Question about CIFS sharing / Can't delete file or folders "sometimes"

Status
Not open for further replies.

BlazeStar

Patron
Joined
Apr 6, 2014
Messages
383
Hi guys,

I have this setup:

FreeNAS 9.2.1.8
One volume, several datasets.

For sharing, I use CIFS and NFS.

I have a separate machine that allows SFTP connections, and so the SFTP users can access the FreeNAS NFS shares... I did it this way so FreeNAS stays "unexposed" to the Internet (or, you know, at least not directly).

Every dataset was created for a CIFS share.

All datasets have USER = root and GROUP = a group that has the same name as the share / dataset.

All permissions are UNIX permissions set to 770

Now my problem is:

Sometimes, when someone uploads a file or creates a directory, it is absolutely impossible to delete it...

When I SSH into FreeNAS and check out the permissions, they are (for example)
user = nobody, group = the good one, permission = 770

So nothing wrong there?!?

The only thing I noticed is that at the end of the file name there is a *
(correct me if I'm wrong but this simply means the file is executable?)
I don't know if it's related

So just to make sure:

user X uploads a file to a share called A
the share A is sharing the dataset A and belongs to group A
user X uploads it through FTP and because it passes through NFS, the file has user = nobody (which I don't see why it'd be an issue)
However, the file has group A (which is good) and permissions 770 (which is also good)

I open the CIFS share A and see the file.
I can't delete it!
Why???


Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
First off, do not share the same dataset with multiple protocols.

The reason why you can't delete it is probably because of ACLs, which you can view by entering 'getfacl [file or folder]'.
 

BlazeStar

I'm wondering about this part:

First off, do not share the same dataset with multiple protocols

Why?

And how would I be able to achieve what I described without doing so?

I could always use CIFS to share the folder on the other SFTP service but then I would lose all the awesome benefits of NFS (asynchronous writes, etc.)
 

BlazeStar

The reason why you can't delete it is probably because of ACLs, which you can view by entering 'getfacl [file or folder]'.

Here's the result of getfacl:

Code:
# owner: nobody                                                                
# group: srh                                                                   
            owner@:rwxp--aARWcCos:------:allow                                 
            group@:rwxp--a-R-c--s:------:allow                                 
         everyone@:------a-R-c--s:------:allow 
 

anodos

Here's the result of getfacl:

Code:
# owner: nobody                                                               
# group: srh                                                                  
            owner@:rwxp--aARWcCos:------:allow                                
            group@:rwxp--a-R-c--s:------:allow                                
         everyone@:------a-R-c--s:------:allow 

See the setfacl manpage for an explanation of these ACL entries. The short answer is that the group lacks "delete" privileges. The reason why it lacks the privileges is because you're mixing and matching protocols and using NFSv4 ACLs. The appropriate way of setting up remote access for CIFS shares is through a VPN. BTW, Samba has AIO support baked into it.
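
Added example (not part of the original posts): a small Python decoder for the compact NFSv4 ACL lines that getfacl printed in this thread, showing that none of the three entries carries d (delete) or D (delete_child). The function and variable names are made up for this example; the letter order is the one documented in setfacl(1) on FreeBSD.

```python
# Compact NFSv4 permission letters, in the slot order getfacl prints them
# on FreeBSD (setfacl(1)); '-' in a slot means the right is not granted.
PERM_SLOTS = [
    ("r", "read_data"), ("w", "write_data"), ("x", "execute"),
    ("p", "append_data"), ("D", "delete_child"), ("d", "delete"),
    ("a", "read_attributes"), ("A", "write_attributes"),
    ("R", "read_xattr"), ("W", "write_xattr"), ("c", "read_acl"),
    ("C", "write_acl"), ("o", "write_owner"), ("s", "synchronize"),
]

# getfacl output as posted in the thread.
THREAD_ACL = """\
# owner: nobody
# group: srh
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
"""

def parse_acl(text):
    """Return [(principal, granted_rights, flags, ace_type), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the "# owner:" / "# group:" header
        fields = line.split(":")
        if len(fields) < 4 or len(fields[-3]) != len(PERM_SLOTS):
            raise ValueError(f"not an NFSv4 ACL entry: {raw!r}")
        # Last three fields are perms, flags and type; what precedes them
        # is "owner@" or a qualified principal such as "group:srh".
        perms, flags, ace_type = fields[-3:]
        principal = ":".join(fields[:-3])
        granted = set()
        for ch, (letter, name) in zip(perms, PERM_SLOTS):
            if ch == letter:
                granted.add(name)
            elif ch != "-":
                raise ValueError(f"bad letter {ch!r} in {perms!r}")
        entries.append((principal, granted, flags, ace_type))
    return entries

def delete_rights(text):
    """Map each allow entry's principal to its (delete, delete_child) bits."""
    return {p: ("delete" in g, "delete_child" in g)
            for p, g, _flags, t in parse_acl(text) if t == "allow"}

if __name__ == "__main__":
    for who, (d, D) in delete_rights(THREAD_ACL).items():
        print(f"{who:>10}  delete={d}  delete_child={D}")
```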
 

BlazeStar

Thank you for your reply!

Interesting... but VPN makes things much slower...

How about I mount CIFS shares on my "SFTP Server" instead of NFS shares?

Would that solve the problem?


Thanks!
 

BlazeStar

Ok so I just removed all NFS shares and now all my shares are only mounted with CIFS.

I still have the problem described above though.

By the way, now that only CIFS is used, should I change the permission type of all my shared datasets to WINDOWS??
 

anodos

Ok so I just removed all NFS shares and now all my shares are only mounted with CIFS.

I still have the problem described above though.

By the way, now that only CIFS is used, should I change the permission type of all my shared datasets to WINDOWS??

  1. Change permissions type of datasets to "Windows"
  2. Set your admin user as owner of datasets
  3. Authenticate with admin user
  4. Navigate to \\server
  5. Right-click on share and click on "properties" -> "security"
  6. Edit the ACE for the group "srh", check the box "modify" and hit Apply and OK
 