Windows File Permissions Not Staying??

Status
Not open for further replies.

NightNetworks

Explorer
Joined
Sep 6, 2015
Messages
61
Ok, so here is what I have done....

I have a dataset named "Backups and Images" with the following permissions set to it.
upload_2015-9-12_23-10-44.png


I then have a Windows CIFS share configured as follows...
upload_2015-9-12_23-12-3.png


If I then navigate to the FreeNAS box via Windows 7 and log in as sa-elite, then right-click on the "Backups-Images" file share and go to Properties and Security, the following permissions are set...
Everyone (group) >> Read & Execute, Read, and Write
BackupUsers (group) >> Full
sv-backup01 (user) >> Full

All sub folders and files have the same permissions as well.

I then remove the "Everyone" and "BackupUsers" group and add "sa-elite".... click apply...ok...acknowledge the warnings... Checking the sub folders and files again shows that they all have the correct permissions (or at least what I want).
sa-elite (user) >> Full
sv-backup01 (user) >> Full

However, this is where things get strange... If I create a new folder within the share, the only rights that the new folder will have is Full for user sa-elite.

Why is this happening? How can I set it up so that only sa-elite and sv-backup01 have full permissions and so new files and folders will also have those same rights?

Thank You!
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Is there an inherit permissions option in the Windows security tab? I think that is what you want to do but I would have to test it to know for sure.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I've seen this problem before when the ZFS aclmode property of the dataset is set to 'passthrough' instead of 'restricted'.

Check output of 'zfs get aclmode <pool>/<dataset>'
 

dgs2001

Dabbler
Joined
Oct 28, 2012
Messages
26
I had a similar amount of confusion!

Firstly, you should not need to remove the BackupUsers group. Looking at your pictures, this group contains the user sv-backup01. So full access should be granted to user sv-backup01 as a member of the group BackupUsers.

Secondly, as well as deleting the everybody group and adding user sa-elite, you will need to tick the box which sets the child permissions as inherit. In Windows 10 I think it says "replace all child permissions with inherited permissions from this parent".

Once you press apply, if any of the files have to be skipped it is likely because the owner is a different user, in which case you will also need to change the owner of all sub files and folders to either of the users sa-elite or sv-backup01. This is done from the same window where the users are added and deleted and the advanced permissions can be changed.

Once this is done I recommend stopping your sharing service and deleting the user's authentication cache on your Windows machine. This can be done by using the cmd window, but do not right click it, just run cmd as the user, then type "net use * /delete".

Finally, restart your Windows machine and restart the FreeNAS sharing service.
Having done all this you will have to remap your shares in Windows, but hopefully all will be working as expected.

One final word of caution, don't accidentally type "net user * /delete". I did this and it doesn't end well :). I had to start from scratch and reinstall windows.
 

NightNetworks

Explorer
Joined
Sep 6, 2015
Messages
61
SweetAndLow said:
> Is there an inherit permissions option in the Windows security tab? I think that is what you want to do but I would have to test it to know for sure.

Yes, you have to go to "advanced" under the security tab... it is called "Replace all child object permissions with inheritable permission from the object". However, that is what I think was not working, thus causing the above issue. Although I am thinking that maybe if I set the permissions that I want at the root level and then restart the CIFS service... then go back and check that box to make them inheritable, then restart the CIFS service again, that might do the trick. I will have to try it and let you know.

anodos said:
> I've seen this problem before when the ZFS aclmode property of the dataset is set to 'passthrough' instead of 'restricted'.
>
> Check output of 'zfs get aclmode <pool>/<dataset>'

I will have to check...

dgs2001 said:
> I had a similar amount of confusion!
>
> Firstly, you should not need to remove the BackupUsers group. Looking at your pictures, this group contains the user sv-backup01. So full access should be granted to user sv-backup01 as a member of the group BackupUsers.
>
> Secondly, as well as deleting the everybody group and adding user sa-elite, you will need to tick the box which sets the child permissions as inherit. In Windows 10 I think it says "replace all child permissions with inherited permissions from this parent".
>
> Once you press apply, if any of the files have to be skipped it is likely because the owner is a different user, in which case you will also need to change the owner of all sub files and folders to either of the users sa-elite or sv-backup01. This is done from the same window where the users are added and deleted and the advanced permissions can be changed.
>
> Once this is done I recommend stopping your sharing service and deleting the user's authentication cache on your Windows machine. This can be done by using the cmd window, but do not right click it, just run cmd as the user, then type "net use * /delete".
>
> Finally, restart your Windows machine and restart the FreeNAS sharing service.
> Having done all this you will have to remap your shares in Windows, but hopefully all will be working as expected.
>
> One final word of caution, don't accidentally type "net user * /delete". I did this and it doesn't end well :). I had to start from scratch and reinstall windows.

You are correct, sv-backup01 is part of the backupusers group so there is really no need for that account to be there. It's there as I was unable to create the dataset without it being applied to it by default and then I just never removed it.

I had already tried using "Replace all child object permissions with inheritable permission from the object" as mentioned above, but I am going to give it another shot here soon and see what happens.

I had not thought about restarting the service... seems like a great idea, I am going to try that as well. I already knew about the net user * /delete, but thanks.

Thanks everyone for all of the suggestions! I will mess around with it some more and let everyone know what I have found.
 

NightNetworks

Explorer
Joined
Sep 6, 2015
Messages
61
Ok, so I figured out the issue...

First I realized that my volumes/datasets are configured as such...
  • Data = Volume
    • Data = Dataset
      • Backups and Images = Dataset
The hierarchy here is of greater importance than I initially realized, particularly the dataset named "Data" which was created when the volume "Data" was created. The importance of this is that it appears that any new datasets that are created are actually a subset of the "Data" dataset. It appears that the permissions that were set on the "Data" dataset were what was causing all of my issues in my original post, as those permissions were being inherited by the sub datasets.

Originally I had created a dataset called "Backups and Images" and created a CIFS share for that dataset... I thought at the time that I would be able to navigate to that share on a Windows PC and change the file permissions at the root of the share. From what I have determined, it is not possible to make permission changes at the root of the share, as you cannot remove the inherited permissions from the "Data" dataset, thus causing the issues that I was having.

Here is what I did to get around this issue so that I was not making permission changes at the root of a share...

  1. First I went ahead and turned the CIFS service off and after a few minutes turned it back on.

  2. I then went to the storage tab and selected the "Data" dataset and applied the following permissions to it...

    upload_2015-9-13_18-30-42.png


    This gave the user "root" and the group "RootLevel" full permissions to the "Data" dataset while also applying the "everyone" group with read only rights.

  3. I then went and created a CIFS share for the "Data" dataset, using just the default settings, nothing special... Note: I was not able to make any changes to the permissions of this share outside of FreeNAS, so make sure the owner user and owner group from above are such that you don't end up giving too many permissions to people. In my case the owner group "RootLevel" is an empty group, therefore "root" has full access and everyone else only has read only access.

  4. On a Windows PC using the "root" account I navigated to the network share that I created in step 3. Doing so then allowed me to navigate to the sub folder Backups and Images (which we know is really another dataset) where I was then able to apply the correct user permissions and prevent it from inheriting permissions from the "Data" dataset as I was no longer trying to make changes to the root of a share which at this time appears is not possible.
Does that make sense? I hope so... lol

Thanks again everyone for the help!
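
Added example (not posted by anyone in this thread): a shell sketch of the `zfs get aclmode` check anodos suggests, extended to walk the whole dataset hierarchy, since the cause turned out to sit on the parent "Data" dataset. The function names, the sample property values, and the choice to flag any `aclmode` other than `restricted` are assumptions; on the NAS, feed it `zfs get -H -r -o name,property,value aclmode,aclinherit Data` instead of the constructed sample.

```shell
#!/bin/sh
# Added example. Reads `zfs get -H -o name,property,value` output on stdin
# (tab-separated, no header) and prints one line per dataset, parent first.
# Splitting on tabs matters: "Data/Backups and Images" contains spaces.

audit_acl_props() {
    awk -F '\t' '
        NF < 3             { next }                        # skip malformed lines
        !($1 in idx)       { idx[$1] = ++n; name[n] = $1 } # keep input order
        $2 == "aclmode"    { mode[$1] = $3 }
        $2 == "aclinherit" { inh[$1]  = $3 }
        END {
            for (i = 1; i <= n; i++) {
                ds = name[i]
                # Assumption: "restricted" is the expected aclmode, per anodos.
                status = (mode[ds] == "restricted") ? "OK" : "CHECK"
                if (status == "CHECK") bad++
                printf "%s\t%s\taclmode=%s\taclinherit=%s\n", \
                       status, ds, mode[ds], inh[ds]
            }
            exit (bad > 0 ? 1 : 0)   # non-zero if any dataset needs review
        }'
}

# Constructed sample, shaped like the hierarchy described in this thread.
# The property values are made up for illustration.
sample_zfs_get() {
    printf 'Data\taclmode\tpassthrough\n'
    printf 'Data\taclinherit\tpassthrough\n'
    printf 'Data/Backups and Images\taclmode\trestricted\n'
    printf 'Data/Backups and Images\taclinherit\tpassthrough\n'
}

sample_zfs_get | audit_acl_props || echo "Review the datasets marked CHECK."
```

Checking the parent as well as the shared dataset shows at a glance whether a child dataset differs from the one it sits under.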
 