SMB shares show even if user doesn't have permission

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
I've created datasets in a pool that have permissions set giving only certain groups access to each dataset. Then, I've created Windows shares that each have their path set to each dataset created.

When users connect to the NAS either in Windows or in MacOS, Windows Explorer / Mac Finder both show shares that the user doesn't have access to. When the user double-clicks to try to access them, they cannot and the system indicates they don't have permission, which of course is correct.

But, how can I get those shares (the ones that users don't have access to) to not show up at all? I would like the user to only see a listing of shares that they should be able to connect to.
 

Yorick

Wizard
Joined
Nov 4, 2018
Messages
1,912

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
Is there a place in the GUI (web GUI) where Samba configuration files are accessible for editing?
 
Joined
Jan 4, 2014
Messages
1,644
> But, how can I get those shares (the ones that users don't have access to) to not show up at all? I would like the user to only see a listing of shares that they should be able to connect to.
Refer to 'Access based share enumeration in SMB' in SMB Tips and Tricks
 
Joined
Jan 4, 2014
Messages
1,644

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
I added "access based share enum=yes" to the SMB Service area so that it would be global to all shares, but they're still showing up. I'm not using AD or anything. Just straight file sharing with local (on FreeNAS) user accounts. I must be doing something wrong someplace.
 
Joined
Jan 4, 2014
Messages
1,644

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
Still not working. Do you know if I would need to do the steps related to Windows "Computer Management" in the "Access based share enumeration in SMB" article you referenced if I'm not in an AD environment? I've added the "access based share enum=yes" line to each of my shares, but they all show up for users regardless of whether they have permission to view them or not.
 
Joined
Jan 4, 2014
Messages
1,644
Follow all the steps. Get it working on one share first.
 

Yorick

Wizard
Joined
Nov 4, 2018
Messages
1,912

seanm

Guru
Joined
Jun 11, 2018
Messages
570
The awesome 'SMB Tips and Tricks' @anodos wrote says "This how-to is for AD member servers, but the steps can be modified to accommodate standalone samba servers.". Unless I'm just not seeing it, there's no discussion for the latter case.

At step 2 I don't see my FreeNAS shares at all, despite being connected to one at the time.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> The awesome 'SMB Tips and Tricks' @anodos wrote says "This how-to is for AD member servers, but the steps can be modified to accommodate standalone samba servers.". Unless I'm just not seeing it, there's no discussion for the latter case.
>
> At step 2 I don't see my FreeNAS shares at all, despite being connected to one at the time.

I guess I never really finished that how-to. This will be easier to set up in 11.2-U4 (we will add a dropdown for an SMB admin group that has the required privileges to manage a standalone server via Computer Management).
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
@icdadmin these two related threads may help you:

https://www.ixsystems.com/community/threads/restrict-access-to-one-share.44413/#post-297190
https://www.ixsystems.com/community/threads/methods-for-fine-tuning-samba-permissions.50739/

After reading all that, I think I got it to work. Let's say your share is named FooBar

1) add "access based share enum=yes" as an aux parameter on the FooBar share.
2) from the shell, use 'net usersidlist' or 'net groupmap list' to determine the SID of a local FreeNAS user or group, e.g. S-1-5-21-7567469271-2383756280-2683756379-1001
   - add a 'share permission' for the SID (remember this sets maximum permissions) and remove the default one:

sharesec FooBar -a S-1-5-21-7567469271-2383756280-2683756379-1001:ALLOWED/0/FULL
sharesec FooBar -r S-1-1-0:ALLOWED/0x0/FULL

3) stop/start samba

As I understand it, you should still use Properties > Security (from Windows) to configure file permissions.
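The state reported earlier in the thread (parameter set, shares still listed) can be checked against the share ACLs that the sharesec steps change. The script below is an added example, not code from the thread, FreeNAS or Samba; the function names, the sample share Public, and the assumed text layout of the ACL listing (a `[share]` header followed by `ACL:` lines in the ACE syntax used above) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list shares with "access based share enum"
# in effect whose share ACL still allows Everyone (S-1-1-0), so all users see them.
# $1: smb.conf-style text. A value in [global] is the default for shares
# that do not set the parameter themselves.
abse_shares() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[.*\][ \t]*$/ {
            s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
            if (tolower(s) == "global") sec = "global"
            else { sec = s; names[s] = 1 }
            next
        }
        tolower($0) ~ /^[ \t]*access based share enum[ \t]*=/ {
            v = tolower($0); sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            val[sec] = (v == "yes" || v == "true" || v == "1"); seen[sec] = 1
        }
        END { for (n in names) if ((n in seen) ? val[n] : val["global"]) print n }
    ' | sort
}

# $1: share ACL listing; assumed layout is a "[share]" header followed by
# "ACL:<SID>:<TYPE>/<FLAGS>/<MASK>" lines. Prints shares open to Everyone.
shares_open_to_everyone() {
    printf '%s\n' "$1" | awk '
        /^\[.*\]$/ { share = substr($0, 2, length($0) - 2); next }
        /^ACL:S-1-1-0:ALLOWED\// { print share }
    ' | sort -u
}

# Shares where the parameter is on but the Everyone ACE is still present.
abse_ineffective() {
    open=$(shares_open_to_everyone "$2")
    abse_shares "$1" | while IFS= read -r s; do
        if printf '%s\n' "$open" | grep -Fxq -- "$s"; then printf '%s\n' "$s"; fi
    done
}

# Constructed sample input: FooBar follows the sharesec steps, Public does not.
SAMPLE_CONF='[global]
access based share enum = yes
[FooBar]
[Public]'
SAMPLE_ACLS='[FooBar]
ACL:S-1-5-21-7567469271-2383756280-2683756379-1001:ALLOWED/0x0/FULL
[Public]
ACL:S-1-1-0:ALLOWED/0x0/FULL'
abse_ineffective "$SAMPLE_CONF" "$SAMPLE_ACLS"   # prints: Public
```

On a live system the first argument would come from `testparm -s` and the second from sharesec's listing of all share ACLs.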
 

icdadmin

Dabbler
Joined
Jun 7, 2018
Messages
28
Thank you so much everyone! Between adding "access based share enum=yes" to each share's settings and then using sharesec using the steps @seanm suggested, it is now working perfectly. I really appreciate everyone's help and guidance.
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> @anodos I was going to file a bug, but searched first, and found that a checkbox was added for "access based share enum=yes":
>
> https://redmine.ixsystems.com/issues/25936
>
> but that it's missing in the 'new ui':
>
> https://redmine.ixsystems.com/issues/73650
>
> So in 11.2U3, where the latter is fixed, does that checkbox only set "access based share enum=yes", or does it invoke 'sharesec' internally to limit the share visibility? If so, to who?
It only sets the smb.conf parameter. You will need to use the Computer Management MMC snap-in to define who can see the share in the browse list.
 