How to use UNIX permissions with CIFS

Status
Not open for further replies.

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36
Hi all,

I just want a simple way to set up UNIX shares and have them accessible by Windows clients.

I tried to set FreeNAS up with a dataset with a share type of UNIX, then created a CIFS share. I created a text file with r + w permissions for the owner (me) and group (staff). However, the file was only editable by me, and not anyone else, even if they are part of the staff group.

This prompted me to learn that the best and easiest way is to use Windows shares for Windows clients and fine-tune permissions through Windows. However, the person who I am building this for doesn't want that.

I just want to know how to set up UNIX shares and have them work with r/w permissions for all.

Can anyone help? Thanks.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
On storage tab select the dataset you are sharing and hit the change permissions icon at the bottom. Place a check mark in all the boxes for owner, group and other.

 

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36
On storage tab select the dataset you are sharing and hit the change permissions icon at the bottom. Place a check mark in all the boxes for owner, group and other.

Thanks, I tried this, but it didn't work. I still get the 'Save as' box appear when I try and write to a file I do not own.
 

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36

Thanks, I am aware of these but they don't solve my problem.
This is the file I am trying to edit:

-rw-rw-rw- 1 test staff 603 Sep 7 15:34 chris.txt

I am a member of staff, therefore I should have write permissions to this file, but I do not.
I have write permissions to the share, as I can create my own new file.

I want to be able to edit files other than my own.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Thanks, I am aware of these but they don't solve my problem.
This is the file I am trying to edit:

-rw-rw-rw- 1 test staff 603 Sep 7 15:34 chris.txt

I am a member of staff, therefore I should have write permissions to this file, but I do not.
I have write permissions to the share, as I can create my own new file.

I want to be able to edit files other than my own.

Use getfacl to check for presence of ACLs on the folder(s) where chris.txt is located.
Verify that the DOS attribute "read-only" isn't set on the file(s). These can be viewed by right-clicking on file/folder, clicking 'properties', and viewing "attributes" on the "General" tab.
 

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36
Use getfacl to check for presence of ACLs on the folder(s) where chris.txt is located.
Verify that the DOS attribute "read-only" isn't set on the file(s). These can be viewed by right-clicking on file/folder, clicking 'properties', and viewing "attributes" on the "General" tab.

When I run getfacl on the directory containing the file, it outputs:

[root@freenas] /mnt/pool# getfacl dataset/
# file: dataset/
# owner: super
# group: staff
owner@:rwxp--aARWcCos:------:allow
group@:rwxp--a-R-c--s:------:allow
everyone@:rwxp--a-R-c--s:------:allow

The "read-only" attribute is not checked for the file.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Do you have "allow guest access" checked on the cifs share in the sharing tab? Were the permissions ever set to windows on this dataset?
 

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36
Do you have "allow guest access" checked on the cifs share in the sharing tab? Were the permissions ever set to windows on this share?

Allow guest access is not checked on the share.

No, it has always been share type UNIX.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I've done this for others' systems...
* Add a user in freenas to own the dataset
in the CIFS share..
* allow guest access + only allow guest access
* set an auxiliary parameter to "force user = USER"
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Check the box to allow guest access.
 

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36
Check the box to allow guest access.
Why should I do that though? I can access the share perfectly fine as myself, and I can create new files. I can't however, edit any files not owned by myself. I don't really want to just open it up to guests for no reason.
 

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36
I've done this for others' systems...
* Add a user in freenas to own the dataset
in the CIFS share..
* allow guest access + only allow guest access
* set an auxiliary parameter to "force user = USER"

Thanks, but this just sounds like a workaround and not a solution to the problem. I can't see why this isn't working, group has write access, I am part of that group yet I can't write to a file I don't own.

I don't want to allow guests to access the share for no reason. Plus, it can't be a guest issue, because I have access to the share and I can read and write. I just can't edit files not owned by myself.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Thanks, but this just sounds like a workaround and not a solution to the problem. I can't see why this isn't working, group has write access, I am part of that group yet I can't write to a file I don't own.

I don't want to allow guests to access the share for no reason. Plus, it can't be a guest issue, because I have access to the share and I can read and write. I just can't edit files not owned by myself.
Ahh ok, the solution I posted has no security so doesn't sound like that's what you want.

Can you post a screenshot of the folder's permissions (ls -l /path/to/folder)? And point out files created by your user, and files you can't edit.
 

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36
Ahh ok, the solution I posted has no security so doesn't sound like that's what you want.

Can you post a screenshot of the folder's permissions (ls -l /path/to/folder)? And point out files created by your user, and files you can't edit.

Yeah, this needs to be pretty secure.

Sure, quite simply I have one dataset with a text file in it like so:

[chriss@freenas /mnt/pool/dataset]$ ls -l
total 1
-rw-rw-rw- 1 test staff 53 Sep 7 16:22 chris.txt

So as far as I am concerned, I should be able to write to this file shouldn't I?

But, when I look at the permissions through Windows, it says that:

Everyone has read access
Staff have read access
Owner has read + write access

It seems like it's using the Windows permissions but I don't know why, I haven't intentionally set it up that way.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Yeah, this needs to be pretty secure.

Sure, quite simply I have one dataset with a text file in it like so:

[chriss@freenas /mnt/pool/dataset]$ ls -l
total 1
-rw-rw-rw- 1 test staff 53 Sep 7 16:22 chris.txt

So as far as I am concerned, I should be able to write to this file shouldn't I?

But, when I look at the permissions through Windows, it says that:

Everyone has read access
Staff have read access
Owner has read + write access

It seems like it's using the Windows permissions but I don't know why, I haven't intentionally set it up that way.
Can your user create new files in the folder through CIFS?

You aren't being stopped from writing to that file by UNIX permissions, it's world writable. It's something on the windows/CIFS which I personally can't help with.
 

chris.shelton

Dabbler
Joined
Jun 9, 2015
Messages
36
Can your user create new files in the folder through CIFS?

You aren't being stopped from writing to that file by UNIX permissions, it's world writable. It's something on the windows/CIFS which I personally can't help with.

Yes I can create new files/folders just fine. I just can't edit something that I am not the owner of, regardless if I am in the staff group.

It's worth noting that if I SSH into FreeNAS as myself, I can edit the file there and save changes. It's only when done through Windows that it won't let me. So it must be a samba/CIFS/Windows issue.

Thanks for your help anyway!
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
No prob, good luck.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Out of curiosity, try manually editing your share in /etc/local/smb4.conf, making the following changes to your share config (not the global config):
  • remove "zfsacl" from the "vfs objects" for the share
  • comment out the following: nfs4:* (i.e. all parameters beginning with nfs4), zfsacl:*
Once you make these changes, type "service samba_server restart". Then try to access it again.

The script that generates the smb4.conf file in FreeNAS doesn't look at whether the share is a "windows" or "unix" one and therefore by default throws all the config options in there for using nfsv4 acls. This might be screwing with your permissions.
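
The share-level edit described in the post above, as an added sketch (not part of the original post and not FreeNAS's own tooling): it removes "zfsacl" from "vfs objects" and comments out the nfs4:* and zfsacl:* parameters in one named share, leaving [global] and other shares untouched. The function name strip_zfsacl and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the style of a FreeNAS-generated smb4.conf (values illustrative).
SAMPLE_CONF = """\
[global]
    server string = FreeNAS Server
    vfs objects = zfsacl
    nfs4:mode = special

[dataset]
    path = /mnt/pool/dataset
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    zfsacl:acesort = dontcare
"""

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Lines starting with '#' or ';' are comments and never match as parameters.
PARAM = re.compile(r"^(?P<indent>\s*)(?P<key>[^=#;]+?)\s*=\s*(?P<value>.*)$")

def strip_zfsacl(conf_text, share):
    """Disable the zfsacl module and its nfs4:*/zfsacl:* options in [share] only."""
    out, current = [], None
    for line in conf_text.splitlines():
        sec = SECTION.match(line)
        if sec:
            current = sec.group("name").strip().lower()
        par = None if sec else PARAM.match(line)
        if par is None or current != share.lower():
            out.append(line)          # headers, comments, blanks, other sections
            continue
        indent = par.group("indent")
        key = " ".join(par.group("key").lower().split())  # smb.conf keys ignore case/spacing
        if key == "vfs objects":
            mods = [m for m in re.split(r"[\s,]+", par.group("value")) if m and m != "zfsacl"]
            if mods:                  # drop the line if zfsacl was the only module
                out.append(f"{indent}vfs objects = {' '.join(mods)}")
        elif key.startswith(("nfs4:", "zfsacl:")):
            out.append(f"{indent}# {line.strip()}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(strip_zfsacl(SAMPLE_CONF, "dataset"), end="")
```

Because FreeNAS generates this file from a script, treat a hand edit as a diagnostic step and keep a copy of the original; the change takes effect after "service samba_server restart" as described in the post.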
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
To be up front and blunt, it's non-trivial (basically nearly impossible if you want a secure setup) to use UNIX permissions while simultaneously using Windows clients. Windows clients should use (and rely on) Windows ACLs. That cannot be easily avoided without simply circumventing permissions by forcing users, using guest, etc.
 