Hi,
I can't figure out how to properly use windows ACLs to allow access to some folders and subfolders only for certain users. For example the top level folder has ACEs to allow write access for userA and userB (and group "domain admins", owner is root).
When userA creates a subfolder, he is the owner, so his ACE is replaced by the special owner@ ACE.
root@freenas:/mnt/data/share/Public # getfacl test-1/
# file: test-1/
# owner: AD-DOMAIN\UserA
# group: AD-DOMAIN\domain admins
group@:rwxpDdaARWcCo-:fd----I:allow
group:AD-DOMAIN\UserB:rwxpDdaARWc---:fd----I:allow
owner@:rwxpDdaARWc---:fd----I:allow
Both users can still write to the subfolder. But if userB adds another subfolder, he inherits the owner@ ACE and userA disappears from the ACL, having no access to the new folder.
root@freenas:/mnt/data/share/Public # getfacl test-1/test-2/
# file: test-1/test-2/
# owner: AD-DOMAIN\UserB
# group: AD-DOMAIN\domain admins
group@:rwxpDdaARWcCo-:fd----I:allow
group:AD-DOMAIN\UserB:rwxpDdaARWc---:fd----I:allow
owner@:rwxpDdaARWc---:fd----I:allow
Probably this is expected behaviour with the hardcoded nfs4:mode=special in smb4.conf, but I have no idea how to do it right...
The only way I found so far is using only groups instead of individual users for each folder, adding all users that should have access into the group. But then I would have to constantly add new groups... so what is the recommended way to better handle this problem?
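The inheritance behaviour described in the post, replayed as a small Python model so the loss of userA's access can be checked rather than eyeballed. This is an added example, not code from FreeNAS or Samba, and it only models what the getfacl output above shows: inheritable ACEs are copied to a new subfolder verbatim, the creator becomes the owner, and with nfs4:mode=special the creator's own named ACE is folded into owner@ (which then resolves to whoever owns the child). The group memberships, the simplified r/w/x permission set and the "project-x" group are constructed assumptions; the second scenario models the group-based workaround the post mentions.

```python
"""Model of NFSv4 ACL inheritance with Samba's nfs4:mode=special (added
example, not FreeNAS/Samba code). Assumptions: inheritable ACEs are copied
to a new subfolder as-is, the creator becomes owner, the creator's named
ACE is folded into owner@, and owner@/group@ resolve against the child."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    principal: str        # "owner@", "group@", "user:NAME" or "group:NAME"
    perms: frozenset      # subset of {"r", "w", "x"}; simplified NFSv4 set
    inherit: bool = True  # stands in for the f/d inheritance flags


@dataclass
class Folder:
    name: str
    owner: str
    group: str
    acl: tuple


# Constructed group membership for the model (assumption, not from the post).
GROUPS = {
    "domain admins": {"root", "admin1"},
    "project-x": {"UserA", "UserB"},
}


def create_subfolder(parent, name, creator, mode_special=True):
    """Return the child folder `creator` gets when making `name` under `parent`."""
    inherited = []
    for ace in parent.acl:
        if not ace.inherit:
            continue
        if mode_special and ace.principal == f"user:{creator}":
            # The creator's explicit ACE becomes the special owner@ entry.
            ace = Ace("owner@", ace.perms, ace.inherit)
        inherited.append(ace)
    # Merge duplicate principals (e.g. an inherited owner@ plus the folded one).
    merged, order = {}, []
    for ace in inherited:
        if ace.principal in merged:
            merged[ace.principal] = Ace(
                ace.principal, merged[ace.principal].perms | ace.perms, ace.inherit)
        else:
            merged[ace.principal] = ace
            order.append(ace.principal)
    return Folder(name, creator, parent.group, tuple(merged[p] for p in order))


def principals_with(folder, perm):
    """Resolve special ACEs for this folder; return every user holding `perm`."""
    users = set()
    for ace in folder.acl:
        if perm not in ace.perms:
            continue
        if ace.principal == "owner@":
            users.add(folder.owner)          # resolves to the CHILD's owner
        elif ace.principal == "group@":
            users |= GROUPS.get(folder.group, set())
        else:
            kind, _, name = ace.principal.partition(":")
            if kind == "user":
                users.add(name)
            elif kind == "group":
                users |= GROUPS.get(name, set())
    return users


def lost_access(parent, child, perm="w"):
    """Users who can `perm` the parent but not the child: the gap the post describes."""
    return principals_with(parent, perm) - principals_with(child, perm)


def scenario(use_group):
    """Public (owner root) -> test-1 made by UserA -> test-2 made by UserB."""
    rwx = frozenset("rwx")
    if use_group:
        acl = (Ace("group@", rwx), Ace("group:project-x", rwx))
    else:
        acl = (Ace("group@", rwx), Ace("user:UserA", rwx), Ace("user:UserB", rwx))
    public = Folder("Public", "root", "domain admins", acl)
    test1 = create_subfolder(public, "test-1", "UserA")
    test2 = create_subfolder(test1, "test-2", "UserB")
    return public, test1, test2


if __name__ == "__main__":
    for use_group in (False, True):
        _, t1, t2 = scenario(use_group)
        print("group ACE" if use_group else "named users",
              "-> lost on test-2:", sorted(lost_access(t1, t2)))
```

Running it shows `lost on test-2: ['UserA']` for the named-user ACL and an empty list for the group-based one. The `lost_access` check is the useful part for auditing a share: walk the tree, compare each child against its parent, and any non-empty result is a folder where inheritance silently dropped someone.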