Issue With Share Permissions & Plex

Status
Not open for further replies.

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Who is the owner of the dataset? What user ID is used to log in to CIFS? CIFS permissions are a big mess since the Samba upgrade, but if you know what you're doing and get to a shell it can be fixed. Use getfacl to dump dataset permissions.
 

qwerion

Dabbler
Joined
Jan 30, 2014
Messages
19
IMO, the easiest way to allow plex access is to create a group inside the plex jail with the same group ID as the group owner in FreeNAS. Assuming, of course, that you're allowing group read (and write?).
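
An added example, not part of the post above or of FreeNAS itself: a small audit that shows what a jail user with a given set of group IDs can read in a media tree. It assumes plain POSIX mode bits only (it does not evaluate the Windows/NFSv4 ACLs discussed elsewhere in this thread); the file names, the sample tree and the jail UID are constructed for illustration.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids):
    """True if (uid, gids) may read a file, or read and traverse a directory."""
    if uid == 0:                       # root bypasses mode bits
        return True
    need = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4
    if uid == st.st_uid:               # owner class is checked first
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid in gids:            # then the group class
        bits = (st.st_mode >> 3) & 0o7
    else:                              # everyone else
        bits = st.st_mode & 0o7
    return bits & need == need

def audit(root, uid, gids):
    """Return sorted paths (relative to root) whose own bits deny uid/gids."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    blocked = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):   # symlink bits are not meaningful
            continue
        if not allowed(st, uid, gids):
            blocked.append(os.path.relpath(path, root))
    return sorted(blocked)

def build_sample_tree():
    """Constructed sample: a media directory with one owner-only file."""
    root = tempfile.mkdtemp(prefix="movies-")
    os.chmod(root, 0o750)
    for name, mode in (("film.mkv", 0o640), ("notes.txt", 0o600)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    st = os.stat(root)
    jail_uid = st.st_uid + 1000        # hypothetical jail user, not the owner
    print("GID matches dataset group:", audit(root, jail_uid, {st.st_gid}))
    print("GID does not match:       ", audit(root, jail_uid, {st.st_gid + 1}))
```

A directory listed as blocked also hides everything beneath it, even entries whose own bits would allow access.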
 

wutang200

Dabbler
Joined
Apr 1, 2014
Messages
37
> Who is the owner of the dataset? What user ID is used to log in to CIFS? CIFS permissions are a big mess since the Samba upgrade, but if you know what you're doing and get to a shell it can be fixed. Use getfacl to dump dataset permissions.


Which dataset? I've selected Windows ACLs so it's all disabled in FreeNAS. I don't have enough knowledge to use the command line.
 

wutang200

Dabbler
Joined
Apr 1, 2014
Messages
37
I've now granted full access to every single folder so I can start again with the permissions (yet again) one by one.

I need to get the Windows ACLs working in order for me to run Plex as a user and lock it down.
 

wutang200

Dabbler
Joined
Apr 1, 2014
Messages
37
Finally got it all working how I wanted it to!

After I granted full access to all 3 shares (Movies, Documentaries & Photos), I changed the mode for each one to Windows ACLs within each one's dataset permissions.

Set the owner as myself and set the group as Users.

Allow Guest Access is unchecked and Inherit Permissions, ACLs etc. are all unchecked too for all 3 datasets and shares.

Once this was done, I then used Windows Security to uncheck every single box for the Everyone group.

For the Users group (from within Windows), which all the other family members are a part of, I granted it read & execute access but denied write access. Did this for all 3 of my shares.

Next, I added another user to each of the 3 Windows shares called Media, which is a member of its own group. I granted this account full access as it's a dedicated account to only be used by my media streamer (WDTV).

Next, I created a dataset called SFTP with an owner called SFTP too which has full access to itself. No group is assigned to this dataset. This allows me to SFTP into my FreeNAS box from outside of my network and ONLY gain access to the SFTP folder and nothing else. This way, if my SFTP account and connection is compromised, the hacker won't be able to get to anything other than the SFTP dataset!

I then created my Plex jail and configured its IP settings. Then followed the instructions from earlier in this thread about assigning it to the Plex account. This means the jail runs under the Plex account, which has its own permissions, instead of running as a Guest, which is insecure.

Took a long time to get my head around how things work but was worth it.

Hope my experience helps someone out.
 

wutang200

Dabbler
Joined
Apr 1, 2014
Messages
37
Just need to go and buy a hardware firewall that allows Stateful Packet Inspection to stop these Chinese guys from brute forcing my SFTP connection lol.
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
If you want your next adventure, you can go with pfSense or one of the Linux LAMP distributions and set up a firewall. There are several distros that offer GUI-based configuration. pfSense is based on BSD and works really well.
 

wutang200

Dabbler
Joined
Apr 1, 2014
Messages
37
Are you talking about me ditching FreeNAS for another variant of the FreeBSD O/S?

It's not worth the hassle in my opinion! It means understanding and learning everything all over again. I've been heavily reading and going through FreeNAS documentation to get a better understanding of it.

 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Nope, I was just commenting on your need to buy a hardware SPI firewall.
 

alexg

Contributor
Joined
Nov 29, 2013
Messages
197
Technically it may be possible to do that and you will find several posts on how to. However, from a security perspective, I would strongly advise against it! Just find any old computer with minimum memory and two NIC cards. Most of these Linux or BSD based firewalls can run on 256M of memory and old Pentiums.
 

wutang200

Dabbler
Joined
Apr 1, 2014
Messages
37
> Technically it may be possible to do that and you will find several posts on how to. However, from a security perspective, I would strongly advise against it! Just find any old computer with minimum memory and two NIC cards. Most of these Linux or BSD based firewalls can run on 256M of memory and old Pentiums.


Unfortunately space is a big issue for me so I'll just buy an off the shelf firewall unit by Cisco or Netgear that offers stateful packet filtering. This will keep the size down to a minimum where an old PC will take up quite a bit of room.
 

wutang200

Dabbler
Joined
Apr 1, 2014
Messages
37
Just to update this thread for anyone else that comes across this kind of a headache.

The best thing I did was to ditch FreeNAS and install XPEnology (based on the Synology Disk Manager)! Found it much much simpler to understand and configure permissions than FreeNAS without even reading any documentation!

Extra benefits over FreeNAS:

- Works really well even with 2GB RAM although I wasted my money and bought 8GB!
- Saved me £200 as it includes a built-in firewall which works well against DDoS attacks as well as Chinese hackers trying to brute force my SFTP connection
- Only uses 1 IP address for everything as no need to create tedious jails to do things!
- Plex took me just 10 minutes to set up, including setting up permissions how I wanted them as per my original post. FreeNAS took me days and lots of reading through documentation!
- I can plug USB 2.0 and 3.0 devices directly into my box and access them through XPEnology (wasn't supported on FreeNAS)
- I didn't need to rely on setting up Windows ACLs for the shares as the system handles the permissions very well. No need to do anything on the command line like I had to on FreeNAS
- Hybrid RAID allows you to expand your RAID pool by adding disks later instead of requiring all the disks to be purchased first to create the RAID pool
- Supports wireless connections
- Supports Bluetooth

Hopefully it saves others the headache of going through what I went through with FreeNAS.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Good for you.. but it's not a "RAID pool". It's a RAID, and it's *not* ZFS (found by 1 minute of Googling), which is the main feature people want. You've given up one of the most advanced file systems ever created to protect data integrity.

Some of your stuff is purely superficial... you're going to be upset because you can't have 1 IP for everything? You're upset because you can't run security software on a file server (which you *shouldn't* do anyway)?

While FreeNAS isn't for everyone, if you are happy that's all that matters. It's your data to keep or lose based on your choices.

Me personally, I'm happy as a clam that I have ZFS and I'd never try one of those old "last-gen" file systems. ;)
 

wutang200

Dabbler
Joined
Apr 1, 2014
Messages
37
I couldn't care less about having ZFS as the XPEnology clearly has a lot more advantages and features than FreeNAS. Was just stating my own experience with FreeNAS and to save other people time.

Data integrity wise, if it's good for high end Synology NAS servers, I'm pretty sure it's good enough for me! Just seems more of a complete solution to me when using after FreeNAS how I did.

LOL I'm far from upset, I'm actually very happy about switching. Although, at times I feel like this XPEnology is too good to be true. Very glad I found it and went for it.

 