SOLVED Help - Permissions don't seem to be working as intended

Status
Not open for further replies.

ddrawer

Dabbler
Joined
May 6, 2016
Messages
12
Okay, so I enter the User1 credentials and I am able to do everything I need. That's fine. Are you saying for the other users I create new users in the freenas webgui? If I create a new user ("User2") and add him to the "users" group rather than the "serveradmins" group, when I put in User2's credentials after trying to access \\nas\users I get an access denied error.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Okay, so can you kinda tell me what you envision?

Is it kind of like this?
  • "\\%ServerName%\%ShareName%"
    • Will use "\\FNServer\Data" as an example
    • A Single Share that everyone can get to without needing a PW
    • Users can only see or access those folder(s) you want them to
  • Other Folder(s) in that structure
    • Example: "\\FNServer\Data\Backups"
    • Only members of certain Groups; like "BackupOperators" and "ServerAdmins" should have access to
  • User Home Directories within that structure
    • Example: "\\FNServer\Data\Users\%UserName%" as an example
    • Only want the User to be able to see their "Home Directory" and not others
    • Should also allow Group "ServerAdmins" to have "Full Rights" there as well...
 

ddrawer

Dabbler
Joined
May 6, 2016
Messages
12
Mirfster said:
Okay, so can you kinda tell me what you envision?

Is it kind of like this?
  • "\\%ServerName%\%ShareName%"
    • Will use "\\FNServer\Data" as an example
    • A Single Share that everyone can get to without needing a PW
    • Users can only see or access those folder(s) you want them to
  • Other Folder(s) in that structure
    • Example: "\\FNServer\Data\Backups"
    • Only members of certain Groups; like "BackupOperators" and "ServerAdmins" should have access to
  • User Home Directories within that structure
    • Example: "\\FNServer\Data\Users\%UserName%" as an example
    • Only want the User to be able to see their "Home Directory" and not others
    • Should also allow Group "ServerAdmins" to have "Full Rights" there as well...

That's what I envision.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Okay, give me a few minutes and I will type up. Any particular Folder, User or Share names you have in mind?
 

ddrawer

Dabbler
Joined
May 6, 2016
Messages
12
Example names will be fine, hopefully I can at least figure that out... Sorry, I must be overlooking something while creating these shares because I can only get 1 user (the owner) to connect.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
K, this is how I would do it (might not be how everyone should...):
  1. Create Groups called "ServerAdmins", "ServerUsers" and "BackupOperators"
  2. Create yourself an "Admin" User Account
    • Example Name: SuperAdminDude
    • Create a new primary group for the user: UnChecked
    • Primary Group: ServerAdmins
    • Create Home Directory In: /nonexistent
    • Rest as desired or as default
  3. Create Account(s) to be added to Group ServerUsers
  4. Create a DataSet called "Data"
    • Apply Owner (user): Checked
    • Owner (user): root
    • Apply Owner (group): Checked
    • Owner (group): ServerAdmins
  5. Create a Windows (CIFS) Share
    • Path: Up to you to fill out
    • Use as home share: UnChecked
    • Name: Data
    • Apply Default Permissions: UnChecked
    • Export Read Only: UnChecked
    • Browsable to Network Clients: Checked
    • Export Recycle Bin: UnChecked
      • Really up to you though
    • Show Hidden Files: UnChecked
    • Allow Guest Access: Checked
      • This addresses the "A Single Share that everyone can get to without needing a PW" requirement
    • Only Allow Guest Access: UnChecked
    • The rest as defaults
End of this part - Will continue in another post
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Sanity Check to see if we can truly get to the share as a Guest; but not be able to do anything:

Check to ensure we don't have anything currently mapped to our Share
  1. Disconnect any mapped drives you may already have to the "\\%ServerName%\Data" Share
  2. Open a CMD Prompt as you; NOT with "Run as Administrator"
  3. Execute Command: Net Use
    • Should see "There are no entries in the list." or at least none to the FreeNas Server
    • If so we are good to test otherwise delete cached entries
      • Execute Command: Net Use /Delete \\%ServerName%\Data or Net Use /Delete * (this will delete all connections)

Check to ensure a Guest can't do anything except see the Share
  1. Now in [Run] or Windows Explorer type in \\%ServerName%\Data
    • Or just \\%ServerName% and double-click the "Data" folder
  2. Try to make a folder, file or copy something there...
    • Should get "Access Denied"
If all is well, then we are down to creating our Folders and Setting Rights
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Folder(s) Time!

*** Disclosure: I don't normally make my User folders this way; there are other files that automatically get added to a User's folder when it is created via the GUI. I am not sure what they pertain to and have not really read up on it (maybe someone will come by and slap me for this.. ;)). So, this will get you set up in a round-about way...
  1. Manually map a drive to \\%ServerName%\Data
    • Reconnect at login: UnChecked
    • Connect using different credentials: Checked
    • When prompted, authenticate with %ServerName%\SuperAdminDude
      • Or any account that you have which is a member of the Group ServerAdmins
  2. Create a Folder called "Users";
    • Right-Mouse Click on the Folder and Select "Properties"
    • "Users Properties" dialog will appear; Select [Security] Tab; then [Advanced] Button
    • "Advanced Security Settings for Users Properties" dialog will appear; Click [Change Permissions]
    • Select/Highlight "Everyone"; Click [Edit]
    • "Permission Entry for Users" dialog will appear; Configure Settings as:
      • Apply to: This folder only
      • Permissions: Only have the following Checked under the Allow column (normally already set)
        • Traverse Folder / Execute File
        • List Folder / Read Data
        • Read Attributes
        • Read Extended Attributes
        • Read Permissions
      • Click [OK]; "Advanced Security Settings for Users Properties" dialog will close
    • Back in "Advanced Security Settings for Users Properties" dialog; Select/Highlight "ServerAdmins"; Click [Edit]
    • "Permission Entry for Users" dialog will appear; Ensure Settings are Configured as (should already be, but just double checking):
      • Apply to: This folder, subfolder and files
      • Permissions: Should have everything Checked under the Allow column (normally already set)
      • Click [OK]; "Advanced Security Settings for Users Properties" dialog will close
    • Back in "Advanced Security Settings for Users Properties" dialog;
      • For any other accounts; Select/Highlight them and Click [Remove]
        • Yes, the SuperAdminDude account may be listed and you are safe to Remove it since it is a member of Group "ServerAdmins"
      • Should look like this:
      • [screenshot omitted: upload_2016-5-13_17-52-3.png]

      • Click [Apply]; Then [OK]; "Advanced Security Settings for Users Properties" dialog will close
      • Click [OK] for any remaining opened dialogs to close them
Now you have created the desired structure/permissions for the main Users folder. Next we will create the Home Directory for "UserA"...
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
So off we go to give "UserA" a Home Directory...

*** You should still be mapped to \\%ServerName%\Data with your SuperAdminDude account; if not do step #1 from the previous post...
  1. Under the "Users" Folder; create a new folder and call it "UserA"
  2. Right-Mouse Click on the Folder and Select "Properties"
    • Should notice that only the Group ServerAdmins has rights... That is the way we want it, so any folders we create at the root of "Users" are not natively accessible or visible to anyone else; until we let them /evil laugh....
  3. "UserA Properties" dialog will appear; Select [Security] Tab; then [Edit] Button
    • *** Not the [Advanced] button like in the last set of steps...
  4. "Permissions for UserA" dialog will appear; Select [Add]
  5. "Select Users or Groups" dialog will appear;
    • Make sure the "From this location" states your Server Name
      • It should; otherwise you will have to Click [Locations] and set it..
    • In the "Enter the object names to select (examples):" Input-box; Enter "UserA"; then Click [Check Names]
      • It should discover the correct name and change it to %ServerName%\UserA (as well as underline it)
      • Click [OK]; "Select Users or Groups" dialog will close
  6. Back in "Permissions for UserA" dialog;
    • Select/Highlight "UserA"; Tick/Check the Box for "Modify" under the "Allow" column
      • We only want the User to be able to Create/Delete/Modify stuff; but not be able to Set Rights
      • This allows the "ServerAdmins" to have the ability to always be able to get to their stuff and be the "Uber Leet Rulers"... ;)
    • Click [Apply]; Then [OK]; "Permissions for UserA" dialog will close
  7. Back in "UserA Properties" dialog; Click [OK]; dialog will close
Now you can test by disconnecting the mapped drive; then mapping it as "UserA". You will be able to access "Users\UserA" and do/create stuff there, but nowhere else.... yet...
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Okay, by now I would think that while it may appear confusing at first... the logic may start to seep in and it will get easier after you do it a few times...

So, I have to leave for dinner soon; but as far as the "Backups" folder and permissions I will let you try that out. But it is very similar to the "Users" folder except we should not have to set any rights for sub folders once the main "Backups" folder is created and permissions are properly configured.

Hint: I would only have:
  • "ServerAdmins" = "Full" Rights to This folder, subfolder and files
  • "BackupOperators" = "Modify" Rights to This folder, subfolder and files
/Might just be my "God" complex, but the only personnel that would need "Full" Rights to anything are the "ServerAdmins"...

Best of luck, I will try to check back in later on tonight.
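The layout built across the posts above (Everyone read on "Users" as "This folder only", ServerAdmins full and inherited, each owner getting Modify on their own home, BackupOperators getting Modify on "Backups") is easier to reason about when the inheritance is written down. The following is an added example, not part of the original thread and not FreeNAS or Samba code: a small Python model of an allow-only, NFSv4-style ACL with folder inheritance, using the thread's folder and group names. The principals (nobody, UserA, UserB, SuperAdminDude, backupbob), the permission-bit groupings, and the `everyone_inherits_on_users` flag that reproduces the mistake of leaving Everyone's entry inheritable are this example's own assumptions.

```python
"""Added example: model the thread's share ACL layout and replay its sanity checks."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Permission bits grouped the way the Windows security dialog presents them (assumed grouping)
READ   = frozenset({"list", "read_data", "read_attrs", "read_xattrs", "read_acl", "execute"})
WRITE  = frozenset({"add_file", "add_subdir", "write_data", "append",
                    "write_attrs", "write_xattrs", "delete_child"})
MODIFY = READ | WRITE | {"delete"}               # "Modify": change data, but not rights
FULL   = MODIFY | {"write_acl", "write_owner"}   # "Full control": may also rewrite the ACL
SET_ACL = frozenset({"write_acl"})


@dataclass(frozen=True)
class Ace:
    principal: str            # user name, group name or "everyone@" (Windows "Everyone")
    perms: FrozenSet[str]
    inherit: bool = True      # True: "This folder, subfolders and files"; False: "This folder only"


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str] = frozenset()

    def matches(self, who: str) -> bool:
        return who == "everyone@" or who == self.name or who in self.groups


class Tree:
    """Folders with explicit ACLs; a new folder receives the parent's inheritable entries."""

    def __init__(self) -> None:
        self.acl: Dict[str, List[Ace]] = {}

    def mkdir(self, path: str) -> None:
        parent = path.rsplit("/", 1)[0]
        self.acl[path] = [a for a in self.acl.get(parent, []) if a.inherit]

    def set_acl(self, path: str, aces: List[Ace]) -> None:
        self.acl[path] = list(aces)

    def granted(self, who: Principal, path: str) -> FrozenSet[str]:
        # Allow-only ACL: a principal gets the union of every matching allow entry
        bits: set = set()
        for ace in self.acl[path]:
            if who.matches(ace.principal):
                bits |= ace.perms
        return frozenset(bits)

    def can(self, who: Principal, path: str, needed: FrozenSet[str]) -> bool:
        return needed <= self.granted(who, path)


def build_layout(everyone_inherits_on_users: bool = False) -> Tree:
    """Rebuild the layout from the posts. The flag reproduces the failure mode of leaving
    Everyone's entry on "Users" set to inherit instead of "This folder only"."""
    t = Tree()
    # Dataset root: owner root, group ServerAdmins, plus the stock Everyone read entry
    t.set_acl("Data", [Ace("root", FULL), Ace("ServerAdmins", FULL), Ace("everyone@", READ)])
    t.mkdir("Data/Users")
    t.set_acl("Data/Users", [Ace("everyone@", READ, inherit=everyone_inherits_on_users),
                             Ace("ServerAdmins", FULL)])
    for user in ("UserA", "UserB"):
        home = f"Data/Users/{user}"
        t.mkdir(home)                            # inherits only what "Users" lets through
        t.acl[home].append(Ace(user, MODIFY))    # the owner gets Modify, not Full
    t.mkdir("Data/Backups")
    t.set_acl("Data/Backups", [Ace("ServerAdmins", FULL), Ace("BackupOperators", MODIFY)])
    t.mkdir("Data/Backups/2016-05")              # inherits both entries unchanged
    return t


# Constructed principals: the guest matches only everyone@, the others carry their groups
GUEST  = Principal("nobody")
USER_A = Principal("UserA", frozenset({"ServerUsers"}))
ADMIN  = Principal("SuperAdminDude", frozenset({"ServerAdmins"}))
BACKUP = Principal("backupbob", frozenset({"ServerUsers", "BackupOperators"}))


def access_report(t: Tree) -> Dict[str, bool]:
    """The checks the thread's sanity tests perform, as a name -> allowed map."""
    return {
        "guest lists Data":            t.can(GUEST,  "Data", READ),
        "guest creates in Data":       t.can(GUEST,  "Data", WRITE),
        "guest lists Users":           t.can(GUEST,  "Data/Users", READ),
        "guest lists UserA home":      t.can(GUEST,  "Data/Users/UserA", READ),
        "UserA writes own home":       t.can(USER_A, "Data/Users/UserA", WRITE),
        "UserA changes own ACL":       t.can(USER_A, "Data/Users/UserA", SET_ACL),
        "UserA lists UserB home":      t.can(USER_A, "Data/Users/UserB", READ),
        "UserA creates in Users":      t.can(USER_A, "Data/Users", WRITE),
        "backup op writes Backups":    t.can(BACKUP, "Data/Backups/2016-05", WRITE),
        "backup op writes UserA home": t.can(BACKUP, "Data/Users/UserA", WRITE),
        "admin changes UserA ACL":     t.can(ADMIN,  "Data/Users/UserA", SET_ACL),
    }


if __name__ == "__main__":
    for name, ok in access_report(build_layout()).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
    bad = access_report(build_layout(everyone_inherits_on_users=True))
    print("with Everyone inherited on Users, UserA sees UserB's home:", bad["UserA lists UserB home"])
```

The point the model makes explicit: the one setting that keeps home directories private is the "This folder only" scope on Everyone's entry under "Users". With that entry inheritable, every home created afterwards carries an Everyone read entry, and the guest (and every other user) can list it; the per-user Modify entry does nothing to prevent that. Giving owners Modify rather than Full control is what stops a user from adding entries back for themselves or others, which is why only ServerAdmins can change an ACL in the report.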
 

ddrawer

Dabbler
Joined
May 6, 2016
Messages
12
Awesome, just awesome. Thank you for going well beyond expectations to help me out. Everything is working exactly how I wanted it to now. Some of the takeaways:
  1. I wasn't allowing guest access to the cifs shares
  2. I was applying Default permissions to the cifs shares
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215

kavermeer

Explorer
Joined
Oct 10, 2012
Messages
59
I'm having trouble with finding the users on the server. When I look at the permissions on my Windows system, I get the owner and group that correspond to what was set for the share at the FreeNAS server, plus 'everybody'. But I cannot locate any other users from the FreeNAS box. The location is set correctly.
Mirfster said:
In the "Enter the object names to select (examples):" Input-box; Enter "UserA"; then Click [Check Names]
Note that even when I enter the name of the owner, Windows still claims it cannot find the user.

Do I need to enable some directory service? Note that my Windows system is part of an AD, but my FreeNAS box is not.

Thanks for any help!
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215

kavermeer

Explorer
Joined
Oct 10, 2012
Messages
59
Doesn't seem to solve anything, I get exactly the same error. Note that the server name is not the domain name, so I did not do 'domain\user', but rather 'hostname\user'.

When going to the advanced dialog box and trying to search for objects, it doesn't return anything for groups or users.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Try the IP instead. I am assuming that you do not have a DNS entry for your FreeNas Server (Can you resolve it just by hostname instead of IP address?) or are using DHCP for FreeNas?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Post the following enclosed in [ code ] tags:
  • contents of /usr/local/etc/smb4.conf
  • output of "net getlocalsid"
  • output of "net getdomainsid"
  • output of "net usersidlist"
  • output of "net groupmap list"
  • output of "pdbedit -L -v"
 

Wallybanger

Contributor
Joined
Apr 17, 2016
Messages
150
Code:
[global]
  server max protocol = SMB3
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 937730
  logging = file
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = nobody
  map to guest = Bad User
  obey pam restrictions = yes
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  nsupdate command = /usr/local/bin/samba-nsupdate -g
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  lm announce = yes
  hostname lookups = yes
  time server = yes
  acl allow execute always = true
  dos filemode = yes
  multicast dns register = yes
  domain logons = no
  local master = yes
  idmap config *: backend = tdb
  idmap config *: range = 90000001-100000000
  server role = standalone
  netbios name = NASSY
  workgroup = WORKGROUP
  security = user
  pid directory = /var/run/samba
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 1

[Movies]
  path = /mnt/DirtyData/Movies
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl aio_pthread streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare


[Shared]
  path = /mnt/DirtyData/Shared
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = yes
  vfs objects = zfs_space zfsacl aio_pthread streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare


[Stuff]
  path = /mnt/DirtyData/Stuff
  printable = no
  veto files = /.snapshot/.windows/.mac/.zfs/
  writeable = yes
  browseable = no
  vfs objects = zfs_space zfsacl aio_pthread streams_xattr
  hide dot files = yes
  guest ok = no
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = true
  zfsacl:acesort = dontcare


Code:
[root@Nassy] /usr/local/etc# net getlocalsid
SID for domain NASSY is: S-1-5-21-2865249077-746301568-3381525297

[root@Nassy] /usr/local/etc# net getdomainsid
SID for local machine NASSY is: S-1-5-21-2865249077-746301568-3381525297
Could not fetch domain SID

[root@Nassy] /usr/local/etc# net usersidlist
NASSY\root
 S-1-5-21-2865249077-746301568-3381525297-1000
 S-1-1-0
 S-1-5-2
 S-1-5-11
NASSY\guest
 S-1-5-21-2865249077-746301568-3381525297-1002
 S-1-1-0
 S-1-5-2
 S-1-5-11
 S-1-5-21-2865249077-746301568-3381525297-1001
NASSY\leaveittocleaver
 S-1-5-21-2865249077-746301568-3381525297-1004
 S-1-1-0
 S-1-5-2
 S-1-5-11
 S-1-5-21-2865249077-746301568-3381525297-1001
 S-1-5-21-2865249077-746301568-3381525297-1003
NASSY\primo
 S-1-5-21-2865249077-746301568-3381525297-3002
 S-1-1-0
 S-1-5-2
 S-1-5-11
 S-1-5-21-2865249077-746301568-3381525297-1001

[root@Nassy] /usr/local/etc# net groupmap list
BasicBitches (S-1-5-21-2865249077-746301568-3381525297-1003) -> BasicBitches
Users (S-1-5-21-2865249077-746301568-3381525297-1001) -> Users


Code:
[root@Nassy] /usr/local/etc# pdbedit -L -v
---------------
Unix username:  root
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-2865249077-746301568-3381525297-1000
Primary Group SID:  S-1-5-21-2865249077-746301568-3381525297-513
Full Name:  root
Home Directory:  \\nassy\root
HomeDir Drive:
Logon Script:
Profile Path:  \\nassy\root\profile
Domain:  NASSY
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Kickoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Password last set:  Mon, 22 Aug 2016 16:10:30 PDT
Password can change:  Mon, 22 Aug 2016 16:10:30 PDT
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  Guest
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-2865249077-746301568-3381525297-1002
Primary Group SID:  S-1-5-21-2865249077-746301568-3381525297-513
Full Name:  Guest
Home Directory:  \\nassy\guest
HomeDir Drive:
Logon Script:
Profile Path:  \\nassy\guest\profile
Domain:  NASSY
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Kickoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Password last set:  Tue, 13 Sep 2016 15:54:14 PDT
Password can change:  Tue, 13 Sep 2016 15:54:14 PDT
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  LeaveItToCleaver
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-2865249077-746301568-3381525297-1004
Primary Group SID:  S-1-5-21-2865249077-746301568-3381525297-513
Full Name:  Brenden Cleaver
Home Directory:  \\nassy\leaveittocleaver
HomeDir Drive:
Logon Script:
Profile Path:  \\nassy\leaveittocleaver\profile
Domain:  NASSY
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Kickoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Password last set:  Tue, 13 Sep 2016 16:26:50 PDT
Password can change:  Tue, 13 Sep 2016 16:26:50 PDT
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  Primo
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-2865249077-746301568-3381525297-3002
Primary Group SID:  S-1-5-21-2865249077-746301568-3381525297-513
Full Name:  Mike
Home Directory:  \\nassy\primo
HomeDir Drive:
Logon Script:
Profile Path:  \\nassy\primo\profile
Domain:  NASSY
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Kickoff time:  Sun, 04 Dec 219250468 07:30:07 PST
Password last set:  Tue, 13 Sep 2016 14:49:04 PDT
Password can change:  Tue, 13 Sep 2016 14:49:04 PDT
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
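The diagnostics anodos asked for answer two questions that matter for the access problems in this thread: which shares a guest can reach (given the global "map to guest" policy) and which local groups each Samba user actually belongs to by SID. The following is an added example, not part of the original thread and not Samba or FreeNAS tooling: a Python reader for smb4.conf, "net usersidlist" and "net groupmap list". The embedded text is a trimmed excerpt of the output posted above (constructed for this example); the defaults assumed when a setting is absent are Samba's documented ones, and the SMB1 remark applies to Samba releases before 4.11.

```python
"""Added example: summarise guest reachability and SID-based group membership from Samba diagnostics."""
import re
from typing import Dict, List

# Sample input, trimmed from the smb4.conf and net output in the post above (constructed excerpt)
SMB_CONF = """
[global]
  guest account = nobody
  map to guest = Bad User
  server max protocol = SMB3
  security = user

[Shared]
  path = /mnt/DirtyData/Shared
  writeable = yes
  browseable = yes
  guest ok = no

[Stuff]
  path = /mnt/DirtyData/Stuff
  writeable = yes
  browseable = no
  guest ok = no
"""

USERSIDLIST = r"""NASSY\guest
 S-1-5-21-2865249077-746301568-3381525297-1002
 S-1-1-0
 S-1-5-2
 S-1-5-11
 S-1-5-21-2865249077-746301568-3381525297-1001
NASSY\leaveittocleaver
 S-1-5-21-2865249077-746301568-3381525297-1004
 S-1-1-0
 S-1-5-2
 S-1-5-11
 S-1-5-21-2865249077-746301568-3381525297-1001
 S-1-5-21-2865249077-746301568-3381525297-1003
"""

GROUPMAP = """BasicBitches (S-1-5-21-2865249077-746301568-3381525297-1003) -> BasicBitches
Users (S-1-5-21-2865249077-746301568-3381525297-1001) -> Users
"""


def is_yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """[section] / key = value into a dict of dicts; keys lower-cased as Samba treats them."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def audit_shares(conf: Dict[str, Dict[str, str]]) -> dict:
    """Per-share guest/write/browse flags, applying Samba's defaults when a key is absent."""
    g = conf.get("global", {})
    shares = {name: {"guest_ok": is_yes(o.get("guest ok", "no")),
                     "writeable": is_yes(o.get("writeable", o.get("writable", "no"))),
                     "browseable": is_yes(o.get("browseable", "yes"))}
              for name, o in conf.items() if name != "global"}
    return {
        # "Bad User": a logon with an unknown username is mapped to the guest account, so a
        # share with guest ok = yes is open to anyone who can reach the server at all
        "map_to_guest": g.get("map to guest", "Never"),
        "guest_reachable": sorted(n for n, s in shares.items() if s["guest_ok"]),
        # no floor set: Samba releases before 4.11 then still accept SMB1
        "min_protocol_set": "server min protocol" in g,
        "shares": shares,
    }


def parse_usersidlist(text: str) -> Dict[str, List[str]]:
    """'DOMAIN\\user' header lines followed by indented SIDs -> user: [sids]."""
    users: Dict[str, List[str]] = {}
    current = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            users[current].append(line.strip())
        else:
            current = line.strip().rpartition("\\")[2]   # drop the NASSY\ prefix
            users[current] = []
    return users


def parse_groupmap(text: str) -> Dict[str, str]:
    """'Name (SID) -> unixgroup' lines into SID -> unix group name."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?) \((S-[\d-]+)\) -> (\S+)$", line.strip())
        if m:
            out[m.group(2)] = m.group(3)
    return out


def local_groups(users: Dict[str, List[str]], groupmap: Dict[str, str]) -> Dict[str, List[str]]:
    # The first SID is the user's own; keep only the rest that map to a local unix group
    return {u: [groupmap[s] for s in sids[1:] if s in groupmap] for u, sids in users.items()}


if __name__ == "__main__":
    print(audit_shares(parse_smb_conf(SMB_CONF)))
    print(local_groups(parse_usersidlist(USERSIDLIST), parse_groupmap(GROUPMAP)))
```

Two things this makes visible in the posted output: no share has "guest ok = yes", so "map to guest = Bad User" has nothing to expose here, but it would the moment a share is opened to guests; and the group memberships are only those SIDs that appear in "net groupmap list" (the guest account is in Users, leaveittocleaver is in Users and BasicBitches). A group that has no groupmap entry is never resolved for a user, which is the first thing to check when a Windows ACL editor cannot find a FreeNAS group by name.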

 