Problem with permissions, multiple shares & multiple users

Status
Not open for further replies.

killhefferc

Cadet
Joined
Mar 22, 2018
Messages
3
I apologize in advance if I'm posting in the wrong topic, and I've been searching for a solution for this for a while without any luck.
I'm new to FreeNAS (and any server OS software in fact) and posting in forums, so go easy on me.

I'm setting up a server for a non-profit organization and I'm having some problems with user permissions.

What I'm trying to accomplish:
10 SMB shares on the FreeNAS server, and 8 users who only have access to specific shares.

What I have done so far:
Using the wizard I created the 10 SMB shares. In the owner section for each share, I left the owner as root and created a group with a name that matches the share name. I checked read, write, and execute for owner and group. I unchecked read, write, and execute for other.

I created all 8 of the users on the server as well and selected the groups for the shares that I wanted each user to have access to.

The problem:
Once any of the users' inputs their credentials, they have read, and execute permissions to every share regardless of whether they are in the share group or not. The strange part is that the write permissions work as intended.

I need users to be completely denied access to shares that they weren't added to.

I read up on how to do this in the guide built into FreeNAS and I don't know what I'm doing wrong.

Any suggestions would be greatly appreciated, thanks!
 

killhefferc

Cadet
Joined
Mar 22, 2018
Messages
3
Windows or non windows clients?
Hello! All Windows clients. The client computer that I was testing the permissions on was running Windows 7, but they will be getting all new computers with W10 on them soon.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
From what info you have I have no clue about the root cause of your issue, but I do know that following @m0nkeys guide you shouldn’t have the same issues
 

Dreded

Explorer
Joined
Nov 12, 2013
Messages
65
Oh I see, but how do I make it so users that aren't in the group can't open the share?

I appreciate your help.

watch that video posted above it covers pretty much everything... it doesn't cover windows specific permission management... so first I would have you think long and hard about whether you want 10 different shares or one share with 10 folders that users have different access levels to.


What I do here..
I have one main group called Staff that every single user I create is a part of... then I also created a group called SecureStaff

The Datasets are owned by user nobody and group wheel.. think of the wheel group as IT Admin they will have access to change any file/folder permissions so its generally a bad idea to give this sort of access to the boss as they tend to muck things up.

I have two datasets/shares Corporate and Main.. all staff has access to Main and all SecureStaff has access to Corporate. my main reasons for dividing things up is backup planning.

Ok all of that the video recommended above covers better... here is the part it doesnt cover...

lets say I have a share with guest access allowed, but I only want marlene to be able to access a specific folder(in this case named MARLENE) in that share and nobody else

I would right click that folder I want to change access to and go to properties
then on the security tab I would hit advanced
Advanced.png


as you can see currently it has inherited permissions from the main share(P: = Main) in order to change this so only marlene has access I would need to remove access by Everyone but since its inherited from the Main share I first need to click "Disable Inheritance" then select "Convert inherited permissions into explicit permissions on this object." this keeps everything as is but removes control over the permissions from the parent directory(so if I changed the parent dir permissions these ones would no longer change)

I then highlight the Everyone row.. and hit Remove
removed everyone.png


then I hit "Add" and and in the window that pops up I hit "Select a Principal"....
add marlenet.png


in my case the user(that already exists as a freenas user) is MarleneT so I then type that into the box(seen above) and hit OK
Then I can either give Marlene "Modify" control(almost never give "Full Control") so she can do whatever she wishes to the contents of that folder(but not change its permissions) or read only access so that she can look at everything but not delete/move it.(i often use this for user backup or user specific installers so they have access but cant delete things by accident)

to make this simpler without mistakes you could hit "Clear All" then select either "Modify" or "Read & Execute" which will select everything appropriately(it defaults to read permissions so you could also leave it at that or just check modify)

if you want to know what "Only apply these permissions to objects and/or containers within this container" means look here... https://docs.microsoft.com/en-us/pr.../it-pro/windows-server-2003/cc776140(v=ws.10)
Generally leave it unchecked.

marlene modifty.png


so we gave her access to modify(make her the owner so she can create/rename/delete etc but not change the permissions) then hit OK

which takes us back to the below image...
I always check the "Replace all child object permission entries with inheritable...."

done.png


So check the box and hit OK

If the warning that pops up scares you then be careful as you could easily undo work you just did if you did the children before the parents.. I always do parents first hence why I always click "Replace all child object permissions"

Yes.. we want to continue.

Then hit OK again... DONE!
now only marlene can open this folder everyone else will be told they cannot.

if we wanted to do staff instead of marlene we would have typed in "Staff" instead of marlene or we could add "Staff" and "MarleneT" and set different permissions for both like...

staff.png


once you disable inheritance you may find it easier to use the "Edit" button instead of Advanced on the security tab
 
Status
Not open for further replies.
Top