SOLVED Single share with different folder views depending on the user

Status
Not open for further replies.

learnsomemore

Dabbler
Joined
Aug 16, 2018
Messages
11
Hello, I imagine this question has been asked before but I haven't figured out what the search term is to find the post. This seems like such a common use case that I must be missing a term/name for this. I'm trying to do this without being forced to have a Windows server for ACL.

Can FreeNAS be setup in a way where there is a single SMB share with different folder views depending on the users permissions?

Example of two users with different permissions mounting Share1:

Share1 (user with admin group permissions)
----A
----B
----C

Share1 (user with something related to B group permissions)
-----B

I'm managing a FreeNAS 11 setup in an enterprise environment and I'm trying to figure out the best way to easily control who can see what folders in a single share. This is to avoid having 20 different shares and users that have access to all of them having to mount 20 different shares. It would be much easier if a user could mount one share and, if they don't have permissions for one of the folders, they just don't see it listed.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554


Access Based Enumeration is the default. If the user lacks "read attributes" for a file / folder, it will not be visible.
 

learnsomemore

Dabbler
Joined
Aug 16, 2018
Messages
11
Access Based Enumeration is the default. If the user lacks "read attributes" for a file / folder, it will not be visible.
The issue I'm running into with that method is after setting the following:
Apply Owner(user): check
Owner(user): nobody
Apply Owner(group): check
Owner(group): superadmin
Apply mode: check

Mode:
Owner: rwx
Group: rwx
Other: ---

Permission Type: Unix

(note: I also tried Owner: --- in case the "nobody" user was the reason the folder still got the read attribute)

And then connecting to the share as a user that is not part of the superadmin group, the user can see the folder (if they click it they get a permissions error, but can still see the folder exist).
The user I'm testing this on is only part of one group (a group that has access to the share that shows the different folders). The user gets the appropriate permissions for all the other folders in the share.

I also tried creating a dummy user with login disabled and no rwx on user, group, or other, and set that user as the Owner(user) for the directory, and got the same results. The user can't do anything with the directory, but can still see it. Is there a reference for "user lacks "read attributes" for a file / folder, it will not be visible" in the docs?

From the settings i listed, it seems the user does lack the "read attributes" for the file. Should one of the settings above be different?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You should be using "Windows" permissions type with SMB shares, and you should use a Windows client to set permissions via File Explorer's permissions editor. The permissions you quoted above have the following ACL:

owner@:rwx---aARWcCos:-------:allow
group@:rwx---a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow

Everyone@ maintains "read attributes" (a), and therefore the directory is visible.
 

learnsomemore

Dabbler
Joined
Aug 16, 2018
Messages
11
You should be using "Windows" permissions type with SMB shares, and you should use a Windows client to set permissions via File Explorer's permissions editor.

The benefit to setting the permissions to "Unix" is that it allows us to manage permissions for access from the same device that users are accessing instead of some settings being managed by FreeNAS and others being managed by Windows. Most systems in this office are Windows but not all the same version, and some are Linux and Mac. Based on the note in the docs we didn't set up different access methods on the same vol for each OS type. We just stuck with SMB for all of them. With the folders set to Unix, even Windows computers get permissions errors as expected when they try to read or write to a folder/file they don't have access to. I'm assuming this is because FreeNAS is honoring the rwx setting and checking them when users attempt access. Is this something that is working as a flaw? Is FreeNAS not supposed to have the ability to control access at the folder level and everybody is supposed to manage folder level stuff with a companion Windows machine?

Everyone@ maintains "read attributes" (a), and therefore the directory is visible.
Thanks. That explains why no matter what I change, users without the expected permissions can still see the folder.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The benefit to setting the permissions to "Unix" is that it allows us to manage permissions for access from the same device that users are accessing instead of some settings being managed by FreeNAS and others being manged by Windows. Most systems in this office are Windows but not all the same version, and some are Linux and Mac.

The only difference between "Windows" and "Unix" permissions type is the aclmode and default permissions that are set by the UI when you create the dataset. The correct tool to manipulate ACLs server-side is `setfacl` not `chmod`. If you use it correctly, there's no difference between managing permissions server-side or through File Explorer. As an admin, I actually try to avoid having users manage permissions at all.

Is FreeNAS not supposed to have the ability to control access at the folder level and everybody is supposed to manage folder level stuff with a companion Windows machine?
The methods of managing ACLs from the FreeNAS UI are currently limited to just changing the owner / group. The best options are either `setfacl` or File Explorer.
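To make the "read attributes" point from the earlier reply and the `setfacl` advice above concrete, here is an added example (not code from this thread, and not FreeNAS or iXsystems code). It parses FreeBSD `getfacl`-style NFSv4 ACL text such as the ACL anodos quoted, evaluates whether a given user holds read_attributes (the `a` bit) and therefore whether access-based enumeration would list the directory for that user, and builds the `setfacl -x` command that would strip the `everyone@` grant that keeps the folder visible. The dataset path, the user names and group memberships, and the `# file:` / `# owner:` / `# group:` header lines are constructed for illustration; the `setfacl -x <entry> <path>` syntax is assumed from the FreeBSD 11 setfacl man page, and the commands are returned as strings rather than executed.

```python
"""Who can see a directory under access-based enumeration (ABE)?

Parses NFSv4 ACL lines in FreeBSD getfacl format, checks which users hold
read_attributes ('a'), and builds setfacl commands to drop everyone@ grants.
Added example; not code from the forum thread or from FreeNAS/iXsystems.
"""
import re
from dataclasses import dataclass

# Permission letters in the fixed column order FreeBSD getfacl prints them.
PERM_LETTERS = "rwxpDdaARWcCos"

# One ACE as printed by getfacl on FreeBSD 11:  who:perms:flags:allow|deny
ACE_RE = re.compile(
    r"^(owner@|group@|everyone@|user:[^:]+|group:[^:]+)"
    r":([rwxpDdaARWcCos-]{14}):([fdinSFI-]{7}):(allow|deny)$"
)

# Constructed sample: the ACL quoted in the thread, plus getfacl header lines
# using the owner/group from the original post (nobody / superadmin).
# The path is an assumption for illustration.
SAMPLE_ACL = """\
# file: /mnt/tank/share1/B
# owner: nobody
# group: superadmin
owner@:rwx---aARWcCos:-------:allow
group@:rwx---a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
"""


@dataclass
class Ace:
    tag: str        # owner@ / group@ / everyone@ / user / group
    qualifier: str  # name for explicit user:/group: entries, else ""
    perms: set      # permission letters present in the entry
    flags: str      # inheritance/audit flag column, kept verbatim
    kind: str       # allow / deny

    @property
    def who(self):
        return f"{self.tag}:{self.qualifier}" if self.qualifier else self.tag


@dataclass
class Acl:
    path: str
    owner: str
    group: str
    aces: list


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset  # group names the user is a member of


def parse_acl(text):
    """Parse getfacl output: header comments give path/owner/group, the rest are ACEs."""
    path = owner = group = ""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
            continue
        if line.startswith("#"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        who, perms, flags, kind = m.groups()
        tag, _, qual = who.partition(":")
        aces.append(Ace(tag, qual, {c for c in perms if c != "-"}, flags, kind))
    return Acl(path, owner, group, aces)


def ace_to_text(ace):
    """Re-emit an ACE in getfacl column order (the form setfacl -x accepts)."""
    perms = "".join(c if c in ace.perms else "-" for c in PERM_LETTERS)
    return f"{ace.who}:{perms}:{ace.flags}:{ace.kind}"


def ace_matches(ace, principal, acl):
    """Does this ACE apply to the given user on this object?"""
    if ace.tag == "everyone@":
        return True
    if ace.tag == "owner@":
        return principal.name == acl.owner
    if ace.tag == "group@":
        return acl.group in principal.groups
    if ace.tag == "user":
        return principal.name == ace.qualifier
    if ace.tag == "group":
        return ace.qualifier in principal.groups
    return False


def holds_permission(acl, principal, perm):
    """NFSv4 evaluation: walk ACEs top to bottom; the first matching ACE that
    mentions the requested bit decides (allow grants it, deny refuses it)."""
    for ace in acl.aces:
        if perm in ace.perms and ace_matches(ace, principal, acl):
            return ace.kind == "allow"
    return False


def visible_under_abe(acl, principal):
    """ABE lists a directory only for users holding read_attributes ('a')."""
    return holds_permission(acl, principal, "a")


def without_everyone_read_attributes(acl):
    """Return a copy of the ACL with every everyone@ allow ACE carrying 'a' removed."""
    keep = [a for a in acl.aces
            if not (a.tag == "everyone@" and a.kind == "allow" and "a" in a.perms)]
    return Acl(acl.path, acl.owner, acl.group, keep)


def setfacl_remove_everyone_cmds(acl):
    """Build the FreeBSD setfacl commands (assumed '-x <entry> <path>' syntax)
    that would remove those everyone@ entries. Strings only; nothing is run."""
    return [f"setfacl -x {ace_to_text(a)} {acl.path}" for a in acl.aces
            if a.tag == "everyone@" and a.kind == "allow" and "a" in a.perms]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    outsider = Principal("alice", frozenset({"staff"}))      # constructed user
    admin = Principal("bob", frozenset({"superadmin"}))      # constructed user
    for who in (outsider, admin):
        print(f"{who.name}: visible before fix = {visible_under_abe(acl, who)}, "
              f"after fix = {visible_under_abe(without_everyone_read_attributes(acl), who)}")
    for cmd in setfacl_remove_everyone_cmds(acl):
        print(cmd)
```

To check a real directory on the FreeNAS box, paste the output of `getfacl /mnt/<pool>/<dataset>/<dir>` in place of SAMPLE_ACL: if `visible_under_abe` is true for a user who is neither the owner nor in the owning group, some entry (usually `everyone@`) is handing out the `a` bit and the folder will stay listed no matter what rwx mode you set. The evaluator only models the single bit that decides visibility; it ignores inheritance flags, which matter for files created later but not for whether the directory shows up.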
 

learnsomemore

Dabbler
Joined
Aug 16, 2018
Messages
11
The methods of managing ACLs from the FreeNAS UI are currently limited to just changing the owner / group. The best options are either `setfacl` or File Explorer.

I found your thread here talking about the setfacl method for managing ACL from the command line.

So I made a test dataset with a permission type of Windows so I can play with setfacl. Is setting setfacl for a FreeNAS system typically done on the command line in the FreeNAS box through SSH? I'm going to start playing with managing permissions via the terminal. Are there any other docs you can recommend I should look at for managing with setfacl other than the FreeBSD 11 docs here?
 

learnsomemore

Dabbler
Joined
Aug 16, 2018
Messages
11
setfacl info super helpful. I just proceeded with the man pages. Permissions working well and managing via terminal.
 