SOLVED Best practices for Windows shares

Status
Not open for further replies.

rslocalhost

Dabbler
Joined
Jan 1, 2018
Messages
29
I need to setup a bunch of shared folders on a Freenas (11.1-U4) joined to an AD domain. Each of the shared folder will have different permissions set by [AD] groups. I have the first setup, and have a periodic snapshot to emulate previous versions from Windows. It works just fine.

I'm thinking it would be safer (and less work) to create a master share, then just use Windows to create subfolders and assign the appropriate group permissions to the subfolders rather that create individual datasets. However, I would like a user that could access the subfolder to be able to use the previous versions (really snapshots) to restore files from that subfolder they would have permission to access, but not a different subfolder they don't have permission to.

For example, master folder is called A, and contains two subfolders, b & c. User consoto\robert has access to c but not to b. I want consoto\robert to be able to use previous versions on c, but not b.

Which is the best way to set this up?
 

PhilipS

Contributor
Joined
May 10, 2016
Messages
179
I have folders set up this way and it just works. The Previous Versions tab is empty for folders they do not have permissions on. Also, to protect users from themselves I disabled the "Restore..." button in group policy to prevent users from restoring an entire folder of files - they have to click Open or Copy and get what they need - honestly, most of the time I need to help them with any of this - they have no idea how to use it.
 

rslocalhost

Dabbler
Joined
Jan 1, 2018
Messages
29
Thanks. I tested that and it works. The only caveat I would add from my testing is there is a small information leakage with the master folder method. Basically, anyone who needs access to any subfolder(s) must have at least list directories permission on the master folder. Otherwise they can't access the subfolders, even knowing the path.

The leakage comes in because the permissions are inherited, so anyone that can get to the master folder can see the directory names in the subfolders, including in the previous versions form. They can't see or touch files (even knowing their name and full path), nor create, but the all child folder names are visible.
 

PhilipS

Contributor
Joined
May 10, 2016
Messages
179

rslocalhost

Dabbler
Joined
Jan 1, 2018
Messages
29
I tried that. As soon as I hit apply, they come right back. I am trying to use Samba extended ACL's.

I also tried using an explicit deny, but that didn't work either as [I figured out afterwards] deny overrides allow. I have to allow list directories to pretty much everyone to the top level, and then if I deny everyone at the subfolder level, well, everyone includes the members of the group should have permissions, so they get denied too.
 

PhilipS

Contributor
Joined
May 10, 2016
Messages
179
Then something else is wrong - you should be able to disable inheritance. Not sure what it could be though.
 
Status
Not open for further replies.
Top