
SMB Tips and Tricks

I've decided to consolidate various tips, tricks, and random config info into a thread. Hopefully someone will find it useful.

The original thread can be found here:
https://forums.freenas.org/index.php?threads/cifs-smb-samba-tips-and-tricks.34995/

Please discuss this Resource in the linked thread.

Access based share enumeration in SMB
If you configure your share as I highlight below, then during share enumeration (for example net view \\freenas) the share will be visible only to users who have read or write access to it. This how-to is for AD member servers, but the steps can be modified to accommodate standalone Samba servers.


Step 1:
In Windows, right-click "Computer Management" and click "Run as Administrator". Enter admin credentials, then right-click on your computer in the left pane and click "Connect to another computer". Enter the address of your FreeNAS server.


Step 2:
In Computer Management, expand "System" -> "Shared Folders" -> "Shares", right-click on the share for which you want to configure Access Based Share Enumeration, and click on Properties.


Step 3:
In the Properties window, click on "Share Permissions". Add the groups that need access to the share and remove the "Everyone" entry. Click "Apply" then "OK". Close Computer Management.




Step 4:
Open the FreeNAS web GUI and add the following auxiliary parameter to your SMB share: "access based share enum=yes"




Done.

Steps (1) - (3) can be achieved locally on a FreeNAS server through the "sharesec" command-line utility. Its manpage can be found here: https://www.samba.org/samba/docs/man/manpages/sharesec.1.html. Using it requires knowing the SIDs of groups that you want to add / modify.

Note: Steps (1)-(3) edit Windows NT ACLs, which are stored in Samba's share_info.tdb and are not affected by your choice of "Unix" or "Windows" permissions type.


Hide a share from all users
Method 1:
Uncheck the box "Browsable to Network Clients" in your share's configuration.


Method 2:
Append a "$" to your share's name.




Note: I have found Method 2 to be somewhat more reliable.

Finding out who has a file open and then closing it
Periodically, someone will approach me and say "someone has file x open". There are several methods to view open files.


Method 1 - Computer Management in Windows Client.
Step 1 - In Windows, right-click "Computer Management" and click "Run as Administrator". Enter admin credentials, then right-click on your computer in the left pane and click "Connect to another computer". Enter the address of your FreeNAS server.
Step 2 - In Computer Management, expand "System Tools" -> "Shared Folders" -> "Open Files"
Step 3 - Find the file you want to close, right-click on it, and click "Close Open File"


Method 2 - Locally in FreeNAS
Step 1 - Type smbstatus -L in the FreeNAS CLI.
Step 2 - Note the Pid of the Samba session that has the file open.
Step 3 - Type kill <Pid> in the FreeNAS CLI. (Use kill, not pkill: pkill matches on process name rather than process ID.)


Note: Method 2 will kill the entire samba session of the user who has the file open, which may end up making you very unpopular.

Adjust NT Share Permissions through "sharesec" in the CLI
Permissions set on shared directories are called share permissions, and they determine who can use shared directories over the network, and in what manner. They are the only access control method available for shared directories on FAT volumes on Windows servers, and in the Windows world are generally recommended only for shares on filesystems that lack ACL support.

In Samba, Share Permissions are handled through the share_info.tdb file and function independently of file system permissions. The share-level permissions as defined here only represent the maximum level of access a user or group has in a share. These can provide a relatively simple and intuitive way to manage access control in situations where managing access control through NTFS / ZFS ACLs is impractical or undesirable. In the absence of specific restrictions, the default setting in Samba is to allow the global user Everyone - Full Control (full control, change and read).

Share Permissions can be modified locally on the FreeNAS server by using the command line utility sharesec, which is a part of the Samba Suite. An administrator will need to view the idmap entries on the local FreeNAS servers to determine the appropriate SID value for the user / group to which he or she wishes to grant access. A sample command to add full access for SID S-1-5-21-1866488690-1365729215-3963860297-17724 on the share "test" is as follows: sharesec test -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL.

The Share-level ACL can be viewed locally from the command line on a FreeNAS server by entering the command sharesec share -v. For instance, if a FreeNAS server has the share test, the ACL on test can be viewed through the command sharesec test -v. Sample output from this command is as follows:
Code:
[root@rivendell] ~#sharesec test -v
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL


Alternatively, you can view all ACLs by typing the command sharesec --view-all
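
The following script is an added example, not part of the original resource: it reads sharesec --view-all output and lists every share whose share-level ACL still grants access to Everyone (S-1-1-0), which is the entry Step 3 of the access based share enumeration how-to removes. The sample input is constructed; the "[sharename]" header line before each descriptor is an assumption about the --view-all layout, and the share names are made up.

```shell
#!/bin/sh
# Added example: audit share-level ACLs for entries granted to Everyone.

# Constructed sample input. Assumption: `sharesec --view-all` prints a
# "[sharename]" line before each descriptor. The field layout is copied from
# the `sharesec test -v` output on this page; share names are illustrative.
sample_view_all() {
cat <<'EOF'
[test]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL

[finance]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/FULL

[scratch$]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/READ
ACL:S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0x0/CHANGE
EOF
}

# Reads sharesec output on stdin and prints "share<TAB>mask" for every
# ALLOWED entry held by Everyone. DENIED entries are not reported.
audit_everyone() {
    awk '
        /^\[.*\]$/ { share = substr($0, 2, length($0) - 2); next }
        /^ACL:/ {
            ace = substr($0, 5)              # SID:TYPE/FLAGS/MASK
            if (split(ace, part, ":") != 2) next
            split(part[2], f, "/")           # f[1]=TYPE f[2]=FLAGS f[3]=MASK
            if (part[1] == "S-1-1-0" && f[1] == "ALLOWED")
                printf "%s\t%s\n", share, f[3]
        }
    '
}

# On a live server: sharesec --view-all | audit_everyone
sample_view_all | audit_everyone
```

A share listed here will still appear to every user during enumeration even with "access based share enum=yes" set, because Everyone retains share-level access.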

Samba 4.7+ (FreeNAS 11.1)
Add the auxiliary parameter "mangled names = illegal".


Advice regarding directories with lots of files is based on information provided by JRA here: http://marc.info/?l=samba&m=139336252926228&w=2
Author
anodos