This is the old XigmaNAS forum in read-only mode;
it will be taken offline by the end of March 2021!
I'd like to ask users and admins to rewrite/take over important posts from here into the new main forum!
It's not possible for us to export from here and import into the main forum!
[Solved] CIFS+AD on UFS
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
[Solved] CIFS+AD on UFS
Greetings. Some will say that the filesystem has nothing to do with the sharing system.
Well, in this case I am sorry to disagree, but it does make a small difference. Nowadays most tutorials out there on the internet are all about ZFS, with settings that only ZFS has (ACLs being one of them).
So, I have an old ML350 HP server with 6 disks of 600GB (SCSI IIRC), Xeon 3GHz CPU and 768MB of RAM.
Strangely enough, the system status displays 500-and-some MB of RAM (less than 600MB IIRC). I guess that's the RAM drive for the config since this is an embedded install.
Anyway, since the RAM was on the veeeery low side, and since I couldn't find more ECC RAM (and I am not allowed to buy more) and since the damned hdd controller doesn't support JBOD (go figure...) I had to go for UFS filesystem.
Formatted the disks, created a mounting point, set up the AD connection to my DC, checked that the AD was properly set up (can see users and groups on the CLI) and then I set up the CIFS share and pointed it to the mounting point previously created.
For now, all I want is to have a single shared folder that everybody can access with read permissions and only the admin has write permissions.
Then inside that root folder I will add other folders with different permissions. Is that possible?
After I set up everything according to the above text, I ended up with a problem: my Windows 7 clients logged on with administrator can read and write, but all my other users can't even see the root of the share.
All help will be greatly appreciated.
Cheers
Last edited by john3voltas on 02 Mar 2014 15:16, edited 2 times in total.
- raulfg3
- Site Admin

- Posts: 4865
- Joined: 22 Jun 2012 22:13
- Location: Madrid (ESPAÑA)
- Contact:
- Status: Offline
Re: CIFS+AD on UFS
Disable Inherit permission, and do a new permission, this time should work.
This post perhaps helps you: viewtopic.php?f=18&t=1552
12.1.0.4 - Ingva (revision 7743) on SUPERMICRO X8SIL-F 8GB of ECC RAM, 11x3TB disk in 1 vdev = Vpool = 32TB Raw size , so 29TB usable size (I Have other NAS as Backup)
Wiki
Last changes
HP T510
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
Re: CIFS+AD on UFS
@raulfg3,
First of all let me thank you for your reply.
Next, let me tell you that although I am not an overall n00b I must admit that I am (and will possibly always be) a n00b when it comes to Linux/Solaris/*BSD.
Having said that, I did take a look at the link that you posted just to realize that I don't understand anything in there. It seems that the OP on that topic is looking to achieve higher security but I don't really understand half of what he is trying to explain.
It could also be a language barrier issue.
Right now I don't need anything too elaborate. All I need is a shared folder where only administrator or a user belonging to AD domain_admins has full access and all other users can only read. Then I will create 3 or 4 folders with different permissions that I intend to manage from a windows PC.
Isn't this possible and easy to setup?
- raulfg3
- Site Admin

- Posts: 4865
- Joined: 22 Jun 2012 22:13
- Location: Madrid (ESPAÑA)
- Contact:
- Status: Offline
Re: CIFS+AD on UFS
john3voltas wrote:
> All I need is a shared folder where only administrator or a user belonging to AD domain_admins has full access and all other users can only read. Then I will create 3 or 4 folders with different permissions that I intend to manage from a windows PC.
> Isn't this possible and easy to setup?
YES It's possible, but NOT if you inherit permission, because your new folder inherits the parent permission, which IS NOT what you want.
So your first step is to disable inherit permission.
Second step is to create folders from the shell or using WinSCP, and take appropriate user control (chmod and chown); once done, test it.
If you are more comfortable using Linux, perhaps OMV is what you need; it is based on Debian, and permissions and user /home are easier to configure than in BSD.
- alexey123
- Moderator

- Posts: 1469
- Joined: 19 Aug 2012 08:22
- Location: Israel, Karmiel
- Contact:
- Status: Offline
Re: CIFS+AD on UFS
john3voltas, I looked at your screenshot and see a general fault.
You define the path to the share as the path to your mount point. This way is wrong.
To build a share you must define the path as
Code:
/mnt/<mnt_point_name>/<share>
where <mnt_point_name> is the name defined on the Disks|Mount Point|Management tab of the webgui, or the dataset path for zfs.
For your server the path must be
Code:
/mnt/TA/share
or any other name.
Mnemonic: the path to the share must be 3 folders away from root.
You cannot simply give permissions for the mount point, only via the Disks|Mount Point|Edit tab.
So, you need to create a folder on your disk and give access to it.
Home 12.1.0.4 - Ingva (revision 7091) / x64-embedded on AMD A8-7600 Radeon R7 A88XM-PLUS / 16G RAM / UPS Ippon Back Power Pro 600
Lab 12.1.0.4 - Ingva (revision 7091) / x64-embedded on Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz / H61M-DS2 / 4G RAM / UPS Ippon Back Power Pro 600
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
Re: CIFS+AD on UFS
alexey123 wrote:
> john3voltas, I see on your screenshot and see general fault.
> You define path to share as path to your mount point. This way is wrong.
Sorry about that. I didn't know. Now I have a mounting point named 'hraid5' and a folder inside that named 'TA'.
So my share path is now '/mnt/hraid5/TA' but the problem isn't solved yet. 'administrator' can still read/browse/write in that folder but other users can't.
What exactly would I need to do?
Use WinSCP to connect with the N4F, open '/mnt/hraid5/TA' and create other folders with different permissions?
Cheers
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
Re: CIFS+AD on UFS
raulfg3 wrote:
> YES It's possible, but NOT if you inherit permission, because, your new folder inherit parent permission that IS NOT what you want.
> So your first step is disable inherit permission.
I see. I have done that just now but I still can't access the folder.
raulfg3 wrote:
> second step is create folders from shell or using WinSCP, and take appropriate user control (chmod and chown), once done, test it.
I disabled the "inherit permission" option, opened the N4F with WinSCP, browsed to '/mnt/hraid5/', in there I created a new folder named 'ta' and set the permissions of that folder with 770. And I set the owner as 'administrator' and the group as 'domain_admins' (which I am a part of). For all this I used the UID and GID from 'getent passwd' and 'getent group' ran from the CLI of the N4F server.
So, now when I log on as 'administrator' I can access the share but when I login with my own user (member of 'domain_admins') I can't even see the share... :S
raulfg3 wrote:
> If you are more comfortable using Linux, perhaps OMV is what you need, is based on DEBIAN and permission and User /home is more easy to configure than in BSD.
No, I'm not more comfortable in Linux. To me it's just the same, doesn't make any difference.
I once tried OMV (2 years ago) and I didn't like what I saw.
Will only give up on N4F (in favor of any other NAS software) as a last resource.
Thanks in advance.
Cheers
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
Re: CIFS+AD on UFS
Status update:
This is surely a permissions' issue. I just don't get it why it doesn't work. My AD user is 'rds_correia'.
From the N4F CLI:
# getent passwd | grep 'rds_correia'
rds_correia:*:12613:10513:Rui Correia:/mnt:/bin/sh
If I understand this correctly this means that my UID is 12613 and that I belong to a group whose GID is 10513, right?
In such sense, I created a mounting point '/mnt/hraid5' with a share at '/mnt/hraid5/ta'.
I opened WinSCP, browsed to '/mnt/hraid5/ta' and set its permissions to the UID and GID that I have seen with the getent command in the CLI.
And I still can't browse that folder...
But!...other users of 10513 (domain_users) can browse the share!
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
Re: CIFS+AD on UFS
Guys, I'm going nuts.
I'm this share's owner and my user can't even read the share. But all other users that are in the same group (domain_users) can perfectly read/write to that share.
What could possibly be wrong?
Really need a little tip/help from a more experienced user.
Cheers
- raulfg3
- Site Admin

- Posts: 4865
- Joined: 22 Jun 2012 22:13
- Location: Madrid (ESPAÑA)
- Contact:
- Status: Offline
Re: CIFS+AD on UFS
Sorry, no experience with AD here; perhaps another user can help you.
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
Re: CIFS+AD on UFS
Raul, since I have tested that the share works for some users, should I now assume that the issue is with my AD? If so, where should I ask for help now?
Because the setup is working. It's just not working for my AD user, that's all. Which by the way is the owner of the shared folder
- raulfg3
- Site Admin

- Posts: 4865
- Joined: 22 Jun 2012 22:13
- Location: Madrid (ESPAÑA)
- Contact:
- Status: Offline
Re: CIFS+AD on UFS
john3voltas wrote:
> Which by the way is the owner of the shared folder
normally root:wheel, but you can check it using ls -l
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
Re: CIFS+AD on UFS
Raul, that wasn't a question. It was more like a statement.
You see, with root:wheel no one can even see the share. That's why I configured administrator: domain_users.
Where should I ask for help?
Cheers
-
john3voltas
- NewUser

- Posts: 14
- Joined: 30 Nov 2013 03:27
- Status: Offline
Re: CIFS+AD on UFS
Sorry to dig up my own post almost 2 months later.
I've found out my problem.
Most of my AD users have names with only letters and numbers in them (like admin12 or uSeR01). But some of them (like mine!) have an underscore sign '_'.
Apparently some time ago Samba had a problem with groups and users that had a space ' ' in it.
So they implemented an option to take all those names with spaces and adapt them to have an underscore instead of the space.
Like 'domain users' would become 'domain_users'.
That option is 'winbind normalize names = yes/no' and in case of a default N4F install its smb.conf is set up with 'winbind normalize names = yes'. I just had to add 'winbind normalize names = no' to my configuration and my problem was solved.
Thank you all for your help and I hope this helps other users that in the future come to experience the same issue.
Cheers
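The last post traces the failure to 'winbind normalize names = yes' combined with an underscore in the account name. The following is an added example, not part of the thread or of XigmaNAS: a POSIX shell audit that reads the setting from an smb.conf and lists the logins containing '_' from saved `getent passwd` output. The function names, the temporary files and the sample smb.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed.

# Print the effective "winbind normalize names" value set in [global] of an
# smb.conf file: yes, no, or unset. Samba ignores case and spaces in parameter
# names; a later assignment overrides an earlier one.
normalize_names_setting() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t\r]/, "", s)
                      in_global = (s == "[global]"); next }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key != "winbindnormalizenames") next
            if (val == "yes" || val == "true" || val == "1") r = "yes"
            if (val == "no" || val == "false" || val == "0") r = "no"
        }
        END { print (r == "" ? "unset" : r) }
    ' "$1"
}

# Read `getent passwd` style lines on stdin; print logins containing "_".
accounts_with_underscore() {
    awk -F: '$1 ~ /_/ { print $1 }'
}

# $1 = smb.conf, $2 = saved `getent passwd` output. When normalisation is on,
# list the accounts whose share access should be re-tested.
audit_normalize_names() {
    setting=$(normalize_names_setting "$1")
    echo "winbind normalize names: $setting"
    [ "$setting" = "yes" ] || return 0
    accounts_with_underscore < "$2" | sed 's/^/re-test share access for: /'
}

# Constructed sample input; the second passwd line is the one quoted in the thread.
demo=$(mktemp -d)
printf '%s\n' '[global]' '  workgroup = EXAMPLE' \
    '  Winbind Normalize Names = Yes' '[ta]' '  path = /mnt/hraid5/ta' > "$demo/smb.conf"
printf '%s\n' 'admin12:*:12001:10513:Admin:/mnt:/bin/sh' \
    'rds_correia:*:12613:10513:Rui Correia:/mnt:/bin/sh' > "$demo/passwd"
audit_normalize_names "$demo/smb.conf" "$demo/passwd"
```

On a live system, `testparm -s` prints the configuration Samba actually loads; saving that output to a file gives the input for the first function.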