SOLVED Help - Permissions don't seem to be working as intended

Status
Not open for further replies.

ddrawer

Dabbler
Joined
May 6, 2016
Messages
12
Hello everyone,

TLDR: What is the proper way to set up two shares, one wide open, one with specified permissions to a Windows user? The ways I have tried aren't working.

After starting from scratch several times last night and working on this for hours, I got frustrated and had to create an account here hoping for help.

My goal is to have two simple windows shares on my home network. One share should be completely open to anyone on the LAN. I'm just storing movies in it so I want anyone to be able to connect and view whenever they need to without any hassle. I think I have accomplished that. My current configuration for that is: One volume (named "Volume") with the owner user as root, owner group as wheel, Unix permission type with RWE for owner and RE for Group and Other. In that volume I have a dataset (named "Dataset") with owner user as root, owner group as wheel, Unix permission type with RWE for owner, group, and other. I then created a CIFS share in that dataset called "Media" with Apply default permissions and Allow guest access checked. Doing this seems to give me a share on my network that I can access without credentials and create folders in.

The second share I want to be accessible only by my personal Windows PC, or with only my known credentials. If possible I'd like it only to be visible to me as well. The problem is I can't seem to get any access with any combination of permissions I try except the above listed permission.

I've tried creating a user which matches the credentials of my Windows workgroup user account. Created a dataset whose owner is that specified user. Created a Windows dataset with a CIFS share with default permission on it. As long as I add the specified user, I can see the share with guest access disabled. Whether or not I allow guest access, when I attempt to access it I am prompted for credentials, and nothing gives me access: [nasname]\root, [nasname]\specified workgroup user, [pcname]\root, [workgroup]\specified user, etc. And if I right click > Properties to change the permissions via Windows on that share, it says I only have read-only permissions.

What am I doing wrong?
 

ddrawer

Excellent! Thank you Mirfster, following that video from m0nkey_ did the trick. I think that my issue was that I was not mapping the share and connecting with different credentials. The only other thing I did differently was setting the user owner of the dataset as root or as my created user instead of nobody so that could also be the issue.

My only other question would be if there is a way to make the share invisible to everyone except the permitted user? Currently other users can see the share, but are prompted for credentials when trying to access it.

Edit: I found another issue. I want the same user (user1) to have access to two shares ("Backups" and "User1").
  1. I created a group ("Backups").
  2. Then created a user ("user1") with the primary group set to "Backups", no home directory, and added "Backups" to the auxiliary groups.
  3. I created a dataset ("Backups") with Owner user as nobody, and owner group as "Backups". Windows permission type.
  4. Finally I created a share ("Backups") in the "backups" dataset and applied default permissions.
I was able to log into the share using user1 and everything works great. On to the second share.
  1. I created a group ("User1Only").
  2. Added "User1Only" to the auxiliary groups in the "User1" user account.
  3. I created a dataset ("User1") with Owner user as nobody, and owner group as "User1Only". Windows permission type.
  4. Finally I created a share ("User1") in the "User1" dataset and applied default permissions.
I can log into the share using user1, but cannot create or modify files.

Any idea of why that is?

Edit 2: In case anyone else runs into the same thing I posted in edit 1, the issue is that the user (user1) had the primary group set to "backups". I followed m0nkey_'s advice and created a users group to set as the primary group for every user.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
> My only other question would be if there is a way to make the share invisible to everyone except the permitted user? Currently other users can see the share, but are prompted for credentials when trying to access it.

Are you talking about the entire share or certain folders within the share?

If you are talking about folders in the Share, simply map a drive to it (using appropriate credentials); Right-Mouse click on the folder and set desired permissions.

Here is a quick example:
[Screenshot: upload_2016-5-13_10-7-9.png]

For folder "ShouldNotSeeMe", I edited the permissions (from Windows) and simply removed everyone except for my Group ("ServerAdmins"). Now if any User connects to my share (called "Data") then they would only see one folder called "ShouldSeeMe".
 

Mirfster

I am talking about the entire share.
> Edit: I found another issue. I want the same user (user1) to have access to two shares ("Backups" and "User1").
>   1. I created a group ("Backups").
>   2. Then created a user ("user1") with the primary group set to "Backups", no home directory, and added "Backups" to the auxiliary groups.
>   3. I created a dataset ("Backups") with Owner user as nobody, and owner group as "Backups". Windows permission type.
>   4. Finally I created a share ("Backups") in the "backups" dataset and applied default permissions.
>
> I was able to log into the share using user1 and everything works great. On to the second share.
>   1. I created a group ("User1Only").
>   2. Added "User1Only" to the auxiliary groups in the "User1" user account.
>   3. I created a dataset ("User1") with Owner user as nobody, and owner group as "User1Only". Windows permission type.
>   4. Finally I created a share ("User1") in the "User1" dataset and applied default permissions.

I think you are overcomplicating things with wanting to create multiple shares. This will lead to a lot of "Administrative Overhead". Easiest way to do all of this is to make one share then connect to that share with admin rights. Within that make your folder(s) and set the rights on the folder(s).

For example, I have one CIFS Share called "Data"; here is what the rights within FreeNas (on the DataSet) look like:
[Screenshot: upload_2016-5-13_10-22-1.png]

If I wanted to have a folder called "Backups" that only members of the group "Backups" could see/access I would simply create a folder on "Data" called "Backups". Then from within Windows Explorer I would set the "Security" so that only "Backups" have rights (remove all other Users/Groups... Well I would leave my "ServerAdmins" group in there too...). Later if I hire someone new and want them to get access to "Backups" I would simply create the account in FreeNas and add them to the "Backups" Group. *** Just only give them "Modify" and not "Full"... Don't want them to be able to change permissions or take Ownership... ;)

So from simplistic point of view everyone knows to either browse or map to "\\%ServerName%\Data" and they only see/use what folders they have rights to. No complications like having to know to map to different Shares, etc. Makes this all a "one stop shop".
 

ddrawer

> I think you are overcomplicating things with wanting to create multiple shares. This will lead to a lot of "Administrative Overhead". Easiest way to do all of this is to make one share then connect to that share with admin rights. Within that make your folder(s) and set the rights on the folder(s).
>
> For example, I have one CIFS Share called "Data"; here is what the rights within FreeNas (on the DataSet) look like:
> [Attachment 11754]
>
> If I wanted to have a folder called "Backups" that only members of the group "Backups" could see/access I would simply create a folder on "Data" called "Backups". Then from within Windows Explorer I would set the "Security" so that only "Backups" have rights (remove all other Users/Groups... Well I would leave my "ServerAdmins" group in there too...). Later if I hire someone new and want them to get access to "Backups" I would simply create the account in FreeNas and add them to the "Backups" Group. *** Just only give them "Modify" and not "Full"... Don't want them to be able to change permissions or take Ownership... ;)
>
> So from simplistic point of view everyone knows to either browse or map to "\\%ServerName%\Data" and they only see/use what folders they have rights to. No complications like having to know to map to different Shares, etc. Makes this all a "one stop shop".

:eek: You know what, you are totally right. I don't know why my brain was stuck on having multiple shares. Thanks for bringing me back to earth. I'm glad we were able to figure it out both ways though haha, at least now I know.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> :eek: You know what, you are totally right. I don't know why my brain was stuck on having multiple shares. Thanks for bringing me back to earth. I'm glad we were able to figure it out both ways though haha, at least now I know.

Having everything on a single share has the added benefit of allowing samba to server-side-copy when you're moving around files.
 

Mirfster

> You know what, you are totally right. I don't know why my brain was stuck on having multiple shares. Thanks for bringing me back to earth. I'm glad we were able to figure it out both ways though haha, at least now I know.

Understood, been there and had those kinda days myself. :)

Just a side note, I personally never try to set explicit rights/permissions more than two levels deep (usually I would be hard pressed to even go that deep). Otherwise things get really confusing. I have seen Admins have rights all over the joint and when someone requests rights to a folder it becomes a scramble to "discover" where the rights were set to that folder 8 levels deep...
 

anodos

> Understood, been there and had those kinda days myself. :)
>
> Just a side note, I personally never try to set explicit rights/permissions more than two levels deep (usually I would be hard pressed to even go that deep). Otherwise things get really confusing. I have seen Admins have rights all over the joint and when someone requests rights to a folder it becomes a scramble to "discover" where the rights were set to that folder 8 levels deep...

Yeah, this is the reason why I prefer to create multiple shares and define permissions at the share root. When necessary, I use access-based enumeration to hide shares from unauthorized users.
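
The share-level settings discussed in this thread, written out as a Samba `smb.conf` sketch (an added example, not configuration posted by anyone in the thread). The dataset paths, the `user1` account and the group names on `valid users` are assumptions based on the names used above; on FreeNAS these options are normally set through the share's GUI fields or auxiliary parameters rather than by editing the file.

```ini
# Constructed example; paths and names are assumptions, not from a real system.

# Open share: anyone on the LAN can connect without credentials.
[Media]
path = /mnt/Volume/Dataset
guest ok = yes
read only = no

# Private share: guest access off, only user1 may connect.
[User1]
path = /mnt/Volume/User1
guest ok = no
valid users = user1
read only = no
# Hide the share from the browse list for users the share ACL denies.
# This evaluates share permissions (set with sharesec or the Windows
# share-permission dialog), not the file ACLs inside the share.
access based share enum = yes
# Blunter alternative: hide the share from every browse list; user1 then
# connects by typing \\nas\User1 explicitly.
; browseable = no

# Single-share layout: one share, per-folder ACLs set from Windows.
[Data]
path = /mnt/Volume/Data
guest ok = no
valid users = @ServerAdmins, @Backups
read only = no
# Do not list files and folders the connecting user cannot read.
hide unreadable = yes
```

Running `testparm -s` against the resulting file checks it for syntax errors and prints the effective share definitions.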
 

ddrawer

@Mirfster So if you are mapping the single share with Admin credentials what is to stop the users from changing the security permissions of the folder within the share?
 

Mirfster


ddrawer

I must be missing something. Do you allow guest access on the share? I can't open the share unless I put in the credentials of the dataset owner. If I use those credentials then I can make changes to the security.
 

anodos

> I must be missing something. Do you allow guest access on the share? I can't open the share unless I put in the credentials of the dataset owner. If I use those credentials then I can make changes to the security.

You shouldn't allow guest access to shares on which you plan to configure access controls. What I'd do to achieve what mirfster is talking about is:
1) leave the dataset owned by your "ServerAdmins" group
2) Navigate to \\freenas
3) right-click on your share, click properties, then 'security'. Modify the scope of the "everyone" access control entry so that it applies to "this folder only".
4) create sub-directories. Modify permissions according to procedure in (3) and add your other groups granting them "read, write, modify" permissions.
 

ddrawer

  1. Created group "ServerAdmins"
  2. Created Dataset "Users", Windows permissions
  3. Added group "ServerAdmins" to User1 auxiliary group
  4. Set permissions of "Users" dataset to owner user: nobody, owner group: ServerAdmins
  5. Created cifs share "Users" in the users dataset, default permissions
  6. Navigate to \\nas
  7. Modified "everyone" applies to: "This folder only"
  8. When I try to open the share \\nas\users, I am prompted for network credentials. What do I put in here?
 

anodos

>   1. Created group "ServerAdmins"
>   2. Created Dataset "Users", Windows permissions
>   3. Added group "ServerAdmins" to User1 auxiliary group
>   4. Set permissions of "Users" dataset to owner user: nobody, owner group: ServerAdmins
>   5. Created cifs share "Users" in the users dataset, default permissions
>   6. Navigate to \\nas
>   7. Modified "everyone" applies to: "This folder only"
>   8. When I try to open the share \\nas\users, I am prompted for network credentials. What do I put in here?

As the admin, you'd enter the admin credentials. Other users will use credentials you set up for them in the webgui.
 