CIFS, Permissions and Linux

[STREBLO]

So from what I have read you're not supposed to mix protocols on shares and datasets. So if I wanted to access the same data with a Linux and Windows computer and I used a CIFS share with Linux and Windows what happens to the permissions when you attempt to use access this its share on Linux? Is this also advised against? Do I need to separate all Windows and Linux data so that my permissions stay correct?

 

[pirateghost]

what?

I use windows and linux on Cifs, and I have NFS shares pointing to the same datasets the CIFS shares are running...

 

[STREBLO]

what?

I use windows and linux on Cifs, and I have NFS shares pointing to the same datasets the CIFS shares are running...

I have read that it is recommended against doing that, in cyberjocks guide that that is advised against.

Do not try to mix Unix and Windows ACLs in CIFS shares shares. You used to be able to do this with Samba3 with some trickery, but in Samba4 you must dedicate yourself to either Unix permissions or Windows ACLs. Use datasets to separate CIFS shares from other shares.

Maybe I am interpreting it wrong but is that not what he means when he says this?

 

[pirateghost]

I don't really know what he is talking about.

I have had CIFS and NFS sharing the same data for 12+ years without any issues. I know what systems and users have access to what files, so I am not worried about it.

 

[SweetAndLow]

It can cause problems because permissions get complicated and you might run into some file locking problems. If you can deal with this scenarios then I think you can mix and match.

I would just use cifs with everything, that's what I do and it works great. I use Linux, osx and windows in my environment.

 

[STREBLO]

I don't really know what he is talking about.

I have had CIFS and NFS sharing the same data for 12+ years without any issues. I know what systems and users have access to what files, so I am not worried about it.

So what do you do, set all your volume permissions to Windows or UNIX? And then access that volume with CIFS and an NFS share? What happens to the permissions when you try to access windows share with a Linux system using NFS?

 

[pirateghost]

So what do you do, set all your volume permissions to Windows or UNIX? And then access that volume with CIFS and an NFS share? What happens to the permissions when you try to access windows share with a Linux system using NFS?

I use UNIX on everything. I only have a couple of windows computers in the house.

 

[STREBLO]

Yeah I have a bunch of Linux computers but I want other people on my network who are using Windows to be able to access the same data as well.

I'm unsure if I should just divide up my volume into NFS and CIFS data sets so that I can access my files using NFS and get that extra speed. Then duplicate the files that I will also want to be accessible with Windows computers, that seems kind of wasteful though. I'd be curious to see what cyberjock has to stay on the topic and why is he recommended separating them and why it might cause problems.

 

[pirateghost]

I have a few windows computers. They can access the shares just fine.

 

[STREBLO]

I have a few windows computers. They can access the shares just fine.

So you just set everything up as Unix but when you make shares on Windows you make them CIFS and on Linux NFS?

 

[pirateghost]

Yes

 

[STREBLO]

The documentation does advise against this actually.

Note: while the GUI will let you do it, it is a bad idea to share the same volume or dataset using multiple types of
access methods. Different types of shares and services use different file locking methods. For example, if the same
volume is configured to use both NFS and FTP, NFS will lock a file for editing by an NFS user, but a FTP user can
simultaneously edit or delete that file. This will result in lost edits and confused users. Another example: if a volume
is configured for both AFP and CIFS, Windows users may be confused by the extra filenames used by Mac files and
delete the ones they don’t understand; this will corrupt the files on the AFP share. Pick the one type of share or service
that makes the most sense for the types of clients that will access that volume, and configure that volume for that one
type of share or service. If you need to support multiple types of shares, divide the volume into datasets and use one
dataset per share.

 

[pirateghost]

I know. Like i said, i know what systems are accessing what shares. I know how my setup is and how files don't get edited by the 2 people at the same time or by 2 different apps at the same time.

My network is under control.

 

[solarisguy]

The warning has to be in the documentation, so people do not trivially inflict damage on themselves.

Of course, in real life™, access to the same storage area using multiple protocols is a highly desirable feature. Even if locking remains incompatible.

If one dispenses with security (e.g. if all CIFS users map to the same user nobody), then it is very easy to have the same share accessible using CIFS and NFS. Can that be recommended? Only sometimes the answer is yes.

 

[Robert Trevellyan]

You can run a share on CIFS with the dataset's Permission Type set to Unix if you want.

 

[mattbbpl]

You can run a share on CIFS with the dataset's Permission Type set to Unix if you want.

This is what I do. All my shares are done through CIFS, and they're accessible from both Windows and Linux machines. I'm not using NFS at all, I just access the CIFS shares from Linux using SAMBA.

 

[STREBLO]

This is what I do. All my shares are done through CIFS, and they're accessible from both Windows and Linux machines. I'm not using NFS at all, I just access the CIFS shares from Linux using SAMBA.

So what's the benefit of using CIFS instead of NFS when you're on Linux machines? Do you do that so that you only have one share per dataset?

 

[mattbbpl]

So what's the benefit of using CIFS instead of NFS when you're on Linux machines? Do you do that so that you only have one share per dataset?

Yeah, for me it was a matter of simplicity vs. needs.

I knew that I only wanted to use one protocol on the same share based on the recommendations you cited above, but I also knew that I wanted to have these files available to a variety of clients - namely windows and a variety of Linux clients. That made CIFS with SMB/SAMBA on the clients the obvious choice.

 

[cyberjock]

I know. Like i said, i know what systems are accessing what shares. I know how my setup is and how files don't get edited by the 2 people at the same time or by 2 different apps at the same time.

My network is under control.

Sure, it can be done. I have done it before. Since I only access from 1 machine at any given time I will never have a problem with NFS/CIFS file locking conflicts. But, lots of users *have* had corrupt files and lost data as a result. There is a feature request that FreeNAS 10 not allow you to share the same location with 2 different protocols simultaneously because this often-unknown mistake will not be immediately obvious as to the problem or how to fix it.

You can run a share on CIFS with the dataset's Permission Type set to Unix if you want.

Yes, you "can" do it, but it is totally unsupported. The devs won't even troubleshoot issues on servers that use that configuration if the debug hints at it. :P

 

[pirateghost]

Sure, it can be done. I have done it before. Since I only access from 1 machine at any given time I will never have a problem with NFS/CIFS file locking conflicts. But, lots of users *have* had corrupt files and lost data as a result. There is a feature request that FreeNAS 10 not allow you to share the same location with 2 different protocols simultaneously because this often-unknown mistake will not be immediately obvious as to the problem or how to fix it.



Yes, you "can" do it, but it is totally unsupported. The devs won't even troubleshoot issues on servers that use that configuration if the debug hints at it. [emoji14]

I seriously hope this 'feature' doesn't make it in the final product or if it does, we can turn it off.

Do not punish those of us that know what we're doing because of the actions of a few. I simply cannot use freenas if this were to come about.