How to set up CIFS Share for Windows Permission Access

Status
Not open for further replies.

Thousandbuckle

Contributor
Joined
Jul 9, 2014
Messages
136
Hello all, I am having some issues, either technical or my own stupidity, regarding permissions for accessing shares through CIFS. If I can explain what I am trying to do, I hope that someone can tell me where I am going wrong in my logic. Running FreeNAS 9.10.

I have one data set called DataPool that has 10 folders as part of the data set. The dataset permissions are set to Windows with my user ID "admin" as the owner and the group ID "Group". I have created a CIFS share to DataPool and I am able to see the CIFS share in Windows. The PC I am logged onto is using the user ID and password matching the user ID created in FreeNAS, so when I touch the share I have instant access to the share. I know how to modify Windows permissions, but here is where my problem begins.

I have that I want to either Block access to, Read, and Read/Write access to on various folders in the CIFS share. In theory when a user hits the share it will prompt them to provide credentials to allow them access to the folders they have rights to below. The problem I have today is when

By default FreeNAS creates the everyone, owner, and group ID from FreeNAS. I have been removing the everyone as I don't want everyone to have access. So what I am left with is the owner and group owner from FreeNAS. This works great for the owner ID as I am logged in using the same ID, but if anyone else tries to authenticate to the share to access folders they have rights to in the CIFS share it won't connect. Get permission denied message.

So here is the million dollar question:

Question 1: What should the permissions be on the root of the CIFS Share?
Question 2: Why won't my users be able to access folders they have permissions to?

I am hoping this is something I am not doing properly that this community can help me fix.
 

Thousandbuckle

Contributor
Joined
Jul 9, 2014
Messages
136
I have watched the video you linked to and it gives good information but for some reason permissions are not working for me like they should in my mind.

Example....I have a group in FreeNAS called "staff". I have given "staff" read/write access to various folders in the dataset that is shared in CIFS. When I try to map to share I get permission errors even though the folders have permissions for "staff" to access.

Can someone tell me what users/groups should be mapped at the root of the CIFS folder or does it matter?
 

philhu

Patron
Joined
May 17, 2016
Messages
258
Whatever group owns the share.

In the example video he uses shared. I built sharecifs.

I have not been able to get other groups mapped to work, or even change permissions from a root shell, only from Windows boxes. From a root shell, when I try a chmod, I get 'operation not permitted', which is probably right as it would blow away cifs/acl if it allowed the change from root like that.

I did get users to be able to do this based upon monkey's work, but not groups other than the share owner
 

Thousandbuckle

Contributor
Joined
Jul 9, 2014
Messages
136
So the only users/groups that can access the cifs share and subsequent folders are the ones that have permissions at the cifs root folder? That sounds really strange if that is correct.

In the example below if admin and wheel are the user and owner given permissions at the cifs share root folder is it not possible to give users 1-5 separate permissions to access sub folders?

CIFS Share - DataPool – (admin and wheel user and owner)
  • Folder1 – (User1 access only with Read/Write)
  • Folder2 – (User1, User2 access only with Read/Write)
  • Folder3 – (User1, User2, User3 access only with Read/Write)
  • Folder4 – (User1, User2, User3, User4 access only with Read/Write)
  • Folder5 – (User1, User2, User3, User4, User5 access only with Read/Write)
Users
  • Admin
  • User1
  • User2
  • User3
  • User4
  • User5
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
It is totally possible to do that. Can easily make User Groups and add the Users to those groups. Then from within Windows Explorer (while connected with appropriate credentials) simply edit the Security and add the desired Group(s); grant desired permissions and you are done.

Example that I did in the past: "Help - Permissions don't seem to be working as intended". I have done a few other ones as well, just search and you should find them.
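
Added example, not part of any post in this thread: a simplified Python model of the DataPool layout discussed above, showing how a grant on a subfolder interacts with the ACL on the share root. It assumes the share sits on a filesystem that checks traverse (execute) permission on every parent directory, as POSIX/ZFS-backed Samba shares do; the group membership, the rights names and the helper names are constructed for illustration.

```python
# Simplified model of directory access on a POSIX/ZFS-backed SMB share.
# Assumption: every directory from the share root down must grant the user
# traverse before rights on the target folder are even consulted.

GROUPS = {"wheel": {"admin"}, "staff": {"User1", "User2"}}  # constructed sample


def principals(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def rights_on(acl, user):
    """Union of rights granted to the user directly or through a group."""
    granted = set()
    for who in principals(user):
        granted |= acl.get(who, set())
    return granted


def check_access(tree, path, user, wanted):
    """Walk from the share root to `path`; return (allowed, reason)."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        parent = "/".join(parts[:depth])
        if "traverse" not in rights_on(tree[parent], user):
            return False, f"no traverse on {parent}"
    missing = set(wanted) - rights_on(tree[path.strip("/")], user)
    if missing:
        return False, f"missing {sorted(missing)} on {path}"
    return True, "ok"


FULL = {"traverse", "read", "write"}
# Constructed layout following the thread: root grants only owner and group.
SHARE = {
    "DataPool": {"admin": FULL, "wheel": FULL},
    "DataPool/Folder1": {"admin": FULL, "User1": FULL},
    "DataPool/Folder2": {"admin": FULL, "staff": FULL},
}


def with_root_traverse(tree, who):
    """Copy of the tree with a traverse-only entry for `who` on the root."""
    fixed = {p: dict(acl) for p, acl in tree.items()}
    fixed["DataPool"][who] = {"traverse"}
    return fixed


if __name__ == "__main__":
    for t in (SHARE, with_root_traverse(SHARE, "staff")):
        print(check_access(t, "DataPool/Folder1", "User1", {"read", "write"}))
```

In this model the traverse-only entry on the root lets User1 reach Folder1 without giving User2 any rights there, because the target folder's own ACL is still evaluated.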
 

philhu

Patron
Joined
May 17, 2016
Messages
258
I think mine is a bug. I need to start building the cifs share from scratch.
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,419
I found using a group called "users" caused it to not work in the Windows permissions dialogs.

Renaming users->allusers solved the problem.
 

Thousandbuckle

Contributor
Joined
Jul 9, 2014
Messages
136
I don't want to create nested groups but call out specifically users and groups when it is appropriate. I ended up making a video to show the issue I am having here at the YouTube link below. Hope you can take a look and see what my issue might be.

FreeNAS Windows Permissions Issue
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
> I don't want to create nested groups but call out specifically users and groups when it is appropriate.

You can do that as well. As/If the User base grows though it will become a PITA to Administer.

That is a lot of individual Shares you have setup there. Looks to me (hard to read though) like most of them are under "data_pool"? If so, then all you need to do is create one DataSet and Share for this. Then create the Folders you want in there (from Windows Explorer). For each folder, you would then set the Rights via Windows Explorer.

Let's do this, give us an example of the structure you have in mind. Not everything, but like three Folder Names and three Users with desired rights to said folders. I can then post how I would do that structure.

/Edit, just saw the description you posted earlier... I will toss up some instructions later today using that example. If you want me to just use the generic account names (User1, User2, etc.) that is fine otherwise if you want more detailed ones just let me know.
 

Thousandbuckle

Contributor
Joined
Jul 9, 2014
Messages
136
Hi Mirfster, I originally had one share which was to the "data_pool" level. When I was logged in with local account "btotel", which is also the data set owner, I can access all the shares just fine. When I went to Windows to modify the security permissions I would add certain users or groups to the folders inside the share but could never access them. Always got permission denied messages. In my YouTube example I broke the individual folders into separate shares thinking that might make a difference, but it doesn't. As you can see in the video example "gbcsecurity" has read/write access to the folder "Security - Directory" but when I try to access the share as that user it fails to authenticate.

My original plan was to have one share and when anyone on the local network hit the NAS box "storageserver" from Windows network that it would then take them in and show them the various shares and if their login matched the user/group assigned to the share it would let them in. Or if their login/password is not the same as the FreeNAS user created that they could map the drive using the FreeNAS user/group that has access to the share.
 