CIFS / SAMBA Permissions - Who LOVES upgrades?

  • Total voters
    11
  • Poll closed.
Status
Not open for further replies.

bluonek

Dabbler
Joined
Oct 27, 2014
Messages
34
Just curious.
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
I've stopped updating my FreeNAS since 9.2.1.7 because of the CIFS/Samba mess. It took me several days to figure out how to work around it by resetting groupmap and Samba SID. I thought that 9.3 would fix it, but I still see this issue in the latest 9.3 version. Samba is configured as a standalone server, not part of a domain/AD.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Where is the "No comment" and "None of the above"?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
Ultimately, I find there are 3 kinds of people that do CIFS stuff.

1. Those that know permissions.
2. Those that think they know permissions, but don't.
3. Those that have zero clue and are trying to get started.

Unless you are in group 1, you are in for some pain. Unfortunately, the majority of those in group 2 are convinced they know what they are doing and the product itself is to blame. The problem is that the product works just fine, when used properly. I talk to people every day that use CIFS in large scale situations, using AD too, and they aren't calling regularly with permissions problems. I do have one or two permissions problems that come up regularly, and I show them the proper permissions for their files, and they go "damn... I feel silly" and then they call back next month with another permission issue.

Permissions aren't hard. It's just understanding them and making them work for you that is.
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Cyberjock, there are clearly issues with groups and random SID assignment. They have been going on since 9.2.1.6.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
alexg said: "Cyberjock, there are clearly issues with groups and random SID assignment. They have been going on since 9.2.1.6."
Yeah, those have supposedly been fixed recently. Not sure the fix solves the problem for those of us with older setups, as I haven't had the time to try it out properly.
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Apparently not, see this https://bugs.freenas.org/issues/9411
I did some of my own testing this weekend on 9.3 and am seeing the same issue. Created a fresh VM, new dataset, two users assigned to a unix group.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
alexg said: "Apparently not, see this https://bugs.freenas.org/issues/9411
I did some of my own testing this weekend on 9.3 and am seeing the same issue. Created a fresh VM, new dataset, two users assigned to a unix group."

And do you see John's response? LOL.

I also know dozens of people using what is equivalent to what you just described (fresh machine, new dataset, 2 users in a group). In fact, I *am* one of those guys. And I *just* did this last month. In fact, I've rebooted that machine almost daily since then.

So I'm with John... I'm skeptical. So... are you in group 2? Not trying to sound like a jerk, but I get this gut feeling....

For the record, local users and groups in FreeNAS follow unix account conventions, so there is no SID in the same sense. It's instead the UID. And if UIDs were broken then FreeBSD and FreeNAS could never function. ;)
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Yes, I did. We will have to see what happens. I get it, permissions are complicated and not everyone is an expert in this.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
The problem with SIDs is related to changes made in 9.2.1.7 or 9.2.1.8 and affects only standalone servers that were in production before that release (as far as I can tell). I started with a fresh FreeNAS install and redid my config (rather than import it) for 9.3 and haven't seen the problem since. Things were also a bit hairy before they set aclmode=restricted. These changes (along with "apply default permissions") have significantly decreased the number of posts complaining about permissions problems. I think by and large the remaining people with problems are those who don't really understand how the permissions work.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
alexg said: "Yes, I did. We will have to see what happens. I get it, permissions are complicated and not everyone is an expert in this."

I won't lie:

1. I didn't switch to 9.2.1.x until 9.2.1.6 came out. I was one of the last holdouts that stuck on 9.2.0. In fact, it took serious nudging to convince me to switch to 9.2.1.x because of all of the reported problems. My system worked, so I wasn't quick to upgrade and risk breaking permissions.
2. I didn't even fully understand permissions when I upgraded to 9.2.1.6. I had previously stuck with using the root user login for everything (I'm a single user at home, so I don't need to protect myself from myself).
3. I have also had to do a small amount of learning since switching to 9.2.1.6+. I've never had a need to deal with Windows permissions, so I did have to spend a few days of reading to fully understand them. Most of that time was trying to figure out if there were weird edge cases with permissions or if everyone that is complaining about permissions daily (it used to literally be daily, sometimes multiple times a day) just didn't have a clue. I can't really find any "edge cases" where things might look like they should work, but don't. It was just as straightforward as I thought it would be.
 

bluonek

Dabbler
Joined
Oct 27, 2014
Messages
34
Cool! Initially I wasn't sure this poll was going to be productive. It was me letting out my frustrations without annoying anyone (too much). But after reading through the thread I have high hopes of just completely re-implementing the server. I'm a person who is an expert with Linux permissions (sticky bits and all...) and proficient (but no expert) with Windows permissions and ACLs. Before upgrading to the version of FreeNAS that introduced the version of Samba that no longer saw groups I had a decent setup that worked (and I get it, maybe Samba actually still sees groups, but the upgrade somehow broke ID references). I had full confidence and control over the original setup.

This is a small implementation:
- 2 x 4TB hard drives in mirror
- One share
- Five Users
- Three Groups

I was able to decide what portions of the share each of my devices (phones, laptops, tablets) had read and/or write access. It was pure bliss. Then a version came out late last year and that was it. Group permissions were no longer honored - as if groups no longer existed to Samba.

THEN

I learned how to use setfacl / getfacl and we were back in business. I replicated (for most intents and purposes) the Linux permissions that no longer worked into Samba ACLs. I learned they were pretty cool and while I personally didn't need the flexibility it provided I was more than happy to utilize it since it worked - it only added a small level of overhead from what I was doing previously.

!!!THEN!!!

Another release came out and all hell broke loose. NOTHING (security-wise) is working the way I expect (hey, I might be a jackass, but I'm a reasonable jackass). I even begrudgingly created a Windows VM JUST so I could "FTFM" (follow the f'n manual) that recommends to use Windows to manage ACLs on Samba/CIFS shares. After 6 HOURS of waiting for Windows to reset and cascade the permissions from the root folder (something setfacl previously took 2 minutes to do) and after a million clicks (due to the error "this file not found blah blah windows sucks my balls") I then went through to replicate the needed ACLs. After all that the only account with any access is the account I deemed as Administrator in smb.conf.


SOOOO

Based on some of the comments here it seems the upgrade broke stuff that probably could be fixed but may take more time than it's worth to sort out vs. just starting from scratch. It sounds like I'm actually doing everything correctly (aside from fixing whatever broke during the upgrade) and I can even go back to the simpler POSIX-style permissions after doing a re-install on 9.3.


Glad I got that off my chest - thanks for reading. And for those of you that voted me a jackass, you're about right.


bluonek
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
For the record, I voted you a jackass. But I had to because I thought that it was so up-front-and-in-your-face that I just had to laugh at that one.

To be honest, the jackasses are the ones that assume they can do no wrong with the ACLs and any problem clearly must be the result of FreeNAS.

I help people daily with various problems. Many/most use AD or other directory services (as seen when I do TeamViewer sessions with them). So I can definitely say that this stuff works properly. I have yet to see a situation where things "didn't work properly" or "didn't work as I expect them to" and I work with people that have all sorts of different versions of FreeNAS and TrueNAS.

So when I read about someone's permissions problem, unless they provide steps that give me a hint that some kind of edge case is at work, I tend to immediately chalk it up to "they just don't understand what they are doing" and leave it at that.
 