Help with UNC file group

I have MCEBuddy setup to convert TV recording from emby on a network store using UNC paths. The conversions are working well. However, upon completion the group access settings are incomplet. The incoming file as full access permission for a user called “admin” and group “wheel” and “admin” (yes “admin” is both a user and a group). The converted file has full access permissions for user “admin” and group “wheel”. Access permissions for group “admin” are missing. How do add these automatically after processing please?

MCEBuddy tells Windows to inherit the permissions for the destination file from the source file. If the destination folder doesn’t have the same inheritance permissions as the source then it may not be carried over by Windows.

In my case, the destination folder is the same as the source folder, and the folder has the same permissions as the file, i.e., it includes both the “wheel” and “admin” groups with full access permissions. Yet the converted file is missing the “admin” group permissions. It sounds like this deviates from how it is supposed to work, but maybe I am missing something.

You need the containing directory to apply inherited group permissions, not just owner permissions.

In a Unix/Linux O/S (this sounds like BSD, with a “wheel” group), you would need the containing directory to have the setgid permissions bit set, not just the setuid bit. Review the help for the chmod command and the setgid permission.

The share is set up on a FreeNAS Server using the samba service. I set ACL permissions for the dataset within FreeNAS for group “admin” to “Full Control” and flags to “inherit”. It is my understanding that once ACL permissions are set, I should not be messing with chmod.

EDIT: Doesn’t the fact that the .ts recorded file have all permissions indicate that the group inherit works just fine on the windows side. It is only after MCEBuddy processes the file and copies it back to the source directory that the permissions are incorrect. I am not saying that I am not doing something wrong but I am certainly not understanding. I am also hesitant being too generous with the command line because I am worried about messing up the server.

Ah. Might be that MCEBuddy performs a “move” or “rename” operation from the temp processing directory, and so the file would have the defaults from that directory when the “move” happens.

That would be different than if MCEBuddy is performing a “copy”, and thus requiring double the space for what may be very large files.

Maybe check the perms on your temp folders where MCEBuddy is processing the temp files.

What you propose makes sense. However, I am failing to add permissions to the temp processing folder for the “admin” group on the FreeNAS server because the server is not recognized as a valid windows network machine. In other words, it does not show up as a computer under “network” in Windows Explorer. And when I try do add security permissions for the group, I cannot select the server under “Locations” of the file properties -> security -> add pane.

So after ditching Windows Server for FreeNAS, I no longer use Active Directory and it seems that this is the reason why I can no longer add permissions for network users. For workgroups, the approach seems to be to recreate the groups and users on the local machine. Here I failed because Windows does not let me create a group “admin” with the same name as the user “admin”. Maybe this is what is causing the issue. If this is the case I hit a limitation of the Windows OS and I may have to live with the incorrect permissions.

Did you ever get your FreeNAS visible as a server on your network after AD was removed?

There may be all sorts of AD group policies in place in your Windows clients that you no longer can access (because AD is gone and there is no PDC) even though they’ve falled back to SMBv2.

Also, I host a similar Samba/NAS AD-free newtwork with Windows Home clients using my ASUS router and it doesn’t support SMBv2. So I have to turn on SMBv1 in each client for it to “see” the router. Could that be something similar?

Your NAS now has to also run a PDC if you’re going to try to use it like a drop-in replacement for AD, but I don’t think they can completely replace AD, since AD also manages a lot more on the clients than just filesharing permissions.

You might want to grab the GPedit and ACL tools from your Windows Server (just the executables) and see if they can help you see how much AD stuff was left behind, and possibly interfering with things. I know I had issues when they got rid of HomeGroups (sort of an AD-lite for Windows Home) and went back to the basic Workgroup model because all sorts of permissions and features disappeared, but their ACLs and registry entries didn’t.

Because in Microsoft’s world, there is nothing to migrate an alternative or AD replacement, since that doesn’t exist. Therefore, there is no need to write code to perform a smooth migration or transition to some other, non-Microsoft product. Or to write anything that cleans up after you remove a Microsoft Server from your network since that is not a valid use case requirement for them (in Microsoft’s world).

The FreeNAS server was never connected to AD. I replaced a Windows Server 2012 Essentials by removing the clients from the domain and adding the FreeNAS server to the network. So I no longer use domains and AD. Instead, I simply use the same usernames and passwords on different machines including the FreeNAS server and have no issues connecting to the server. This all seems to work fine with SMB v2.

The issues seems to be that although the usernames/passwords match, they are local definitions and I cannot add permissions for remote users on a local machine. It seems that this would be the advantage of a domain, so maybe this is a limitation that I have to live with.

I have not run into issues with my setup other than the limitation reported here. I thought there may be a workaround, but maybe there isn’t.

Ah, I think I understand. Have you tried prefixing the permissions with the remote machine name (like a domain)? e.g. To add User1 on Host1 to Host2, you would grant share permissions to “Host1\User1”. You might have to escape things on the NAS since the backslash is likely a special character, like “Host1\\User1”.