Simple example of how to configure share permissions - FreeNAS 9

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Step 1: Create Dataset
00.Create Dataset.JPG

Comment:
You should create and share out datasets. Do not manipulate permissions / share out the main dataset of your pool. Set "Share Type" to "Windows".

Step 2: Create Group
01.Create Group.JPG

Comment:
This should be the group you use to administer the share.

Step 3: Create User
02 Create User.jpg

Comment:
If you check the box "disable password login" you will lock the user out from your CIFS shares. Don't turn knobs you don't understand.

Step 4: Change Dataset Owner and Switch Permissions Type to "Windows"
03. Change Dataset Owner.JPG


Step 5: Add Windows (CIFS) Share
04. Add Windows (CIFS) Share.JPG


Step 6: Navigate to Server
05. Navigate to Server.JPG


Step 7: Fine-Tune Permissions
06. Fine-Tune Permissions.JPG

Comment:
Right-click on your share, then click on "properties" and the "security" tab. For reference on how to set permissions see here:
http://windows.microsoft.com/en-us/windows/what-are-permissions
https://msdn.microsoft.com/en-us/library/bb727008.aspx

Caveat: if you have been mucking around with permissions prior to taking these steps, you may need to unmap any network drives and clear cached / saved credentials.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
Do not manipulate permissions / share out the mail dataset of your pool.
Typo there ;)

Comment: A general observation I've noticed is that samba likes it better when you don't create groups with the same names as your user. Switch primary group to the one the user should be a member of.
So the "have a group just for yourself with the same name" thing causes problems with Samba? Great, just what I needed after going through the pain of making neat groups for the existing users... :rolleyes:
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Typo there ;)
I've noticed I make a lot of those these days. It might be lack of sleep, mind slipping, etc. It might also be that I am slowly becoming a crotchety old man who no longer gives a crap about his spelling, grammar, and punctuation. You should see the looks I get from people who have to proof-read what I right. :) Though, it might also be because I will sometimes randomly run a few paragraphs through the "swedish chef translator" midway through a 150 page document. Heh. Sometimes you have to make sure people are doing there jobs.

So the "have a group just for yourself with the same name" thing causes problems with Samba? Great, just what I needed after going through the pain of making neat groups for the existing users... :rolleyes:

Background: I have two users who are excellent samba fuzzers.

A long time ago I saw a git commit message stating that groups with the same name as users were bad samba juju (of course, I could be totally misremembering. Mind slipping and all that jazz). I have noticed the following (I'm not sure if this is the case on recent versions of samba and FreeNAS, and reproducing the bug was always a challenge for me but not my two samba fuzzers). Suppose I have a user "wilbur" and a corresponding group "wilbur", and another user "user1". Then I make a dataset "badger" owned by "wilbur:admins" and apply default permissions. The end result sometimes appears as:
Code:
# file: /mnt/Tank/badger
# owner: wilbur
# group: admins
group:wilbur:rwxp-daARWc---:fd----:allow
group@:rwxpDdaARWcCo-:fd----:allow

So a "group" ACE is generated rather than the special "owner@" ACE. Then I fuzz the samba share by letting users "1" and "2" have at it. Somehow they ended up generating the following:
Code:
# file: GoatPron.wow
# owner: user1
# group: admins
owner@:r-------------:------:deny
group:wilbur:rwxp-daARWc---:fd----:allow
owner@:-wxp--aARWcCos:------:allow
group@:rwxpDdaARWcCo-:fd----:allow
everyone@:-wxp--a-R-c--s:------:allow


So evidently, samba got confused by the lack of owner@ ACE in the root directory of the share when file ownership changed through user1 generating a new file. Then in typical samba fashion (2+2 = 15), I ended up with random "deny" ACE being generated for the file owner with a few other random ACEs being generated for good measure. The problem didn't seem to appear if the dataset was owned by a user who didn't have an identically-named primary group.

Users 1 and 2 have almost feline levels of unreliability in reproducing the results of their samba fuzzing and almost feline levels of indignation when I try to get their fuzzing methods from them (they think I'm mocking their ability to properly use a computer). That means this is all very unscientific. I'm probably contributing my own samba voodoo to the community, but I haven't had coffee yet and I woke up too early.

I haven't had the problem since Thor's Hammer came down on permissions through the zfs aclmode property, but a part of me wonders if this (aclmode=restricted) was just a workaround to problems with the smb.conf parameter "nfs4:mode=special" or how samba handles nfsv4 acls. Alas, this is far above my paygrade as a lowly server-herder.

Crap, now that I have written all this stuff up I don't think the problem was really related to the groups at all. Well... here goes one more revision to my "simple" sharing guide.
 
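The three things visible in the two listings in the post above (no `owner@` allow ACE on the share root, a `deny` ACE on the new file, and a writable `everyone@` ACE) can be checked mechanically. The following is an added example, not part of the original post or of FreeNAS; `parse_acl` and `audit` are hypothetical names, and the listings are the ones posted, with the second file name replaced by a neutral one.

```python
def parse_acl(text):
    """Parse one FreeBSD getfacl NFSv4 listing into (meta, aces)."""
    meta, aces = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):  # header lines such as "# owner: wilbur"
            key, _, value = line.lstrip("# ").partition(":")
            meta[key.strip()] = value.strip()
            continue
        parts = line.split(":")
        # owner@/group@/everyone@ have 4 fields; user:/group: entries have 5
        who = parts[0] if parts[0].endswith("@") else ":".join(parts[:2])
        perms, flags, kind = parts[-3:]
        aces.append({"who": who, "perms": perms, "flags": flags, "type": kind})
    return meta, aces

def audit(text):
    """Return findings for the anomalies described in the post."""
    meta, aces = parse_acl(text)
    findings = []
    if not any(a["who"] == "owner@" and a["type"] == "allow" for a in aces):
        findings.append("no owner@ allow ACE")
    for a in aces:
        if a["type"] == "deny":
            findings.append("deny ACE for " + a["who"])
        elif a["who"] == "group:" + meta.get("owner", ""):
            findings.append("named group ACE shares the owner's name: " + a["who"])
        elif a["who"] == "everyone@" and "w" in a["perms"]:
            findings.append("everyone@ is allowed to write")
    return findings

# Listings as posted in the thread (second file name is a neutral placeholder).
SHARE_ROOT = """\
# file: /mnt/Tank/badger
# owner: wilbur
# group: admins
group:wilbur:rwxp-daARWc---:fd----:allow
group@:rwxpDdaARWcCo-:fd----:allow
"""
NEW_FILE = """\
# file: example.file
# owner: user1
# group: admins
owner@:r-------------:------:deny
group:wilbur:rwxp-daARWc---:fd----:allow
owner@:-wxp--aARWcCos:------:allow
group@:rwxpDdaARWcCo-:fd----:allow
everyone@:-wxp--a-R-c--s:------:allow
"""
if __name__ == "__main__":
    print(audit(SHARE_ROOT), audit(NEW_FILE), sep="\n")
```
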
Joined
Jan 9, 2015
Messages
430
GoatPorn.....haha
Wonder how many people will notice?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
I don't think I clicked on anything. Those are checked by default.
I think that's actually a workaround to the user/group with same name problem. ;)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
I think that's actually a workaround to the user/group with same name problem. ;)
Hey, this is my thread. I'm the only one allowed to make short delphic utterances here. ;) Anyway, I cut out that comment because either (1) it's a bug and should be reported or (2) it's my imagination and I should actually do more research before posting stuff. Either way, it shouldn't be in a 'simple example'.
 

Rainwulf

Explorer
Joined
Jul 12, 2015
Messages
67
Is it really bad if you just have 1 large dataset, and then create folders inside that dataset and share them all? They all have the same permissions. It's what I would do on a Windows storage drive.


I tried the other method, 1 dataset per share, but free space kept changing as I was copying to the share. It seemed a bit.. weird. So I just created one dataset, and under that created my share folders, and shared each folder out with CIFS.

So is this BAD or just bad. I remembered reading something about samba getting confused with different permissions, but all mine are identical.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
Is it really bad if you just have 1 large dataset, and then create folders inside that dataset and share them all?
Yes. Make sub-datasets instead.
 

Rainwulf

Explorer
Joined
Jul 12, 2015
Messages
67
But then they change size depending on how much data is in the other datasets, is that normal behaviour?
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
But then they change size depending on how much data is in the other datasets, is that normal behaviour?
I think they just show how much space is available to them depending on how much space is left on the pool. But Windows calculates it differently, as total size equals amount used plus free space. If you don't like this behaviour you can just set quotas for the datasets, which can be done so as not to include size used by child datasets. But it is all purely cosmetic really.
 

Rainwulf

Explorer
Joined
Jul 12, 2015
Messages
67
Ah. I just want to treat this thing as a gigantic pool of data with folders that indicate its contents.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Ah. I just want to treat this thing as a gigantic pool of data with folders that indicate its contents.
I think you will get the effect you want if you just have a single dataset (ignoring the system generated ones, which are pretty small), and set a quota of about 90% (but don't use it all) of the pool, to include child datasets. And then make directories below this. I think if you then share the dataset and use Windows to set permissions on the directories as desired then FreeNAS and Windows will agree about how much data and total size, though not necessarily about the size of each folder. ICBW!

Edit: the multiple child datasets shared separately is a much tidier solution, but it does seem to have the size anomaly you have noted, resulting in seeming to have a total size much bigger than the real one.
 

Rainwulf

Explorer
Joined
Jul 12, 2015
Messages
67
Ahh, I see what you mean!
So my server (which is called riva) will just have one share, so \\riva\public
and then the other shares sit inside that one?
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
I'm not an expert, but I think so!
 

Rainwulf

Explorer
Joined
Jul 12, 2015
Messages
67
Mm, I can't see how that's different than having \\riva\share1 and then \\riva\share2, and share1 and share 2 are just folders inside the same dataset.
I just want to emulate my current Windows server heh
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Mm, I can't see how that's different than having \\riva\share1 and then \\riva\share2, and share1 and share 2 are just folders inside the same dataset.
I just want to emulate my current Windows server heh
The differences are firstly that sharing folders in the root pool just seems to work badly in unpredictable ways, and secondly that sharing a dataset below the pool means you can set a size quota on it. Your client machines won't show the shares any differently just because the path to them is a little longer.
 