Best practice for NFS+CIFS permissions?


eroji

Active Member
Dec 1, 2015
I am looking for some guidance on what the best practice should be for managing permissions for shares and files over NFS and CIFS while the FreeNAS is AD connected.

The FreeNAS is AD connected so I can leverage AD user/group, but currently the shares are set as 777 root:wheel. They are also made available over NFS, for Linux servers to access. The applications that I want to have write access to them are, for instance, Syncthing, Deluge, Plex, etc. Each is set up and running as its own user on the respective Linux VMs.

How exactly can I set the permissions for them so that
  • Each of the applications can read/write to all the share contents
  • Granular control of share access for CIFS users
 

whitey

Moderator
Jun 30, 2014
I think I can help here, let me grab some screenshots and post back later tonight, recently had to tackle this problem myself.
 

voodooFX

Active Member
Jan 26, 2014
curious to see the answer from whitey :)
as for me I decided to not deal with this, so my "solution" is

single share: CIFS = RW access / NFS = RO access
or
two separate shares
 

whitey

Moderator
Jun 30, 2014
My bad guys, got sidetracked. I thought I had this whipped but my testing is unfinished, but I have a buddy who swears this is possible w/out too much effort. I am pulling the 'two separate shares' trick now as well: even if at the top level I have, say, /mnt/hgst1.5tb-r6/iso, I can share that via CIFS, then create a /mnt/hgst1.5tb-r6/iso/isos that I can then share w/ NFS. Then I can access iso files via Windows via domain permissions and NFS root/wheel access to vSphere. Kinda a PITA, so we need to crack this nut. Sure it's something simple.

Previous to this I was trying to share CIFS and NFS and somehow had the permissions stepping on each other's toes; I tried to load an Ubuntu VM and encountered issues reading from media.
 

eroji

Active Member
Dec 1, 2015
This is how I did it so far. FreeNAS, NFSv4, map all users as "root" and restrict the authorized IP/host to the servers I want to mount the shares on. That way, when I mount them on the server, anything I write will belong to root, but the group will inherit the group of the share directory, which is "domain users". This way, when I open the same share as CIFS from a Windows machine as a domain user, I am able to read/write and that is still accessible on the NFS end.
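One way to picture the scheme eroji describes, as an added example (my code, not eroji's setup or anything from FreeNAS or Samba): a small Python model of the POSIX mode-bit check plus the two identity rules in play, an NFS export that maps every client user to root for a list of authorized hosts, and a CIFS session that carries AD group membership. The host names, uids, user names and the 2775 root:"domain users" directory mode are constructed assumptions; the umask the NFS client applies is a parameter because it decides whether the group write bit ends up on the files the app users create.

```python
"""Constructed model of cross-protocol (NFS + CIFS) access on an AD-joined NAS.

Not FreeNAS or Samba code: it evaluates classic owner/group/other mode bits
plus two identity-mapping rules taken from the thread:
  * an NFS export with "map all users as root" limited to authorized hosts;
  * CIFS access as an AD user whose group list comes from the domain.
All names, uids and hosts below are made up for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

S_ISGID = 0o2000  # setgid on a directory: new files inherit its group (Linux rule)
R, W = 4, 2       # read / write bits inside one rwx triplet


@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    primary: str            # primary group (used when a dir is not setgid)
    gids: FrozenSet[str]    # every group the principal belongs to


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int               # permission bits, e.g. 0o2775


ROOT = Principal("root", 0, "wheel", frozenset({"wheel"}))


def allowed(node: Inode, p: Principal, want: int) -> bool:
    """Classic owner/group/other mode-bit check; uid 0 bypasses it."""
    if p.uid == 0:
        return True
    if p.name == node.owner:
        triplet = (node.mode >> 6) & 7
    elif node.group in p.gids:
        triplet = (node.mode >> 3) & 7
    else:
        triplet = node.mode & 7
    return triplet & want == want


@dataclass(frozen=True)
class NfsExport:
    authorized_hosts: FrozenSet[str]
    maproot: bool = True    # "map all users as root"

    def identity(self, client_host: str, client_user: Principal) -> Optional[Principal]:
        """Who the server acts as for a request; None if the host is not authorized."""
        if client_host not in self.authorized_hosts:
            return None
        return ROOT if self.maproot else client_user


def nfs_create(share: Inode, export: NfsExport, host: str,
               user: Principal, umask: int) -> Optional[Inode]:
    """Create a file in the share over NFS; returns None when refused."""
    who = export.identity(host, user)
    if who is None or not allowed(share, who, W):
        return None
    # Group inheritance: with setgid the new file takes the directory's group,
    # otherwise the creator's primary group. The file mode comes from the
    # client's umask, which is what decides whether the group can write later.
    group = share.group if share.mode & S_ISGID else who.primary
    return Inode(owner=who.name, group=group, mode=0o666 & ~umask)


def scenario(umask: int = 0o002, setgid: bool = True) -> dict:
    """Replay the thread's setup and report who can do what (constructed values)."""
    share = Inode("root", "domain users", 0o2775 if setgid else 0o775)
    export = NfsExport(authorized_hosts=frozenset({"plex-vm", "syncthing-vm"}))
    plex = Principal("plex", 1001, "plex", frozenset({"plex"}))                # app user on a Linux VM
    alice = Principal("alice", 10001, "domain users", frozenset({"domain users"}))  # AD user over CIFS
    other = Principal("nobody", 65534, "nogroup", frozenset({"nogroup"}))     # not in the group
    no_maproot = NfsExport(frozenset({"plex-vm"}), maproot=False)

    created = nfs_create(share, export, "plex-vm", plex, umask)
    assert created is not None  # authorized host, mapped to root, dir is writable
    return {
        "nfs_file_owner_group": (created.owner, created.group),
        "unauthorized_host_rejected": nfs_create(share, export, "laptop", plex, umask) is None,
        "app_user_denied_without_maproot": nfs_create(share, no_maproot, "plex-vm", plex, umask) is None,
        "cifs_domain_user_can_write": allowed(created, alice, W),
        "cifs_other_user_can_read": allowed(created, other, R),
        "cifs_other_user_can_write": allowed(created, other, W),
        "legacy_777_lets_anyone_write": allowed(Inode("root", "wheel", 0o777), other, W),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Two things the model makes visible. First, maproot turns any process on an authorized host into root on the export, so the authorized host list is the real access control on the NFS side, and the Linux app uids never need to exist on the NAS. Second, with a 022 umask on the client the created file is 644 and the domain user loses write access over CIFS, so group-based sharing depends on either a 002 umask on the NFS clients or ACL inheritance settings that the thread does not show. The setgid flag models the Linux rule; FreeBSD, which FreeNAS runs on, gives a new file its parent directory's group unconditionally, which matches what eroji observes.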
 

whitey

Moderator
Jun 30, 2014
OK, not sure I FULLY follow your comment about 'map all users as root'? Do you simply mean ensuring on the ZFS dataset that the owner is root but the group is set to AD domainname\domain users? Here is how I am set up currently; sure would be nice to take the nested BS outta it.

Attached screenshots: freenas-top-level-cifs.png, freenas-second-level-nfs.png, freenas-top-level-cifs-sharing1.png, freenas-top-level-cifs-sharing2.png, freenas-second-level-nfs-sharing.png
 

eroji

Active Member
Dec 1, 2015
I'll take some screenshots when I get home.

 

voodooFX

Active Member
Jan 26, 2014
This is how I did it so far. FreeNAS, NFSv4, map all users as "root" and restrict the authorized IP/host to the servers I want to mount the shares on. That way, when I mount them on the server, anything I write will belong to root, but the group will inherit the group of the share directory, which is "domain users". This way, when I open the same share as CIFS from a Windows machine as a domain user, I am able to read/write and that is still accessible on the NFS end.
OK you are using a common group to handle the cross protocol, sounds good :)
Question: if you are editing a file from one protocol, is the other one dealing correctly with the lock?
 

whitey

Moderator
Jun 30, 2014
OK, so I see that's the NFS side of the house. Does the CIFS share behave properly there as well? What does your CIFS share look like under Sharing -> 'Windows (CIFS)'? Basic setup/no guest access but using a Domain User acct? I will test here in a bit.
 

eroji

Active Member
Dec 1, 2015
CIFS works as intended for me. I don't have guest access turned on for the shares, but I suppose I could do a read-only share. Files created from the NFS end I can read and modify as a "domain users" member from Windows. Nothing fancy for the actual share config, but here it is.

Attached screenshots: upload_2016-5-11_12-3-56.png, upload_2016-5-11_12-4-27.png