Question regarding managed users/permissions - NFS vs Samba

Status
Not open for further replies.

boatymcboatface

Dabbler
Joined
Jul 11, 2016
Messages
34
Greetings! I'm looking for some advice.

I've been reading up on NFS and Samba permissions on FreeNAS. I know the two are not to be mixed.
My current use case is that I have a (virtualized) FreeNAS box, alongside which I have several other virtual boxes doing various things to three volumes. I have no option to create separate volumes with different permission types so it's either Windows or Unix permissions across the board.
All VMs are Linux based, all my network clients are Windows based.
I set things up with Windows security with basically all permissions for everyone, because for my use case that didn't really matter.

I get stuck a bit however with setting up things like FTP services on FreeNAS as sure enough those clients try to CHMOD etc when doing directories, and that fails as the Windows security prevents it.

Since all my clients run Windows 10 which I believe natively supports an NFS client, I figured I could perhaps switch everything to Unix permissions instead.
What I was wondering though - what is the best way to set up security per user?

Basically what I would like to achieve is that the various VMs (Plex for example) can authenticate in such a way that I have alignment with the UUIDs on the users on FreeNAS and the users on the local Plex, so to speak. I would like the Windows clients to also use "proper" authentication so I can map their (home) drives automatically, perhaps, or at least keep ownership and access neat and tidy.
What is the best way to go about that?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
If you're only trying to get FTP to work on the same dataset as an SMB share, you might be able to just set the following auxiliary parameter in your FTP config
Code:
<Limit SITE_CHMOD>
  DenyAll
</Limit>

This will basically tell the FTP server not to let clients try to chmod. The other alternative is to not use ACLs on the Samba share and set permissions type to "Unix". This requires disabling the "zfsacl" VFS module in Samba. I personally wouldn't mess with trying to use NFS on Windows.
 

boatymcboatface

Dabbler
Joined
Jul 11, 2016
Messages
34
If you're only trying to get FTP to work on the same dataset as an SMB share, you might be able to just set the following auxiliary parameter in your FTP config
Code:
<Limit SITE_CHMOD>
  DenyAll
</Limit>

...The other alternative is to not use ACLs on the Samba share and set permissions type to "Unix". This requires disabling the "zfsacl" VFS module in Samba...

Would you recommend going down the path of Forceuser = then or something in the Samba config to avoid permission issues?
What is the easiest way to let other (Linux based) users authenticate so I don't have to synchronize UUIDs across Linux installs? I ran into ownership issues before and found that quite the pain.
Many thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Would you recommend going down the path of Forceuser = then or something in the Samba config to avoid permission issues?

Whether that's a suitable workaround depends on your environment.

What is the easiest way to let other (Linux based) users authenticate so I don't have to synchronize UUIDs across Linux installs? I ran into ownership issues before and found that quite the pain.
Many thanks!

If you have a medium to large environment with a mixture of Linux and Windows boxes, I'd personally look into setting up Active Directory and going with single sign-on everywhere. If the IDMAP backend is properly configured on the Linux (so that it matches what's on your FreeNAS server), then you will have identical UIDs / GIDs for domain users and groups in your entire environment without having to use RFC2307 extensions. But this also has the downside of requiring some familiarity with Active Directory.
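
A consistency check for the matching-IDMAP point above, as an added example that is not part of the thread: it compares the `idmap config` lines of two hosts and computes the UID each would assign to the same domain RID. It assumes Samba's algorithmic `rid` backend (the thread does not name a backend); the smb.conf excerpts, the domain name EXAMPLE, the ranges and RID 1105 are all constructed.

```python
import re

# Constructed smb.conf excerpts (not from the thread); EXAMPLE is a placeholder domain.
FREENAS_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 90000001-100000000
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 20000-90000000
"""
LINUX_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def idmap_settings(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    settings = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            settings.setdefault(domain.upper(), {})[option.lower()] = value
    return settings

def mismatches(conf_a, conf_b, domain):
    """Options for `domain` whose values differ between the two hosts."""
    a = idmap_settings(conf_a).get(domain.upper(), {})
    b = idmap_settings(conf_b).get(domain.upper(), {})
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def rid_to_uid(conf_text, domain, rid):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0)."""
    s = idmap_settings(conf_text)[domain.upper()]
    if s.get("backend") != "rid":
        raise ValueError("mapping is only computable for the rid backend")
    low, high = (int(x) for x in s["range"].split("-"))
    uid = rid - int(s.get("base_rid", 0)) + low
    if not low <= uid <= high:
        raise ValueError("RID maps outside the configured range")
    return uid

if __name__ == "__main__":
    print(mismatches(FREENAS_CONF, LINUX_CONF, "EXAMPLE"),
          rid_to_uid(FREENAS_CONF, "EXAMPLE", 1105), rid_to_uid(LINUX_CONF, "EXAMPLE", 1105))
```

With the constructed ranges the same domain user gets a different UID on each host, so file ownership seen from the Linux VM would not line up with what the FreeNAS server stores until the ranges match.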
 