Windows CIFS Share "Everyone" user

Status
Not open for further replies.

Thousandbuckle

Contributor
Joined
Jul 9, 2014
Messages
136
Hello all, I am running FreeNAS 9.3 and need some help to understand if I am doing something wrong, or if this is by design and I need to rethink how I should do this.

I have set up one Windows dataset and one CIFS share as shown below in the images. When logged in as bob on the local PC and browsing to the share in Windows Network, I can see the share and access it with no problem. I can then go in and manage the Windows ACL as I intended to. The problem I have is regarding share access for users who are not mapped in FreeNAS Users/Groups.

What I want is for any generic user who is on the LAN/WLAN of the network to be able to browse to the share folder and then list the top-level folders of the share, but not be able to traverse into the folders themselves. I would then set ACLs for the folders in the share with the users mapped in FreeNAS for them to access the shares as I have configured. This part works with no problem. I would also like to be able to give "everyone" read access to some folders and read/write to others; this part does not work. When I try to access the share from a PC logged in with a user ID not mapped in FreeNAS users/groups, I get the Windows authentication pop-up, which is what I don't want to happen, because this user needs to be able to see the share and the top level so they can access the folders set for everyone. I have enabled the "everyone" user in the share to have List Folder Contents, but this does not resolve the pop-up issue for the main share itself.

Can someone help me understand if I am doing something wrong, or if I am trying to make this work the way I want but it was not designed to work that way?

upload_2016-7-22_15-18-17.png
upload_2016-7-22_15-19-3.png
upload_2016-7-22_15-21-39.png


Pop up I get when logged on as a user that does not have a user/group account in FreeNAS.
upload_2016-7-22_15-27-15.png
 

Thousandbuckle

Contributor
Joined
Jul 9, 2014
Messages
136
I am aware of guest access but was not wanting to do that because it gives full access and I wanted to have more granular control, plus I can't seem to get it to work either for some reason. I followed the documentation wizard and could see the share it creates and the contents I put in under the dataset owner, but could not modify the public guest access share with the nobody access.

In the screenshot below I want to share dataset "file_share" in CIFS, which has 3 folders under it, illustrated in the second image. I thought I could control access through Windows ACLs. On Folder 1 the Windows ACLs would have Everyone Read-Write access enabled, Folder 2 would have Everyone Read access only and Users created in FreeNAS would have Read-Write access, then Folder 3 would have no Read access for Everyone and only Read-Write for the users created in FreeNAS.

Is this kind of permission management not possible in FreeNAS? Seems like this should be easy enough to do but apparently not.

upload_2016-7-22_22-10-28.png

upload_2016-7-22_22-14-46.png
 


anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

Right. There are several ways to accomplish what you're wanting to do. I dislike using "nobody" as my samba guest user and eschew the wizard. Instead I do the following:
  1. Create user "sambaguest" and set a password for it.
  2. Under "services" -> "CIFS", change guest user from "nobody" to "sambaguest"
  3. Change dataset so that it is owned by "<admin user>:<admin group>"
  4. Create share and apply default permissions
  5. Authenticate as <admin user>, then change permissions of the share in the following ways:
    • In the Explorer security tab, click "advanced" then select "everyone" and click "edit" and change "Applies to" to "This folder only".
    • Then on each subdirectory you want "everyone" to have access to, create a new access control entry with appropriate permissions.
 

Thousandbuckle

Contributor
Joined
Jul 9, 2014
Messages
136
Hi anodos, thank you for your reply, but I have a few questions for you on your method. I followed steps 1-2 with no problems, but on step 3 should one of the admins be "sambaguest", or should I keep my normal admin user/group that I normally use? On step 4 should I check "Allow Guest Access"? It is not clear to me where the new user "sambaguest" gets applied for everyone access.

Also in your first bullet point when I select everyone what am I supposed to be editing about everyone? Remove it or Replace it with "sambaguest"?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Thousandbuckle said:
Hi anodos, thank you for your reply, but I have a few questions for you on your method. I followed steps 1-2 with no problems, but on step 3 should one of the admins be "sambaguest", or should I keep my normal admin user/group that I normally use?

Keep the normal ones.

Thousandbuckle said:
On step 4 should I check "Allow Guest Access"? It is not clear to me where the new user "sambaguest" gets applied for everyone access.

Yes. Check "allow guest access". This will cause Samba to dynamically map "bad users" to the "sambaguest" user.

Thousandbuckle said:
Also in your first bullet point when I select everyone what am I supposed to be editing about everyone? Remove it or Replace it with "sambaguest"?

In Windows Explorer, navigate to \\<freenas>, right-click on your share, click properties, click on the security tab, click on the "advanced" button. Then modify the Access Control Entry (ACE) for "everyone" as I described above. You are basically changing the ACE so that it does not get inherited by subdirectories. This will grant Read access to the share itself. You will need to create separate ACEs for "Everyone" on the subdirectories to fine-tune permissions further.

You will fine-tune using "everyone" in this case and not "sambaguest" so that the permissions will be a sort of catch-all for your users.
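
Added example, not part of the original thread or anyone's posted code: the ACE layout discussed above, scripted with icacls from a Windows client authenticated as the admin user instead of clicking through the Explorer security tab. The host name freenas, the folder names Folder1 to Folder3, and the group placeholder are assumptions; only the dataset name file_share comes from the thread.

```powershell
# Added example. Host, folder names and group are assumptions, not from the thread.
$share    = '\\freenas\file_share'   # hypothetical host name; dataset name as in the thread
$nasGroup = '<freenas group>'        # placeholder: group holding the users created in FreeNAS

# Share root: Everyone may list and read this folder only.
# Leaving out the (OI)/(CI) flags is the icacls form of
# "Applies to: This folder only", so the ACE is not inherited by subdirectories.
icacls $share /grant:r 'Everyone:(RX)'

# Folder 1: Everyone read-write, inherited by files (OI) and subfolders (CI).
icacls "$share\Folder1" /grant:r 'Everyone:(OI)(CI)M'

# Folder 2: Everyone read-only, FreeNAS users read-write.
icacls "$share\Folder2" /grant:r 'Everyone:(OI)(CI)RX' "${nasGroup}:(OI)(CI)M"

# Folder 3: FreeNAS users only; drop any explicit grant to Everyone.
icacls "$share\Folder3" /grant:r "${nasGroup}:(OI)(CI)M"
icacls "$share\Folder3" /remove:g Everyone

# Review the result. With guest access enabled, every unmapped user arrives
# as the guest account and is matched by the Everyone entries, so Folder3
# must list no Everyone entry. An entry tagged (I) is still being inherited
# from the parent folder.
icacls $share
icacls "$share\Folder1"
icacls "$share\Folder2"
icacls "$share\Folder3"
```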
 