Permissions changing on their own everynight

[scottroberts6]

Hello,

Quickly, for reference:
FreeNAS 8.3.0 - Release
1 Volume (5 disks; Raid Z1)
Shared via CIFS for Anonymous/Guest access (per wiki instructions)

Everything worked fine for a few months, but lately I've been having serious issues with permissions. Every night, the permissions on the main volume ("SERVER") are somehow being changed so that the "guest" account can only read (but not write). Currently, my only workaround is to get to the office before anyone else and run the following:

chmod -R 777 /mnt/SERVER​

This fixes the issue, but inevitably the next morning I will see access denied whenever I try to delete, rename, or save to any file or folder. Also, when I check the "guest" account I see that Write permissions is UNchecked for group and other. I continually RE-check those boxes and they stay checked for a while, but ultimately they end up becoming unchecked again. The same is true if I check the "Change Permissions" dialogue for the volume in question.

I am posting screenshots of the various parts of my configuration in the hopes that they will help.

The issues seemed to begin after I enabled the SSL service and created several new user accounts to allow some users to connect via SFTP. Those users home directory is set to "/nonexistent" and the permissions for those users are set to 777.

Is it possible that there is some nightly cronjob that attempts to "fix" permissions based on some set of parameters? I'm at a loss as to how to keep things in order without constantly fixing permissions.

I appreciate the support of the tremendous FreeNAS community, and I'm sure that whatever is going wrong here is my fault and I don't mean to seem like I'm blaming anyone else or complaining - you can't complain about free!

Thank you!

 

[pirateghost]

I'm pretty sure that your 'anonymous' authentication and guest only access negates the use of a guest account. Aside from your use of the 'homes' directory options on your share and the use of a guest account I have the same setup without any such issues.

I think your problem stems from trying to take ownership of the share with the guest account considering your other permissions contradict the use of such ownership.

I could be wrong but I have never configured any user account access or permissions on an anonymous authenticated guest share before.

Sent from my Galaxy Nexus

 

[scottroberts6]

I'm not sure I follow you, so forgive me if I'm misunderstanding, but it sounds like you do not think the guest account is necessary? I followed the instructions in the wiki which specifically direct the user to create a "guest" account:

1. Create a guest user account to be used for anonymous access in Account → Users → Add User with the following attributes:​

• • Username: guest
  • Home Directory: browse to the volume to be shared
  • check the Disable logins box

If my understanding is correct, whenever any user "logs in" to the share, their login credentials are ignored/replaced with "guest" (no password) and they are logged on as said user. Thus, if ownership of the volume is under guest:guest/777, then every user should be the "owner" of the volume, allowing unrestricted access? The problem is that, for whatever reason, the "guest" account is losing control of the write perms every night for reasons that are beyond me. Again, this is per the wiki:

2. Associate the guest account with the volume to be shared in Storage → Volumes. Expand the volume's name then click Change Permissions. Select guest as the Owner(user) and Owner(group) and check that the permissions are appropriate for the share. If non-Windows systems will be accessing the CIFS share, leave the type of permissions as Unix. Only change the type of permissions to Windows if the share is onlyaccessed by Windows systems.​

3. Create a CIFS share in Sharing → Windows (CIFS) Shares → Add Windows (CIFS) Share with the following attributes:​

• • Name: freenas
  • Path: browse to the volume to be shared
  • check the boxes Allow Guest Access and Only Allow Guest Access
  • Hosts Allow: add the addresses which are allowed to connect to the share; acceptable formats are the network or subnet address with CIDR mask (e.g. 192.168.2.0/24 or 192.168.2.32/27) or specific host IP addresses, one address per line

4. Configure the CIFS service in Services → CIFS with the following attributes:​

• • Authentication Model: Anonymous
  • Guest Account: guest
  • check the boxes boxes Allow Empty Password and Enable Home Directories
  • Home Directories: browse to the volume to be shared

If something I've done doesn't match that I'm not seeing it...

I'm not sure how/why "enable home directories" was checked or the path configured. I have changed that (unchecked, and left blank). Is this possibly the source of the issue?

 

[pirateghost]

I do not even HAVE a user called guest on my system.

My CIFS service is set to 'nobody'
My volumes/datasets are owned by 'nobody' and 'nogroup'

Which I suppose is the same thing as setting a 'guest', but I have never done anything of the sort to configure my open shares.

In looking at your screenshots a little closer (I'm on my laptop now), I noticed you are using WINDOWS ACL, thats really the only other major difference I see between my setup and yours, aside from the user and the home directory settings. I do not ever use the Windows ACL on my FreeNAS boxes, simply because I have never seen it work properly.

Maybe try setting the ACL to UNIX ACL?

 

[scottroberts6]

Perhaps this is the way to go then... what's up with the wiki making up a bunch of unnecessary steps? Anyway, I'll give it a shot and report back when I know more.

Thanks!

 

[pirateghost]

Don't know. I never followed any wiki to set up my shares. I used the documentation and trial and error.

Sent from my Galaxy Nexus

 

[gpsguy]

Like pirateghost, I don't use guest either.

You might want to take a look at the last message in this thread: permissions-set-up-example-for-dummies. NASA posted a "how to", earlier today.

 

[cyberjock]

Yeah, you shouldn't be creating a "guest" account at all. Not sure why they wiki says you should. That's just crazy talk.