SMB domain users permissions best practices/recommendations

Status
Not open for further replies.

Michael Hanna

Dabbler
Joined
Jun 17, 2017
Messages
43
I'm a new user to FreeNAS... I've been tinkering around about a week now. I've been reading through the manual as well as following the links in the manual for Samba permissions fine tuning and general Samba setup. My environment at home is a Windows domain with domain users that I would like to use ACLs to control access to the SMB shares. I've been able to do this and it seems to work great using File Explorer in Windows. I'd like to get some input on the creation of the datasets before I get too far into moving my data around. The way that I initially set up the datasets was to set the owner as my domain user and the group to domain admins (which my user is a member of) and then using File Explorer to set up the rest of the permissions as needed. A lot of the examples and videos I've seen so far have set up the datasets with the owner and group with a local FreeNAS user and group and then adding the domain users and group later using File Explorer. I guess my question is what is best... domain user as owner and domain group as owner group or local user? I don't want to get too far into moving data around and find out I should have done it another way.
 

Michael Hanna

Dabbler
Joined
Jun 17, 2017
Messages
43
Yes. I created a local user and group on the FreeNAS server that has r/w permissions on my shares. Then I used Windows File Explorer to add my domain users and groups to have appropriate permissions.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Yes. I created a local user and group on the FreeNAS server that has r/w permissions on my shares. Then I used Windows File Explorer to add my domain users and groups to have appropriate permissions.

That method works fine. One thing to remember about the user / group you add through the WebUI is that Samba sort of lies about what they do. They are actually roughly the equivalent of "CREATOR-OWNER" and "CREATOR-OWNER-GROUP", but appear as a regular user / group through Windows File Explorer. This means that your ACL will appear to change as users create files / folders. It's nothing to worry about, but can appear a bit odd the first time you notice it's happening.
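
Added example, not part of the original thread and not Samba or FreeNAS code: a simplified Python model of the behaviour described in the post above, where the dataset's owner and group entries act as templates that a Windows client lists as ordinary named principals. All names and paths are constructed, and the model assumes a new file is owned by its creator and takes its group from the parent directory.

```python
from dataclasses import dataclass

OWNER_T = "owner@"   # template: resolves to each object's current owner
GROUP_T = "group@"   # template: resolves to each object's current group

@dataclass(frozen=True)
class Ace:
    who: str      # a template or an explicitly named principal
    rights: str   # e.g. "modify", "read"

@dataclass
class Node:
    path: str
    owner: str
    group: str
    acl: list

def create(parent, name, creator):
    """Assumed model: the stored ACL is inherited unchanged, the creator becomes
    the owner, and the group comes from the parent directory."""
    return Node(f"{parent.path}/{name}", creator, parent.group, list(parent.acl))

def explorer_view(node):
    """What a Windows client would list: templates shown as concrete names."""
    subst = {OWNER_T: node.owner, GROUP_T: node.group}
    return [(subst.get(a.who, a.who), a.rights) for a in node.acl]

def explicit_grants(node):
    """Entries that are real named grants, i.e. what an access review should count."""
    return [(a.who, a.rights) for a in node.acl if a.who not in (OWNER_T, GROUP_T)]

# Constructed sample: a share owned by a local account, domain groups added later.
ROOT = Node("/mnt/tank/share", "nasuser", "nasgroup", [
    Ace(OWNER_T, "modify"),
    Ace(GROUP_T, "modify"),
    Ace("DOMAIN\\Share-RW", "modify"),
    Ace("DOMAIN\\Share-RO", "read"),
])

if __name__ == "__main__":
    doc = create(ROOT, "report.docx", "DOMAIN\\alice")
    for node in (ROOT, doc):
        print(node.path)
        for who, rights in explorer_view(node):
            print(f"  {who:<18} {rights}")
        print("  explicit grants:", explicit_grants(node))
```

The stored ACL on the new file is identical to the parent's; only the name displayed for the owner entry differs, which is why the list looks like it changed.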
 

Michael Hanna

Dabbler
Joined
Jun 17, 2017
Messages
43
> That method works fine. One thing to remember about the user / group you add through the WebUI is that Samba sort of lies about what they do. They are actually roughly the equivalent of "CREATOR-OWNER" and "CREATOR-OWNER-GROUP", but appear as a regular user / group through Windows File Explorer. This means that your ACL will appear to change as users create files / folders. It's nothing to worry about, but can appear a bit odd the first time you notice it's happening.

Thanks for the info... I'll keep that in mind. So far the setup seems to be working great... no real permissions issues to speak of. One pain is having to add/change permissions with Windows Explorer after the datasets are populated. With sizable folder structures and files it takes some time to apply or change permissions that apply to all folders, subfolders and files. Best to make sure you get it right first. I did this by making sure I used groups instead of users so that I could just add users to the proper group to give permissions and not have to change the permissions.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Thanks for the info... I'll keep that in mind. So far the setup seems to be working great... no real permissions issues to speak of. One pain is having to add/change permissions with Windows Explorer after the datasets are populated. With sizable folder structures and files it takes some time to apply or change permissions that apply to all folders, subfolders and files. Best to make sure you get it right first. I did this by making sure I used groups instead of users so that I could just add users to the proper group to give permissions and not have to change the permissions.

I feel your pain. I have a dataset that takes over an hour to change permissions on. :) There are ways to manipulate ACLs from the CLI, but you're much better off doing it the way that you are doing it. I hope one day an iX dev will decide to expand the capabilities of winacl to cover this need.
 