Errant UNIX style permissions appearing on CIFS shared items?

Status
Not open for further replies.

BlueMagician

Explorer
Joined
Apr 24, 2015
Messages
56
Dear all,


I've followed @m0nkey_ 's videos, to set up new Windows mode Datasets, shared with CIFS/SMB, and set various ACLs from the top down recursively in Windows.

But I'm getting a weird thing...

Every child file and folder I create under its parent is correctly inheriting whatever ACLs I've set at the root - BUT is also getting UNIX-like Everyone, Owner and Group ACEs slapped on it as well!

These errant ACEs are NOT inherited, they just appear on everything I create - from the root down (unless corrected by hand). Windows shows the entries as 'inherited from: Nowhere'.

For what it's worth, I found an old BSD bug report from a couple years ago pertaining to v9.2 which describes a very similar issue:

https://bugs.pcbsd.org/issues/4076

It describes a symptom where Windows Share permissions were unintentionally bleeding/propagating to the ACLs of the files and folders themselves.

That issue was marked as resolved in v9.3 - so I'm not sure why I'm seeing it today..?


Any thoughts very much appreciated!

Simon.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Post output of zfs get aclmode <pool>/<dataset>
<pool> = name of your zpool.
<dataset> = name of the dataset you are sharing.

Post contents of /usr/local/etc/smb4.conf enclosed in [ code] tags.
 

BlueMagician

Explorer
Joined
Apr 24, 2015
Messages
56
Apologies for the late reply - it's been quite a week!

Anywho, @anodos , as requested:

Output of zfs get:

Code:
NAME               PROPERTY         VALUE         SOURCE
Chamber1/Backups   aclmode          restricted    local

Contents of /usr/local/etc/smb4.conf:

Code:
[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 934904
    logging = file
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    time server = yes
    acl allow execute always = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = [HIDDEN]
    workgroup = [HIDDEN]
    security = user
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
   

[Backups]
    path = /mnt/Chamber1/Backups
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
    inheritpermissions = yes
   

[Media]
    path = /mnt/Chamber1/Media
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


It's a few days since I tested both Datasets, but if I remember correctly, the one called 'Media' seems to act differently - if not correctly.

The only difference I can see is the 'inheritpermissions = yes' that sets them apart. That, and the fact that 'Media' is a Dataset that I switched modes on halfway through its life... from Unix to Windows. I understand that this is generally deemed a 'dodgy' thing to do.

Ironically, it's 'Backups' that I have an issue with - and indeed any other new Dataset that I create - just seems to get these weird ACEs slapped on child folders - but NOT inherited as far as Windows is concerned...


Again, any advice appreciated. I'm sure I'm missing something, but I can't for the life of me see what!

Thanks,
S.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Don't use the "inherit permissions" smb.conf parameter. NFSv4 ACLs have their own inheritance flags. I can easily see this parameter causing weirdness.

Other problems may be accounted for as follows:
You create a samba share under /mnt/Tank/media and set permissions a certain way. Then you create a new dataset /mnt/Tank/media/movies. The permissions under /mnt/Tank/media/movies will reflect the default ACL set on new "windows datasets": User@ - full control, Group@ - full control, Everyone@ - read only (with the user and group set via the FreeNAS webgui).

The best way to fix this will be as follows:
1) recursively reset permissions on the datasets /mnt/Tank/media and /mnt/Tank/media/movies via the FreeNAS webui so that they are owned by the same user / group.
2) In the samba share, toggle "apply default permissions".
[1-2 will reset permissions to a consistent default across the datasets]
3) Use Windows explorer to fine-tune permissions.
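Two quick checks for what anodos describes, written here as an added example (not code from the thread, FreeNAS or Samba): one lists the ACEs on a folder that are neither inherited nor inheritable (the entries Windows reports as "inherited from: Nowhere"), the other finds shares that enable "inherit permissions". It assumes FreeBSD's NFSv4 getfacl text format (principal:perms:flags:type, flags column ordered "fdinSFI") and uses constructed sample input.

```shell
# Added example, not from the thread. Assumes FreeBSD getfacl NFSv4 text
# output with the flags column ordered "fdinSFI", and Samba's rule that
# parameter names compare with spaces removed and case ignored.

# Constructed sample: a child folder under a Windows-mode dataset. The
# owner@/group@/everyone@ entries have neither inherit (f/d) nor
# inherited (I) flags: Windows shows these as "inherited from: Nowhere".
SAMPLE_ACL='# file: /mnt/Chamber1/Backups/child
# owner: simon
            owner@:rwxpDdaARWcCos:-------:allow
            group@:rwxpDdaARWcCos:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
 group:Domain Admins:rwxpDdaARWcCos:fd----I:allow
       user:backup:rwxp--aARWcCos:fd----I:allow'

# Print "principal:flags:type" for every ACE that is neither inherited
# nor inheritable, i.e. the stray entries described in the thread.
stray_aces() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF < 4 { next }
        {
            p = $1                        # principal may itself contain ":"
            for (i = 2; i <= NF - 3; i++) p = p ":" $i
            sub(/^[ \t]+/, "", p)
            flags = $(NF - 1)
            if (flags !~ /I/ && flags !~ /[fd]/) print p ":" flags ":" $NF
        }'
}

# Constructed smb4.conf fragment: "inheritpermissions" and
# "inherit permissions" are the same parameter to Samba.
SAMPLE_SMB_CONF='[global]
    server role = standalone
[Backups]
    path = /mnt/Chamber1/Backups
    inheritpermissions = yes
[Media]
    path = /mnt/Chamber1/Media
    inherit permissions = no'

# Print the name of each share section that enables "inherit permissions".
shares_with_inherit_permissions() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); next }
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k); k = tolower(k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == "inheritpermissions" && tolower(v) ~ /^(yes|true|1)$/) print s
        }'
}
```

On a real system, feed `getfacl /mnt/<pool>/<dataset>/<child>` and `/usr/local/etc/smb4.conf` to the two functions instead of the constructed samples.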
 