Updated to 11.3, paying for my mistakes

IT_Trashman

Cadet
Joined
May 12, 2021
Messages
2
I was running FreeNAS 11.1. I upgraded to 11.2 and then 11.3 because I have been having permissions issues for some time and was hoping gaining access to the ACLs would help me resolve this. Clearly not.

I have a single Pool, named StorageServer, which then contains my datasets, for example, a dataset name is Work, and there is a matching SMB share also for Work.

Under 11.1, things were functional, however I have permissions issues which I would like to resolve. For example, I have a dataset for FTP which I need in order to share out files, where I provide logins and they can hop in and pull files from the FTP share which requires strict permission controls, for example, my user should have full control, but other users should be limited to read only. Again, I was hoping updating to 11.3 and getting into the ACLs would help me resolve this.

Currently, I am unable to access any of the shares from Windows 10 build 20H2. I have removed all the shares entirely and only recreated a handful of shares, but have not been able to resolve the permissions aspect, and before digging myself any deeper, I'm here to hopefully get it all resolved.

I'm listing below several outputs in the hopes someone can maybe break down where I screwed up in here? I'm also not opposed to nuking all permissions and starting from scratch, however avoiding data loss is crucial.

Code:
root@freenas:~ # getfacl /mnt/StorageServer
# file: /mnt/StorageServer
# owner: root
# group: staff
            owner@:rw-p--aARWcCos:-------:allow
            group@:rw-p--a-R-c--s:-------:allow
         everyone@:rw-p--a-R-c--s:-------:allow


Code:
root@freenas:~ # testparm -sa
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
        aio max threads = 2
        bind interfaces only = Yes
        disable spoolss = Yes
        dns proxy = No
        enable web service discovery = Yes
        kernel change notify = No
        load printers = No
        logging = file
        max log size = 51200
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        restrict anonymous = 2
        server min protocol = SMB2_02
        server role = standalone server
        server string = FreeNAS Server
        unix extensions = No
        workgroup = HOME
        idmap config *: range = 90000001-100000000
        idmap config * : backend = tdb
        allocation roundup size = 0
        directory name cache size = 0
        dos filemode = Yes
        include = /usr/local/etc/smb4_share.conf


[FTP]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/StorageServer/FTP
        read only = No
        vfs objects = streams_xattr zfs_space ixnas zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


[Music]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/StorageServer/Music
        read only = No
        vfs objects = streams_xattr zfs_space ixnas zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


[Personal]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/StorageServer/Personal
        read only = No
        vfs objects = streams_xattr zfs_space ixnas zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


[Photos]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/StorageServer/Photos
        read only = No
        vfs objects = streams_xattr shadow_copy_zfs zfs_space ixnas zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


[Work]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/StorageServer/Work
        read only = No
        vfs objects = streams_xattr zfs_space ixnas zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


Code:
root@freenas:~ # net getlocalsid
SID for domain FREENAS is: S-1-5-21-2323056048-1179890799-4016471343



Code:
root@freenas:~ # net groupmap list
Guests (S-1-5-32-546) -> 90000006
staff (S-1-5-21-2323056048-1179890799-4016471343-1015) -> staff
ftp (S-1-5-21-2323056048-1179890799-4016471343-1010) -> ftp
Administrators (S-1-5-32-544) -> 90000004
Users (S-1-5-32-545) -> 90000005
wheel (S-1-5-21-2323056048-1179890799-4016471343-1013) -> wheel



Code:
root@freenas:~ # getfacl /mnt/StorageServer/Work
# file: /mnt/StorageServer/Work
# owner: root
# group: staff
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--x---a-R-c---:fd-----:allow
         everyone@:--------------:fd-----:allow


The long story short is that I can see \\freenas.home and I can see all of my shares, but I get a permissions error when I try to open any specific share.



Also, worth noting, I am going to be adding an HBA and creating a totally new pool in the future with more storage than what I have now. This current pool I plan to remove entirely once the new pool is created, so if there's some permissions disasters in here that I can avoid in the future, I'm all ears. I've watched the permissions setup videos, I've read through other threads, but at the end of the day, while none of this is new, I think I'm just not looking at this correctly at all and need some new eyes on this to help. The primary goal right now is to restore access to the shares on Windows. Once I regain access, I can correct the permissions so it functions the way I intend.

If any other commands are needed, I can run them whenever. I'm sure something is wrong, maybe it was the upgrade, maybe it was me from the beginning, but I already made the mistake of updating the pool, so roast me, but I'm all ears. Just need to get back in. Appreciate whatever help I can get here.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543

root@freenas:~ # getfacl /mnt/StorageServer
# file: /mnt/StorageServer
# owner: root
# group: staff
owner@:rw-p--aARWcCos:-------:allow
group@:rw-p--a-R-c--s:-------:allow
everyone@:rw-p--a-R-c--s:-------:allow


No users have execute on root dataset. This cuts off access for all non-root users. chmod +x /mnt/StorageServer.
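The check behind this diagnosis, as an added example that is not part of the original posts: it parses the NFSv4 `getfacl` output quoted in the thread and reports the first directory on the way to a share where no ACE grants execute (traverse). The function names are illustrative, and judging each principal only on its own ACEs is a simplifying assumption; root's bypass of these checks is not modelled.

```python
# Sample input: the two getfacl outputs posted in the thread, embedded inline.
POOL_ROOT = """\
# file: /mnt/StorageServer
# owner: root
# group: staff
            owner@:rw-p--aARWcCos:-------:allow
            group@:rw-p--a-R-c--s:-------:allow
         everyone@:rw-p--a-R-c--s:-------:allow
"""
WORK = """\
# file: /mnt/StorageServer/Work
# owner: root
# group: staff
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--x---a-R-c---:fd-----:allow
         everyone@:--------------:fd-----:allow
"""

def parse_acl(text):
    """Return (path, [(principal, perms, flags, type), ...]) from getfacl text."""
    path, aces = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 4:  # named ACEs carry an extra user:/group: prefix
                aces.append((":".join(fields[:-3]), *fields[-3:]))
    return path, aces

def traverse_verdicts(text):
    """Map each principal to True if its ACEs allow execute (x) on this directory.
    Assumption: a principal is judged on its own ACEs only, first match wins."""
    verdict = {}
    for who, perms, flags, ace_type in parse_acl(text)[1]:
        if "i" in flags or ace_type not in ("allow", "deny"):
            continue  # inherit-only ACEs do not apply to the directory itself
        if verdict.get(who) is None:
            verdict[who] = (ace_type == "allow") if "x" in perms else None
    return {who: bool(ok) for who, ok in verdict.items()}

def first_blocked(chain):
    """First directory in the chain where no listed principal may traverse."""
    for text in chain:
        verdicts = traverse_verdicts(text)
        if verdicts and not any(verdicts.values()):
            return parse_acl(text)[0]
    return None

if __name__ == "__main__":
    print(first_blocked([POOL_ROOT, WORK]))
```

The Work dataset's own ACL grants traverse to every principal, so the share-level ACL is not what blocks access; the pool root above it is.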
 

IT_Trashman

Is this something that could have broken when I updated FreeNAS? I ask because I'm not allowed to change the permissions of the Pool. I understand to run this in the shell, I'm just asking if this is something that could have otherwise been avoided by configuring differently from the beginning?
 

anodos

Is this something that could have broken when I updated FreeNAS? I ask because I'm not allowed to change the permissions of the Pool. I understand to run this in the shell, I'm just asking if this is something that could have otherwise been avoided by configuring differently from the beginning?
No, we don't touch permissions on root-level datasets (middleware explicitly prevented from doing this). Most common scenario I've seen is manual intervention by administrator (i.e. running chmod -x /mnt/<pool>).
 