7

On FreeNAS, when creating a new dataset, I am presented with an option for Share Type.

Later, in a different dialog, when editing permissions of the dataset, I am presented with an option for Permission Type.

What is the difference between the "Permission Type" and the "Share Type" setting?

7wp

3 Answers

5

I have looked for the same and the information was very limited.

So I did my own experiments and found that all this comes down to permissions applied to the root of the dataset.

If you set the share type to UNIX, nothing special happens. A new dataset is created and it is mounted where you expect it to be, with the typical 755 permission set for directories.

[root@freenas] /mnt/data1/unix# ll
total 3
drwxr-xr-x  2 root  wheel  2 Oct 27 08:06 ./
drwxr-xr-x  8 root  wheel  8 Oct 27 08:06 ../

[root@freenas] /mnt/data1/unix# getfacl .
# file: .
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow

But if you select Windows, a few things will happen:

  • a .windows file is created at the root of the dataset. I'm just guessing this is just to help FreeNAS GUI track what kind of permission scheme was set here.
  • an NFSv4 ACL is added to the root of the dataset.

Below you'll find how the permissions were applied to a Windows dataset.

[root@freenas] /mnt/data1/windows# ll
total 3
drwxrwxr-x+ 2 root  wheel  3 Oct 27 08:06 ./
drwxr-xr-x  8 root  wheel  8 Oct 27 08:06 ../
-rw-r--r--  1 root  wheel  0 Oct 27 08:06 .windows

Noticed that little + sign for the . directory? It means that ACLs are set for that particular resource...

[root@freenas] /mnt/data1/windows# getfacl .
# file: .
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow

And that's all. In both places in the UI the meaning is the same.

However, once the permissions are set, the FreeNAS GUI does not work perfectly when you'd like to change the type of the permissions (e.g. it won't execute setfacl -b when changing from the Windows to the UNIX scheme) etc.

So it all depends on what you want to achieve. But I personally like the NFSv4 ACL and recommend setting the Windows type at all times. It is really sane by default, will use inheritance and works well through CIFS and from the local shell. I haven't tested how it behaves when accessing using an NFS mount.

Grogi
0

When you set the Permission Type to "Windows", the buttons for Read, Write, Execute and Owner, Group, Other become disabled, so it seems like you lose some control over setting these permissions if you go with Windows in the storage dataset.

So, with the "Windows" Permission Type, how would you, say, give the Owner read/write and the Group read, but then give no access to Other, so as to prevent any given user on the network from accessing the share?

Matt Slay
0

I've just stumbled upon the same confusing issue:

If the "permission type" of a dataset is configured as "Windows", you're supposed to fine-tune the permissions afterwards, e.g. utilizing a Windows client (security tab of folder properties). Otherwise the permissions default to:

selected user = full access
selected group = full access
everyone else = read only access

At first I thought that only the user and group would be able to access the share. But the default permissions of a share with "permission type" eq "Windows" will give read access to any other authorized account. In terms of unix permissions that would be owner:group:other = rwxrwxr-x.

I'd say these default permissions are quite risky. Maybe some admins falsely assume that only the configured user and group will have access. I'd prefer that the default permissions would default to full access for user and group only, i.e. in unix terms rwxrwx---.

RalfFriedl
ausive
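
To check a dataset for the default the last answer warns about, here is an added example (not part of any answer above) that parses `getfacl` output in the format shown in the first answer and reports what allow entries give `everyone@`, and whether that grant is inherited by new files and directories. The function names are hypothetical, the sample input is the two listings quoted in the first answer, and the letter meanings (r/w/x data rights, f/d inheritance flags) are taken from FreeBSD's setfacl(1).

```python
# Added example: audit FreeBSD/FreeNAS `getfacl` NFSv4 output for data access
# granted to everyone@. Only allow entries are examined (an assumption of this sketch).
DATA_BITS = {"r": "read_data", "w": "write_data", "x": "execute"}

# Constructed sample input: the two `getfacl .` listings quoted in the first answer.
UNIX_ACL = """# file: .
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow
"""
WINDOWS_ACL = """# file: .
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow
"""

def parse_acl(text):
    """Return (who, perms, flags, type) tuples from getfacl NFSv4 output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"not an NFSv4 ACL entry: {line!r}")
        # user:NAME:... and group:NAME:... entries carry one extra leading field.
        entries.append((":".join(fields[:-3]), *fields[-3:]))
    return entries

def everyone_findings(text):
    """List data rights that allow entries grant to everyone@, with inheritance."""
    findings = []
    for who, perms, flags, kind in parse_acl(text):
        if who != "everyone@" or kind != "allow":
            continue
        granted = [name for bit, name in DATA_BITS.items() if bit in perms]
        if granted:
            inherits = "f" in flags or "d" in flags  # file_inherit / dir_inherit
            findings.append({"granted": granted, "inherits_to_children": inherits})
    return findings

if __name__ == "__main__":
    for label, acl in (("UNIX", UNIX_ACL), ("Windows", WINDOWS_ACL)):
        print(label, everyone_findings(acl))
```

Both listings give `everyone@` read and execute on the dataset root; the difference the check surfaces is that only the Windows ACL carries the `fd` flags, so that grant propagates to everything created beneath it.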