SOLVED Wonky Permissions and CIFS Shares

Status
Not open for further replies.

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
OK, it is time. I have been reading about FreeNAS for half a year. I did a lot of research on how to build a good FreeNAS box, and in my opinion I did. I have been testing my build for 4 weeks now, but I keep getting problems with permissions and shares.

My FreeNAS Build:

Mainboard: Supermicro X10SL7-F (SAS controller flash to IT mode Firmware 1.6)
Processor: Intel Pentium G3440 @3.30GHz
Memory: 2x 8GB (16GB Total) Crucial DDR3 1600 1,35v DR x8 ECC UDIMM 240p (CT102472BD160B) will upgrade at some point to 32GB total.
Pool 1: 11x4TB RaidZ3 (Toshiba HD SATA 64MB MD04ACA400 7200rpm) main storage
Pool 2: 3x250GB 3 way mirror for transmission and jails + system dataset. This pool will be replaced at some point with 2 SSD.
Boot: 3x32GB 3 way mirror (Kingston DataTraveler SE9 G2 USB3.0) of course connected on USB2.0 ports.
Power supplies: Dual hot swappable power supplies 300watt
UPS: APC Smart-UPS 750VA LCD
Network: Onboard (Supermicro X10SL7-F) Dual Gigabit Ethernet Connected on a HP ProCurve 1800-24G J9028B with LACP

FreeNAS Setup:

FreeNAS-9.3-STABLE-201506042008

CIFS settings:
NetBIOS name - Isolinear, Workgroup - WARPCORE, Description - Isolinear Storage, DOS charset – CP437, UNIX charset UTF-8, Log level – Minimum, Use syslog – on, Local Master – off, Domain logons – off, Time Server for Domain – on, Guest account – nobody, File mask – empty, Directory mask – empty, Allow Empty Password – off, Auxiliary parameters – empty, Unix Extensions – on, Zeroconf share discovery – on, Hostnames lookups – off, Server minimum protocol - -----, Server maximum protocol SMB2, Allow execute always – on, Obey pam restrictions – on, Bind IP Addresses – none, Idmap Range Low – 90000001, Idmap Range High - 100000000

Users:
User1 (Me):
ID - 1004, primary group - user1, home - /nonexistent, Shell - csh, Fullname - User1 something, Only Microsoft account - on, SSH Public Key - empty, Home Directory Mode - default, Auxiliary groups - none
User2 (other person):
ID - 1005, primary group - user2, home - /nonexistent, Shell - nologin, Fullname - User2 something, Only Microsoft account - on, SSH Public Key - empty, Home Directory Mode - default, Auxiliary groups - none

Dataset structure:
Pool1 - Main Dataset - Main Sharepoint Dataset - Users Dataset - User1 Dataset - Sharepoint Dataset
Pool1 - Main Dataset - Main Sharepoint Dataset - Users Dataset - User2 Dataset - Sharepoint Dataset

Settings and Permissions datasets:
Settings of ‘Main Dataset’:
Compression - Lz4, Share - UNIX, atime - Inherit on, dedup - off
Permissions of ‘Main Dataset’: user - on, user - root, group - on, group - wheel, apply mode - on, mode - rwx rx rx, Permission type - UNIX

Settings other Datasets: Compression - Lz4, Share - Windows, atime - off, dedup - off
Permissions other Datasets: user - on, user - User1, group - on, group - wheel, apply mode - on, mode - rwx rwx, Permission type - Windows

CIFS Shares:
CIFS Share1:
Path - Main Sharepoint /mnt/Main Dataset/Main Sharepoint Dataset, Use as home share – off, Name - Main Sharepoint Dataset, Comment – empty, Apply Default Permissions – on, Export Read Only – off, Browsable to Network Clients – on, Export Recycle Bin – off, Show Hidden Files – off, Allow Guest Access – off, Only Allow Guest Access – off, Hosts Allow – empty, Hosts Deny – empty, VFS Objects – default, Periodic Snapshot Task - -----, Auxiliary Parameters – empty

CIFS Share2:
Path - Main Sharepoint /mnt/Main Dataset/Main Sharepoint Dataset/Users Dataset/User2 Dataset/Sharepoint Dataset, Use as home share – off, Name - Sharepoint Dataset, Comment – empty, Apply Default Permissions – on, Export Read Only – off, Browsable to Network Clients – on, Export Recycle Bin – off, Show Hidden Files – off, Allow Guest Access – off, Only Allow Guest Access – off, Hosts Allow – empty, Hosts Deny – empty, VFS Objects – default, Periodic Snapshot Task - -----, Auxiliary Parameters – empty

The problems:

Problem 1:
If I make a CIFS share it takes a very long time before it is visible and accessible. Rebooting FreeNAS works, but I suspect that should not be necessary.

Problem 2:
This is a major problem. Most of the time I cannot change/add FreeNAS users and groups from Windows within my CIFS share. This is because they cannot be found. A reboot will work sometimes, but the moment I make changes in the FreeNAS web GUI, like making/changing a user or CIFS share, it will break something and I cannot find any users or groups from Windows.

Problem 3:
When I don’t have the problem described above, I get another problem. When using user1 from a Windows 8.1 system and adding user2 to the ‘Pool1 - Main Dataset - Main Sharepoint Dataset - Users Dataset - User2 Dataset - Sharepoint Dataset’ with full permissions, user2 can’t access it. I have no idea why that is; as far as I can see I did everything right.

Am I missing something, is there a bug in FreeNAS 9.3 Stable? After having these problems for 4 weeks I am going nuts. I have 15-20 years' experience with Windows Server editions, shares and permissions. I got everything else working like it should, except this. Where did I go wrong?

EDIT: All my clients are running Windows 8.1

Sorry about my English, I am native Dutch
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> If I make a CIFS share it takes a very long time before it is visible and accessible. Rebooting FreeNAS works, but I suspect that should not be necessary.

Restarting Samba is necessary, at the very least. Worked for me just the other day.

> Problem 2:
> This is a major problem. Most of the time I cannot change/add FreeNAS users and groups from Windows within my CIFS share. This is because they cannot be found. A reboot will work sometimes, but the moment I make changes in the FreeNAS web GUI, like making/changing a user or CIFS share, it will break something and I cannot find any users or groups from Windows.

There was a bug around FreeNAS 9.2.1.6 or 7 that caused mayhem in the group mappings, but users have always worked fine. (Gotta gather the patience to fix the problems caused by that bug one of these days)

> Problem 3:
> When I don’t have the problem described above, I get another problem. When using user1 from a Windows 8.1 system and adding user2 to the ‘Pool1 - Main Dataset - Main Sharepoint Dataset - Users Dataset - User2 Dataset - Sharepoint Dataset’ with full permissions, user2 can’t access it. I have no idea why that is; as far as I can see I did everything right.

I don't see any obvious problems either. Diagnosing permissions issues is not my specialty, unfortunately...

> Sorry about my English, I am native Dutch

Your English is fine, no need to worry.
 

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
> Restarting Samba is necessary, at the very least. Worked for me just the other day.

OK, I did not read anywhere that I need to do that, good to know.


> There was a bug around FreeNAS 9.2.1.6 or 7 that caused mayhem in the group mappings, but users have always worked fine. (Gotta gather the patience to fix the problems caused by that bug one of these days)

Strange that I am experiencing this problem with 9.3.


> I don't see any obvious problems either. Diagnosing permissions issues is not my specialty, unfortunately...

If an experienced user like you doesn't know it, boy, am I in trouble :P

Does anyone else have an idea?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I just noticed both users have the same ID. Is that a typo?
 

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
> I just noticed both users have the same ID. Is that a typo?

Yes, that is a typo, copy-paste and I forgot to change it. It is ID 1004 and 1005.
 

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
Does anyone have an idea?
 

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
> Click on 'system' -> 'advanced' -> 'save debug' and attach to thread. If you feel uncomfortable posting the info, PM me.

I sent you a PM, thanks for taking the time for me :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
A few quick points.

1) Don't nest shares. This can make permissions behave oddly.
You have:
Code:
[Isolinear Storage]
/mnt/Isolinear-Storage-Assembly/IsolinearStorage

[Media Storage]
/mnt/Isolinear-Storage-Assembly/IsolinearStorage/Media Storage

etc.
Try creating a flat file structure:
Code:
[Isolinear Storage]
/mnt/Isolinear-Storage-Assembly/IsolinearStorage

[Media Storage]
/mnt/Isolinear-Storage-Assembly/Media Storage


2) Don't use deduplication. Your system doesn't have enough memory. You will need to copy data from your datasets with dedup enabled to a new dataset (without dedup enabled) and destroy the datasets with dedup enabled.

3) Configure freenas to be "local master". This may help make freenas appear quicker. Note that master browser elections happen approximately every 15 minutes. This parameter does not ensure that FreeNAS will win master browser elections. You can also set it as "preferred master" to force elections when nmbd turns on (with the caveat that you shouldn't have multiple preferred masters on the same network).
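
An audit for the nesting described in point 1, as an added example that is not part of the original post: it reads share definitions and reports every share whose path lies inside another share's path. The sample text is constructed from the two paths quoted above, using Samba's `path` parameter; the function names are hypothetical.

```python
import configparser
from pathlib import PurePosixPath

# Constructed smb4.conf fragment built from the two share paths quoted above.
SAMPLE_CONF = """
[global]
workgroup = WARPCORE

[Isolinear Storage]
path = /mnt/Isolinear-Storage-Assembly/IsolinearStorage

[Media Storage]
path = /mnt/Isolinear-Storage-Assembly/IsolinearStorage/Media Storage
"""

def share_paths(conf_text):
    """Map each share name to its exported path, skipping [global]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return {
        name: PurePosixPath(parser[name]["path"])
        for name in parser.sections()
        if name.lower() != "global" and parser.has_option(name, "path")
    }

def nested_shares(conf_text):
    """Return sorted (parent_share, child_share) pairs where child is inside parent."""
    shares = share_paths(conf_text)
    findings = []
    for child, child_path in shares.items():
        for parent, parent_path in shares.items():
            # A share is nested when another share's path is one of its ancestors.
            if child != parent and parent_path in child_path.parents:
                findings.append((parent, child))
    return sorted(findings)

if __name__ == "__main__":
    for parent, child in nested_shares(SAMPLE_CONF):
        print(f"[{child}] is nested inside [{parent}]")
```

Every reported pair is a directory reachable through two shares, so both sets of share-level settings and the ACLs along both paths apply to the same files.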
 

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
> A few quick points.
>
> 1) Don't nest shares. This can make permissions behave oddly.
> You have:
> Code:
> [Isolinear Storage]
> /mnt/Isolinear-Storage-Assembly/IsolinearStorage
>
> [Media Storage]
> /mnt/Isolinear-Storage-Assembly/IsolinearStorage/Media Storage
>
> etc.
> Try creating a flat file structure:
> Code:
> [Isolinear Storage]
> /mnt/Isolinear-Storage-Assembly/IsolinearStorage
>
> [Media Storage]
> /mnt/Isolinear-Storage-Assembly/Media Storage

Can you explain to me why this would not work? With Windows systems this is normal practice and has never been a problem. I love the master/sub share system. Of course, if this is something that can't be done with FreeNAS/FreeBSD I just have to abandon it, that simple. But I would really like to understand what causes this behavior. I believe that understanding is the most important part of learning.

> 2) Don't use deduplication. Your system doesn't have enough memory. You will need to copy data from your datasets with dedup enabled to a new dataset (without dedup enabled) and destroy the datasets with dedup enabled.

I am aware of that, it is a test setup to see how things work. I won't put a lot of data in there and the data that goes in there will be 100% sure duplicated data, so I don't expect this to take a lot of resources. Also, the way I set it up it is easily reversed like you described. I read a lot about deduplication and I will be monitoring the server very closely ;)

> 3) Configure freenas to be "local master". This may help make freenas appear quicker. Note that master browser elections happen approximately every 15 minutes. This parameter does not ensure that FreeNAS will win master browser elections. You can also set it as "preferred master" to force elections when nmbd turns on (with the caveat that you shouldn't have multiple preferred masters on the same network).

I have turned that off because I read that local master could be troublesome and that it would not really be necessary. Although I could not find the reason for that, but then again I find a lot of advice without an explanation.

Maybe it is important to know, I also have a Windows 2003 server running, which I will upgrade shortly to Windows 2012 server. I know FreeNAS and the Windows Server will struggle for master browser, that is why I turned it off, because it is a bitch to turn master browser off for a Windows server. There is a big chance that I am wrong, but with all the documentation, threads and walkthroughs it gets difficult to understand what is true.

Again thanks for taking the time.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Can you explain to me why this would not work? With Windows systems this is normal practice and has never been a problem. I love the master/sub share system. Of course, if this is something that can't be done with FreeNAS/FreeBSD I just have to abandon it, that simple. But I would really like to understand what causes this behavior. I believe that understanding is the most important part of learning.

There are subtle differences between how ACLs work in ZFS / FreeBSD and Windows. For instance, files and folders are invisible if users lack "read attributes" privilege. I will link to a few resources below. I haven't tested doing master / sub shares, but my intuition is that it will cause problems. You're dealing with the interactions between ZFS's ACLs, the samba module that handles translating these ACLs into something that windows explorer can understand and interact with, Samba share level permissions, and perhaps how winacl on FreeNAS interprets sane permissions. These interactions can be somewhat unpredictable and so I feel it's best to keep shares separate. Hence I'd try removing the sub-shares - and resetting to default permissions via the webgui - to see if it resolves your permissions problems.

Resources:

Note that most of the samba documentation refers to acl_xattr and such vfs objects. Normal linux filesystems do not support nfsv4 ACLs, and so samba devs have put this extra information into filesystem extended attributes. This isn't the way that permissions are handled on FreeNAS since ZFS natively supports nfsv4 acls.

> I am aware of that, it is a test setup to see how things work. I won't put a lot of data in there and the data that goes in there will be 100% sure duplicated data, so I don't expect this to take a lot of resources. Also, the way I set it up it is easily reversed like you described. I read a lot about deduplication and I will be monitoring the server very closely ;)
>
> I have turned that off because I read that local master could be troublesome and that it would not really be necessary. Although I could not find the reason for that, but then again I find a lot of advice without an explanation.

Troubleshooting netbios name resolution problems is always tricky. Enabling local master just allows FreeNAS to participate in browser elections. If you have a DC on the network, FreeNAS will most likely lose master browser elections.

> Maybe it is important to know, I also have a Windows 2003 server running, which I will upgrade shortly to Windows 2012 server. I know FreeNAS and the Windows Server will struggle for master browser, that is why I turned it off, because it is a ***** to turn master browser off for a Windows server. There is a big chance that I am wrong, but with all the documentation, threads and walkthroughs it gets difficult to understand what is true.

The short answer is that if you have DNS configured properly on your network, you don't really need netbios name resolution.

If you already have a windows domain, then you should give serious thought to making your FreeNAS server an AD member server. This will most likely resolve your problems with network discovery, and also simplify permissions management.
 

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
> There are subtle differences between how ACLs work in ZFS / FreeBSD and Windows. For instance, files and folders are invisible if users lack "read attributes" privilege. I will link to a few resources below. I haven't tested doing master / sub shares, but my intuition is that it will cause problems. You're dealing with the interactions between ZFS's ACLs, the samba module that handles translating these ACLs into something that windows explorer can understand and interact with, Samba share level permissions, and perhaps how winacl on FreeNAS interprets sane permissions. These interactions can be somewhat unpredictable and so I feel it's best to keep shares separate. Hence I'd try removing the sub-shares - and resetting to default permissions via the webgui - to see if it resolves your permissions problems.
>
> Resources:
>
> Note that most of the samba documentation refers to acl_xattr and such vfs objects. Normal linux filesystems do not support nfsv4 ACLs, and so samba devs have put this extra information into filesystem extended attributes. This isn't the way that permissions are handled on FreeNAS since ZFS natively supports nfsv4 acls.

Thank you, I found my problem. My master/sub share is possible without a problem. But your post and documentation made me realize something: a CIFS share on a Windows system points to a folder in a different way than on a UNIX-based system. Let me explain.

A folder structure on a Windows system looks like this:
C:\Users\User1\Sharepoint

A folder structure on a Unix system, ZFS in this case, looks like this:
\Sharepoint Dataset\Users Dataset\User1 Dataset\Sharepoint Dataset

With Windows it is simple: you point '\\Sharepoint' to the folder 'Sharepoint', and as long as the user is added to that 'Sharepoint' folder it works.

But with Unix/FreeNAS/ZFS, '\\Sharepoint' does not point to the folder/dataset 'SharePoint Dataset' but to '\Sharepoint Dataset\Users Dataset\User1 Dataset\Sharepoint Dataset'. The user has to be able to travel through all the folders/datasets to get into the 'Sharepoint Dataset'. Essentially what I did was put up walls between all the folders.

What I did was give the user the ability to travel through all the folders with the "Traverse folder/Execute file" (Dutch 'Door map bladeren/Bestand uitvoeren') permission. This way a master/sub share system is easy to do, I just needed to think differently than the way Windows works. YAY I am happy, I learned something today :p

> Troubleshooting netbios name resolution problems is always tricky. Enabling local master just allows FreeNAS to participate in browser elections. If you have a DC on the network, FreeNAS will most likely lose master browser elections.
>
> The short answer is that if you have DNS configured properly on your network, you don't really need netbios name resolution.
>
> If you already have a windows domain, then you should give serious thought to making your FreeNAS server an AD member server. This will most likely resolve your problems with network discovery, and also simplify permissions management.

I don't use a domain server, I don't see the use of that with so few users. Also I have no problem with discovery of my shares. The only problem was not finding the user when I want to change permissions from Windows. But the suggestion from @Ericloewe "Restarting Samba is necessary, at the very least. Worked for me just the other day." seems to work. I have to see in the long term how that works out, but I expect no problems.

At the moment I am a happy man and I like to thank @anodos and @Ericloewe for all the help. Also I hope my solution can help others with the same problem :)
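
The "walls between folders" effect described in this post, as an added example that is not part of the original thread: it walks every directory from a root down to the share path and lists the ones a given user cannot enter. It checks POSIX mode bits only, which is an assumption and a simplification (a Windows-type FreeNAS dataset stores the traverse right as an NFSv4 ACL entry); the directory names, ids and function names are constructed for the demonstration.

```python
import os
import stat
import tempfile

def can_traverse(st, uid, gids):
    """POSIX search check: pick the owner, group or other class, test its x bit."""
    if uid == 0:
        return True                      # root bypasses the check
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blocking_dirs(share_path, uid, gids, root):
    """List each directory from root down to share_path that uid cannot enter."""
    root = os.path.abspath(root)
    rel = os.path.relpath(os.path.abspath(share_path), root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("share_path is not inside root")
    chain, current = [root], root
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        current = os.path.join(current, part)
        chain.append(current)
    return [d for d in chain if not can_traverse(os.stat(d), uid, gids)]

# Constructed layout mirroring the dataset chain in the thread.
LEVELS = ["Main Sharepoint Dataset", "Users Dataset", "User2 Dataset",
          "Sharepoint Dataset"]

def build_demo_tree(walled_level="Users Dataset"):
    """Create the chain in a temp dir; walled_level gets mode 0770 (no 'other' x)."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    current = root
    for name in LEVELS:
        current = os.path.join(current, name)
        os.mkdir(current)
        os.chmod(current, 0o770 if name == walled_level else 0o755)
    return root, current

if __name__ == "__main__":
    root, share = build_demo_tree()
    owner = os.stat(root)
    user2, groups = owner.st_uid + 1000, {owner.st_gid + 1000}  # hypothetical ids
    print("blocked at:", blocking_dirs(share, user2, groups, root))
    # Grant traverse only (x without r/w) on the wall, as in the fix described.
    os.chmod(os.path.join(root, LEVELS[0], LEVELS[1]), 0o771)
    print("after fix:", blocking_dirs(share, user2, groups, root))
```

Granting only the execute bit on the intermediate directory lets the user pass through it without being able to list or modify its contents, which is the narrowest right that removes the wall.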
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You know, I have known about that behavior for a while (it's already documented in my unreleased and unfinished permissions guide) and I not only know how Windows works, but I know how it is different on FreeNAS. But for some stupid reason I've never actually thought to mention that change anywhere until you just mentioned it.

I feel like a fool for not at least posting some note, sticky, or something on this very important behavioral change.
 

AndreStarTrek

Dabbler
Joined
Jan 2, 2015
Messages
21
Did the great cyberjock just compliment me (FreeNAS noob)? You make me blush ;)

I would like to personally thank you, cyberjock, for all your fantastic guides. Because of those guides I was able to make a good FreeNAS build and not a system that is a loss of money. Can't wait to read your permission guide.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You did get a compliment. It was an epiphany that I realized I knew about that (obviously) different behavior but really don't think about it much. I just take it for granted.

You are welcome for the guides. Glad they were useful for you. :)
 