I am trying to set up user folder redirections under SBS 2011 to a FreeNAS box. Fundamental to this is the use of 'creator owner' (which I will abbreviate to C/O) permissions, to correctly create directories only accessible to the specific user and defined others (e.g. domain admins).
The root folder has the following permissions (as per numerous MS documents):
Domain Admins - full, this folder & sub folders
Domain users - read, execute, traverse, create folder (THIS FOLDER ONLY)
Creator Owner - full, this folder and sub folders.
What should happen is that a folder is created as each user, they are the owner of that folder and so (under Windows) are granted full rights to that folder as per the C/O permissions. This is done by creating an EXPLICIT ACE for that user.
Under Samba/FreeNAS this does not happen: the C/O full permission is propagated to the subfolder but the user DOES NOT have any access.
I think the most succinct explanation of C/O under Windows is here:
http://networkadminkb.com/KB/a80/creator-owner-explained.aspx
How “Creator Owner” works
The “Creator Owner” group is unique because when applied to a folder the following permission changes happen.
1) The Owner (creator) of the object is “semi-statically” assigned the same permissions as the original “Creator Owner” group. These permissions are “semi-static” because if you remove the “Creator Owner” group the permissions for the user are removed as well.
2) If the owner of an object changes, the permissions on the object do not change to the new owner.
3) If the object created is a Folder, the “Creator Owner” group is re-applied to the newly created folder, along with the permission listed in Item 1.
There is a long discussion in the Samba bug thread here:
https://bugzilla.samba.org/show_bug.cgi?id=9467#
and I think they have made it complicated by assuming that the C/O right is somehow dynamic. It isn't; it is a 'hint' to create a static ACE (point 1 above) when the folder is created. The only complication is that the ACE needs to be removed if the C/O ACE entry is removed.
I have attached a PDF showing various tests against a FreeNAS box and a Windows SBS 2011 box. FreeNAS is the current version (FreeNAS-9.2.1.6-RELEASE-x64 (ddd1e39)).
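As an added illustration (not part of the original post, and not Samba or FreeNAS code), the following simplified Python model follows the post's description of Creator Owner as a creation-time hint and contrasts it with the outcome reported on the FreeNAS share. The function names and the single `inherit` flag are assumptions of this sketch; real NTFS inheritance carries more flags than are modelled here.

```python
from dataclasses import dataclass

CREATOR_OWNER = "CREATOR OWNER"
FULL = frozenset({"read", "write", "execute", "delete", "change_permissions"})
READ_CREATE = frozenset({"read", "execute", "traverse", "create_folder"})

@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: frozenset
    inherit: bool  # True = also applies to subfolders; False = this folder only

# Root folder ACL exactly as listed in the post.
ROOT_ACL = (
    Ace("Domain Admins", FULL, inherit=True),
    Ace("Domain Users", READ_CREATE, inherit=False),
    Ace(CREATOR_OWNER, FULL, inherit=True),
)

def create_folder_expected(parent_acl, creator):
    """New folder's (owner, ACL) under the Windows behaviour the post describes."""
    acl = []
    for ace in parent_acl:
        if not ace.inherit:
            continue  # "this folder only" entries stop at the parent
        if ace.trustee == CREATOR_OWNER:
            # Point 1: the creator gets a static ACE with the C/O rights.
            acl.append(Ace(creator, ace.rights, inherit=False))
        # Point 3: inheritable entries, C/O included, are re-applied to the new folder.
        acl.append(ace)
    return creator, tuple(acl)

def create_folder_reported(parent_acl, creator):
    """Outcome reported on the FreeNAS share: C/O propagated, no ACE for the creator."""
    return creator, tuple(ace for ace in parent_acl if ace.inherit)

def effective_rights(acl, user, groups=()):
    """Union of rights from ACEs naming the user or one of their groups.
    CREATOR OWNER is a creation-time hint here and never matches a user."""
    names = {user, *groups} - {CREATOR_OWNER}
    rights = set()
    for ace in acl:
        if ace.trustee in names:
            rights |= ace.rights
    return frozenset(rights)

def owner_locked_out(owner, acl, groups=()):
    """True when the folder's owner gets no rights from its ACL (the reported symptom)."""
    return not effective_rights(acl, owner, groups)
```

Running `owner_locked_out` over the ACLs of existing redirected folders, fed from whatever ACL dump is available, is one way to find folders created before the behaviour was corrected.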