napp-it execute smb share

mad1993max

New Member
Jan 27, 2016
17
0
1
30
hi i am new to napp-it and face some problems which i cant solve. I have setup napp-it-to-go and joined my domain (worked perfectly in comparison to freenas) and shared a test folder via smb with guest enabled and configured the smb share permission via the windows computer management console.
The first problem is that i cant modify the permission and security only the share permission.
The second problem is that i cant use a share as a docker volume via nfs because the programm cant change permission on the volume
 

gea

Well-Known Member
Dec 31, 2010
2,535
856
113
DE
When you share a filesystem with the guest=ok option you practically disable the option to restrict permissions based on a user. If you want to set permissions based on a user, you must login as a user (guest access disabled)
You can use the same user/PW on Solarish as on Windows to allow a connect without the need to enter creditentials in a workgroup. On a Domain, your local AD account from Windows is used so you do not need to login when the napp-it server is an AD member as well. The user can then modify the permissions for files that she/he creates. You can use the user root if you need full permissions on files via SMB (or via an idmapping Winuser:administrator => Unixuser: root).

NFS3 is a beast regarding permissions as it does not offer authorisation nor authentication beside some basic restrictions based on client ip. The next problem is that some clients use the uid of the connecting service for NFS, others nobody.

I do:
- set the filesystem to fully open ex with an ACL of everyone@=modify with inheritance to files and folders, optionally restrict with ip or firewall
- optionally disable the possibility to modify Unix permissions via NFS with the ZFS property aclmode=restricted
 

mad1993max

New Member
Jan 27, 2016
17
0
1
30
ok so best practice would be to allow everything on the root folder via omnios cli and configure the share access restrictions via windows?
If i use a share as datastore should i allow change of unix permissions via nfs?
 

gea

Well-Known Member
Dec 31, 2010
2,535
856
113
DE
Setting filebased permission restrictions for NFS3 is quite senseless as the only possible restriction for access is the ip and the uid. Both is only a setting on any machine so this is highly unsecure.

That said, you can allow chmod via NFS3 but only if you do not share the same filesystem via SMB as this will screw up Windows alike SMB permissions.

If you need to separate NFS traffic use a a separate ip range/nic or firewall and restrict there.