CIFS Subfolder Permissions Errors

Status
Not open for further replies.
Joined
Sep 15, 2015
Messages
5
Posted to the Freenas subreddit, but crossposting to here to see if anyone has ideas. TIA

FreeNAS-9.3-STABLE-201509022158 installed and running. Groups and users added. Five datasets, all CIFS browseable, and all set to Windows permissions. Wheel is owner group, and my administration account is in wheel. I've been able to add/remove permissions for each shared dataset just fine (adding the other groups, removing Everyone).

I want to configure specific subfolder permissions on the user shares CIFS share (where each user has personal space). I would rather not have to create individual datasets for each individual user. But, when I go to remove the inherited permissions from the subfolder, it throws all sorts of errors.

When I try to just remove all the inherited permissions, I get: "An error occurred while applying security information to: ... The parameter is incorrect." This happens on every file, so you can only cancel out of it.

When I try to Add the inherited as explicit local permissions, it appears to run through but the inheritance check remains and I still can't remove the other shares.

Additionally, if I try to add the explicit user or group (Add -> type in object name, e.g., User1 or User1Group, both of which exist and I can map from the main share), I get: "An object (User, Group, or Built-in security principal) with the following name cannot be found: "User1". Check the selected object types and locations for accuracy and ensure that you have typed the object name correctly, or remove the object from the selection." I've checked capitalization, spelling, etc. and restarted the server twice just for giggles.

Thoughts?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Rather than removing inherited permissions try the following:

1) Apply default permissions
2) Modify the "everyone" ACE so that it applies to "this folder only" through "Advanced Security Settings" in Explorer.
3) Add an ACE for admin users to have full control over the dataset
4) Change owner of subdirectories so that it is owned by the user.
 
Joined
Sep 15, 2015
Messages
5
Well, on the advice from a Redditor, I tried a new config with a build from March 2015. Unfortunately, that didn't fix the issue. Although now, with what is basically the same config (wheel as owner, admin acct in wheel, datasets and shares as Windows, reboot client and server to make sure clean connections, restart CIFS service just in case it was being a pain, etc.) I can't even get the shares themselves to add the new groups. I can delete the Everyone group (or modify it to have "This Folder Only" in advanced settings), but I can't add any other groups. I must be missing something, but I can't for the life of me figure out what that is.
 
Joined
Sep 15, 2015
Messages
5
Rather than removing inherited permissions try the following:

1) Apply default permissions
2) Modify the "everyone" ACE so that it applies to "this folder only" through "Advanced Security Settings" in Explorer.
3) Add an ACE for admin users to have full control over the dataset
4) Change owner of subdirectories so that it is owned by the user.
So that worked, I think. Is there some reason why Freenas won't allow removing permissions from subdirectories? What I'm concerned about is that, when a user creates a new subdir C under the parent, it won't have the inheritance of the standard groups that would view C. Basically, subdir B is a Confidential folder that can only be visible to test2 group, and everything else [A,C,D,etc.] would normally be automatically full access to both test1 and test2 groups, but if I can't have inheritance from the parent it means each new folder would need to be manually set to allow both test1 and test2 groups, correct?

My ACL structure currently is:
Parent (userfile share)-[Everyone (this folder only),root(full),wheel(full)]
A subdir-[root(full),wheel(full),test1(full), test2(full)]
B subdir-[root(full),wheel(full),test2(full)]
new C subdir-[root(full),wheel(full)]

What I really need is something like:
Parent (userfile share)-[Everyone (this folder only),root(full),wheel(full)]
A subdir-[root(full),wheel(full),test1(full), test2(full)]
B subdir-[root(full),wheel(full),test2(full)]
new C subdir-[root(full),wheel(full),test1(full), test2(full)]

Thoughts?
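The inheritance question above (what a new folder C receives, and how a confidential folder B differs), as an added example that is not from the thread: a Python model of NFSv4 ACE inheritance flags, the ACL type behind FreeNAS "Windows" datasets. It assumes the parent carries root, wheel, test1 and test2 with file and directory inheritance and Everyone restricted to "this folder only"; rendered entries use FreeBSD setfacl(1) input syntax, and the model is simplified (no deny ordering, no mode masking).

```python
# Added example (not the thread's code): a small model of NFSv4 ACE
# inheritance, the ACL type behind FreeNAS "Windows" datasets, showing
# which entries a new subdirectory receives. Flags follow FreeBSD
# setfacl(1): f file_inherit, d dir_inherit, i inherit_only, n no_propagate;
# "" is Explorer's "this folder only". No deny ordering or mode masking.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    who: str          # "everyone@", "user:root", "group:wheel", ...
    perms: str        # setfacl permission string or set such as full_set
    flags: str = ""   # any of "fdin"; "" means this folder only
    kind: str = "allow"

    def render(self):
        # setfacl -m input form, e.g. group:test1:full_set:fd:allow
        return f"{self.who}:{self.perms}:{self.flags}:{self.kind}"

def inherit_for_new_dir(parent_acl):
    """ACEs a new subdirectory gets from its parent under NFSv4 rules."""
    child = []
    for ace in parent_acl:
        if "d" in ace.flags:
            # dir_inherit: copied; keeps propagating unless n is set
            flags = "" if "n" in ace.flags else ace.flags.replace("i", "")
        elif "f" in ace.flags and "n" not in ace.flags:
            # file_inherit only: carried as inherit_only for files below
            flags = "fi"
        else:
            continue  # this folder only, or propagation stopped by n
        child.append(Ace(ace.who, ace.perms, flags, ace.kind))
    return child

# Constructed sample: the parent ACL the poster is after. everyone@ is "this
# folder only"; root, wheel, test1 and test2 carry fd so new folders get them.
USERFILE_PARENT = [
    Ace("everyone@", "read_set"),
    Ace("user:root", "full_set", "fd"),
    Ace("group:wheel", "full_set", "fd"),
    Ace("group:test1", "full_set", "fd"),
    Ace("group:test2", "full_set", "fd"),
]

def new_subdir_acl(parent=USERFILE_PARENT):
    """ACL a new subdirectory such as C receives, rendered for setfacl -m."""
    return [a.render() for a in inherit_for_new_dir(parent)]

def confidential_acl(parent=USERFILE_PARENT, drop=("group:test1",)):
    """Folder B: inheritance disabled (entries explicit), then test1 dropped."""
    return [a.render() for a in inherit_for_new_dir(parent) if a.who not in drop]
```

With the parent set up this way, a new user-created folder picks up root, wheel, test1 and test2 automatically while Everyone stays on the parent, which is the structure the post asks for.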
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Anyone have any insight here?
Samba with NFSv4 ACLs should support the same permissions and inheritance configurations that are possible on a Windows server. You can disable inheritance for ACEs.

In practice, I avoid setting permissions the way that you are trying to do it. These sorts of irregular permissions are often difficult to document and maintain.

Instead, wherever possible I try to define permissions at a share level. If there is a set of confidential documents to which only members of Group A should have access, I create a new dataset and share. If I'm feeling particularly paranoid, I'll set NT ACLs as well as NTFS ACLs, and enable access-based enumeration for the share.
 
Joined
Sep 15, 2015
Messages
5
Samba with NFSv4 ACLs should support the same permissions and inheritance configurations that are possible on a Windows server. You can disable inheritance for ACEs.

In practice, I avoid setting permissions the way that you are trying to do it. These sorts of irregular permissions are often difficult to document and maintain.

Instead, wherever possible I try to define permissions at a share level. If there is a set of confidential documents to which only members of Group A should have access, I create a new dataset and share. If I'm feeling particularly paranoid, I'll set NT ACLs as well as NTFS ACLs, and enable access-based enumeration for the share.
Sorry, it's hard to show subsets and permissions without using brackets and parens.

What I started doing is creating a hidden share for the confidential data only accessible by the test2 authorized group. That seems to be the best way to do this, as something clearly doesn't want me to do more advanced config with the security lists. Which is fine, I just wish I knew that before spending the couple dozen or so hours trying to figure out what I was doing wrong.

Thanks for the help anodos.
 