[HOW TO] Create a cross-platform Windows and Mac share

Status
Not open for further replies.
Joined
Jun 9, 2016
Messages
9
How to create a Windows and Mac compatible share in FreeNAS

Firstly, the reason for this how-to is if you have both Windows domain computers and Macs that are not integrated into your Active Directory and on the domain already and need to access these shares via guest access. This guide assumes that Active Directory has already been integrated into your FreeNAS under Directory Services or that all your user accounts have been set up under Account if you’re not using A.D. This guide also assumes you have already created your base raid dataset. If you have any questions, knowledge, or feedback, feel free to let me know! I have been at this a while and through trial and error found that this setup above works best in my company's environment. That does not mean, however, that it is the Right Way for every situation, so please keep that in mind :)

1. Create a dataset for your new share and set permissions and size limits

· Navigate to your FreeNAS web gui via your browser and log in as root (or admin equivalent).

· Next select the Storage tab from the top bar.

· Once on the Storage screen make sure Volumes tab is selected.

· In the main window pane select your main dataset that you would like your new one to go within then click the Create Dataset button at the bottom of the screen (looks like a table with a plus sign above it).

· You will now be presented with a pop-up with options. Firstly, before we fill in anything, let's expand this so we can get full access to what we really need by clicking the Advanced mode button at the bottom of the window.

· Now, starting from the top of the pop-up, let's go through the necessary fields we want.

· For Dataset Name: for this example we will call it Awesome Share, but this is where you set what name the new storage location will have.

· Next, for Compression level: you can set this how you see fit, but for my shares I always turn it to Off (having compression really does not help much and slows performance slightly, so if you have the space you need available to work with, don’t waste your time on it).

· Next, for Share type: we will set this to UNIX, as we want both Mac and Windows to interact equally with this share.

· Now we will skip a few of the options, as they are fine to be left at default (feel free to change them if you need to), and go to Quota for this dataset:. Here we will set the size of our new Awesome Share; for this example I have set mine to 2T.

· Now if you’d like you can change any other settings below, but I’ll just leave mine how they are and click the Add Dataset button to finish the creation.

· Now with the dataset created we will set the global permissions for the share. To do this, first navigate to the Volume on the left side bar; this can be found under Storage>Volumes>Main Dataset>Awesome Share, for example. Hit the plus sign next to your new share and click the Change Permissions option.

· From this pop-up we will start by changing the Owner(user): to nobody; this will allow anyone with guest Mac access to make changes.

· Next, for the Owner(group): we will set this to yourdomain\domain users; this will allow your Active Directory users to have access to make changes.

· Now moving down to the Mode: you will notice that it may be grayed out and cannot be changed. To fix this, simply go to the Permission type: and change from Unix to Windows, then back to Unix. This is a bug that I still don’t quite understand, but you should now be able to change the Mode: permissions by clicking the boxes. For this share you will give Read, Write & Execute to both owner and group and give Read & Execute to other.

· Finally click the check box to Set permission recursively: then click the Change button to complete the setup.

· Now with this completed we will move on to Section 2 turning on sharing for Mac and Windows

2. Turning on sharing to both Windows and Mac

· Navigate to the Services option at the top of the screen. Here you’ll see a list of tons of options; for today we’ll only be needing AFP (for Mac) and CIFS (for Windows).


· Click the wrench next to AFP to pull up a pop up window to configure.

· Check the box for Guest Access: then in the Guest account: type nobody.

· Next we can Bind IP Address if needed. By default it should be set to your FreeNAS IP, unless you’re running VLANs for your shares, in which case select the IPs you want to run AFP on.

· You can leave all else blank or fill in if you want more customization and click the ok button to finish.

· Next we will click the wrench next to CIFS to open its configuration.

· Here go through and set your info as needed. The biggest thing you want to look for is that you set Guest account to nobody; the rest can pretty much be default. So we’ll hit OK to save this.

· Now at the top of the screen in the bar click on Services and make sure AFP and CIFS are turned to the ON position; if not, then do so now.

· Now on to section 3 to do the final config on creating your shares

3. Configuring your new dataset to share to Windows and Mac

· Navigate to the Sharing option from the top bar

· Here you will see a bunch of options for sharing; today we will only need AFP and CIFS.

· So let’s start with AFP: just below Sharing at the top, click Apple (AFP) to open the management screen.

· Here we will then click the Add Apple (AFP) Share button.

· From this pop-up change the Path to point to your new share, Awesome Share for example.

· The Name is pretty self-explanatory: call it what you want people to see it named as, Awesome Share for example.

· Now click the Advanced Mode button.

· On the extended view, scroll down; the only thing that really needs to be changed is to uncheck AFP3 Unix Privs:. The reason for this is that it will conflict with the global settings we applied to the share earlier and create a problem (not sure exactly why this is, but if this is on, a lot of the time my company's Mac users will revert to read-only permissions no matter how I set the check boxes).

· Finally click Ok to finish the setup

· Next at the top Click the Windows (CIFS) tab under Sharing

· Click on the Add Windows (CIFS) Share button

· From this pop-up change the Path to point to your new share, Awesome Share for example.

· Leave use as home share unchecked.

· The Name is pretty self-explanatory: call it what you want people to see it named as, Awesome Share for example.

· Now make sure Apply Default Permissions and Allow Guest Access are checked!

· Hit OK to finish; no need to set Advanced Mode unless you feel like looking or changing anything further.

· Now with this completed you officially have a Cross platform share that will allow windows and mac users to exchange info and make changes to files on this share without any issue! YAY!

Afterthought: when connecting from a Windows computer it will automatically use CIFS, but for Macs make sure that you use the AFP:// protocol when connecting. If you use CIFS://, a bunch of programs will have problems writing directly to the raid, such as InDesign, printshop, etc. (especially if you have multiple networks and the traffic is crossing from one to another). So just stick with AFP for all your Macs to avoid any headaches. With that being said, your new company-wide share should run flawlessly.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
I'm curious why you would be in this place at all. You can bind OSX machines to an Active Directory domain without problems. I feel it is a solution in search of a problem.
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Are you recommending creating an AFP share and a CIFS share, both with read/write access, pointing at the same dataset?

Please note, the images are broken (the paths point to your local hard drive):
Code:
https://forums.freenas.org/file:///C:/Users/ISAIAH~1/AppData/Local/Temp/msohtmlclip1/01/clip_image002.jpg
https://forums.freenas.org/file:///C:/Users/ISAIAH~1/AppData/Local/Temp/msohtmlclip1/01/clip_image004.jpg
 
Joined
Jun 9, 2016
Messages
9
I'm curious why you would be in this place at all. You can bind OSX machines to an Active Directory domain without problems. I like the guide, but I feel it is a solution in search of a problem.
Are you recommending creating an AFP share and a CIFS share, both with read/write access, pointing at the same dataset?

Please note, the images are broken (the paths point to your local hard drive):
Code:
https://forums.freenas.org/file:///C:/Users/ISAIAH~1/AppData/Local/Temp/msohtmlclip1/01/clip_image002.jpg
https://forums.freenas.org/file:///C:/Users/ISAIAH~1/AppData/Local/Temp/msohtmlclip1/01/clip_image004.jpg
Yes, we have set up AFP and CIFS to point to the same dataset; this allows both Mac and Windows users to experience the best possible connection to the dataset. Thanks for the heads up on the images, I will correct them when I have time today.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Yes we have set up AFP and CIFS to point to the same Dataset this allows both mac and windows users to experience the best possible connection to the dataset. Thanks for the heads up on the images I will correct them when I have time today.

OSX machines connect just fine over CIFS. The idea that AFP>CIFS for OSX is outdated at best, and misguided at worst.

Also, you should never have more than one sharing protocol looking at the same dataset. The way different protocols handle files (locking, writing, etc.) means that it is surprisingly easy to hose things and lose data. Especially in an enterprise environment, where you will have more users doing more things simultaneously (and where, I'm assuming, the data is more valuable). Sometimes you'll see people use multiple protocols, with only one being allowed to write (the others are read only), and that's usually fine, but not always.
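
An added example, not part of the thread or of FreeNAS itself: one way to audit for the situation described in the post above is to compare the share paths exported by Samba and by netatalk and flag any path reachable over both protocols, distinguishing the multi-writer case from the one-writer case. It assumes INI-style `smb4.conf` and netatalk 3 `afp.conf` text, that `read only` defaults to yes in Samba and no in netatalk, and it uses constructed share names and paths.

```python
import configparser
from pathlib import PurePosixPath

# Constructed sample configs: share names and /mnt/tank paths are made up.
SMB_CONF = """
[global]
guest account = nobody

[Awesome Share]
path = /mnt/tank/awesome_share
guest ok = yes
read only = no

[Design]
path = /mnt/tank/awesome_share/design

[Archive]
path = /mnt/tank/archive
read only = yes
"""

AFP_CONF = """
[Global]
guest account = nobody

[Awesome Share]
path = /mnt/tank/awesome_share

[Archive]
path = /mnt/tank/archive
read only = yes

[Scans]
path = /mnt/tank/scans
"""

YES = {"yes", "true", "1", "on"}


def parse_shares(text, protocol, read_only_default):
    """Return one dict per share section (any non-global section with a path)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    shares = []
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global" or "path" not in sec:
            continue
        if "read only" in sec:
            read_only = sec["read only"].strip().lower() in YES
        elif "writable" in sec or "writeable" in sec:  # Samba inverse synonyms
            value = sec.get("writable", sec.get("writeable"))
            read_only = value.strip().lower() not in YES
        else:
            read_only = read_only_default  # assumption: per-daemon default
        guest = sec.get("guest ok", sec.get("public", "no")).strip().lower() in YES
        shares.append({"protocol": protocol, "name": name,
                       "path": sec["path"].strip(),
                       "writable": not read_only, "guest": guest})
    return shares


def overlaps(a, b):
    """True if the two paths are equal or one contains the other."""
    pa, pb = PurePosixPath(a), PurePosixPath(b)
    return pa == pb or pa in pb.parents or pb in pa.parents


def find_conflicts(smb_shares, afp_shares):
    """Pair up SMB and AFP shares whose paths overlap and grade the risk."""
    findings = []
    for s in smb_shares:
        for a in afp_shares:
            if not overlaps(s["path"], a["path"]):
                continue
            writers = [x["protocol"] for x in (s, a) if x["writable"]]
            risk = {2: "multi-writer", 1: "single-writer", 0: "read-only"}[len(writers)]
            findings.append({"smb": s["name"], "afp": a["name"], "risk": risk,
                             "writers": writers,
                             "guest_write": s["guest"] and s["writable"]})
    return findings


def audit(smb_text=SMB_CONF, afp_text=AFP_CONF):
    smb = parse_shares(smb_text, "SMB", read_only_default=True)
    afp = parse_shares(afp_text, "AFP", read_only_default=False)
    return find_conflicts(smb, afp)


if __name__ == "__main__":
    for f in audit():
        note = " (guest can write over SMB)" if f["guest_write"] else ""
        print(f'{f["risk"]:13} SMB[{f["smb"]}] <-> AFP[{f["afp"]}]{note}')
```

The nested `Design` share shows why the comparison is on path containment rather than equality: it is read-only over SMB, yet the same files are writable through the parent AFP share.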
 
Joined
Jun 9, 2016
Messages
9
OSX machines connect just fine over CIFS. The idea that AFP>CIFS for OSX is outdated at best, and misguided at worst.

Also, you should never have more than one sharing protocol looking at the same dataset. The way different protocols handle files (locking, writing, etc) mean that it is surprisingly easy to hose things and lose data. Especially in an enterprise environment, where you will have more users doing more things simultaneously (and where, I'm assuming, the data is more valuable). Sometimes you'll see people use multiple protocols, with only one being allowed to write (the others are read only), and that's usually fine, but not always.
Thank you for this feedback. Well then, maybe you can help me troubleshoot my issues, which is why I went about having to go this way. When using CIFS-only protocol, all Mac users on our network experience issues with writing to the share via Adobe CS 5.5 products and are prompted that they have insufficient privileges or program errors; as well, we have another facility on a different network that has similar issues with permissions from printshop and any Adobe suite products. The only way I was able to get my Mac computer to write to the shares without magically deleting files or refusing to save the files on the share was to have them use AFP. CIFS is an extension of SMB which has constant issues with older Adobe products and is why I am at a loss as to how to get my design department or print department able to manipulate files without running dual protocols on the share.

When saving to a mounted SMB/CIFS point, users report one of two errors:


  • Could not save <filename> because of a program error
  • Could not save <filename> because write access was not granted
 
Joined
Jun 9, 2016
Messages
9
Thank you for this feedback well then maybe you can help me troubleshoot my issues which is why I went about having to go this way. When using cifs only protocol all mac users on our network experience issues with writing to the share via Adobe CS 5.5 products and are prompted that they have insufficient privileges or program errors, as well we have another facility on a different network that has similar issues with permissions from printshop and any adobe suite products. The only way I was able to get my mac computer to write to the shares without magically deleting files or refusing to save the files on the share was to have them use afp . CIFS is an extension of SMB which has constant issues with older adobe products and is why i am at a loss as how to get my design department or print department able to manipulate files without running dual protocols on the share.

When saving to a mounted SMB/CIFS point, users report one of two errors:


  • Could not save <filename> because of a program error
  • Could not save <filename> because write access was not granted
Also, we have tried having the Macs integrated into Active Directory and granting rwe to all domain users, or outside and using guest and having the share wide open to allow rwe by guest; both ways still throw these errors.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Thank you for this feedback well then maybe you can help me troubleshoot my issues which is why I went about having to go this way. When using cifs only protocol all mac users on our network experience issues with writing to the share via Adobe CS 5.5 products and are prompted that they have insufficient privileges or program errors, as well we have another facility on a different network that has similar issues with permissions from printshop and any adobe suite products. The only way I was able to get my mac computer to write to the shares without magically deleting files or refusing to save the files on the share was to have them use afp . CIFS is an extension of SMB which has constant issues with older adobe products and is why i am at a loss as how to get my design department or print department able to manipulate files without running dual protocols on the share.

When saving to a mounted SMB/CIFS point, users report one of two errors:


  • Could not save <filename> because of a program error
  • Could not save <filename> because write access was not granted

Could you share a little more information about your configuration? For example, what version of OSX are you using? What version of FreeNAS are you using? Do you have any customizations set on FreeNAS? What version of Active Directory is your domain using? Are you doing anything special on the OSX clients? Are the users local administrators?

Also, what troubleshooting steps have you done? Are you getting this error with all CS5.5 products, or only some? Do you get an error with other programs, or is it only CS5.5? Is it only writing, or do you have problems with reading as well? Does it only do it with large files/small files, or does it always happen? Are you seeing any connection issues in the log files?

FYI, these problems are rarely caused by the program, but problems with the underlying OS. They seem like program problems, but it's because only those programs attempt to do whatever it is that the OS doesn't support properly. In my experience with Apple, this is usually because Apple picks some kind of non-standard default option that breaks compatibility. The trick is tweaking the correct config file back to a "better" setting.

For the record, I'm doing exactly this in my home environment without issue: Active Directory (2012 R2) with bound OSX clients (El Capitan) saving files from Photoshop and Illustrator 5.5 over CIFS. If I recall, I had some issues with earlier versions of OSX (before circa 2012) that needed minor config changes to correct, but I don't recall any problems with OSes newer than Mavericks (or so).
 
Joined
Jun 9, 2016
Messages
9
Could you share a little more information about your configuration? For example, what version of OSX are you using? What version of FreeNAS are you using? Do you have any customizations set on FreeNAS? What version of Active Directory is your domain using? Are you doing anything special on the OSX clients? Are the users local administrators?

Also, what troubleshooting steps have you done? Are you getting this error with all CS5.5 products, or only some? Do you get an error with other programs, or is it only CS5.5? Is it only writing, or do you have problems with reading as well? Does it only do it with large files/small files, or does it always happen? Are you seeing any connection issues in the log files?

FYI, these problems are rarely caused by the program, but problems with the underlying OS. They seem like program problems, but it's because only those programs attempt to do whatever it is that the OS doesn't support properly. In my experience with Apple, this is usually because Apple picks some kind of non-standard default option that breaks compatibility. The trick is tweaking the correct config file back to a "better" setting.

For the record, I'm doing exactly this in my home environment without issue: Active Directory (2012 R2) with bound OSX clients (El Capitan) saving files from Photoshop and Illustrator 5.5 over CIFS. If I recall, I had some issues with earlier versions of OSX (before circa 2012) that needed minor config changes to correct, but I don't recall any problems with OSes newer than Mavericks (or so).

Sure, we are running Active Directory (2008) R2, our Macs are all on Yosemite or El Capitan, users are not local admins but their profiles are local and not A.D. integrated (trying to resolve this, but that's a whole 'nother monster), FreeNAS 9.10 Stable with no added customizations. As for Adobe's issues, primarily it seems that using CIFS with InDesign the files will either say that they saved and just disappear (when you go to the folder they are just gone) or will throw the 2 errors mentioned above and not allow saving the file to the shared dataset. As for troubleshooting, we have tried all sorts of things from server and client side, and then we stumbled on to turning both protocols on as a workaround and pretty much stopped there. I think that the real issue lies in the fact that all of the Macs here in our company are not integrated with A.D.; because of this they are really not given the proper permissions they need to have full control via CIFS, but as I still have not found a solution to migrate the employees' profiles from local to network based on the newer Mac OSes without moving the profiles off the computer to an external network location, I am kind of stuck... Basically these Macs have 500GB to 2TB worth of design artwork stored on each, and so moving these profiles off the local system is going to be a nightmare. Whereas with the older OS X versions you could delete the local profile, keep the home dir., and rename it to the network profile, change the permissions over and BAM, log in under the network profile and all your data is where you need it (short version). On a side note, we have a Samba share that has the exact same issues as the new FreeNAS shares, so neither SMB nor CIFS seems to work for our Macs. Sorry if I am rambling, but I have been trying to fix a very broken network and finding nothing but problems at every step of the way.
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Yes we have set up AFP and CIFS to point to the same Dataset this allows both mac and windows users to experience the best possible connection to the dataset.
This supposedly works with Linux, but is expected to lead to trouble with FreeBSD, which (you probably know) is the OS underlying FreeNAS. If you're finding that in your environment it actually works better than all-CIFS, that's interesting.
Adobes issues
Adobe applications have been a thorn in the side of BitTorrent Sync in the past. If I remember correctly, it has something to do with a rapid sequence of filesystem operations that occur at the moment when you save a file.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Whereas with the older OSx versions you could delete the local profile, keep the home dir., and rename it to the network profile change the permissions over and BAM login under network profile and all your data is where you need it (short version).

I'm pretty sure I recently did something exactly like this with El Capitan. What is the reason you ran into not being able to do this?

However, that shouldn't have anything to do with your share problem.

On a side note we have a Samba share that has the exact same issues as the new freenas shares so neither SMB or CIFS seems to work for our macs.

SMB and CIFS are basically one and the same. FreeNAS uses Samba to do shares, so it sounds like a Samba/OSX issue. I have seen posts online about disabling SMB streams in OSX; is this something you've tried?
 
Joined
Jun 9, 2016
Messages
9
This supposedly works with Linux, but is expected to lead to trouble with FreeBSD, which (you probably know) is the OS underlying FreeNAS. If you're finding that in your environment it actually works better than all-CIFS, that's interesting.

Yes, I have found here in my office that running both AFP and CIFS on the same share seems to work flawlessly. As to issues down the road with FreeBSD, that was my main concern and why I posted this, because I wanted more insight into whether or not this will cause an issue running both at some point.

Adobe applications have been a thorn in the side of BitTorrent Sync in the past. If I remember correctly, it has something to do with a rapid sequence of filesystem operations that occur at the moment when you save a file.

As for Adobe, yes, there have been known issues with its interaction with filesystems using the CIFS protocol due to the "rapid sequence of filesystem operations that occur at the moment when you save a file." I just can't understand why, which was what led me to the whole idea of having our Macs under domain policy and using a different route for permissions than just leaving nobody with full access to the share and having them use guest login.
 
Joined
Jun 9, 2016
Messages
9
I'm pretty sure I recently did something exactly like this with El Capitan. What is the reason you ran into not being able to do this?

However, that shouldn't have anything to do with your share problem.

Well, that is good to hear that it is possible then! Basically, because of the sandboxing that is now done by OS X in the latest versions, when you migrate the profile to the networked profile it breaks all the permissions in the library and basically hoses the entire profile. I actually found a possible fix for this which I plan on attempting today, so we'll see how it goes... As for what it has to do with the share problem, I just feel that maybe using the guest function to write to these shares is not what the guest access is meant for and therefore causing the issue, so if we move the Macs under domain policy it will work more smoothly.

SMB and CIFS are basically one and the same. FreeNAS uses Samba to do shares, so it sounds like a Samba/OSX issue. I have seen posts online about disable SMB streams in OSX; is this something you've tried?

No, I have not tried this. I did search into it a bit and see that if you force your Macs to use the SMB1 protocol it tends to eliminate some permissions issues on Samba shares, but that is not really a great solution either and does not help with my CIFS shares in any way. I will toy around and research this more. Thanks for the feedback again!
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
As for what it has to do with the share problem I just feel that maybe using the guest function to write to these shares is not what the guest access is meant for and therefore causing the issue so if we move the macs under domain policy it will work more smoothly.

When you put a Mac on an Active Directory domain, the only thing you're really doing is telling the Mac to use the domain controller for user authentication. There's no deeper integration like group policy, or anything like that.

You shouldn't need to use guest permissions to access the share. You can connect to a share using any credentials from the "Connect to Server" window: smb://username:*@server

.. and does not help with my CIFS shares in any way

When you say this, is that because you've tried it, or are you assuming it won't work?
 
Joined
Jun 9, 2016
Messages
9
There's no deeper integration like group policy, or anything like that.

Sure there is: if the Mac tries to connect to a share that is set to only allow Domain Users access, if their Mac is integrated with AD it will then allow them right into the share without prompting for login info every time they remount. Now, with the option you presented below, "smb://username:*@server", this may serve as a workaround to remove the prompt to login or choose guest, but basically I am in the process of moving all the company's data, which is stored across about 5 small outdated storage servers ranging from Win 2003 to Samba running on outdated hardware, all on to this new FreeNAS build, and in doing so I want the transition to be seamless on the employees' end. I have actually just successfully moved one of our Macs' local profiles onto a networked profile and then connected via CIFS to a graphics storage share on FreeNAS, and it allowed me right in and had zero permissions issues. So the group policy definitely has an effect on the interaction of the Mac with the dataset! As well, I tested to see if the newly added Mac could get into another share I have set up to only allow a certain department in the company access, and they could not get into it; it immediately prompted for correct login credentials.


You shouldn't need to use guest permissions to access the share. You can connect to a share using any credentials from the "Connect to Server" window: smb://username:*@server

I will have to give this a try and see how it works.

When you say this, is that because you've tried it, or are you assuming it won't work?

I did actually try this, this morning, on a tester mini Mac I have set up next to me. I toyed with SMB streaming, and since CIFS is its own separate protocol that builds off SMB, changing the SMB settings does not appear to interact with the CIFS interaction to the FreeNAS server. I will say, however, that it did work in fixing the issues connecting to the old Samba share that we were having issues connecting with.
 
Joined
Jun 9, 2016
Messages
9
There's no deeper integration like group policy, or anything like that.

Another interesting fact I just discovered on this is that if you connect to the FreeNAS shared dataset from the Mac via SMB, it will abide by not showing groups that have group policy in place and will only show groups that have access to everyone, BUT if you use CIFS it abides by group policy fully and shows all folder structures that the domain user's account should have access to, so CIFS does work fully with GP and SMB ignores / excludes GP folders on Macs :)
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Sure there is if the mac tries to connect to a share that is set to only allow Domain Users access if their mac is integrated with AD it will then allow them right into the share without prompting for login info every time they remount. Now with the option you presented below "smb://username:*@server" this may serve as a workaround to remove the prompt to login or choose guest but basically I am in the process of moving all the companies date which is stored across about 5 small outdated storage servers ranging from win 2003 to samba running on outdated hardware all on to this new FreeNAS build and in doing so I want the transition to be seamless on the employees end. I have actually just successfully moved one of our macs local profiles onto a networked profile and then connected via CIFS to a graphics storage share on FreeNAS and it allowed me right in and had Zero permissions issue. So the group policy definitely has an effect on the interaction of the mac with the dataset! As well i tested to see if the newly added mac could get into another share i have setup to only allow a certain department in the company access and they could not get into it, it immediately prompted for correct login credentials.

You seem to be misunderstanding how all this works.

When you connect to a share on your Mac, your Mac provides the user's authentication credentials to connect to the share. If you log in to the Mac with an account that has access to a share, then those credentials will be passed, you will be validated, and you will connect without seeing a login box. If your credentials are not valid, you will be presented with a login box. That has nothing to do with Active Directory. It has everything to do with access credentials. The fact that your machine is connected to the domain or not is irrelevant: what matters is what account you are using. If you use the same access credentials from a non-bound machine, you would see exactly the same behavior.

Also, Group Policy is not user authentication. Group Policy provides central management of user and machine settings. An OSX machine bound to an Active Directory domain is not impacted whatsoever from Group Policy, unless you use a 3rd-party extension to GPO.

I did actually try this, this morning, on a tester mini mac I have setup next to me i toyed with smb streaming and since cifs is its own seperate protocol that builds off smb changing the smb setting do not appear to interact with the cifs interaction to the freenas server. I will say however that it did work in fixing the issues connecting to the old samba share that we were having issues connecting with.

Again, you are creating a distinction between CIFS and SMB that does not exist. SMB and CIFS are the same protocol. CIFS is simply a more modern dialect of the SMB protocol, where SMB usually refers to one or more outdated dialects. Please read the following: https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx

Another interesting fact i just discovered on this is that if you connect to the FreeNAS shared dataset from the mac via SMB it will abide by not showing groups that have group policy in place and will only show groups that have access to everyone, BUT if you use CIFS it abides by group policy fully and shows all folder structures that the domain users account should have access to so CIFS does work fully with GP and SMB ignores / excludes GP folders on Mac's :)

What do you mean by "groups that have group policy in place"? That doesn't make any sense. Also, what are "groups that have access to everyone"? Do you mean a group that is a member of "Everyone"? What do you mean by a "GP folder"? Do you mean an OU in the GPO management interface?

Based on your comment, I'm understanding the following: by connecting to the share with an old dialect of SMB, you are unable to see anything (?), but when you connect using the CIFS dialect, then you see the folder structure. So, what is the problem now? Are you still seeing the behavior with Adobe products? Has anything changed regarding your initial problem?
 