Permissions are incorrectly ordered.

CIFS/SMB network sharing.

#1

Post by stovesy » 27 Apr 2018 12:21

N4F v. 11.1.0.4 - Atomics (revision 5403)
I'm experiencing an ACL permissions strangeness which results in a 'Permissions are incorrectly ordered' message when creating a new file in a cifs share.

I'm sharing a dataset with the owner and group set (user & wheel) with permissions at 0775 with ACL Inherit = restricted, and ACL Mode = passthrough.
The default ACL on the share is:

Code:

# file: /mnt/MainPool/CopperCards/
# owner: pete
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

I then change the ACL via the Advanced Security settings for the share: Setting the fd inherit flags (Windows Apply to: This folder, subfolders and files).
The resulting ACL on the share is:

Code:

# file: /mnt/MainPool/CopperCards/
# owner: pete
# group: wheel
            owner@:rwxpDdaARWcCo-:fd-----:allow
            group@:rwxpD-a-R-c---:fd-----:allow
         everyone@:------a-R-c---:-------:allow

If I create a file (test.txt) it is created with the correct permissions, and this is verified by checking in the Windows security settings dialog.

Code:

getfacl /mnt/MainPool/CopperCards/test.txt
# file: /mnt/MainPool/CopperCards/test.txt
# owner: pete
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

I now go to the share and via the advanced security settings dialog, add a group (Our drawing office will have access): Checking Replace all child objects permissions with inheritable permissions from this object

Code:

getfacl /mnt/MainPool/CopperCards/
# file: /mnt/MainPool/CopperCards/
# owner: pete
# group: wheel
group:DrawingOffice:r-x---a-R-c---:fd-----:allow
         everyone@:------a-R-c---:-------:allow
            group@:rwxpD-a-R-c---:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow

The permissions on the test file are changed as follows.

Code:

getfacl /mnt/MainPool/CopperCards/test.txt
# file: /mnt/MainPool/CopperCards/test.txt
# owner: pete
# group: wheel
group:DrawingOffice:r-x---a-R-c---:------I:allow
            group@:rwxpD-a-R-c---:------I:allow
            owner@:rwxpDdaARWcCo-:------I:allow

And this is verified by checking in the Windows file security properties dialog.
I now create another test file in the Windows share.

Code:

getfacl /mnt/MainPool/CopperCards/aftergroupadd.txt
# file: /mnt/MainPool/CopperCards/aftergroupadd.txt
# owner: pete
# group: wheel
group:DrawingOffice:r-x---a-R-c---:------I:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

Notice the everyone permission has appeared.
The Windows security dialog now complains that "The permissions on aftergroupadd.txt are incorrectly ordered, which may cause some entries to be ineffective."
If I remove the group DrawingOffice permissions and re-create a test file, no complaint.

On the share I now set Store NTFS ACLs in Extended Attributes.
This will provide NTFS ACLs without ZFS ACL support such as UFS.

Clear the permissions: setfacl -b /mnt/MainPool/CopperCards.
Then change the permissions on the share via the Windows advanced security dialog, setting Apply To, This folder, subfolders etc etc, and replace all child object permissions etc etc.

I can create a test file with the correct permissions.
I now add the DrawingOffice group permission to the share.
I now re-create the test file and check the permissions via the Windows properties - with no ordering complaint.

Code:

getfacl /mnt/MainPool/CopperCards/test.txt
# file: /mnt/MainPool/CopperCards/test.txt
# owner: pete
# group: wheel
group:DrawingOffice:r-x---a-R-c---:-------:allow
            group@:rwxpD-a-R-c---:-------:allow
            owner@:rwxpD-aARWcCo-:-------:allow

Using NTFS ACLs in Extended Attributes, the everyone permission is not present, and no ordering complaint.

It seems that the underlying ACL from ZFS is not correctly working or compatible with Samba ACLs.

Clearly the workaround is Store NTFS ACLs in Extended Attributes, but is anyone else experiencing this?
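
Added example (not part of the original post): a small Python check that reads NFSv4-style getfacl output and reports entries that break the canonical order Windows expects, that is, explicit entries before inherited ones and explicit deny before explicit allow. It assumes Samba presents the `I` flag as the Windows inherited flag; the function names are hypothetical, and the ACE lines are the ones quoted in the post above.

```python
# Added example, not from the original post. ACE lines are copied from the
# getfacl output quoted in the post (owner/group header lines omitted).
ACL_AFTERGROUPADD = """\
# file: /mnt/MainPool/CopperCards/aftergroupadd.txt
group:DrawingOffice:r-x---a-R-c---:------I:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
"""
ACL_TEST_TXT = """\
# file: /mnt/MainPool/CopperCards/test.txt
group:DrawingOffice:r-x---a-R-c---:------I:allow
            group@:rwxpD-a-R-c---:------I:allow
            owner@:rwxpDdaARWcCo-:------I:allow
"""


def parse_aces(getfacl_text):
    """Return (who, perms, flags, ace_type) for each ACE line."""
    aces = []
    for line in getfacl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split from the right: 'group:DrawingOffice' itself contains a colon.
        who, perms, flags, ace_type = line.rsplit(":", 3)
        aces.append((who, perms, flags, ace_type))
    return aces


def ordering_problems(getfacl_text):
    """List ACEs that break explicit-before-inherited, deny-before-allow order."""
    problems = []
    first_inherited = first_explicit_allow = None
    for who, _perms, flags, ace_type in parse_aces(getfacl_text):
        if "I" in flags:  # inherited ACE; order among these is not checked
            first_inherited = first_inherited or who
            continue
        if first_inherited:
            problems.append(f"explicit {ace_type} for {who} follows inherited {first_inherited}")
        if ace_type == "deny" and first_explicit_allow:
            problems.append(f"explicit deny for {who} follows explicit allow {first_explicit_allow}")
        if ace_type == "allow":
            first_explicit_allow = first_explicit_allow or who
    return problems


if __name__ == "__main__":
    for text in (ACL_AFTERGROUPADD, ACL_TEST_TXT):
        print(ordering_problems(text) or "canonical order")
```

The file created after the group was added carries an inherited DrawingOffice entry ahead of three explicit entries, which is the pattern the check flags; the file whose ACL was replaced from the parent has only inherited entries and passes.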

Re: Permissions are incorrectly ordered.

#2

Post by stovesy » 03 May 2018 16:43

This seems to help

Code:

nt acl support = yes
inherit owner = yes
map acl inherit = yes

Re: Permissions are incorrectly ordered.

#3

Post by stovesy » 03 May 2018 17:45

My solution is (I think, I've only done initial testing)

Create an Admin group and assign yourself to that group so you can administer the share permissions.

Your dataset needs...

Code:

ACL inherit: Restricted - Inherit all but "write ACL" and "change owner"
ACL mode: Passthrough - Do not change ACL
Owner: nobody
Group: Admin
With permissions
Owner: rwx
Group: rwx

Then save that configuration.
We now need to give the Admin group full permissions on that dataset.
Go to the Tools Menu and choose Command.
The command to enter is:

Code:

setfacl -m g:Admin:full_set:fd:allow /mnt/POOLNAME/DATASETNAME

Where Admin is your admin group name.

Next, set up your CIFS/SMB share.
Make sure you've got:
Inherit Permissions: Checked.
ZFS ACL: Checked.
Inherit ACL: Checked.
Then in additional parameter, add:

Code:

nt acl support = yes
inherit owner = yes
map acl inherit = yes

Save those changes and maybe click Save & Restart in the main samba settings - just to make sure the changes are read and applied.

Now on your Windows client...
Right click on the share and choose Properties then the Security tab.
You can get rid of the Everyone, and the owner Nobody entries.
You should see your Admin entry has full permissions over the shares, and if you look in Advanced, it'll have This folder, subfolders and files set so permissions will cascade down through your share.
You can now assign permissions to any other groups you've defined in N4F.
