Permissions mystery (Mac clients)

Status
Not open for further replies.

-fun-

Contributor
Joined
Oct 27, 2015
Messages
171
Can anybody please help me understand permissions in more depth? I have trouble accomplishing what I think should be easy to do.

My Setup:
  • I have two Mac Notebooks running Mavericks (OS X 10.9) and I expect more Macs with latest Mac OS in the next few months to join in. All Macs are used by one family member each.
  • Macs backup using Time Machine to FreeNAS on individual AFP shares. For this I created individual users for each Time Machine dataset.
  • There are no Windows machines (and will not be). I do not run a directory server and I do not intend to put home shares on the FreeNAS box.
My goal:
  • One common family share on my FreeNAS box must be available to all Macs / users.
  • Users must be able to work with their own files and folders.
  • Users must be able to modify file and folder permissions of their own stuff to grant or revoke access to other users.
  • All activities must be possible using the Mac Finder.
  • Users should be able to read files and folders of other users by default and to check who owns files and folders on the share.
  • Users should not be required to handle different identities for FreeNAS, especially not for using Time Machine as well as a family share. I can work around this however.
I read the FreeNAS manual (9.10). Setting up shares as explained there did not do what I need. (Users not being able to check and set permissions from Finder, users not being able to access other users' files and folders, etc.) What I found in the forum targets Windows rather than Macs.

How would I do this the best and easiest way? Is there a good how-to for Mac users I should read before asking more detailed questions?

-fun-
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
Ok I'm assuming you have the other "goals" of yours accomplished but are having trouble with the ones you specifically mentioned.

Users not being able to check and set permissions from Finder
To the best of my knowledge, this can't be done. I have never heard of someone or read anything on these forums of someone running a setup like that. Modification of permissions through Windows Explorer when you're running SMB shares with ACL permissions (Windows permissions) is very doable and is actually the preferred method, but this is not supported on the Mac side of things with "Mac permission" (I'm assuming that is what you're using, didn't see you mention that). I could be wrong, but I just don't think it is possible.

users not being able to access other users' files and folders, etc.
This should be possible if I am understanding what you are saying. This could be granted through modifying the group permissions. Although this may not work in your situation because I am assuming you are using a group with appropriate read/write access to give everyone access to the shared "family drive". Is that correct? If that is the case, I don't think there is a way around that unless you go into the CLI.
 

-fun-

Contributor
Joined
Oct 27, 2015
Messages
171
Thank you for your answer, sounds bad though.

I'm targeting a setup without command line to achieve wife acceptance.

If users can't check or even change permissions and if several users want to work with the same files and folders then the consequence is that all users must be authorized to do anything with any files or folders. If there is no other way, well, I'll try to set it up this way.

(Btw, what's wrong with the forum, has it been hacked? I'm bugged by awfully twisted ponylike creatures in the browser causing eye cancer. Does anyone else experience this also? Little girls might actually like it because of the colors.)

-fun-
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
If users can't check or even change permissions and if several users want to work with the same files and folders then the consequence is that all users must be authorized to do anything with any files or folders. If there is no other way, well, I'll try to set it up this way.
There are two parameters to controlling permissions from the GUI, owner:user and owner:group. You can set one type of permission (read, read/write, read/write/execute) for the owner of the dataset, and you can set one set of permissions for the group for the dataset (read, read/write, read/write/execute). You can also add a user to multiple groups but that is the extent of customization without going into the CLI (as far as I understand things).

Forum hasn't been hacked, check here for discussion:
https://forums.freenas.org/index.ph...-on-the-forums-please-read.52868/#post-365179
 

-fun-

Contributor
Joined
Oct 27, 2015
Messages
171
Thanks again. I got this to work as far as apparently possible: One user is now able to delete files created by another user, multiple users can add files to the share.

I need to do more and systematic testing though.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
For the backups, it might work better if the Time Machine datasets are owned by the respective users, rather than additional users that are created just for that.

One tip on permissions - don't ever alter the ownership or permissions of the root dataset (in the storage screen it appears right under the volume/pool line, but inset, and it has the same name).

Set dataset permissions in the WebGUI. I think users can adjust permissions in the Finder for folders and files created within the dataset, but should not mess with dataset permissions.
 

-fun-

Contributor
Joined
Oct 27, 2015
Messages
171
My Time Machine backups are already running fine. I have set up one Time Machine dataset for each Mac within one parent dataset reserved for Time Machine. The rationale for separate datasets is that they can be rolled back individually, which unfortunately I'm required to do from time to time when the datasets get corrupted and one of the Macs wants to start from scratch. I got the recommendation for the setup from this forum quite a while ago.

For the family share I now added an additional group. All family users are also members of this group and I grant permissions in the family share for this group. This works.

What I did not accomplish is that users can manipulate permissions of files from the Finder. If you have any tip to get this actually working, this would be great. However, after browsing through the netatalk documentation I suspect that without Directory Server this will not be possible.
 

strikeing_789d

Dabbler
Joined
Apr 7, 2017
Messages
13
Hi, not to join in on your thread, but I am a bit lost too. I am trying to do something kind of similar, but no. I am trying to have my Mac network users' home folders stored on FreeNAS. I got the FreeNAS set up; I can log into it from the server and read and write files. The problem I run into is getting the system (server) permissions correct to be able to read and write from the share. I can manually copy the home folder to the share, but what good is that if the LDAP server does not have permissions to read and write? I had a similar problem with an external HDD I plugged into the server, and all I had to do was allow everyone the permissions to read and write or add a group and/or user.

Breakdown of what I am trying to achieve:
-Have my already running LDAP server authenticate user logins
-Have their home folders stored on the NAS
I am not going to remake users on the FreeNAS server; that is pointless.

I know I can make this work, I just do not know how, and every time I try to change permissions on the share from the server it says I do not have permission.... :( Is there a way to run a command in the shell to allow access to everyone to read and write on the share? Because right now it says no access.

And yes, I have checked every box on the FreeNAS side in terms of permissions for the user I logged in with to connect to the share, as well as changed permissions for the dataset, share, mount point, etc.

Thank you for your time
 

Attachments

  • screenshot.png

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I got the FreeNAS set up; I can log into it from the server and read and write files.
??? from what server

I can manually copy the home folder to the share, but what good is that if the LDAP server does not have permissions to read and write?
Your post is kind of confusing. I don't know why you would copy a home folder to the FreeNAS server (it should be created when you create a user), but if you can, you can write to the server. But you say you can't.

You say you "changed permissions for the dataset, share, mount point, etc." You should not change permissions for the mount point or root dataset. When you look at the Storage > Volumes page of the WebUI, you will see at least one volume listed. In my example below, that is Ark. Below that is an indented line of the same name. That is the root dataset, created automatically. Leave both of those alone. If you don't have too much in it, you might be better off destroying your pool and starting over. Create datasets within the root dataset and set permissions for them.
Screen Shot 2017-04-19 at 5.30.34 AM.png


You show an image of permissions in the Finder. Apparently the AFP implementation in FreeNAS does not allow one to modify permissions from the Finder. I have not found this to be a problem, but others might.

Note that you set up basic permissions when you create the dataset. That determines access to the dataset. Then, when you create or edit a share for the dataset, you can set default permissions for files and directories (click the Advanced Mode button). If the owner has full permissions in both of those controls, and you access the share as the owner, there shouldn't be a problem.

If there is, either using the Console or via SSH, navigate to the directory you're having trouble with and do a long list (ls -l) and examine the ownership and permissions. You can change them with chown and chmod, but it might be easier to do it recursively in the WebGUI, Storage > Volumes > Change Permissions.

If you need more help, please post detailed information and images of ownership and permissions on a particular dataset, share, directory and file, including the output of ls -l. Also exactly how you are trying to access the share.
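
The ownership check and recursive fix described above, applied to the group-based family share set up earlier in the thread, as an added example that is not code from any poster. It assumes a dataset with Unix-style permissions and a shell on the FreeNAS box (Console or SSH); the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. audit_share, fix_share and make_sample
# are hypothetical helper names; the sample tree is constructed.

# audit_share DIR GROUP: print "<problem> <path>" per finding, nothing if clean.
audit_share() {
    dir=$1 group=$2
    # Entries that do not belong to the shared group.
    find "$dir" ! -group "$group" -print | sed 's/^/wrong-group /'
    # Files the group cannot both read and write (mode bits 060).
    find "$dir" -type f ! -perm -060 -print | sed 's/^/no-group-rw /'
    # Directories the group cannot list, enter and modify (mode bits 070).
    find "$dir" -type d ! -perm -070 -print | sed 's/^/no-group-rwx /'
    # World-writable entries are broader than a group-only share intends.
    find "$dir" ! -type l -perm -002 -print | sed 's/^/world-writable /'
}

# fix_share DIR GROUP: recursive chgrp/chmod repair: shared group,
# group rw on files, group rwx on directories (capital X), no world write.
fix_share() {
    chgrp -R "$2" "$1" && chmod -R g+rwX,o-w "$1"
}

# make_sample: build a constructed tree with three deliberate problems.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/photos" "$d/private"
    : > "$d/photos/a.jpg"; : > "$d/notes.txt"; : > "$d/scratch.txt"
    chgrp -R "$(id -g)" "$d"            # current user's primary group
    chmod 770 "$d" "$d/photos"; chmod 660 "$d/photos/a.jpg"
    chmod 700 "$d/private"              # owner-only directory
    chmod 644 "$d/notes.txt"            # group can read but not write
    chmod 666 "$d/scratch.txt"          # writable by everyone
    printf '%s\n' "$d"
}

# Demo: audit the sample, repair it, audit again.
tree=$(make_sample)
audit_share "$tree" "$(id -g)"
fix_share "$tree" "$(id -g)"
audit_share "$tree" "$(id -g)"
rm -rf "$tree"
```

On a real share, pass the dataset's mount path and the family group instead of the sample tree, and run the audit first so the findings can be reviewed before anything is changed.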
 

strikeing_789d

Dabbler
Joined
Apr 7, 2017
Messages
13
Hi, Thank you for your reply. So just to be clear I will go over again what I am trying to accomplish.

Current Setup (Working)

- I have a running Mac server with Open Directory services authenticating network users for login
- That currently running Open Directory server has the users' home folders (storage) stored on an external hard drive connected directly to the server (yes, I know it's slow)
~To get this working, all I did was open the Workgroup Manager on the Mac server and tell it where to make home folders. At first I had some permissions issues, so I literally right-clicked on my external hard drive and gave my network user group permission to access it, as well as creating a share of that external hard drive in the file sharing section of the server.


Future Setup (Not working)

-I recently bought another server and installed FreeNAS on it.
-Created a volume and then a dataset within that volume and shared that dataset over AFP for the Mac server
-I can see the NAS when I click on the "network" section in Finder, so I just click "connect as" and I log in as the user I created directly on the NAS, which, trust me, has full-fledged rights and ownership to everything
-I can copy files directly to the NAS, read files, etc. etc., no problem, but when I try to go into Workgroup Manager and point it to make home folders there (the NAS share) it gives me an error "unable to create home directory"
-I have typed in the home URL and full path to the share in different formats and paths with no luck.

To sum it up, I want to keep my existing Open Directory server running on the Mac and simply point the network users' storage to the new NAS server. I know it's not impossible, it's just a permissions thing, but I have checked every box, opened every permission for every dataset and volume, and the Workgroup Manager will not create home folders there.

Am I typing in the share URL/path wrong in the Workgroup Manager?
Is there a command to just allow everyone to read and write on the share?

Yes, I understand that you can make users and run directory services on the NAS, but I shouldn't have to do that. I just want my network users' storage (home folders) stored on the NAS and able to be accessed when they are logged in. Why is this so difficult?

Thanks.


P.S. My setup of volumes and datasets is exactly like yours in the screenshot, minus the names and the second dataset.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I don't have any experience with running a Mac server or workgroup manager as you described. Maybe someone with such experience will respond. But if you can fully access FreeNAS from your client computer but not your Mac server, I would say the problem is with the Mac server or how you're using it, not with FreeNAS setup.

I don't know what you mean by "clicking on the "network" section of the Finder". Do you mean from the menu bar, Go > Connect to Server? Try to be more explicit about what you're doing and it is more likely someone can help. Give actual paths. For example, when I click on Go > Connect to Server, one of the shares I can choose there is "afp://Tabernacle.local/Ark.Media". Tabernacle is my FreeNAS server's name, and Ark.Media is the name I gave to one of the shares.

I suggest you also try Apple's forums. And when you say, "Am I typing in the share URL/path wrong in the workgroup manager ?", I think no one could answer that unless you state exactly what you have typed in.

Finally, as I stated before, since you said you changed the permissions on the root dataset/mount point, I suggest you destroy the pool and start over, leaving them at the defaults.
 