Windows ACLs for new subfolders


Gudeen (Cadet, joined Mar 13, 2018, 6 messages):
Hi,
I can't figure out how to properly use Windows ACLs to allow access to some folders and subfolders only for certain users. For example, the top-level folder has ACEs to allow write access for userA and userB (and the group "domain admins"; the owner is root).
When userA creates a subfolder, he is the owner, so his ACE is replaced by the special owner@ ACE.

root@freenas:/mnt/data/share/Public # getfacl test-1/
# file: test-1/
# owner: AD-DOMAIN\UserA
# group: AD-DOMAIN\domain admins
group@:rwxpDdaARWcCo-:fd----I:allow
group:AD-DOMAIN\UserB:rwxpDdaARWc---:fd----I:allow
owner@:rwxpDdaARWc---:fd----I:allow

Both users can still write to the subfolder. But if userB adds another subfolder, it inherits the owner@ ACE and userA has disappeared from the ACL, so he has no access to the new folder.

root@freenas:/mnt/data/share/Public # getfacl test-1/test-2/
# file: test-1/test-2/
# owner: AD-DOMAIN\UserB
# group: AD-DOMAIN\domain admins
group@:rwxpDdaARWcCo-:fd----I:allow
group:AD-DOMAIN\UserB:rwxpDdaARWc---:fd----I:allow
owner@:rwxpDdaARWc---:fd----I:allow

Probably this is expected behaviour with the hardcoded nfs4:mode=special in smb4.conf, but I have no idea how to do it right...
The only way I have found so far is to use only groups instead of individual users for each folder, adding all users that should have access to the group. But then I would have to constantly add new groups... so what is the recommended way to handle this problem better?
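As an added example (not code from the thread or from FreeNAS): a small Python checker that parses getfacl listings like the two quoted above and reports which expected writers no longer hold a write-granting ACE once owner@ is resolved against the directory's actual owner. The two listings are constructed from the test-1 and test-2 output in the post; the principal names are taken from it.

```python
# Added example, not from the thread or FreeNAS: parse getfacl listings and
# report which expected writers lost write access.  TEST1/TEST2 below are
# constructed from the test-1 and test-2 output quoted in the post.
def parse_getfacl(text):
    """Return (owner, group, aces); each ace is (tag, principal, perms, flags, kind)."""
    owner = group = None
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            f = line.split(":")
            if f[0].endswith("@"):      # owner@/group@/everyone@ carry no name field
                aces.append((f[0], "", f[1], f[2], f[3]))
            else:                       # user:NAME or group:NAME
                aces.append((f[0], f[1], f[2], f[3], f[4]))
    return owner, group, aces

def writers(owner, group, aces):
    """Principals holding an allow ACE with 'w'; owner@ and group@ resolve to the
    directory's current owner/group, i.e. to whoever created the directory."""
    out = set()
    for tag, principal, perms, _flags, kind in aces:
        if kind != "allow" or "w" not in perms:
            continue
        if tag == "owner@":
            out.add(owner)
        elif tag == "group@":
            out.add(group)
        elif tag in ("user", "group"):
            out.add(principal)
    return out

def missing_writers(listing, expected):
    """Expected principals that no longer have write access on this directory."""
    return set(expected) - writers(*parse_getfacl(listing))

TEST1 = r"""# file: test-1/
# owner: AD-DOMAIN\UserA
# group: AD-DOMAIN\domain admins
group@:rwxpDdaARWcCo-:fd----I:allow
group:AD-DOMAIN\UserB:rwxpDdaARWc---:fd----I:allow
owner@:rwxpDdaARWc---:fd----I:allow"""
# test-2 carries the same inherited ACEs, but UserB is the owner.
TEST2 = TEST1.replace("test-1/", "test-1/test-2/").replace(r"\UserA", r"\UserB", 1)
EXPECTED = {r"AD-DOMAIN\UserA", r"AD-DOMAIN\UserB"}
```

Feeding it the output of `find /mnt/data/share/Public -type d -exec getfacl {} +` (split per `# file:` header) flags every subfolder where a recursive reset collapsed a named user's ACE into owner@ and the owner later changed.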
 

Mirfster ("Doesn't know what he's talking about", joined Oct 2, 2015, 3,215 messages):

Gudeen:
I used Windows Explorer and icacls to set the permissions. I only used getfacl on FreeNAS to check the resulting ACLs after noticing that the inherited ACLs were different from what I expected.
 

Gudeen:
I tried on another folder and could only replicate the issue when using icacls to reset the permissions after the first folder was created.
So the process was:
1. Create folder "Public", set permissions for two users with Windows Explorer
2. UserA creates subfolder Public\test-1
3. icacls \\freenas\Public\* /RESET /T (to reset the permissions of subfolders to inherited ACLs only)
4. UserB creates subfolder Public\test-1\test-2
-> UserA has no permission for Public\test-1\test-2; UserB has two ACEs: owner@ and AD-Domain\UserB

The background is that I migrated a lot of data from a non-FreeNAS system and had to adjust all the permissions, so I set the permissions with Windows Explorer on the root folder and then used icacls to recursively reset permissions on all subfolders. After that the problem occurred on new subfolders.
 

Mirfster:
1. What exact permissions are you setting for the two users on "Public"?
2. AFAIK "icacls" does not modify existing ownership (you would need to leverage "takeown" for that)
3. My point is, if the topmost folder has proper permissions set, then any files/folders below will inherit said perms (unless you are explicitly disabling inheritance)
4. In my example "Authenticated Users" only have "Modify Rights", and any folders/subfolders created by different users will still be accessible under the folder "WriteableByAll" by others
 

Gudeen:
On the top folder both users have "Modify Rights" and the Domain Admins group has "Full Control". The ownership is not modified; every subfolder is owned by the creating user.

The inherited ZFS ACL is not the same (group:AD-Domain\userA:...) but owner@:... if the subfolder was created by userA.
In Windows it shows as the same, but on the next subfolder it causes the problem because the explicit group:AD-Domain\userA is missing.

It also happens when using the "Replace all child object permission entries with inheritable permission entries from this object" option in the advanced permissions tab instead of icacls and then creating new subfolders.
 

Gudeen:
I did some further testing; it is actually the "Replace all child object permission entries with inheritable permission entries from this object" option or "icacls /RESET" that replaces the user ACE with the owner@ ACE.
I thought the result should be the same as the inherited ACLs.

*Edit*: To sum it up, inheritance when creating a new folder after the permissions are set works as expected, but when inheritable permissions are applied recursively to existing folders from a Windows PC, the user ACEs are replaced by the special "owner@" ACE if the file is owned by that user.

*Edit2*: I filed this as a bug, https://redmine.ixsystems.com/issues/31062, because I think the ACLs applied by resetting to inheritable ACLs should be exactly the same as the originally inherited ACLs. Although I'm not sure whether this is the fault of FreeNAS/Samba or of the Windows tools applying the ACLs...
 