NTFS ACL's are getting wrecked

Status
Not open for further replies.

martingl

Cadet
Joined
Apr 18, 2018
Messages
2
Hi,

We have a weird situation happening.

--

Here’s some infos on our config :

FreeNAS version 11.1U4
AD 2012 R2 Forest / Domain Functionnal Level
No UNIX extensions
No NIS server

The FreeNAS is not in production yet.

smb4.conf generated by FreeNAS attached to thread.

Code:
wbinfo -t
checking the trust secret for domain OURDOMAIN via RPC calls succeeded


klist list 3 principales at start ( krbtgt, ldap, cifs ) and seems to fall to 1 ( krbtgt ) after a while.

id a_username resolves ok and groups are listed within the idmap range

wbinfo -u and wbinfo -g lists are ok

One dataset per share. With initial permissions set on the dataset as (user: root / group: ourdomain/Domain Admins)

What’s happening:

I’m trying to move a Windows share content to a CIFS share (800GB) on FreeNAS via ROBOCOPY.

Here’s the Robocopy command line :

Robocopy \\windows_server\sharename \\freenas1\sharename /MIR /COPYALL

Requirements:

- Permission must follow (ACL)
- Ownership must follow


The problem we are having.

When running the robocopy after a period of time (unknown) FreeNAS begins to wreck the permissions and set various interpretations.

Example:

The share/files/folders should have these permissions:

- ad_group_a should have read access
- ad_group_b should full control
- specific_ad_user should be the owner of everything


if we transfer only a small part of the share (~10GB) everything is set correctly. If we transfert at least 500GB of data we start getting the issue.

On some files permissions are set to:

- Everyone read & execute
- Specific_ad_user has Full Control
- OURDOMAIN\Domain Admins ( interpreted as BUILTIN\Administrators in FreeNAS ) has Full Control

Instead of the source permissions describe previously.

I could post/add getfacls of both OK and Wrecked scenario and also post/add icacls from the windows side. If needed for clarification.
 

Attachments

  • smb4_conf.txt
    2.3 KB · Views: 335

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
To clarify, do you need permissions to match the source of the robocopy job or the destination where it is being copied to? I'm asking because /COPYALL in robocopy will copy the source ACL. Perhaps try with only /MIR.
 

martingl

Cadet
Joined
Apr 18, 2018
Messages
2
To clarify, do you need permissions to match the source of the robocopy job or the destination where it is being copied to? I'm asking because /COPYALL in robocopy will copy the source ACL. Perhaps try with only /MIR.

Hi

Yes as stated in the "requirements" I need the acl's to follow
 
Status
Not open for further replies.
Top