Permissions scenario for other users can't read access other user's files and directories

Status
Not open for further replies.

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
How many users / shares? Are you using home shares? What clients (windows, mac, linux, etc)? Is this an AD environment?

Note that the guide you linked contains some settings that may cause permissions headaches. It's better to keep changes to the default config to a minimum.
 

GuntOn

Cadet
Joined
Oct 16, 2014
Messages
5
About ten users (each their own share) + two extra shares for some of these ten users. All client machines are windows 7 pro and some old windows xp pro. All machines working without AD.

I already have one working ghetto "NAS" which is running on Fedora 9 with one 1TB drive :D but it's not reliable and the storage capacity is too small; however, Samba is configured exactly as I need.

By the way, here is the configuration file; maybe it will make my wishes more precise:

Code:
[global]

    client code page = 775
    character set = 775
    workgroup = 2ndoffice
    server string = linux files server
    log file = /var/log/samba/%m.log
    max log size = 1500
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    pam password change = yes
    obey pam restrictions = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 255
    username map = /etc/samba/smbusers
    dns proxy = no

[homes]
    comment = Home Directories
    browseable = no
    writeable = yes
    valid users = %S
    create mode = 0664
    directory mode = 0775

[spainis]
    comment = spainis
    path = /home/spainis
    writeable = yes
    guest ok = yes
    browseable = yes
    create mode = 777
    force create mode = 777
    directory mode = 777
    force directory mode = 777
    write list = root, user, kristine
    admin users = root, user, kristine
    force user = root
    force group = root

[zeme]
    comment = zeme
    path = /home/zeme
    writeable = yes
    guest ok = no
    browseable = no
    create mode = 777
    force create mode = 777
    directory mode = 777
    force directory mode = 777
    write list = boss, lasma, daira, ingars, gunta, kristine, maris
    admin users = boss, lasma, daira, ingars, gunta, kristine, maris
    force user = root
    force group = root

[boss]
    comment = super adminst tipo...
    path = /home
    writeable = yes
    valid users = root, boss
    create mode = 777
    browseable = no
    force create mode = 777
    directory mode = 777
    force directory mode = 777
    admin users = root, vilnis
    force user = root, vilnis
    force group = root, vilnis

[user]
    comment = user
    path = /home/user
    writeable = yes
    valid users = user, root
    browseable = no

[vilnis]
    comment = vilis
    path = /home/vilis
    writeable = yes
    valid users = vilnis, root
    browseable = no

[gunta]
    comment = gunta
    path = /home/gunta
    writeable = yes
    valid users = gunta, root
    browseable = no

[ingars]
    comment = ingars
    path = /home/ingars
    writeable = yes
    valid users = ingars, root
    browseable = no

[lasma]
    comment = lasma
    path = /home/lasma
    writeable = yes
    valid users = lasma, root
    browseable = no

[daira]
    comment = daira
    path = /home/daira
    writeable = yes
    valid users = daira, root
    browseable = no

[kristine]
    comment = kristine
    path = /home/kristine
    writeable = yes
    valid users = kristine, root
    browseable = no
  
[maris]
    comment = maris
    path = /home/maris
    writeable = yes
    valid users = maris, root
    browseable = no
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
TCP_NODELAY is a bit of deprecated samba voodoo for operating systems without a proper kernel. Note that statement does not imply that TCP_NODELAY is unnecessary under Fedora. :)

FreeNAS has ZFS, which supports nfsv4 ACLs. This means that permissions work almost exactly as they should under windows. No need to mess with "valid users" parameters. No need to jump through hoops using 'force user' parameters, setting groupmasks, etc. Just right-click on the share and edit NTFS permissions like you would any share on a Windows server. It's pretty awesome.

That being said, you should not mess with "create mask" or "directory mask". Leave them as defaults (0666 and 0777 respectively). The smb4.conf parameter "nt acl support" is enabled by default and when combined with the zfsacl VFS module can cause bad things to happen if you start doing "chmod" operations willy-nilly.

With Samba4 you can set up your server as an AD DC, but it is best practice to not have the same Samba4 instance running as a DC and a file server. If needed you could probably run the DC instance in a jail on your FreeNAS install. Recreating your 'homes' directories under an AD domain can be achieved by following most of the steps here: https://wiki.samba.org/index.php/Setting_up_a_home_share with the caveat that you should use the FreeNAS webgui tools to create the shares and not edit your share access controls through the "share permissions" tab in compmgmt.msc.

BTW, it is best practice to create groups and use them with the "valid users" and "write list" parameters if you decide to go that route.

e.g.

valid users = @PeopleIHate @PeopleILike
write list = @PeopleILike
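To make the advice above concrete, here is an added example (not from anyone in this thread) that lints an smb.conf for the settings anodos flags: non-default create/directory masks, "force user", writable guest shares, and "valid users"/"write list" entries that name individual users instead of @groups. The sample config is a constructed cut-down version of the one posted above; only the parameter names that appear in it are handled.

```python
import configparser
import io

# Constructed sample, modelled on the config posted in this thread.
SAMPLE_SMB_CONF = """
[global]
    workgroup = 2ndoffice

[spainis]
    path = /home/spainis
    writeable = yes
    guest ok = yes
    create mode = 777
    force create mode = 777
    write list = root, user, kristine
    force user = root

[zeme]
    path = /home/zeme
    valid users = @staff
    write list = @staff
"""

# Samba defaults that anodos says should be left alone.
DEFAULT_MASKS = {"create mask": "0666", "directory mask": "0777"}
# 'create mode' / 'directory mode' are Samba synonyms for the mask parameters.
SYNONYMS = {"create mode": "create mask", "directory mode": "directory mask"}
GROUP_PREFIXES = ("@", "+", "&")  # Samba's group-name prefixes

def parse_smb_conf(text):
    """Return {share: {param: value}} with mask synonyms normalised."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return {s: {SYNONYMS.get(k, k): v.strip() for k, v in cp.items(s)}
            for s in cp.sections()}

def lint_share(name, p):
    """List the risky settings in one share section."""
    findings = []
    for key, default in DEFAULT_MASKS.items():
        if key in p and int(p[key], 8) != int(default, 8):
            findings.append(f"{name}: {key} = {p[key]} (default is {default})")
    if "force user" in p:
        findings.append(f"{name}: force user = {p['force user']} overrides ACLs")
    writable = p.get("writeable", p.get("writable", "no")).lower() == "yes"
    if writable and p.get("guest ok", "no").lower() == "yes":
        findings.append(f"{name}: guest ok on a writable share")
    for key in ("valid users", "write list"):
        users = [u.strip() for u in p.get(key, "").split(",") if u.strip()]
        people = [u for u in users if not u.startswith(GROUP_PREFIXES)]
        if people:
            findings.append(f"{name}: {key} names users {people}; prefer @groups")
    return findings

def lint_config(text):
    """Lint every share except [global]; returns {share: [findings]}."""
    shares = parse_smb_conf(text)
    return {s: lint_share(s, p) for s, p in shares.items() if s != "global"}
```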
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, today I was playing with valid users and write list (I want to control permissions on the server, not from the client PC, because I don't want someone on the network who has access to a share to be able to change the ACLs from their Windows machine). The problem is that when I configured everything well (dataset permissions - windows acl, windows shares), FreeNAS has many bugs for me (like the deadlock SID problem - https://bugs.freenas.org/issues/6192 , which makes CIFS unusable - can't log in to the share etc....). For example, I have a dataset with owner "administrator" and group "worker_xxx". To make it work, I must RENAME (not delete and create again) the group to "workerxxx" and after that I can log in to the share.... I have an Intel Supermicro server with 24G RAM and FreeNAS 9.2.1.8 x64, and I recently upgraded to 9.2.1.9 BETA (because of the deadlock, and I was hoping that this version would have this bug solved, but no success).

I think the theory is very nice, but for me the most stable and more usable version is FreeNAS 9.2.0 (because CIFS does what I set up and nothing else). But I am scared to downgrade to that version, because I have already upgraded the ZFS version.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Users can only edit permissions for a share if you have granted their user/group "full control". You can use "valid users" and "write list" in addition to your ACLs (to provide an extra safety net), but leaving them unset will potentially cause issues with MS Office files because of the way Office saves documents.

If you choose to use posix acls, you may need to run chmod g+s "directory_name" for shares that will contain office files.

You can try the script in post #3 here: https://forums.freenas.org/index.php?threads/smb-sharing-issue-on-fresh-install.23760/ I haven't tried it myself yet and so there may be dragons. :)
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, thx, I tried that script before upgrading to v9.2.1.9 BETA with no luck; the deadlock persists.
 