FreeNAS Windows SMB Share - Everyone group - deny access by default?

FreeNasJoe

Dabbler
Joined
Nov 21, 2016
Messages
13
Brand new FreeNAS user here. I just built my box in late November 2016 and have been trying to learn FreeNAS and configure my box as time has permitted. I normally figure things out eventually from this forum or youtube or other web resources but I am currently stumped on a windows share problem that I cannot seem to figure out on my own. Here is my question...

Using the FreeNAS web interface, how does one configure a new Windows (SMB) Share that doesn't include the "everyone" group? If this isn't possible, then, using the FreeNAS web interface, how does one configure a new Windows (SMB) Share such that the default (initial) permissions on this share deny access for the "Everyone" group. Basically I am looking to end up with, by default, only the owner and the owning group having "Full control" and no access for any other users or groups. I can achieve this desired state for the owner and owning group but I cannot figure out how to prevent the "Everyone" group from being assigned to the share or limiting the access permissions of the "Everyone" group. I have tried to limit the permissions of the "Everyone" group on new shares by using the "File mask" field of the "SMB Settings" dialog but it seems that no matter what I set the "File mask" field to I always end up with the same result - i.e. "Everyone" having "Read & execute" and "Read" permissions by default.

Any guidance or help would be greatly appreciated.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> Using the FreeNAS web interface, how does one configure a new Windows (SMB) Share that doesn't include the "everyone" group?

You don't.

> If this isn't possible, then, using the FreeNAS web interface, how does one configure a new Windows (SMB) Share such that the default (initial) permissions on this share deny access for the "Everyone" group.

You don't.

> Basically I am looking to end up with, by default, only the owner and the owning group having "Full control" and no access for any other users or groups.

You don't.

> I can achieve this desired state for the owner and owning group but I cannot figure out how to prevent the "Everyone" group from being assigned to the share or limiting the access permissions of the "Everyone" group.

They're default permissions. They're not going to be perfect for everyone. The owner has to edit them to ensure they're as they need to be.
https://forums.freenas.org/index.php?resources/freenas-and-samba-smb-permissions-video.8/
 

FreeNasJoe

Dabbler
Joined
Nov 21, 2016
Messages
13
Thanks for the reply Eric. Your answers nail it pretty succinctly. I like that. I was afraid that your answers would be the case however. I was hoping that the default behavior of assigning the "Everyone" group to new SMB shares could be adjusted by a system administrator but I suppose that's not the case. Thanks for the link to the videos. I actually watched each of them before my initial posting, and although they were helpful, I don't feel they answered my questions. I do notice that at around 4:01 in the second video the author implemented what I was trying to achieve by default - i.e. he manually removed the "Everyone" group through the Windows interface. I had figured out how to do that but really wanted a configuration that didn't require this two-step approach of allowing "Everyone" and then manually removing the "Everyone" group from Windows after the share is created. My preference would be to have the default configuration only apply the user and group that is specified at the time the share is created in the FreeNAS web GUI. If the desired end state of a particular share is that "Everyone" have read access then that could be done as part of a second step in share creation through the Windows interface. Even better might be if an "Allow read & execute by Everyone" check box could be added to the "Add Windows (SMB) Share" dialog box of the FreeNAS GUI - similar to the "Allow Guest Access" checkbox that is already there. This way the creator of a Windows (SMB) Share has the option to include "Everyone" or not at the time the share is initially created.

I sort of thought that that's what the purpose of the "Apply Default Permissions" checkbox was for but I guess not. It isn't clear to me what this particular checkbox does do. Its tool tip reads "Recursively set sane default windows permissions on share." but after playing around with checking it and not checking it on a couple of newly sequentially created shares, it isn't apparent to me what is different between a share that was created with this checkbox checked and one created without this checkbox checked – in my experiment each folder had the exact same users, groups, and permission settings on the newly created shares.

What does the "Apply Default Permissions" checkbox on the "Add Windows (SMB) Share" dialog do?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> What does the "Apply Default Permissions" checkbox on the "Add Windows (SMB) Share" dialog do?

Exactly what it says. It sets the share's permissions to sane defaults. These are the ones you're familiar with.

This would make an interesting feature request for FreeNAS 10, so I'd suggest you file one.
 

FreeNasJoe

Dabbler
Joined
Nov 21, 2016
Messages
13
Done. Feature #19959 requests that consideration be given to implementing (in FreeNAS 10) an option to include (or not) the "Everyone" group with "Read & execute" permissions on newly created SMB shares.
 

yggdras1l

Dabbler
Joined
Mar 1, 2017
Messages
12
FreeNasJoe, were you ever able to disable the Everyone group from having read/execute permissions?
 

FreeNasJoe

Dabbler
Joined
Nov 21, 2016
Messages
13
> FreeNasJoe, were you ever able to disable the Everyone group from having read/execute permissions?

No, not when creating a share. Yes, by doing so through the windows explorer "security" tab of a folder's "properties" dialog box.
 

appliance

Explorer
Joined
Nov 6, 2019
Messages
96
I'm on 11.3beta1 and can't get rid of Everyone. Tried every possible setting, file masks, passthrough/restricted, nfs4:mode, inherit permissions, vfs objects, and successfully set permissions from UI and Windows... and my inheriting permissions via getfacl look good until i copy a file via samba, and then Everyone is attached.
 

appliance

Explorer
Joined
Nov 6, 2019
Messages
96

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> true, i watch this thread of all threads! ;) also in my case only some windows tools could give read permissions to Everyone and the currently available fixes didn't work.

This means you're probably not testing correctly. You need to [1] set aclmode=restricted on the dataset [2] disable the ixnas behavior in question [3] restart samba.
 

appliance

Explorer
Joined
Nov 6, 2019
Messages
96
> This means you're probably not testing correctly. You need to [1] set aclmode=restricted on the dataset [2] disable the ixnas behavior in question [3] restart samba.

yes i do, and i am getting Everyone read permission, like i said, for touch command. So i wonder what this cygwin tool can do and if some other tools can do the same magic!
whereis touch
touch: /usr/bin/touch.exe /cygdrive/c/Windows/touch /usr/share/man/man1/touch.1.gz
actually [1],[2],[3] help inheritance. can't wait for beta2 to have ixnas included.

this is a nice command to set mode for more datasets:
zfs set aclmode=passthrough $(zfs list -o name | grep [Parent]Dataset)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> yes i do, and i am getting Everyone read permission, like i said, for touch command. So i wonder what this cygwin tool can do and if some other tools can do the same magic!
> whereis touch
> touch: /usr/bin/touch.exe /cygdrive/c/Windows/touch /usr/share/man/man1/touch.1.gz
> actually [1],[2],[3] help inheritance. can't wait for beta2 to have ixnas included.
>
> this is a nice command to set mode for more datasets:
> zfs set aclmode=passthrough $(zfs list -o name | grep [Parent]Dataset)

Are you using cygwin for this testing? This may impact the resulting ACL. The owner can always overwrite the ACL on a file. You can use sharesec CLI utility to alter the ACL for S-1-1-0 to switch to "modify". This will prevent owner from being able to edit the ACL.
 

appliance

Explorer
Joined
Nov 6, 2019
Messages
96
> Are you using cygwin for this testing? This may impact the resulting ACL. The owner can always overwrite the ACL on a file. You can use sharesec CLI utility to alter the ACL for S-1-1-0 to switch to "modify". This will prevent owner from being able to edit the ACL.

yes i was just using touch to create test files. Sharesec helps (can't find out how to restart samba without UI, only -R works):
sharesec share -m S-1-1-0:ALLOWED/0x0/CHANGE; rm /var/db/system/samba4/winbindd_cache.tdb; net cache flush; service samba_server restart; service -R; sharesec share -v

REVISION:1 CONTROL:SR|DP OWNER: GROUP: ACL:S-1-1-0:ALLOWED/0x0/CHANGE

touch 1
getfacl 1
other ---
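
A way to repeat the `touch` / `getfacl` check from this thread across many files, as an added example that is not part of any poster's message: the function reads `getfacl` output on stdin and lists every file whose ACL still grants Everyone data access. It assumes the FreeBSD NFSv4 layout (`everyone@:perms:flags:allow`) or the POSIX layout (`other::rwx`); the function names, paths and sample ACLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files whose ACL still grants Everyone data access.
# Reads getfacl output on stdin, prints "path<TAB>entry" for each hit.
everyone_grants() {
    awk '
        /^# file: / { file = substr($0, 9); next }   # remember current path
        {
            line = $0
            gsub(/[ \t]/, "", line)                  # NFSv4 entries are indented
            n = split(line, f, ":")
            # NFSv4: only "allow" entries with read/write/execute/append/delete
            # bits count; a/R/c/s alone is metadata access and is not flagged.
            if (f[1] == "everyone@" && f[n] == "allow" && f[2] ~ /[rwxpdD]/)
                printf "%s\t%s\n", file, line
            # POSIX: other::r-x (some cygwin releases print other:r-x)
            else if (f[1] == "other" && f[n] ~ /[rwx]/)
                printf "%s\t%s\n", file, line
        }
    '
}

# Constructed sample: one file with the default Everyone read entry, one with
# metadata-only access, and one POSIX-style listing with no access for other.
sample_acls() {
    cat <<'EOF'
# file: /mnt/tank/share/old.txt
# owner: joe
# group: staff
            owner@:rwxpDdaARWcCos:-------:allow
            group@:rwxpDdaARWcCos:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
# file: /mnt/tank/share/new.txt
# owner: joe
# group: staff
            owner@:rwxpDdaARWcCos:-------:allow
         everyone@:------a-R-c--s:-------:allow
# file: 1
# owner: joe
# group: staff
user::rw-
group::rw-
other::---
EOF
}

sample_acls | everyone_grants
```

On a live system the input would come from something like `find <share path> -exec getfacl {} +`; an empty result means no file under that path grants Everyone read, write or execute.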
 