Create a Share inside a Share with more Permissions

Marv21

Hello,
I migrated from Windows Server 2012R2. I read and watched many Tutorials about SMB sharing, but I am lost...

I have a User Folder "Pictures" which should be readable for every Local User (added in TrueNAS). The Folder Serien is inside a User Share:

[Marvin]\[D]\[Serien]
[Marvin] and his child Folders should only be accessible with the user {Marvin}
but the folder [Serien] should be readable and writeable with {Marvin} and readable by {xbcm}.

I can't get this to work.

Thanks in Advance

Nick2253

Maybe it's getting lost in translation, but I'm extremely confused by your folder tree. It's very weird to me that you'd have a folder *inside* a user folder that you would want accessible to everyone.

Usually, I'd expect a tree that looks like:
  • Main Share
    • User Folders
      • User 1
      • User 2
      • User 3
    • Public Folder (departments, etc)
      • Public 1
      • Public 2
Everyone would access via "Main Share" folder, and then permissions would get more restrictive as you go down. Instead, it sounds like you want:
  • Marvin
    • Random Folder 1
      • Serien
And then everyone should be able to access Serien.

I suppose, in theory, you should be able to do what you want to do, however Samba quirks may not make it easy to figure out. It's definitely a non-standard use case from my experience.
 

Marv21

Thank you for your reply.
Yep, I want
  • Marvin
    • Random Folder 1
      • Serien
My family and I back up our computers to this FreeNAS, each into their own folder, and within that by drive letter.

  • Main Share
    • Marvin
      • D:
      • E:
      • F:
    • Mum
      • D:
      • E:
So it's just a copy from the local Computer.

In the Case of my Father and me we have our Pictures within our "documents" Folder.

  • Marvin (share, with Permission just for Marvin)
    • D:
    • E:
    • F:
      • Documents
        • Pictures (share with Permission for every known User)
With Windows Server 2012R2 I just created a Share for the "Picture Folder" which everyone could access, but the whole Tree before wasn't accessible, because the share for "Marvin" was just accessible by me.


If I used your recommendation, it would mean:
A: I would need to copy the files twice. One time into the "private" Share and one time into the "public" share.
B: Completely destroy the structure that is on the local Computer to get the files into the different Folders.
 

Nick2253

Ok, that's an interesting way to go about what you're doing.

So, you're kind of doing two different things at once with your directory tree, and while it's not strictly "wrong", it's not how I'd recommend setting it up.

First off, you have your backup files. Your file tree for those makes sense, and is roughly what I do using my backup software. Then, you have shared files. Usually, those files "live" on the NAS; if I want to share them, their home is on the network.

It might look something like:
  • Main Share
    • Backups
      • Marvin
      • Mom
      • Dad
    • Public
      • Pictures
      • Documents
      • Files
Now, all files that you want to share are properly organized into the "Public" folder. They don't otherwise live on a particular computer.

If what you're trying to do is share a particular set of data (like a program configuration or game saves), you can also use the same system as suggested above. On Windows, you can "mount" a network location to a folder using a symbolic link (https://superuser.com/questions/244562/how-do-i-mount-a-network-drive-to-a-folder). This would allow you to share game saves, for example, across two different computers.

If you had a Windows Server, it would imply that you're using a domain? Is this the case? That could definitely help with user management, since you could just use the domain credentials to unify permissions across your network.

However, like I said, you should be able to do this with Samba. I'm guessing that you have some permission incorrect. Just to clarify, there are two sets of permissions: the "share" permissions (who can connect via Samba), and the file/folder permissions (who can access the actual files/folders). Usually, the share permissions are very permissive, and you restrict via the file/folder permissions.
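
Added example, not part of the thread and not TrueNAS or Samba code: a simplified Python model of the two permission layers described above, where access through a share is the intersection of the share ACL and the filesystem ACL. The dataset paths under /mnt/tank, the ACL entries and the function names are assumptions; deny entries and traverse rights are left out.

```python
from pathlib import PurePosixPath

# Constructed layout modelled on the thread; paths and ACL entries are assumptions.
SHARES = {
    "Marvin": {"path": "/mnt/tank/Marvin", "acl": {"Marvin": {"r", "w"}}},
    "Serien": {"path": "/mnt/tank/Marvin/D/Serien",
               "acl": {"Marvin": {"r", "w"}, "xbcm": {"r"}}},
}
# Filesystem ACLs inherit downward; the nearest directory with an entry wins.
FS_RESTRICTIVE = {
    "/mnt/tank/Marvin": {"Marvin": {"r", "w"}},
    "/mnt/tank/Marvin/D/Serien": {"Marvin": {"r", "w"}, "xbcm": {"r"}},
}
FS_EVERYONE = {"/mnt/tank/Marvin": {"*": {"r", "w"}}}  # "*" stands for Everyone


def fs_rights(fs_acl, path, user):
    """Rights the filesystem layer alone gives `user` on `path`."""
    p = PurePosixPath(path)
    for directory in (p, *p.parents):
        entry = fs_acl.get(str(directory))
        if entry is not None:
            return entry.get(user, entry.get("*", set()))
    return set()


def effective(shares, fs_acl, user, path):
    """For each share exposing `path`: share ACL intersected with filesystem ACL."""
    p, result = PurePosixPath(path), {}
    for name, share in shares.items():
        root = PurePosixPath(share["path"])
        if p == root or root in p.parents:
            result[name] = share["acl"].get(user, set()) & fs_rights(fs_acl, path, user)
    return result


def only_share_acl_protects(shares, fs_acl, user, path):
    """True if every share withholds a right that the filesystem itself grants."""
    fs = fs_rights(fs_acl, path, user)
    via = effective(shares, fs_acl, user, path)
    return bool(fs) and all(fs - granted for granted in via.values())


if __name__ == "__main__":
    episode = "/mnt/tank/Marvin/D/Serien/ep1.mkv"
    private = "/mnt/tank/Marvin/D/private.txt"
    for label, fs in (("restrictive", FS_RESTRICTIVE), ("everyone", FS_EVERYONE)):
        print(label, effective(SHARES, fs, "xbcm", episode),
              only_share_acl_protects(SHARES, fs, "xbcm", private))
```

With either filesystem ACL the SMB result for xbcm is the same. The second function shows that with Everyone on the filesystem, the share ACL is the only layer keeping xbcm out of Marvin's other files.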
 

Marv21

Thank you for your Input.
Now, after I thought about it, I did in fact set the File/Folder Permission always to @Everyone access and restricted just the share permission.
No, I never used an AD in my Home.

In my training I got Server2012 to learn.
And I found it cool to run such enterprise software at home ;)
In the end it was more trouble than fun, because much software didn't want to run under a server operating system without expensive licenses...

In fact I never implemented the concept of files "living" on the NAS. The NAS was always just a 1:1 copy.

I have in the meantime found a solution to do it again just as wrong as before <:

I again allow full access for everyone via ACL to the file system.
Unfortunately, the setting for sharing ACL on FreeNAS is really bad. Instead of entering the name you always have to search for the SID :(

But also for this there is an easier way. I added my local user to the administrator group. Now I can log in remotely to FreeNAS with the Windows integrated computer management and simply manage the shares there.

Works really great. But the whole thing leaves a little taste that I'm doing something wrong :)

Except for possibly misconfiguring the share ACL, am I creating a security hole here?
 

Marv21

Just an addition:
With the web interface and the Share ACL, if you take "TRUENAS" as Domain (maybe the Name of your Instance?), you can use the Name of the user instead of the SID (it will automatically be filled in correctly).
 