OK, making the test as clean as possible this time.
1. Setup group "secret"
2. User "ivan" has primary group "secret" and no other groups
3. Data set owner(user) = "ivan", owner(group) = "secret"
4. getfacl. How come "everyone" appears again after I adjusted the permissions?
Code:
root@HOME-NAS:~ # getfacl /mnt/main-4TB-mirror/IDATTLC/
# file: /mnt/main-4TB-mirror/IDATTLC/
# owner: ivan
# group: secret
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
5. samba.conf [global] and [IDATTLC] shares
Code:
# [global] section of smb.conf as pasted (standalone FreeNAS server).
# Comments sit on their own lines: smb.conf does not support trailing
# inline comments after a parameter value.
[global]
# Caps the negotiated dialect at SMB2 (the smbstatus output in this post
# shows SMB2_10). SMB3 is never offered, so SMB transport encryption is
# unavailable -- smbstatus reports Encryption "-" and only partial signing.
server max protocol = SMB2
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 469568
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
# Non-existent usernames are mapped to the guest account "nobody"; a known
# user with a wrong password is still rejected. The share below sets
# "guest ok = no", so guest sessions cannot reach it.
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
# Disables NTLMv1 authentication; only NTLMv2 responses are accepted.
ntlm auth = no
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
# Extended-attribute support needed by the streams_xattr / zfsacl VFS
# modules loaded on the share.
ea support = yes
store dos attributes = yes
lm announce = yes
# Skips the execute-permission check on "open for execution" requests
# (pre-Samba-4.0 behaviour): clients can run files they lack x rights on.
acl allow execute always = true
# Lets any user with write access to a file change its permissions/ACL,
# not only the owner -- relevant when tracing who altered an ACL.
dos filemode = yes
multicast dns register = yes
domain logons = no
local master = no
# Local tdb idmap for all SIDs; the range is the pool for allocated IDs.
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
# Standalone server authenticating against the local password database.
server role = standalone
netbios name = HOME-NAS
workgroup = WORKGROUP
security = user
pid directory = /var/run/samba
# Mode-bit masks for new files/dirs: 0666 / 0777 permit read and write for
# group and others at the POSIX mode level. With vfs zfsacl the inherited
# NFSv4 ACL (the "fd" flags in the getfacl output above, including the
# everyone@ entry) presumably also applies to new entries -- confirm which
# of the two is what Windows renders as "Everyone".
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1
# Share for the dataset whose ACL is shown in the getfacl output above.
[IDATTLC]
# The dataset is owned by ivan:secret ("# owner:" / "# group:" lines above).
# ivan's edits are granted by the owner@ ACE (rwxp...:allow), so the
# everyone@ r-x entry is not what gives him write access.
path = "/mnt/main-4TB-mirror/IDATTLC"
printable = no
# Hide ZFS and OS metadata directories from clients.
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
# zfsacl exposes the NFSv4 ACL as the Windows security descriptor;
# streams_xattr keeps alternate data streams in extended attributes.
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
# No anonymous access here even though "map to guest" is enabled globally.
guest ok = no
# vfs_zfsacl tuning: keep owner@/group@/everyone@ as special entries, merge
# duplicate ACEs, permit ownership changes over SMB. The everyone@ ACE in
# the ACL above carries inherit flags (fd), so it is presumably re-applied
# to every new child -- a likely reason "Everyone" keeps reappearing; confirm.
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
6. Browse into the IDATTLC folder:
Code:
root@HOME-NAS:~ # smbstatus
Samba version 4.6.4-GIT-3909b46
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
55657 ivan secret 192.168.33.90 (ipv4:192.168.33.90:59151) SMB2_10 - partial(HMAC-SHA256)
Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IDATTLC 55657 192.168.33.90 Fri Jun 23 15:24:56 2017 CDT - -
Locked files:
Pid Uid DenyMode Access R/W Oplock SharePath Name Time
--------------------------------------------------------------------------------------------------
55657 1001 DENY_NONE 0x100081 RDONLY NONE /mnt/main-4TB-mirror/IDATTLC . Fri Jun 23 15:33:02 2017
55657 1001 DENY_NONE 0x100081 RDONLY NONE /mnt/main-4TB-mirror/IDATTLC . Fri Jun 23 15:42:07 2017
7. Windows Security properties: now it can't look up the group for some reason.
View attachment 19095
Any ideas why it still lets me browse/edit? And why does it keep setting the "Everyone" permission? Also, that permission is only "Read", yet it still allows editing.