doing a quick chown -R administrator:"domain admins", but FreeNAS has gotten away from that and it is no longer supported. I've found that it is extremely difficult to use setfacl recursively in BSD. If anyone knows a good way to do this, please let me know.

My windows share looks something like this:

Not sure why all my folders say read only. Is that normal?

Has anyone else had this problem before? Any help is greatly appreciated!
 

Abel408

Dabbler
Joined
Oct 15, 2012
Messages
32
Sure. Here they are:

[global]
server max protocol = SMB3
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 941888
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = MYSERVERNAME
ea support = yes
store dos attributes = yes
lm announce = yes
unix extensions = no
time server = yes
acl allow execute always = true
acl check permissions = true
dos filemode = yes
multicast dns register = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 90000000-100000000
server role = member server
netbios name = MYSERVERNAME
workgroup = MYWORKGROUP
realm = DIRECTORY.COMPANY.COM
security = ADS
client use spnego = yes
cache directory = /var/tmp/.cache/.samba
local master = no
domain master = no
preferred master = no
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config WILDWOOD: backend = rid
idmap config WILDWOOD: range = 20000-20000000
allow trusted domains = no
client ldap sasl wrapping = plain
template shell = /bin/sh
template homedir = /home/%U
pid directory = /var/run/samba
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1


[Curry Group Folders]
path = /mnt/vo3/groupfolders
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-6m
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

# zfs get aclmode /mnt/vo3/groupfolders/
NAME PROPERTY VALUE SOURCE
vo3/groupfolders aclmode restricted local


# getfacl /mnt/vo3/groupfolders/
# file: /mnt/vo3/groupfolders/
# owner: administrator
# group: domain admins
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x---a-R-c---:fd----:allow


Hope that helps.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Okay. Your settings look fairly typical. Some of the behavior you're describing is an ugly consequence of how freenas is configured to handle special aces. @owner and @group. You want 'domain admins' and 'administrator' to have a normal ace.

Perhaps try configuring another owner for the dataset in freenas (for instance, root:wheel), then authenticate using an off-domain windows machine using your 'root' credentials and set permissions.

Alternatively, you can use 'net use' to map IPC$ on freenas using your root credentials, and then use the computer management MMC snap-in to configure ntfs permissions through the 'security' tab.

PS it's fine to use chown. It can just have unintended consequences. Chmod doesn't work.
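As an added example (not code from the thread or from FreeNAS), a small Python audit of the getfacl output posted above: it shows why the special owner@/group@ entries stop covering administrator once another user owns a newly created file, and which named, inheritable entries would keep that access. It assumes FreeBSD getfacl(1) NFSv4 output format; the sample ACL is constructed inline from the post.

```python
from dataclasses import dataclass

# Constructed sample: the getfacl output quoted earlier in the thread.
SAMPLE_ACL = """\
# file: /mnt/vo3/groupfolders/
# owner: administrator
# group: domain admins
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x---a-R-c---:fd----:allow
"""
FULL = set("rwxpDdaARWcCos")   # every NFSv4 permission bit

@dataclass
class Ace:
    who: str     # owner@ / group@ / everyone@ or user:NAME / group:NAME
    perms: set
    flags: str   # inheritance flags, e.g. "fd----"
    kind: str    # allow / deny

def parse_getfacl(text):
    """Parse FreeBSD getfacl(1) NFSv4 output into (owner, group, [Ace])."""
    owner = group = None
    aces = []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            f = line.split(":")
            # named entries carry an extra NAME field: user:NAME:perms:flags:type
            who = ":".join(f[:-3])
            aces.append(Ace(who, set(f[-3].replace("-", "")), f[-2], f[-1]))
    return owner, group, aces

def guaranteed_on_new_files(aces, principals):
    """True only when a principal holds a named, inheritable, full-access
    ACE. owner@/group@ resolve against whoever owns the *new* file, so a
    user creating a file takes owner@ with them and the admin loses it."""
    return {p: any(a.kind == "allow" and FULL <= a.perms
                   and "f" in a.flags and "d" in a.flags
                   and a.who in (f"user:{p}", f"group:{p}")
                   for a in aces) for p in principals}

def needed_aces(admin_user, admin_group):
    """Named ACEs to put on the directory so children inherit them; on FreeBSD
    the same entry is written as 'user:administrator:full_set:fd:allow' (assumption)."""
    return [f"user:{admin_user}:rwxpDdaARWcCos:fd----:allow",
            f"group:{admin_group}:rwxpDdaARWcCos:fd----:allow"]
```

For an existing tree the same entries have to be added to each directory (setfacl on FreeBSD, driven by find -type d), and a getfacl on a file created afterwards by an ordinary user is the check that the named entries actually inherited.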
 

rsquared

Explorer
Joined
Nov 17, 2015
Messages
81
Not sure why all my folders say read only. Is that normal?

Perfectly normal. Windows always shows that even on a local folder (and even if that folder is empty).

Sent from my Nexus 6 using Tapatalk
 

Abel408

Dabbler
Joined
Oct 15, 2012
Messages
32
Okay. Your settings look fairly typical. Some of the behavior you're describing is an ugly consequence of how freenas is configured to handle special aces. @owner and @group. You want 'domain admins' and 'administrator' to have a normal ace.

Perhaps try configuring another owner for the dataset in freenas (for instance, root:wheel), then authenticate using an off-domain windows machine using your 'root' credentials and set permissions.

Alternatively, you can use 'net use' to map IPC$ on freenas using your root credentials, and then use the computer management MMC snap-in to configure ntfs permissions through the 'security' tab.

PS it's fine to use chown. It can just have unintended consequences. Chmod doesn't work.
One setting I wasn't so sure of was the "set permissions recursively" in my dataset. Should that be check marked? I couldn't find a clear indication of what that exactly does, and I'm afraid to check mark it in case it overwrites all the ACLs I have set.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
One setting I wasn't so sure of was the "set permissions recursively" in my dataset. Should that be check marked? I couldn't find a clear indication of what that exactly does, and I'm afraid to check mark it in case it overwrites all the ACLs I have set.
I believe in addition to performing chmod (or in lieu of), it will trigger winacl and reset ACLs to their default state. @cyberjock can weigh in on this one.
 