Tiered Permissions with CIFS

Status: Not open for further replies.

Intropy (Dabbler) | Joined Sep 17, 2013 | Messages: 13
I'm having a real hard time figuring out how to get my permissions set up right for multiple users with multiple shares.

I have one volume /mnt/storage
Under that volume I have a couple of datasets:
/mnt/storage/shared
/mnt/storage/Home

shared has a few child datasets:
/mnt/storage/shared/documents
/mnt/storage/shared/photos

as does Home:
/mnt/storage/Home/Foo
/mnt/storage/Home/Bar
/mnt/storage/Home/Baz

I have these CIFS shares (all with Browsable checked but nothing else):
documents -> /mnt/storage/shared/documents
photos -> /mnt/storage/shared/photos
home -> /mnt/storage/Home

My client machines are all Windows for now. They are all in WORKGROUP and the CIFS service is also set to WORKGROUP.

I have three users on my Windows machines: Foo, Bar, and Baz.
I have those same three users (set up with the same passwords as they use in Windows) as users in FreeNAS and each has a corresponding primary group.

What I want is for Foo, Bar, and Baz each to have read and execute permissions on documents and photos and for Foo to have read, execute, and write permissions.

I also want Foo to have rwx permissions to Home/Foo but no permissions at all to Home/Bar or Home/Baz, and the same setup for Bar and Baz: all permissions to their own dirs, with nobody else having any. These three would be top-level directories within the dataset Home but not full datasets themselves.

Here's the config I'm currently sitting at:

I have groups:
SharedOwners with member Foo
HomeOwners with members Foo, Bar, and Baz

storage has rwxrwxrwx permissions with owner nobody and group nogroup
shared, documents, and photos are rwxrwxr-x with owner nobody and group SharedOwners
Home is rwxr-x--- with owner nobody and group HomeOwners
Foo, Bar, and Baz are rwxrwx--- with Owner and Group Foo, Bar, and Baz respectively.

The CIFS service has
Authentication Model: Local User
Guest Account: nobody
and has checked: dos attributes, allow empty password, unix extensions, zeroconf, and hostnames lookups

The current behavior I witness is that user Foo can read and write to the shares documents and photos. Everyone else can see that the shares exist but cannot browse into them. Likewise Foo can see that Home is a share but cannot browse into it.
 

Intropy (Dabbler) | Joined Sep 17, 2013 | Messages: 13
Thinking on this some more, I guess I don't really need a tiered scheme as long as I get these features for the shared type of data:

1. People not on the list can't see/read the data in the shares. This is to protect me from snooping from the outside and so that I can let guests on my LAN without automatically giving them NAS access.
2. People on the list can see and read the data in the shares but cannot write or delete. This is to protect against accidental deletion or moving.
3. I have some way of getting new data onto the shares. This could mean I log into the NAS console, log in to a client machine and pull over CIFS. Or it could mean I use something else entirely, like scp to push the files across.

I thought I had the right setup to do this with all the shared datasets set to be readable and executable by "Other", the CIFS share not allowing guest access, and CIFS service set to "Local User." But what I get is that only the user Foo, who is in the SharedOwners group can read from it. Nobody else gets past the "Enter Network Password" prompt in Windows.

Guest access is distinct from "other" permissions, right? I mean, guest access is a CIFS feature that relates to whether the user is a user of the server, while "other" permissions are a POSIX filesystem feature that details what particular users can do with particular files. It should be fine for a non-guest user to access files as an "other" user, right?
 

Intropy (Dabbler) | Joined Sep 17, 2013 | Messages: 13
Getting closer. Rebooting is a magical thing - for FreeNAS as well as all my clients.

Users now require a logon to get into the CIFS share, and that logon is automatic since they have the same user/pw in Windows. Users can read all the shared stuff and not other users' home directories, which is also good. The only thing that's still off is that all users who can get into the CIFS share are able to write to the directories, despite those datasets being rwxrwxr-x and not all users being in the SharedOwners group.
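As an added check that is not part of the thread, the Python model below applies the owners, groups and mode bits listed in the first post with the plain POSIX rule (owner triplet, else group triplet, else other, and an x bit on every parent directory) to predict what each user should get at the filesystem layer; it assumes Samba runs each session as the logged-on FreeNAS user and that no ACLs beyond the displayed mode bits are in play. The owner `nobody`, which is also the guest account named in the service settings, is included so the table shows what any session mapped to that uid would get; if Bar or Baz can write to the shared datasets while the model says `r-x`, the session uid/gids or extra ACLs on the datasets are the things to verify on the server.

```python
# Ownership and modes constructed from the first post: path -> (owner, group, mode).
TREE = {
    "/mnt/storage":                  ("nobody", "nogroup",      "rwxrwxrwx"),
    "/mnt/storage/shared":           ("nobody", "SharedOwners", "rwxrwxr-x"),
    "/mnt/storage/shared/documents": ("nobody", "SharedOwners", "rwxrwxr-x"),
    "/mnt/storage/shared/photos":    ("nobody", "SharedOwners", "rwxrwxr-x"),
    "/mnt/storage/Home":             ("nobody", "HomeOwners",   "rwxr-x---"),
    "/mnt/storage/Home/Foo":         ("Foo",    "Foo",          "rwxrwx---"),
    "/mnt/storage/Home/Bar":         ("Bar",    "Bar",          "rwxrwx---"),
    "/mnt/storage/Home/Baz":         ("Baz",    "Baz",          "rwxrwx---"),
}

# Group membership from the post (primary group plus the two custom groups).
# "nobody" is the guest account named in the CIFS service settings and is also
# the owner of every dataset above Home/*, so it is worth modelling explicitly.
GROUPS = {
    "Foo":    {"Foo", "SharedOwners", "HomeOwners"},
    "Bar":    {"Bar", "HomeOwners"},
    "Baz":    {"Baz", "HomeOwners"},
    "nobody": {"nogroup"},
}

def triplet(path: str, user: str) -> str:
    """Owner, group or other rwx triplet of `path` that applies to `user`."""
    owner, group, mode = TREE[path]
    if user == owner:
        return mode[0:3]
    if group in GROUPS.get(user, set()):   # unknown users have no groups
        return mode[3:6]
    return mode[6:9]

def effective_perms(user: str, path: str) -> str:
    """Permissions the POSIX model grants `user` on `path`, or '---' when a
    directory between /mnt/storage and the parent is not traversable (no x)."""
    parts = path.split("/")
    for depth in range(3, len(parts)):    # parts[:3] is "/mnt/storage"
        if "x" not in triplet("/".join(parts[:depth]), user):
            return "---"
    return triplet(path, user)

def permission_table(users=("Foo", "Bar", "Baz", "nobody")) -> dict:
    """(user, path) -> rwx string for every entry in TREE."""
    return {(u, p): effective_perms(u, p) for u in users for p in TREE}

if __name__ == "__main__":
    for (user, path), perms in sorted(permission_table().items()):
        print(f"{user:7} {perms}  {path}")
```

Passing a user name that is not in GROUPS (an authenticated account that is on no list) shows what the "other" bits alone grant, which is the distinction between Samba authentication and POSIX "other" raised in the second post.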
 