Delete the Everyone share Permission SMB

Status
Not open for further replies.

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
Hello, I installed FreeNAS ver. 11. I have a problem with share permissions in SMB. I am trying to remove the group Everyone from the share permissions on a folder. When I remove the inheritable permission for the Everyone group in the parent folder, the group "everyone" disappears. But if I create a new subfolder in FreeNAS, the folder gets the Everyone group permission. Can someone explain why it's not working, and tell me what I should do, step by step, to remove the Everyone permission?

I only know that it will work only when I change something in the POSIX ACLs (or maybe smb4.conf) on the server.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Hello, I installed FreeNAS ver. 11. I have a problem with share permissions in SMB. I am trying to remove the group Everyone from the share permissions on a folder. When I remove the inheritable permission for the Everyone group in the parent folder, the group "everyone" disappears. But if I create a new subfolder in FreeNAS, the folder gets the Everyone group permission. Can someone explain why it's not working, and tell me what I should do, step by step, to remove the Everyone permission?

I only know that it will work only when I change something in the POSIX ACLs (or maybe smb4.conf) on the server.

Post the following:
- contents of /usr/local/etc/smb4.conf
- getfacl output for the root of your share getfacl /mnt/Tank/Share
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
I'm not OP but I was about to ask the same question. I see group/user on Windows side properly just like I set it in FreeNAS, but Everyone is also there.

Sorry for screenshots, not sure how to copy from terminal :(

SMB_global.JPG


SMB_share.JPG


SMB_Share_conf.JPG
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
Sorry for screenshots, not sure how to copy from terminal
From an SSH terminal, you use your left mouse button to hold and drag (highlighting the text), then release.
Go back to your browser window and find the "code" icon and click it and it will place the tags in the window,
then just right click your mouse and select paste from the drop down (this assumes you're using Windows).
You can play with this until you get the hang of it, just click on the "More Options" button and click Preview
to see how it will look before you post it. ;)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I'm not OP but I was about to ask the same question. I see group/user on Windows side properly just like I set it in FreeNAS, but Everyone is also there.

Well, your server is showing the default ACL on your samba share, which includes everyone@:read_set:allow. Any new files / folders you create directly under the share will inherit this ACE. Post output of zfs get aclmode main-4TB-mirror/IDATTLC
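
Added example (not part of the original post): a small sh/awk filter that reads `getfacl` output in the NFSv4 format used on this page and reports every `everyone@` allow ACE, noting whether it carries the `f`/`d` inherit flags that pass it on to new children. The sample input and the function name `find_everyone_aces` are constructed for illustration.

```sh
#!/bin/sh
# ACE layout in FreeBSD getfacl output: who:permissions:flags:type
# Flags 'f' (file_inherit) and 'd' (dir_inherit) make new children inherit it.

# Reads getfacl output on stdin; prints "<path> <perms> inherits=<yes|no>"
# for each everyone@ allow entry.
find_everyone_aces() {
    awk '
        /^# file: / { path = substr($0, 9); next }   # remember current path
        /^#/ || NF == 0 { next }                     # skip owner/group/blank
        {
            gsub(/[ \t]/, "")                        # entries are indented
            n = split($0, ace, ":")
            if (n != 4) next                         # user:/group: ACEs have 5 fields
            if (ace[1] == "everyone@" && ace[4] == "allow") {
                inh = (ace[3] ~ /[fd]/) ? "yes" : "no"
                print path, ace[2], "inherits=" inh
            }
        }'
}

# Constructed sample in the same format as the getfacl output in this thread.
SAMPLE='# file: /mnt/A
# owner: jkowalski
# group: jkowalski
            owner@:rwxpDdaARWcCo-:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow

# file: /mnt/A/foo
# owner: jkowalski
# group: jkowalski
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow

# file: /mnt/A/foo/file.txt
# owner: jkowalski
# group: jkowalski
            owner@:rw-p--aARWcCos:-------:allow
         everyone@:r-----a-R-c---:-------:allow'

printf '%s\n' "$SAMPLE" | find_everyone_aces
```

On a live system the same function can be fed real output, for example `getfacl /mnt/A /mnt/A/foo | find_everyone_aces`.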
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
Just posted another topic on this: https://forums.freenas.org/index.php?threads/how-is-it-possible-that-win10-sees-those-files.55634/

I deleted this "Everyone" from list using Windows client and it doesn't show on FreeNAS anymore. Yet I can browse/modify..


Code:
root@HOME-NAS:~ # zfs get aclmode main-4TB-mirror/IDATTLC
NAME  PROPERTY  VALUE  SOURCE
main-4TB-mirror/IDATTLC  aclmode  restricted  local



Code:
root@HOME-NAS:~ # getfacl /mnt/main-4TB-mirror/IDATTLC/
# file: /mnt/main-4TB-mirror/IDATTLC/
# owner: nobody
# group: ditat
  group@:rwxpDdaARWcCo-:fd-----:allow
  owner@:rwxpDdaARWcCo-:fd-----:allow
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Just posted another topic on this: https://forums.freenas.org/index.php?threads/how-is-it-possible-that-win10-sees-those-files.55634/

I deleted this "Everyone" from list using Windows client and it doesn't show on FreeNAS anymore. Yet I can browse/modify..


Code:
root@HOME-NAS:~ # zfs get aclmode main-4TB-mirror/IDATTLC
NAME  PROPERTY  VALUE  SOURCE
main-4TB-mirror/IDATTLC  aclmode  restricted  local



Code:
root@HOME-NAS:~ # getfacl /mnt/main-4TB-mirror/IDATTLC/
# file: /mnt/main-4TB-mirror/IDATTLC/
# owner: nobody
# group: ditat
  group@:rwxpDdaARWcCo-:fd-----:allow
  owner@:rwxpDdaARWcCo-:fd-----:allow

Post output of smbstatus while browsing.
 

katit

Contributor
Joined
Jun 16, 2015
Messages
162
I did in other thread, let's move to single thread. Sorry for the mess :)
 

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
Code:

  GNU nano 2.7.0			File: /usr/local/etc/smb4.conf			Modified
[global]
	server max protocol = SMB3
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 125372
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = jkowalski1
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = no
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	time server = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	local master = yes
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = standalone
	netbios name = FREENAS
	workgroup = WORKGROUP
	security = user
	pid directory = /var/run/samba
	create mask = 0660
	directory mask = 0770
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1
[test]
	path = "/mnt/A"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	vfs objects = zfsacl acl_xattr posix_eadb streams_xattr aio_pthread
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare




Code:

root@freenas:/ # getfacl /mnt/A
# file: /mnt/A
# owner: jkowalski
# group: jkowalski
			group@:rwxpDdaARWcCo-:fd-----:allow
			owner@:rwxpDdaARWcCo-:fd-----:allow
 

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
There is no group Everyone in /mnt/A because I deleted it from Windows Explorer. But when I create a new subfolder, the folder gets permission for the Everyone group.
 

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
And this is the post with smbstatus while browsing
Code:
root@freenas:/ # smbstatus

Samba version 4.6.4-GIT-3909b46
PID	 Username	 Group		Machine								   Protocol Version  Encryption		   Signing
----------------------------------------------------------------------------------------------------------------------------------------
5610	jkowalski	jkowalski	192.168.30.1 (ipv4:192.168.30.1:56103)	SMB3_02		   -					partial(AES-128-CMAC)
5852	jkowalski1   jkowalski1   192.168.30.1 (ipv4:192.168.30.1:56164)	SMB3_02		   -					-
5898	jkowalski1   jkowalski1   mateusz (ipv4:192.168.30.1:56167)		 NT1			   -					-
5852	jkowalski	jkowalski	192.168.30.1 (ipv4:192.168.30.1:56164)	SMB3_02		   -					partial(AES-128-CMAC)

Service	  pid	 Machine	   Connected at					 Encryption   Signing
---------------------------------------------------------------------------------------------
test		 5852	192.168.30.1  Sat Jun 24 12:01:54 2017 CEST	-			-
IPC$		 5852	192.168.30.1  Sat Jun 24 12:03:33 2017 CEST	-			-
IPC$		 5852	192.168.30.1  Sat Jun 24 12:01:53 2017 CEST	-			-
IPC$		 5898	mateusz	   Sat Jun 24 12:03:34 2017 CEST	-			-
IPC$		 5610	192.168.30.1  Sat Jun 24 11:58:08 2017 CEST	-			-

Locked files:
Pid		  Uid		DenyMode   Access	  R/W		Oplock		   SharePath   Name   Time
--------------------------------------------------------------------------------------------------
5852		 1001	   DENY_NONE  0x100081	RDONLY	 NONE			 /mnt/A   .   Sat Jun 24 12:01:54 2017
5852		 1001	   DENY_NONE  0x100081	RDONLY	 NONE			 /mnt/A   .   Sat Jun 24 12:01:54 2017

 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
This is being way over-thought, and is a situation where doing this for currently established shares via CLI is more time consuming than doing so directly on the client PC
  • Provided the share has a relatively small number of files, i.e. <1k, else recursively changing permissions to 0660 [files] / 0770 [directories] in CLI would likely be more efficient.
  1. If Windows, go to the root of the server via \\<FreeNAS Hostname>
  2. Right click on the share which needs Everyone removed, select: Properties -> Security -> Advanced
  3. Highlight Everyone -> Remove
  4. Tick the box to "Replace all child..."
  5. OK
For new shares, the permissions for the root directory or dataset need to be 0 for others (for example, 0770 for directories).
 


anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Code:

  GNU nano 2.7.0			File: /usr/local/etc/smb4.conf			Modified
[global]
	server max protocol = SMB3
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 125372
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = jkowalski1
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = no
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	time server = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	local master = yes
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = standalone
	netbios name = FREENAS
	workgroup = WORKGROUP
	security = user
	pid directory = /var/run/samba
	create mask = 0660
	directory mask = 0770
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1
[test]
	path = "/mnt/A"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	vfs objects = zfsacl acl_xattr posix_eadb streams_xattr aio_pthread
	hide dot files = yes
	guest ok = no
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare




Code:

root@freenas:/ # getfacl /mnt/A
# file: /mnt/A
# owner: jkowalski
# group: jkowalski
			group@:rwxpDdaARWcCo-:fd-----:allow
			owner@:rwxpDdaARWcCo-:fd-----:allow

Remove acl_xattr posix_eadb. vfs_acl_xattr is almost certain to cause problems. You shouldn't mix up multiple methods of storing ACLs on a Samba server. Choose either (1) ZFS ACLs or (2) XATTR-based ACLs. (1) is preferable.

While you're at it, post the output of the following command zfs get aclmode <pool>/<dataset>. This is assuming that you're sharing a dataset you created specifically for the share (which you should do).
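
Added example (not part of the original post): a sh/awk check that reads an smb4.conf and reports any share whose `vfs objects` line loads more than one ACL-storing module, which is the mix described above. The module list in `ACL_MODULES`, the function name `check_vfs_acl_mix`, and the `[clean]` share in the sample are assumptions made for illustration.

```sh
#!/bin/sh
# Assumed list of Samba VFS modules that each keep their own copy of the ACL.
ACL_MODULES="zfsacl acl_xattr acl_tdb"

# Reads smb4.conf on stdin; prints "<share>: <mod>,<mod>" for every section
# that loads two or more modules from ACL_MODULES.
check_vfs_acl_mix() {
    awk -v mods="$ACL_MODULES" '
        BEGIN { n = split(mods, m, " "); for (i = 1; i <= n; i++) acl[m[i]] = 1 }
        /^[ \t]*\[/ {                                # section header, e.g. [test]
            sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next
        }
        /^[ \t]*vfs objects[ \t]*=/ {
            line = $0; sub(/^[^=]*=/, "", line)      # keep only the value
            cnt = split(line, v, " "); hits = ""; k = 0
            for (i = 1; i <= cnt; i++)
                if (v[i] in acl) { hits = (hits == "" ? v[i] : hits "," v[i]); k++ }
            if (k > 1) print sec ": " hits
        }'
}

# Constructed sample: [test] copies the vfs objects line posted in this thread,
# [clean] is a made-up share that uses ZFS ACLs only.
SAMPLE_CONF='[global]
	server role = standalone
[test]
	path = "/mnt/A"
	vfs objects = zfsacl acl_xattr posix_eadb streams_xattr aio_pthread
[clean]
	path = "/mnt/B"
	vfs objects = zfsacl streams_xattr aio_pthread'

printf '%s\n' "$SAMPLE_CONF" | check_vfs_acl_mix
```

Against the real file this would be run as `check_vfs_acl_mix < /usr/local/etc/smb4.conf`.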
 

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
Code:
root@freenas:/ # zfs get aclmode /mnt/A
NAME  PROPERTY  VALUE		SOURCE
A	 aclmode   restricted   local
 

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
Remove acl_xattr posix_eadb. vfs_acl_xattr is almost certain to cause problems. You shouldn't mix up multiple methods of storing ACLs on a Samba server. Choose either (1) ZFS ACLs or (2) XATTR-based ACLs. (1) is preferable.

While you're at it, post the output of the following command zfs get aclmode <pool>/<dataset>. This is assuming that you're sharing a dataset you created specifically for the share (which you should do).
I removed 2 VFS Objects
 

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
When I create a new folder in Windows Explorer it's fine, but if I create a new dataset in FreeNAS I still get the same problem (everyone gets permission).
Code:

root@freenas:/ # getfacl mnt/A
# file: mnt/A
# owner: jkowalski
# group: jkowalski
			owner@:rwxpDdaARWcCo-:fd-----:allow
			group@:rwxpDdaARWcCo-:fd-----:allow

Code:
root@freenas:/ # getfacl /mnt/A/foo
# file: /mnt/A/foo
# owner: jkowalski
# group: jkowalski
			owner@:rwxpDdaARWcCos:fd-----:allow
			group@:rwxpDdaARWcCos:fd-----:allow
		 everyone@:r-x---a-R-c---:fd-----:allow

 

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
This is being way over-thought, and is a situation where doing this for currently established shares via CLI is more time consuming than doing so directly on the client PC
  • Provided the share has a relatively small number of files, i.e. <1k, else recursively changing permissions to 0660 [files] / 0770 [directories] in CLI would likely be more efficient.
  1. If Windows, go to the root of the server via \\<FreeNAS Hostname>
  2. Right click on the share which needs Everyone removed, select: Properties -> Security -> Advanced
  3. Highlight Everyone -> Remove
  4. Tick the box to "Replace all child..."
  5. OK
For new shares, the permissions for the root directory or dataset need to be 0 for others (for example, 0770 for directories).
I did it, but when I create a new dataset in storage it gets the Everyone permission.
 

matis111

Dabbler
Joined
Jun 23, 2017
Messages
14
Is it bugged? Is there another way to configure FreeNAS to remove the Everyone permission for a new dataset?
 