SMB shares never have correct permissions, also no guest access

pcmofo

I have two problems with my new 11.3-U2 install. 1) I can't get ACL permissions for my SMB shares to ever write files as 775 2) I can't get guest access to work at all.
I jumped ship after using FreeNAS since v8, just before v10, and now I'm back and ACLs are a thing. That's fine. I have 3 primary users, a few shares, easy right? Apparently not.

Most of my shares should be 775, where only users in the home group can write, but guests can read.
A few shares only a single user should have access to, and no one else should be able to read or write (700), e.g. backups etc.

I set up a test dataset, made myself the owner brett:home and set up the ACL so that owner can do everything, @group can do everything, @Everyone can do everything, etc. Should be 777, right? Nope, somehow it's -rw-rwxr--+. I have tried various combinations of ACL permissions, removing, adding, resetting. I have about 20 hours over 3 days now playing with this. It's getting old fast.

I also tried setting the default file mask in SMB to 0777, and I get -rw-rwxrw-+. Close, but no cigar.

I'm not sure if this is affecting my ability for guest access or not. I've reset the dataset to 777 and guests can't even browse. I made a guest:guest user, set that to guest, also tried setting brett:home to guest, no luck with either of those.

I've watched the latest iXsystems ACL videos, Lawrence Systems videos, and countless others. Anyone know what the heck might be going on here?
 

anodos

Sambassador
iXsystems
ls -l doesn't give you the full picture for permissions. You need to use "getfacl" to see it. The "+" next to the mode indicates that the permissions cannot be fully expressed as a POSIX mode without losing information. File masks in SMB aren't used if an ACL is present. An easy permissions setup for you might be this:

Edit the ACL, select the "restricted" template. Change the "group@" ACL entry to "FULL_CONTROL", change the everyone@ ACL entry to READ. Make sure all have INHERIT set, click "recursive", and click "apply".

Guest access requires some changes on the Windows side to get it to work correctly. It's a feature that's becoming increasingly difficult to configure due to security changes in client OSes.
 

pcmofo

Thanks for the suggestion. I tried what you said and got these results when transferring a file as the owner

Code:
root@nas[/mnt/master]# getfacl smbtest
# file: smbtest
# owner: brett
# group: home
        group:home:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
         everyone@:--------------:fd-----:allow
root@nas[/mnt/master]# cd smbtest
root@nas[/mnt/master/smbtest]# getfacl log19.txt
# file: log19.txt
# owner: brett
# group: home
        group:home:rwxpDdaARWcCos:------I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow
root@nas[/mnt/master/smbtest]#


To be more specific, I have several shares that FreeNAS is sending to an app server via NFS. The app server manages downloading and storing to the media share, and I was hoping to have read access over SMB for guests on this share so anyone could grab something. I'm wondering how setting an ACL or changing permissions recursively might affect the NFS portion of the share. Most other shares are NFS or SMB only.

I still can't access the SMB share without a user. I guess I could use a dummy guest:guest account with read only access.
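
Added example (not part of the thread and not FreeNAS code): a small Python reader for the NFSv4 `getfacl` output posted above, showing why the `ls -l` mode understates what the ACL on log19.txt grants. It applies the ordered NFSv4 rule in simplified form (no root or implicit owner rights); the users `alice` and `guest` and their group memberships are assumptions.

```python
# Constructed input: the log19.txt ACL exactly as printed by getfacl in the thread.
SAMPLE = """\
# file: log19.txt
# owner: brett
# group: home
        group:home:rwxpDdaARWcCos:------I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow
"""

def parse_getfacl(text):
    """Return (owner, group, entries) from FreeBSD NFSv4 getfacl output."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        elif line:
            # Special tags have 4 fields; user:/group: entries have 5.
            *who, perms, flags, kind = line.split(":")
            entries.append((tuple(who), set(perms) - {"-"}, set(flags) - {"-"}, kind))
    return meta.get("owner"), meta.get("group"), entries

def applies(who, user, groups, owner, group):
    """Does this ACL entry's principal match the requesting user?"""
    if who == ("everyone@",): return True
    if who == ("owner@",): return user == owner
    if who == ("group@",): return group in groups
    return (who[0] == "user" and who[1] == user) or (who[0] == "group" and who[1] in groups)

def check(text, user, groups, wanted):
    """Ordered evaluation: the first matching entry naming a bit decides that bit."""
    owner, group, entries = parse_getfacl(text)
    undecided = set(wanted)
    for who, perms, flags, kind in entries:
        if "i" in flags or not applies(who, user, groups, owner, group):
            continue  # inherit_only ("i") entries never apply to the object itself
        hit = undecided & perms
        if hit and kind == "deny":
            return False
        undecided -= hit
    return not undecided  # bits that no entry allowed are denied
```

With this ACL, any member of `home` can write log19.txt through the inherited `group:home` entry even though the `group@` line shows read only, while a user outside `home` gets read but not write.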
 