How to hide CIFS user folders from other users?

Status
Not open for further replies.

ChiknNutz

Patron
Joined
Nov 6, 2015
Messages
217
I am still trying to figure out the best way to do this, but here is what I have done so far and open to recommendations. Under my main volume I have created a dataset called "CIFS" and under that, another folder called "userset". Both are using Windows permissions. I then created user-specific folders directly on the Windows client for each user.

CIFS (owner: root, group: wheel)
userset (owner: "me", group: wheel)
userA
userB
etc
The issue is that when I go into the Security tab in Windows, there is an "Everyone" group or user (not sure which) that has Read & Execute, List Contents and Read permissions that are grayed out and unchangeable. What is the protocol to hide folders from users that don't have permission? I thought this would be really straightforward, but so far it doesn't seem to be.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

I'm a bit confused about what you're doing, but it sounds like you need to set permissions correctly rather than hide folders. Post the following enclosed in [ code ] tags:
  • /etc/local/smb4.conf
  • output of "zfs list"
  • output of "getfacl /mnt/<your pool>/CIFS", "getfacl /mnt/<your pool>/CIFS/userset", "getfacl /mnt/<your pool>/CIFS/userA", etc
  • output of "zfs get aclmode <your pool>/CIFS"
 

ChiknNutz

Patron
Joined
Nov 6, 2015
Messages
217
You are correct in that it is ultimately correct permissions that I am after. The "hidden" element will come as a result of that.

Code:
[root@AdcNAS] ~# /etc/local/smb4.conf
/etc/local/smb4.conf: Permission denied.
[root@AdcNAS] ~# zfs list
NAME                                                         USED  AVAIL  REFER                    MOUNTPOINT
Rivendell                                                   75.8G  10.4T   192K                    /mnt/Rivendell
Rivendell/.system                                           31.2M  10.4T   208K                    legacy
Rivendell/.system/configs-5ece5c906a8f4df886779fae5cade8a5   735K  10.4T   607K                    legacy
Rivendell/.system/cores                                     1.23M  10.4T  1.23M                    legacy
Rivendell/.system/rrd-5ece5c906a8f4df886779fae5cade8a5       192K  10.4T   192K                    legacy
Rivendell/.system/samba4                                    14.9M  10.4T  1023K                    legacy
Rivendell/.system/syslog-5ece5c906a8f4df886779fae5cade8a5   13.9M  10.4T  1.03M                    legacy
Rivendell/CIFS                                              12.1M  10.4T   192K                    /mnt/Rivendell/CIFS
Rivendell/CIFS/userset                                      11.9M  10.4T  10.4M                    /mnt/Rivendell/CIFS/userset
Rivendell/jails                                             2.68G  10.4T   256K                    /mnt/Rivendell/jails
Rivendell/jails/.warden-template-pluginjail                  576M  10.4T   576M                    /mnt/Rivendell/jails/.warden-template-pluginjail
Rivendell/jails/htpc-manager_1                               274M  10.4T   803M                    /mnt/Rivendell/jails/htpc-manager_1
Rivendell/jails/plexmediaserver_1                           1.85G  10.4T  2.25G                    /mnt/Rivendell/jails/plexmediaserver_1
Rivendell/mediaset                                          73.0G  10.4T  72.9G                    /mnt/Rivendell/mediaset
freenas-boot                                                1.20G  12.8G    31K                    none
freenas-boot/ROOT                                           1.18G  12.8G    25K                    none
freenas-boot/ROOT/FreeNAS-9.3-STABLE-201511040813           3.62M  12.8G   514M                    /
freenas-boot/ROOT/FreeNAS-9.3-STABLE-201511280648           1.17G  12.8G   517M                    /
freenas-boot/ROOT/Initial-Install                              1K  12.8G   510M                    legacy
freenas-boot/ROOT/Wizard-2015-11-23_22:13:13                   1K  12.8G   511M                    legacy
freenas-boot/ROOT/default                                   1.98M  12.8G   513M                    legacy
freenas-boot/grub                                           20.3M  12.8G  6.74M                    legacy


Code:
[root@AdcNAS] ~# getfacl /mnt/Rivendell/CIFS
# file: /mnt/Rivendell/CIFS
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow


Code:
[root@AdcNAS] ~# getfacl /mnt/Rivendell/CIFS/userset
# file: /mnt/Rivendell/CIFS/userset
# owner: cadcock
# group: wheel
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow


Code:
[root@AdcNAS] ~# getfacl /mnt/Rivendell/CIFS/userset/Chris
# file: /mnt/Rivendell/CIFS/userset/Chris
# owner: cadcock
# group: wheel
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow


Code:
[root@AdcNAS] ~# getfacl /mnt/Rivendell/CIFS/userset/Dalton
# file: /mnt/Rivendell/CIFS/userset/Dalton
# owner: cadcock
# group: wheel
      user:dadcock:rwxpDdaARWcCo-:fd----:allow
            owner@:rwxpDdaARWcCo-:fd----:allow
            group@:rwxpDdaARWcCo-:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow


Code:
[root@AdcNAS] ~# zfs get aclmode /mnt/Rivendell/CIFS
NAME            PROPERTY  VALUE        SOURCE
Rivendell/CIFS  aclmode   restricted   local
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
To capture the contents of /etc/local/smb4.conf, type "cat /etc/local/smb4.conf". Once you do that, post contents here.

Without seeing the contents of your smb4.conf file, I would probably start by using the freenas webgui to recursively set permissions for CIFS/userset to root:wheel. Then I would do the following:
1) unmap network drives and clear cached credentials (using credentials manager) in windows
2) authenticate to samba server \\rivendell with root credentials
3) using the security tab in File Explorer, modify the ACLs for \\rivendell\userset as follows:
3a) modify "everyone" ACE so that it applies "to this folder only".
3b) add "cadcock" with "full control"
4) in the CLI use the "chown" command to change the owner of the user folders, i.e. "chown dadcock /mnt/Rivendell/CIFS/userset/Dalton"

What this accomplishes:
a) all users can access CIFS share (using the special everyone@ ACE)
b) every user can see and access their own user share, but no others. (using the special owner@ ACE)
c) user cadcock can see and access all user shares.
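As an added example (not code from this thread, from FreeNAS or from Samba), the script below parses getfacl output in the format pasted above and reports, for each directory, which users can list it under the NFSv4 first-match rule and whether its everyone@ read ACE carries the f/d inheritance flags that copy it onto every new subfolder. The "before" listing is taken from the output posted above; the "after" listing, the user names and their group memberships are constructed to reflect the steps in the reply and are assumptions. It models only the ZFS-side ACL check, not Samba's share-level settings.

```python
"""
Audit FreeBSD/ZFS NFSv4 ACLs as printed by getfacl (the format pasted in this
thread) and answer two questions per directory:
  1. which users can read/list it, under the NFSv4 first-match rule, and
  2. whether it carries an inheritable everyone@ read ACE, i.e. one that will
     be copied onto every new subfolder (the "fd" flags in the thread's output).
Added example for this thread; not code from the post, FreeNAS or Samba.
"""
from dataclasses import dataclass, field
import re

# One ACE line as FreeBSD getfacl prints it: principal:perms:inherit-flags:allow|deny
ACE_RE = re.compile(
    r"^\s*(owner@|group@|everyone@|user:([^:]+)|group:([^:]+))"
    r":([rwxpDdaARWcCos-]+):([fdinIFS-]+):(allow|deny)\s*$"
)


@dataclass
class Ace:
    tag: str        # 'owner@', 'group@', 'everyone@', 'user' or 'group'
    qualifier: str  # named user/group for 'user'/'group', else ''
    perms: set      # permission letters present, e.g. {'r', 'x', 'a', 'R', 'c'}
    flags: set      # inheritance flags present, e.g. {'f', 'd'}
    kind: str       # 'allow' or 'deny'


@dataclass
class DirAcl:
    path: str
    owner: str = ""
    group: str = ""
    aces: list = field(default_factory=list)


def parse_getfacl(text):
    """Parse one or more concatenated getfacl listings into DirAcl objects."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("# file:"):
            cur = DirAcl(path=line.split(":", 1)[1].strip())
            entries.append(cur)
        elif line.startswith("# owner:") and cur:
            cur.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:") and cur:
            cur.group = line.split(":", 1)[1].strip()
        else:
            m = ACE_RE.match(line)
            if m and cur:
                tag = m.group(1).split(":")[0]
                cur.aces.append(Ace(tag, m.group(2) or m.group(3) or "",
                                    set(m.group(4)) - {"-"},
                                    set(m.group(5)) - {"-"}, m.group(6)))
    return entries


def _applies(ace, user, groups, entry):
    """Does this ACE apply to `user` (with group set `groups`) on `entry`?"""
    return {
        "everyone@": True,
        "owner@": user == entry.owner,
        "group@": entry.group in groups,
        "user": ace.qualifier == user,
        "group": ace.qualifier in groups,
    }[ace.tag]


def can_access(entry, user, groups, wanted="r"):
    """NFSv4 check: each requested bit is settled by the first applicable ACE that
    mentions it, and every bit must end up allowed. root bypasses DAC on FreeBSD."""
    if user == "root":
        return True
    pending = set(wanted)
    for ace in entry.aces:
        if not _applies(ace, user, groups, entry):
            continue
        hit = pending & ace.perms
        if hit and ace.kind == "deny":
            return False
        pending -= hit
        if not pending:
            return True
    return not pending


def inheritable_everyone_read(entry):
    """True if an everyone@ allow ACE grants read_data and carries f or d inheritance."""
    return any(a.tag == "everyone@" and a.kind == "allow" and "r" in a.perms
               and a.flags & {"f", "d"} for a in entry.aces)


def audit(text, users):
    """users: {name: set of group names}. Returns {path: (sorted readers, leaky flag)}."""
    return {e.path: (sorted(u for u, g in users.items() if can_access(e, u, g, "r")),
                     inheritable_everyone_read(e))
            for e in parse_getfacl(text)}


# Sample taken from the listings posted in the thread: every user folder inherits
# everyone@ read from userset, so any SMB user can list it.
BEFORE = """\
# file: /mnt/Rivendell/CIFS/userset
# owner: cadcock
# group: wheel
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow
# file: /mnt/Rivendell/CIFS/userset/Dalton
# owner: cadcock
# group: wheel
      user:dadcock:rwxpDdaARWcCo-:fd----:allow
            owner@:rwxpDdaARWcCo-:fd----:allow
            group@:rwxpDdaARWcCo-:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow
"""

# Constructed (hypothetical) listing of what the reply's steps aim for: everyone@
# on userset limited to "this folder only" (no f/d flags), cadcock added with full
# control, and Dalton chowned to dadcock so owner@ now means that user.
AFTER = """\
# file: /mnt/Rivendell/CIFS/userset
# owner: root
# group: wheel
      user:cadcock:rwxpDdaARWcCos:fd----:allow
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:------:allow
# file: /mnt/Rivendell/CIFS/userset/Dalton
# owner: dadcock
# group: wheel
      user:cadcock:rwxpDdaARWcCos:fd----:allow
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
"""

# Constructed SMB users; none is a member of wheel, so group@ grants them nothing.
USERS = {"cadcock": {"cadcock"}, "dadcock": {"dadcock"}, "chris": {"chris"}}

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for path, (readers, leaky) in audit(text, USERS).items():
            print(f"{label:6} {path}: readers={readers} inheritable everyone@ read={leaky}")
```

Run against a real box by piping `getfacl` output for each user folder into `audit()`: a user folder whose readers list contains anyone but its owner (and the admin account) is visible to that user, and any directory flagged True will hand the same everyone@ read ACE to every folder created beneath it.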
 

ChiknNutz

Patron
Joined
Nov 6, 2015
Messages
217
What you mentioned sounds precisely like what I am hoping to achieve.

Here is the SMB4.conf info:

Code:
[root@AdcNAS] ~# cat /etc/local/smb4.conf
[global]
    username map = /usr/local/etc/smbusers
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 469946
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    time server = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = ADCNAS
    workgroup = GX
    security = user
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1


[Backup]
    path = /mnt/Rivendell/CIFS/backupset
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1m
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[Media]
    path = /mnt/Rivendell/mediaset
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1m
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


[Users]
    path = /mnt/Rivendell/CIFS/userset
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1m
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
 