FreeNAS Can't Handle Basic Use Case

Status
Not open for further replies.

Mlovelace

Guru
Joined
Aug 19, 2014
Messages
1,111
Are you running an LDAP or AD environment? You haven't provided much information for people to help you. I see how you want permissions set up, but you haven't posted the most basic and relevant information about your server and environment.
 

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
^Ahhh... well no...I'm running on FreeNAS 9.3 :) No AD or LDAP.... just making users and groups in FreeNAS. Everything else is posted. How many drives I place in a zpool and their size is irrelevant. There are no probs with any of that. I posted all the info you need.
Windows >= ver 7, OSX >= SnowLeopard but no Mavericks, Linux distros >= 1 year old.
8 core, 32GB.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> How many drives I place in a zpool and their size is irrelevant. There are no probs with any of that. I posted all the info you need.

The Forum Rules are fairly clear, and conveniently posted at the top of each page, linked in red. You are welcome to your opinion as to what is relevant and what is not, but even if I agree with you, being snippy with people who are trying to assist you is not going to get you a lot of sympathy, and will reduce the chance of useful answers. Permissions are always intimately tied to environment and configuration, starting from the selections you make when you create the dataset. It's by far one of the most complex aspects of a NAS (not at all limited to FreeNAS) because you've got choices that have been made at multiple levels, including the UNIX filesystem level, the Samba protocol implementation level, the user management (AD etc) level, etc., and they all come into play.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> Else, I'm giving up on FreeNAS and going with another NAS solution that I know works (unfortunately I'll have to custom set up zfs, encryption, etc.... but it is actually looking like a lot less hassle than FreeNAS in the end at this point).

Also, if you can make this work on something else, then just take that configuration and twiddle Samba on FreeNAS thru the GUI to do the same thing. It should work.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Okay, here is how I handled your Permissions "Use-Case". Note: I only tested this with a Win 7 Machine...
  1. Created groups called "SysAdmins", "Team1" and "Team2"
  2. Created User "Eva"
    • "Create a new primary group for the user" = UnChecked
    • "Primary Group" = SysAdmins
    • "Create Home Directory In" = /nonexistent
  3. Created User "Angela"
    • Same as above; Except "Primary Group" = Team1
  4. Created User "Maria"
    • Same as above; Except "Primary Group" = Team2
  5. Set Permissions of my DataSet (Called "MediaShare")
    • "Owner (User)" = nobody
    • "Owner (Group)" = SysAdmins
  6. Now, I then connected to the Share (in Windows) as "Eva" (Share = "\\ASC-FREENAS01\MediaShare")
    • Then I created folders called "Proj1" and "Proj2"
    • Right-Clicked on "Proj1", Selected "Properties"; Then [Security] tab
    • Edited/Set Permissions so there was only: "SysAdmins" = "Full" and "Team1" = "Modify"; Save/Close
    • Right-Clicked on "Proj2", Selected "Properties"; Then [Security] tab
    • Edited/Set Permissions so there was only: "SysAdmins" = "Full" and "Team2" = "Modify"; Save/Close
So, that should do everything you asked.
  • Eva can connect to the Share, Create Folders (at the root), Set Permissions and has Full Control of Everything
    • Also, Eva never has to access the FreeNas Web Gui, it is all done via normal "Windows Explorer" once you set it up
  • Angela can connect to the Share, but only sees the folder "Proj1" and has "Modify" Rights to only the Contents within
  • Maria can connect to the Share, but only sees the folder "Proj2" and has "Modify" Rights to only the Contents within
Extra Notes:
  • With that done, you can simply either add Users to Groups (within FreeNas) to grant them Access or you can add Groups to the Security of the Folders (outside of FreeNas)
  • When testing on Windows, make sure you delete the connections in between so you remove the cached session/credentials (Command: Net Use /Delete *)
That should do it I think. If I missed anything, let me know :)
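
A command-line equivalent of step 6 and of the cached-session note above, as an added example that is not part of the original post. It is run from PowerShell on the Windows client and assumes the FreeNAS local groups resolve from Windows as `ASC-FREENAS01\<group>`; the probe file name is only an illustration.

```powershell
# Added example. Server, share, group and user names are the ones used in the post.
# Assumption: local FreeNAS groups resolve from Windows as "<server>\<group>".
$server = 'ASC-FREENAS01'
$share  = "\\$server\MediaShare"

# Drop cached sessions so the next connection really authenticates as Eva.
net use * /delete /y
net use $share /user:Eva *        # '*' prompts for Eva's password

# One folder per team, as in step 6.
$teams = @{ Proj1 = 'Team1'; Proj2 = 'Team2' }
foreach ($proj in $teams.Keys) {
    $path = Join-Path $share $proj
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # /inheritance:r  removes the ACEs inherited from the share root
    # /grant:r        replaces any explicit ACE already held by the principal
    # (OI)(CI)        lets the ACE inherit to files and to subfolders
    # F = Full control, M = Modify
    icacls $path /inheritance:r /grant:r `
        "${server}\SysAdmins:(OI)(CI)F" `
        "${server}\$($teams[$proj]):(OI)(CI)M"

    # Anything else still listed here is an explicit ACE that needs /remove.
    icacls $path
}

# Check: a new file should carry only inherited ACEs, which icacls marks with (I).
$probe = Join-Path $share 'Proj1\acl-probe.txt'   # hypothetical probe file
New-Item -ItemType File -Path $probe -Force | Out-Null
$aces = icacls $probe | Where-Object { $_ -match ':\(' }
$notInherited = $aces | Where-Object { $_ -notmatch '\(I\)' }
if ($notInherited) {
    Write-Warning ("Entries not inherited from Proj1:`n" + ($notInherited -join "`n"))
} else {
    Write-Output 'All ACEs on the probe file are inherited from Proj1.'
}
Remove-Item $probe
```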
 

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
@Mirfster,

Thank you!!!

This is very similar to what I tried. But I'll try it again right now. I'll follow your steps exactly.
I'll let you know as soon as I'm done. Just wanted to drop a thanks quickly before testing.
Also, I did not use the "Net Use /Delete *" command during my testing, so thanks for that as well.
 

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
@Mirfster,

Ok, tried it step by step.

Didn't work. Details:

Once I created Proj1 and Proj2 and set perms, I had Eva create a sub-dir "e" and a txt file "e.txt" in Proj1. Just as a quick test before additional tests, but it failed right away. When I inspected the auto generated perms on dir "e", they were inherited from Proj1...and looked good. But the perms on file "e.txt" were not all inherited from Proj1 settings....

Eva... the sys admin can create the file e.txt, and upon creation its size is 0KB... but she can't save content to or edit the file at all. The file does open in a text editor but can't Save.

Owner of these items is user "nobody".
Also, how does making owner "nobody" make sense?

Notes of interest:
Tested in Win 7.
In FreeNAS....Apply default permissions was checked by def and I left it like that. Is this the problem?
It seems children of Proj1 and Proj2 (non directory child elements)...do not inherit perms from Proj1/Proj2 settings but instead from something else.

Perms:

Proj1
-SysAdmins
-----Full
-----M
-----R&E
-----L
-----R
-----W
-Team1
----M
----R&E
----L
----R
----W
----S(inherited? light gray)

Proj1\e (sub-dir)
-SysAdmins
-----Full
-----M
-----R&E
-----L
-----R
-----W
-Team1
----M
----R&E
----L
----R
----W
----S(inherited? light gray)

Proj1\e.txt file
-Eva
----S(Inherited?)
-SysAdmins
----R&E
----R
----S(Inherited?)
-Team1
----M
----R&E
----R
----W
----S(Inherited?)
-nobody
---W
---S(Inherited?)
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Just did the same thing. Connected to the share as "Eva", created a folder called "E" in "Proj1" and a text file in that folder called "e.txt". I was able to edit the file as "Eva"

Permissions show up as:
upload_2016-2-20_12-21-6.png
upload_2016-2-20_12-21-25.png


upload_2016-2-20_12-20-40.png
upload_2016-2-20_12-19-20.png


I then disconnected, cleared cached creds; then connected as "Angela". Went in there and edited the same file and closed it:
Code:
This was edited while connected as Eva

Just edited by Angela...
 

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
Yes, I see your file inherited the perms... but why does mine not? I don't get it.
Should I have disabled the option to let FreeNAS "Apply default permissions"?
I'm using FreeNAS 9.3


EDIT:
ohhhhhh, hang on! I made a mistake. I had a leftover custom Samba auxiliary command left in CIFS service configuration. I just realized that, got rid of it and now I get same result as you! :) Thanks!

Now I'll continue testing on Win and OSX. I'll report back in about 30min. This should serve as a fantastic guide for others.
 

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
OK, testing finished. Does not work (yet).

Report:
OSX connected as Angela.... Can't even get into Proj1. Don't have enough perms it says (fail test). Red minus symbol on Proj1 dir.
I am connected as Angela for sure... not as guest.

OSX connected as Eva.....Can see all Proj folders, can go into them... but can't mod files (fail test).
WIN7 connected as Maria....Can't see Proj2... even though Team2 is given access to Proj2...just as Team1 is assigned to Proj1 (fail test).
WIN7 connected as Angela works fine... but any document she makes she owns (ok).
WIN7 connected as Eva works fine...any document she makes she owns (great).


EDIT:
Perhaps the problem is that FreeNAS doesn't handle groups properly. I'll set individual user rights instead and try again.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
> WIN7 connected as Angela works fine... but any document she makes she owns (ok).
Any new documents would/should have the "Creator" as the owner; this is default behavior. Eva (or anyone in the "SysAdmins") can forcibly take ownership if desired/needed.

Just for reference, in my scenario I have the "MediaShare" DataSet configured as:
upload_2016-2-20_13-41-31.png
upload_2016-2-20_13-44-1.png
 

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
> Any new documents would/should have the "Creator" as the owner; this is default behavior. Eva (or anyone in the "SysAdmins") can forcibly take ownership if desired/needed.
>
> Just for reference, in my scenario I have the "MediaShare" DataSet configured as:

Same here... we have the same settings. Does not work on OSX though.

By the way... the volume the dataset was on just corrupted... was also encrypted.
Error getting available space after decryption. ahhh... lolz. The joys of life :D
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
i7 47xx server edition, 32GB ram.
WD Red drives for data. WD black for sys.
intel nics compatible with BSD, linux, Win (don't remember the model right now but this was a requirement at time of purchase).

Testing in VMWare. Hardware is doing well. Everything is very fast and smooth.

Encryption is a requirement.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Well, if it is just for Dev maybe you want to just blow the thing away and re-create from scratch? Of course since it is in VMWare, you may have a snapshot you could revert to... Also, might think about trying it without encryption at first; then encrypt and test if initial testing works out. Sorry, I don't have OSX otherwise I would test against it as well.
 

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
@Mirfster
Yes, I'm not too concerned. I know what caused the corruption. It was hard shutdowns. Not concerned cause in testing phase right now. Quite frankly it is sobering. It brought back to mind from the ZFS manual that it is not a good idea to put encryption on the outside layer of a zpool because if there is a fu** up zfs won't be able to detect it and fix it... cuz u can't even open the encrypted container. I was lying and deceiving myself. This hit home and now I see that common sense must come first. The zfs warnings were not something to ignore. Of course, outside the zfs world this can't even be escaped... it is actually the norm... but if I'm to use ZFS it should be used to its full.

Since FreeNAS doesn't use zfs encryption, I'm actually sabotaging much of the safety that zfs offers in terms of autohealing... I mean if there is a real bad corruption due to things like unfortunate shutdowns and all... i'm in the same boat as without zfs... so yeah... the price of not using zfs built in encryption. At this point I have to step back and think through the value proposition. I was so eager to offload my admin responsibilities to FreeNAS's built in convenience... but it seems... I'm left with no option but to hand set up everything from scratch... write snapshot and scrub scripts... blahh. So much to do... so little time.

@Mlovelace
No, it's not so new ;) Extremely power efficient yet powerful... entire server only uses 60Watts. And that's with the aggressive power savings turned off. CPU, HDD drives don't cycle down.
http://ark.intel.com/products/75124/Intel-Core-i7-4770S-Processor-8M-Cache-up-to-3_90-GHz
 

Mlovelace

Guru
Joined
Aug 19, 2014
Messages
1,111
> @Mirfster
> @Mlovelace
> No, it's not so new ;) Extremely power efficient yet powerful... entire server only uses 60Watts. And that's with the aggressive power savings turned off. CPU, HDD drives don't cycle down.
> http://ark.intel.com/products/75124/Intel-Core-i7-4770S-Processor-8M-Cache-up-to-3_90-GHz

The "S" in the SKU is not for server. I was alluding to the fact that there isn't an i7 server edition. The S is a low power part typically used in laptops and AIO configurations.

You can encrypt the entire pool if you'd like encryption on the freenas server.
 

zol

Dabbler
Joined
Feb 15, 2016
Messages
23
I know, I did. But as far as I know, the FreeNAS encryption is geli based and not zfs built in encryption. This means until your storage is "opened"... your zpool can't autoheal... and if it is so corrupt that you can't open it... you can have lots of fun with manually fixing headerblocks in the hopes that it will open.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
> I mean if there is a real bad corruption due to things like unfortunate shutdowns and all... i'm in the same boat as without zfs... so yeah... the price of not using zfs built in encryption.
But that is what a UPS is for. ;)
 