Current SCALE version: TrueNAS-SCALE-22.02.3
So I am testing setting up SMB shares from AD and want to make sure I am doing the permissions correctly (not missing anything important).
The goal is to setup a single main share directory (dataset) with sub directories (datasets) for each department. The user should only see the shares they have access too.
Note that there are no users configured in TrueNAS server, aside from root. All other accounts are AD users with appropriate department security groups.
Under Storage:
data (pool root dataset)
+shares (dataset) [sharetype smb] [this is the actual share setup below]
++department1 (dataset) [sharetype smb]
++department2 (dataset) [sharetype smb]
++department3 (dataset) [sharetype smb]
For the permissions on the Shares dataset:
owner@ - root Allow | Full Control
group@ - root Allow | Modify
Group - builtin_users | Allow Read (modify or read works, traverse breaks being able to view any shares. )
Group - builtin_administrators | Allow Full Control
Group - AD\Domain Users | Allow Read (modify or read works, traverse breaks.)
Group - AD\Domain Admins | Allow Full Control
Group - AD\deparment... | Allow Traverse (each department group set to traverse. This works unlike above. Possibly because of the read setting.)
For the permission on the department sub data sets:
owner@ - root Allow | Full Control
group@ - root Allow | Modify
Group - builtin_administrators | Allow Full Control
Group - AD\Domain Admins | Allow Full Control
Group - AD\deparment... | Allow Modify
Do you need builtin_users or domain users here? (The department group already grants access to the people that should have access.)
I could see setting builtin_users and domain users to read if you want read only access to all users, but modify only for a specific department.
Under shares -> Windows SMB Shares
Path: /mnt/data/shares
Name: shares
default share parameters
auxiliary parameters: hide unreadable=yes
So far I can login as a user and it only shows me the files for there group as expected. I think I got everything setup correctly.
Also, hopefully this post can help anyone else trying to this.
So I am testing setting up SMB shares from AD and want to make sure I am doing the permissions correctly (not missing anything important).
The goal is to setup a single main share directory (dataset) with sub directories (datasets) for each department. The user should only see the shares they have access too.
Note that there are no users configured in TrueNAS server, aside from root. All other accounts are AD users with appropriate department security groups.
Under Storage:
data (pool root dataset)
+shares (dataset) [sharetype smb] [this is the actual share setup below]
++department1 (dataset) [sharetype smb]
++department2 (dataset) [sharetype smb]
++department3 (dataset) [sharetype smb]
For the permissions on the Shares dataset:
owner@ - root Allow | Full Control
group@ - root Allow | Modify
Group - builtin_users | Allow Read (modify or read works, traverse breaks being able to view any shares. )
Group - builtin_administrators | Allow Full Control
Group - AD\Domain Users | Allow Read (modify or read works, traverse breaks.)
Group - AD\Domain Admins | Allow Full Control
Group - AD\deparment... | Allow Traverse (each department group set to traverse. This works unlike above. Possibly because of the read setting.)
For the permission on the department sub data sets:
owner@ - root Allow | Full Control
group@ - root Allow | Modify
Group - builtin_administrators | Allow Full Control
Group - AD\Domain Admins | Allow Full Control
Group - AD\deparment... | Allow Modify
Do you need builtin_users or domain users here? (The department group already grants access to the people that should have access.)
I could see setting builtin_users and domain users to read if you want read only access to all users, but modify only for a specific department.
Under shares -> Windows SMB Shares
Path: /mnt/data/shares
Name: shares
default share parameters
auxiliary parameters: hide unreadable=yes
So far I can login as a user and it only shows me the files for there group as expected. I think I got everything setup correctly.
Also, hopefully this post can help anyone else trying to this.
