Here's the background:
I run a FreeNAS server in a domain environment with primarily Windows 7 Professional clients, but there's a handful of other versions of Windows, and a couple Macs. For numerous logistical reasons I won't get into, the FreeNAS server absolutely cannot be a member of the domain. All accounts and permissions for the shares need to be handled locally on the FreeNAS server (or through a client interface).
For the last couple years, I had 8.3-release running just fine, using Unix permissions on datasets shared through CIFS. I was able to set up users and groups the way I wanted to, and authenticate just fine. On the windows clients, I would authenticate by "connect using different credentials" or typing a ".\" before the username to change from domain to local authentication in the credential popup box. It was a good way to manage access at the time.
Now, I'm setting up a 9.3-STABLE server (completely new machine), and running into a lot of trouble with the permissions. When I try Unix permissions, I can authenticate just like before, but any new files created have write access only by the creator, and other members of the same group have only read and execute access. Other members of the group do not get write access, even though it is checked for group write in the GUI (as 775).
Is this a bug? Or do Unix permissions no longer apply to (and no longer take effect on) CIFS shares in FreeNAS 9.3? Is using Windows ACL permissions mandatory for CIFS shares? If so, will Mac users still be able to work with these CIFS shares?
I did have better luck using Windows permissions, where everyone in the group has r/w/e access, but it also appears that EVERYONE has read access, which is not what I want. I have about 40 users spread across about 10 groups, and I have about a dozens datasets and shares. For a couple of the datasets/shares, it is absolutely necessary that other users do not have read access.
I tried going to the share properties from a Windows client and going to the Security tab and removing the "Everyone" group which by default had read and execute permissions. This did not change the behavior at all. In retrospect, I'm thinking I should have kept the "Everyone" group listed, but checked "Deny" for read and execute to achieve what I want. Is that the proper way of doing this?
Cliff's notes:
I need to authenticate different groups of users to different shares
Certain users need to have write access to certain shares, read access to others, and no access to others.
I used to do it with Unix permissions on 8.3
How do I set this up on 9.3, where Unix permissions do not give write access?
Any help is much appreciated.
I run a FreeNAS server in a domain environment with primarily Windows 7 Professional clients, but there's a handful of other versions of Windows, and a couple Macs. For numerous logistical reasons I won't get into, the FreeNAS server absolutely cannot be a member of the domain. All accounts and permissions for the shares need to be handled locally on the FreeNAS server (or through a client interface).
For the last couple years, I had 8.3-release running just fine, using Unix permissions on datasets shared through CIFS. I was able to set up users and groups the way I wanted to, and authenticate just fine. On the windows clients, I would authenticate by "connect using different credentials" or typing a ".\" before the username to change from domain to local authentication in the credential popup box. It was a good way to manage access at the time.
Now, I'm setting up a 9.3-STABLE server (completely new machine), and running into a lot of trouble with the permissions. When I try Unix permissions, I can authenticate just like before, but any new files created have write access only by the creator, and other members of the same group have only read and execute access. Other members of the group do not get write access, even though it is checked for group write in the GUI (as 775).
Is this a bug? Or do Unix permissions no longer apply to (and no longer take effect on) CIFS shares in FreeNAS 9.3? Is using Windows ACL permissions mandatory for CIFS shares? If so, will Mac users still be able to work with these CIFS shares?
I did have better luck using Windows permissions, where everyone in the group has r/w/e access, but it also appears that EVERYONE has read access, which is not what I want. I have about 40 users spread across about 10 groups, and I have about a dozens datasets and shares. For a couple of the datasets/shares, it is absolutely necessary that other users do not have read access.
I tried going to the share properties from a Windows client and going to the Security tab and removing the "Everyone" group which by default had read and execute permissions. This did not change the behavior at all. In retrospect, I'm thinking I should have kept the "Everyone" group listed, but checked "Deny" for read and execute to achieve what I want. Is that the proper way of doing this?
Cliff's notes:
I need to authenticate different groups of users to different shares
Certain users need to have write access to certain shares, read access to others, and no access to others.
I used to do it with Unix permissions on 8.3
How do I set this up on 9.3, where Unix permissions do not give write access?
Any help is much appreciated.
