File Permissions - Transmission and CIFS/SMB

Status
Not open for further replies.

TravisT

Patron
Joined
May 29, 2011
Messages
297
My lacking linux experience is showing now. I have figured out how to set up transmission and flexget on my freenas box. Things are working almost perfectly (still plenty of tweaking to do). I'm still having one major problem though.

I created a transmission user named 'transmission'. When files are downloaded, they are put on a volume that is shared out to windows. Because the owner of these files is 'transmission', the windows users can't modify/move/edit them, even though they belong to the guid of the files and should have access to them. I know there is an easy way to make sure the files written by the transmission process are editable by authenticated windows users (in the 'domain users' group, which is assigned to that folder).

The flip side is that I'd like windows users to be able to drop files into transmission's watch directory and have the torrents start automatically. Same deal here... files added in windows give permission denied when the transmission process tries to access them.

Is there an easy solution to either/both of these issues? I've searched everything I can think of and didn't find anything conclusive.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
I'm running AD with a DNS server, so there are no host files in play. The ACL for the share is set as windows, with user set to transmission and group set to domain\domain users.

Not sure where to go from here. Everything I tried didn't seem to work.
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
Every Windows box has a hosts file, with the same role as the Linux file. I have no idea how to use credentials in AD. Windows has a User management tool that allows you to add specific credentials for a host, in your case the NAS.



Then, when you map a drive, you use the new credentials.
Edit: if you run AD, you are probably dealing with an Enterprise setup. Contact your network administrator.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
Understood about the hosts file. I have several users/computers that are on the domain, and they can all access files with no problem. The problem lies in that files saved to my shared directory are saved by my freenas user 'transmission' regardless of what the permissions of the parent folder are on freenas. Originally, my permissions for my shared folders were user ID 'domain\administrator' and group ID 'domain\domain users'. This worked well until the freenas system started saving files with a local user account (transmission).

I see what you are saying about the hosts file, but hope that there is a better solution since this is using AD authentication. Maybe somehow have transmission run as a windows domain user? Or have files saved to this share have certain permissions regardless of who saves them?
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
Edit: if you run AD, you are probably dealing with an Enterprise setup. Contact your network administrator.


Problem is.... I'm the network administrator! This is a home/lab/test network, and I'm trying to learn as much as I can from it. I'd love to learn a little more about this but I'm stumped. Seems there should be an easier way, but without understanding much about linux (yet), I don't know what it is. Hoping someone can help lead me in the right direction.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
All sharing worked fine until I added transmission on freenas along with the local user to run transmission as (on freenas as well). In active directory, I can add user 'transmission', but it will be domain\transmission instead of freenas\transmission. Not sure if it's possible to run a process on freenas as a domain user. Domain users don't show up in the freenas user list (only locally created and built in freenas users), only in the list for permissions of volumes and shares in the freenas GUI.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
Sorry I didn't get back to you sooner.

As of right now, my volume permissions are essentially the same as in your screenshot with a few exceptions. In the FreeNAS gui, I have 770 privileges set, with the owner being my transmission user and the group being my "domain\domain users" group (anyone authenticated on the domain). Files that exist when I apply these permissions can be accessed by domain users or by the transmission user.

If a domain user saves a file to the share, the permissions are correct (770), but the user that saves the file is listed as the owner (in this case my user name) instead of the transmission user. Because of this, the transmission user doesn't have read access to the file.

If I save a file from the FreeNAS terminal, the files have 770 permissions as well. The user saving the file is the owner, and the group is still "domain\domain users". In windows however, the permissions only show as read, read and execute, and special permissions. I don't have write permissions from windows on anything created by a local FreeNAS user, such as transmission or root.

I don't have any permissions set for "everyone" on this share. I would like only authenticated users (either on freenas or my domain) to be able to read the files.

I think the FreeNAS box is on the domain, even though there is no way to "join" it. It shows the full domain name of my domain, but it is not listed in active directory.
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
If a domain user saves a file to the share, the permissions are correct (770), but the user that saves the file is listed as the owner (in this case my user name) instead of the transmission user. Because of this, the transmission user doesn't have read access to the file.

That is the intended behavior in any Unix box. Make all your users part of a group named 'managers' and include also the 'transmission' user into it. Then, assign Read permissions for group 'managers' to the volume/directory where your pirated files are stored.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
How can I add the transmission user into active directory? "FreeNAS\transmission" is a user on FreeNAS, and can't be added to active directory (that I know of). If I add it to active directory, it would be "domain\transmission". I don't know how to run a process on FreeNAS with a domain account. Am I missing something here?
 

dannyb78

Explorer
Joined
Aug 30, 2011
Messages
70
I'm not an AD expert, but the only way I know to add a YYY\user to *** domain is a domain trust. This does not sound reasonable for your needs.
You can instead create a DOMAIN\transmission user, add it to your freenas and change the permissions on your nas. This should be easier to do and more reasonable.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
See that's the problem. I could add a domain\transmission user with no problem. The problem is that transmission saves files as the owner of that process, and I don't know if it's possible or how to run a process on freenas under a windows AD user. Doesn't seem that it would be possible without a bunch of workarounds, as the way I understand it the windows AD users are integrated into samba, not the underlying FreeBSD OS.

A domain trust may be the only way. Not sure if it's worth the trouble, as I really don't even use torrents much. Guess it could be a learning experience...
 

dannyb78

Explorer
Joined
Aug 30, 2011
Messages
70
I don't have an AD domain at home, where I use freenas+transmission, but I just chmod -R 777 transmission's folder, then downloaded files are accessible from any pc. You may need to enable "allow guest access" and "allow guest access only", if this can be a solution for your needs.
Anyway, a domain trust should be a very interesting learning experience. If you're able to do that, please post your procedure :D
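
Added example, not part of any post in this thread: a small Python model of the owner/group/other check behind the 770 behaviour described above, showing why the watch-directory file is denied to transmission, what a shared group changes, and what 777 opens up. The numeric IDs, paths and the `Principal`/`FileMeta`/`audit` names are constructed for illustration; only plain mode bits are modelled, not Samba's mapping or the share's Windows ACLs.

```python
"""Model of the classic Unix owner/group/other check discussed in the thread."""
from dataclasses import dataclass

R, W = 4, 2  # read and write bits within one permission class


@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    gids: frozenset  # every group the account belongs to


@dataclass(frozen=True)
class FileMeta:
    path: str
    uid: int
    gid: int
    mode: int


def allowed(p, f, want=R | W):
    # Only the first matching class is consulted: owner, then group, then other.
    if p.uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif f.gid in p.gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


def audit(files, principals):
    """Per file: who is denied read/write, and whether 'other' has any access."""
    return {f.path: {"denied": sorted(p.name for p in principals if not allowed(p, f)),
                     "world_accessible": bool(f.mode & 0o007)} for f in files}


# Constructed IDs (assumptions): 1001 = transmission, 20001 = a domain user,
# 20000 = the "domain users" group, 65534 = an unrelated account.
transmission = Principal("transmission", 1001, frozenset({1001}))
in_group = Principal("transmission", 1001, frozenset({1001, 20000}))
domain_user = Principal("domain_user", 20001, frozenset({20000}))
outsider = Principal("outsider", 65534, frozenset({65534}))

download = FileMeta("downloads/a.iso", 1001, 20000, 0o770)  # written by transmission
dropped = FileMeta("watch/b.torrent", 20001, 20000, 0o770)  # dropped by the domain user
opened = FileMeta("watch/b.torrent", 20001, 20000, 0o777)   # after chmod -R 777

if __name__ == "__main__":
    print(audit([download, dropped], [transmission, domain_user, outsider]))
    print(audit([dropped], [in_group, domain_user, outsider]))
    print(audit([opened], [transmission, domain_user, outsider]))
```

With 770 the unrelated account stays locked out in both the original and shared-group cases; with 777 the `world_accessible` flag is set and nobody is denied.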
 