CIFS permissions inheritance not working on my machine

Status
Not open for further replies.

Craig321 (Dabbler, joined Jul 15, 2014, 23 messages)

Hi,

I have the following setup (set up the same as the Wiki explains it):
Users: one user with my username which is the same as my Windows username and another with my brother's

Groups: "Users" group (this is our primary group)

Home folders are the /mnt/main folder

main volume: Owner (User): nobody, Owner (group): Users

I then set all the permissions recursively and each folder has Everyone, Users & nobody. All good.

We can both read and write to the existing files. When my brother creates a file or folder the permissions are inherited so the new file has the same permissions - Everyone, Users & nobody. However, when I create a file or folder from my machine it puts my username on the file and doesn't inherit, so I get Everyone, Users & Craig meaning he cannot write to the folder.

Any ideas please?

Thanks,
Craig.
 
dlavigne (Guest)

Which version of FreeNAS? What type of dataset? What type of permissions? What type of share?
 

Craig321

FreeNAS-9.2.1.6-RELEASE-x64 (ddd1e39) - installed on a pen drive in an HP N54L

ZFS RAIDZ1 volume (4x 1.5TB).

Windows ACL on the ZFS RAID volume. Owner (user): nobody, Owner (group): Users.

We are both on Windows 8.1 and I have given us both identical accounts on FreeNAS, however when I create a file or folder it'll set the owner as myself and the account to myself whereas when my brother does it it'll inherit the permissions from the folder which is owner:nobody.

Thanks,
Craig.
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,543 messages)

Did you right-click on the root directory of your share, then click on 'properties', then click on the 'security tab', then set permissions? If you click on "advanced" is "Inherit from parent..." checked?

Assuming that you both want equal access to the share, you can enter the auxiliary parameter "force user = craig"
 

Craig321

Yup, it's checked. Weirdly with that aux param CIFS doesn't seem to be starting. No errors on the console, all looks normal but I just can't get into the share. As soon as I remove it things start working again.
 

anodos

That definitely sounds like a bug with NFSv4 ACLs. The parameter I gave you should work (i.e. not crash CIFS), but for simplicity's sake you should choose a user that has full access to the share. Once you set the parameter run "testparm" from the command line. Note that this "solution" is a permissions piledriver. It's a stopgap solution until you figure out what is going wrong with your ACLs.
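
A pre-flight check for the `force user` stopgap discussed above, added here as an example (it is not code from any poster or from FreeNAS). It lists every `force user` value in an smb.conf-style file, verifies that the account resolves on the server (a share whose forced account cannot be looked up will not accept connections), and flags a forced root account. The share name `main` and its path are constructed sample values.

```shell
#!/bin/sh
# Added example: audit every "force user" in an smb.conf-style file.

# list_force_users FILE: print "share<TAB>account" per "force user" line.
list_force_users() {
    awk '
        BEGIN { section = "(none)" }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                    # [share] header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
            next
        }
        {
            eq = index($0, "=")                     # only the first "=" counts
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]+/, "", key)                 # names ignore case and spaces
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "forceuser") printf "%s\t%s\n", section, val
        }
    ' "$1"
}

# audit_force_users FILE: status 0 only if every forced account resolves.
audit_force_users() {
    list_force_users "$1" | (
        rc=0
        while IFS="$(printf '\t')" read -r share user; do
            if uid=$(id -u -- "$user" 2>/dev/null); then
                echo "ok:   [$share] force user = $user (uid $uid)"
                [ "$uid" -eq 0 ] && echo "warn: [$share] all clients write as root"
            else
                echo "FAIL: [$share] force user = $user does not resolve"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Constructed sample input (share name and path are assumptions).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[main]
    path = /mnt/main
    force user = craig
EOF
audit_force_users "$sample" || echo "fix the account name before reloading Samba"
rm -f "$sample"
```

Run it on the file server itself, since account lookup has to use the same user database Samba does, and run `testparm` as well for the syntax check.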
 

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages)

For starters, if you are using CIFS there's only one 9.2.1.x release you should be using... 9.2.1.7. See the security bulletin in the release notes for 9.2.1.7 for more info. This is one reason why we've started including the latest version at the top of the forum. ;)

Also, and this is somewhat baffling, but you said that "inherit from parent" is checked. I'm not sure how that's possible since it's not in the WebGUI in 9.2.1.6. The inherit from parent was removed from the WebGUI in an earlier release because they don't work how people expected them to and the feature is somewhat deprecated in Samba4.
 

anodos

I believe he's referring to permissions as configured from Windows. If you go to "properties" --> "security" --> "advanced" there is a checkbox for "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here."
 

cyberjock

Ah. There used to be something like "inherit from parent" in the FreeNAS WebGUI. It was a checkbox. Guess that's just confusing me. :P
 

moonshine (Dabbler, joined Dec 4, 2014, 14 messages)

Cyberjock,

You're like a FreeNAS god. I was expecting an answer for this query... Mostly b/c I haven't seen a question you haven't answered yet and also because I'm having the same issues. I'm not sure why 2 admins with full control can't interchangeably access new files created by each admin. I thought the "inherit from parent" on the previous FreeNAS versions solved this issue, but I guess like you said there were more problems associated with that. How is it supposed to be done in Windows then? Any help would be appreciated.
 

moonshine

I sort of figured it out... I think the main issue is that I have two admins that are establishing ownership of their respective files (typical setup). I'm not sure if it was an isolated event, but when one admin created a file the other admin couldn't access it.

Users Admin 1 and admin 2 both in admin group along with their respective admin 1 and admin 2 groups.

I set the owner user and group (admin 1 and admins respectively) for each shared dataset and checked recursively.

In Windows I checked the permissions and it just had admin 1 (OK thus far).

I added admin 2 with full control. And of course everything is working fine for both.

Should I set the ownership in Windows for the freenas/admins group for ownership instead of each individual admin? Does it make a difference?
 