One Volume, Multiple Folders, CIFS username/passwords for each share. That's all I want. How?

Status
Not open for further replies.

JTheNASBuilder

Dabbler
Joined
Feb 4, 2014
Messages
28
I've been poring over the forums for the last few hours and trying out a variety of solutions to no avail. I really hope I'm just overlooking the solution I need.

My storage situation is pretty simple compared to some of the builds I read about here. My needs are pretty simple too. I don't need sophisticated security setups, disk quotas, or anything. All I really want is a big file storage pool with shared folders... and those folders restricted via username/password combinations.

With my old Windows Home Server setup, I simply created a user account and password and then gave that user account permission to access the folders. For example, I had four folders: TV Shows, Movies, Kids Shows, and Kids Movies. The adult login had access to all four, the kid login had access restricted to the Kids Shows and Kids Movies categories.

I'm trying to create this exact same setup on my FreeNAS but I'm having zero luck. My initial setup was to simply create one giant volume (/mnt/Volume1/) and then create folders inside there according to my storage needs (e.g. /mnt/Volume1/TV Shows/). I created a user group and user that I want to give access to this group (for the sake of example, let's call this group "adults" and the password is "adults!").

I have the user group. I have the folder in /Volume1/ but when I create the CIFS share... I have no option to restrict that share to any group or username. If I enable guest access I can access the share but that's not what I want.

I thought maybe the problem was that I *needed* to use a ZFS dataset (because I *can* set permissions in the dataset settings) but I tried that and changed the user/group to the user/group I had created and I still had no luck.

I really don't need anything sophisticated at all here folks. I just want a dead simple login/password required so I can restrict all the share files on all my media center and desktop computers such that the kids in the house don't end up watching Terminator II or American Horror Story when the adults aren't looking.

What do I need to do to make this happen?

(By the way, for whatever troubleshooting help it's worth... I can log into any share I create using the root login and password... but I don't want to use the root for my media center boxes and it doesn't help me because I can't restrict the root to keep the kids out.)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Navigate to your server via Windows Explorer (the file manager in Windows). You can do this by typing the path to your server as "\\ipaddress". Authenticate as owner of the share (in the example above - adults). Right-click on the share then click --> Properties --> Security, and set the permissions how you want them.

Alternatively, you can use the "valid users" parameter in your CIFS share config.
[KIDS SHARE]
valid users = @adults @kids
write list = @adults

[ADULTS SHARE]
valid users = @adults
write list = @adults
 

JTheNASBuilder

Dabbler
Joined
Feb 4, 2014
Messages
28
The "valid users" trick is *exactly* the trick I needed. Just a simple "kids get this, adults get this" restriction. Brilliant. Thank you so much!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The "valid users" trick is *exactly* the trick I needed. Just a simple "kids get this, adults get this" restriction. Brilliant. Thank you so much!
I'm glad it works for you. I forgot to mention that if you're using share definition access controls, you will want to export the share as read-only to set up a "default deny" permissions schema (assuming you don't want your kids to be able to delete things or write to the share). The "write list" parameter will then define who has write privileges.

This method of controlling permissions is pretty easy, quick to set up, and quick to audit. It does in some circumstances create erratic behavior in large multi-user environments like an office. Specifically, files created inside a program (like Microsoft Office) and saved directly into the share will end up with incorrect permissions (only the file owner will be able to write and modify the file). There are two ways I know of to get around this: (1) use the "force user" parameter or (2) configure ACLs via the first method I mentioned above.
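To make the two posts above concrete (the "valid users"/"write list" definitions and the point about exporting read-only for a default-deny setup), here is an added example written for this thread; it is not code from FreeNAS, Samba or anodos. It models how those share parameters combine for each user. The group membership, user names, share definitions and paths are constructed; it treats the "@" and "+" prefixes as Unix groups, ignores netgroups, "read list", "invalid users", "guest ok" and filesystem ACLs, and goes slightly beyond the thread by adding a third share with no "valid users" and "read only = no" to show what you get without the default-deny setup.

```python
"""Added example: model how Samba share-definition access controls
('valid users', 'read only', 'write list') combine for a given user.
Illustrative code written for this thread, not FreeNAS or Samba code;
the groups and share definitions below are constructed."""

# Constructed local group membership (assumption: local FreeNAS accounts,
# no directory server). '@name' and '+name' are both treated as Unix groups.
GROUPS = {
    "adults": {"mom", "dad"},
    "kids": {"timmy"},
}

# Constructed smb.conf-style share definitions modelled on the thread.
# Samba's default for 'read only' is 'yes'; the FreeNAS GUI controls it via
# the "Export Read Only" checkbox, so it is written out explicitly here.
SMB_CONF = """
[KIDS SHARE]
    path = /mnt/Volume1/Kids Shows
    read only = yes
    valid users = @adults @kids
    write list = @adults

[ADULTS SHARE]
    path = /mnt/Volume1/TV Shows
    read only = yes
    valid users = @adults
    write list = @adults

[SCRATCH]
    ; no 'valid users' and not read-only: every authenticated user gets write
    path = /mnt/Volume1/Scratch
    read only = no
"""


def parse_shares(text):
    """Parse minimal smb.conf text into {share name: {parameter: value}}.
    Only whole-line comments (';' or '#') are honoured, as in smb.conf."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            shares[current] = {}
            continue
        if current is None:
            raise ValueError("parameter outside a share section: %r" % line)
        key, _, value = line.partition("=")
        shares[current][key.strip().lower()] = value.strip()
    return shares


def expand_users(value, groups):
    """Expand a 'valid users'/'write list' value into a set of user names."""
    users = set()
    for token in value.split():
        if token[0] in "@+":
            users |= groups.get(token[1:], set())  # unknown group: nobody
        else:
            users.add(token)
    return users


def effective_access(share, user, groups):
    """Return 'none', 'read' or 'write' for user on one share definition.

    Rules modelled: without 'valid users' any authenticated user may connect;
    with it, only listed users/groups may. 'read only = yes' denies writes
    unless the user is in 'write list'; 'read only = no' lets every
    connecting user write. Filesystem ACLs are not modelled."""
    valid = share.get("valid users")
    if valid is not None and user not in expand_users(valid, groups):
        return "none"
    read_only = share.get("read only", "yes").lower() in ("yes", "true", "1")
    if not read_only or user in expand_users(share.get("write list", ""), groups):
        return "write"
    return "read"


def access_matrix(conf_text=SMB_CONF, groups=GROUPS, extra_users=("stranger",)):
    """Access of every known user (plus a user in no group) on every share."""
    shares = parse_shares(conf_text)
    users = sorted(set().union(*groups.values()) | set(extra_users))
    return {name: {u: effective_access(defn, u, groups) for u in users}
            for name, defn in shares.items()}


if __name__ == "__main__":
    for name, row in access_matrix().items():
        print("%-12s %s" % (name, row))
```

Running it prints one row per share; the useful check is that a user outside "valid users" gets "none" on the restricted shares, a kid gets "read" on the kids share, and the scratch share is writable by anyone who can authenticate, which is exactly the situation the read-only export plus "write list" avoids.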
 

JTheNASBuilder

Dabbler
Joined
Feb 4, 2014
Messages
28
Thanks for the clarification; now that I've got the basics up and running I'll look at fine tuning it. =)
 
Joined
Sep 14, 2014
Messages
4
Hi anodos,
I have the same problem. Can you help me?

Where in the GUI can I find the valid users config?
Thanks in advance.

Ricardo
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Share definition access controls are not exposed through the GUI (for the most part). You have to add them through the auxiliary parameters field. Look up the smb.conf manpage for the proper syntax. That being said, using NTFS permissions (as configured through Windows Explorer) is an overall superior method of configuring permissions to configuring them through share definitions.
 
Joined
Sep 14, 2014
Messages
4
Hi, thank you for the time you spend writing to me.
I don't have FreeNAS knowledge. I know about Linux, but I don't have enough knowledge to resolve this in FreeNAS.

What do you think is the best way to achieve what I want?
Having multiple shares, and choosing the right users to access each share? In some cases, some users can read/write, others have read, and the rest nothing?

Thank you for your time.

Ricardo
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This isn't a Linux vs FreeNAS thing. Samba is Samba. As to how to configure permissions - that is actually a difficult question to answer. How many users? Is authentication against local Unix accounts or some sort of directory server? What type of clients?
The short answer is to create datasets to be shared. Set ACL type to 'windows'. Create shares. Navigate to the server via Windows Explorer '\\ip.address' then right-click on the share. Click on Properties then select the 'Security' tab. Set permissions how you desire them to be.
 
Joined
Sep 14, 2014
Messages
4
Hi anodos,

Right now, about 20 users. The users are created in FreeNAS only.
For example, 2 datasets: area 1, area2.
Inside area2 there are 30 directories. For some of them I need some users to be able to read/write, some only read, and some nothing at all.
Creating 1 dataset for each directory is complex to maintain, right?

Sorry for the trouble.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Personally, at about 20+ users I look seriously at creating an AD domain and having FreeNAS configured as an AD member server. Note that although Samba 4 can act as a DC as well as a file server, you should separate these roles between two servers.
As far as datasets and shares go, you may be better off creating multiple datasets and shares / restructuring your file tree. It makes managing shares and permissions easier. Nesting datasets within a share adds unnecessary complexity.
As far as configuring permissions goes, my previous response in this thread contains enough info to get you started. Configure permissions exactly as you would under Windows.
 