
Status
Not open for further replies.

TinTIn

Contributor
Joined
Feb 9, 2015
Messages
142
Hi All,

So I'm looking for some advice based on experience of managing Windows permissions on FreeNAS. I'm going to create some datasets which will be exclusively Windows shares, and I'm thinking about permissions. Am I best to set up the Windows shares and permissions and leave them as default, so owner root, group wheel, and then make any permission changes to the ACLs via a Windows machine, or should I try to manage by adding an owner and/or group where possible on FreeNAS, only jumping to Windows should I have to add a special attribute?

Hope that makes sense.

Would really appreciate any advice.

Many thanks as always.


 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Depends on your goal. Do you want to give users the power to edit their stuff's permissions or not?

You'll almost certainly have to edit them either way, since FreeNAS defaults to Read permissions for non-owner users.
 

TinTIn

Contributor
Joined
Feb 9, 2015
Messages
142
I'd like to manage it myself.


 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
In that case, assign yourself as the owner (maybe root works, too) and edit the permissions from your (or the root, in the latter case) account.
 

TinTIn

Contributor
Joined
Feb 9, 2015
Messages
142
Anything wrong with having the owner as admin (me) and group as primary user group?


 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Everyone belonging to the group will have ownership rights, which can get messy. It's possible, but rarely what you want.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
root:wheel works fine. In an AD environment I use root:domain admins for ownership. I almost never give a regular user 'full control'. If they get too creative they'll make folders disappear by removing 'read' ACEs.
 

TinTIn

Contributor
Joined
Feb 9, 2015
Messages
142
Thanks both. So root as owner and admin as group sounds a good idea. Good point about disappearing folders. What would your standard permissions look like for a user to have basic RW access? I need to create home folders for users which their manager wants RW access to. Also shared areas for all.

Also what permissions do you give to the Everyone group?



anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Default permissions for read and write are as follows:

[Screenshot: permissions.JPG]


Is this a standalone server or an AD member server? If an AD member server I have made a home directory how-to here: https://forums.freenas.org/index.php?threads/cifs-home-directories-in-ad-environment.27132/
If it's a standalone server, then you can do something similar to what I did in the AD tutorial, but you will need to manually change the owner of the user directories (probably chown would work fine). Once you change the owner of the user's directory then your ACEs will automatically change as well.
For instance:
[Home share]
/mnt/Tank/Users (root:admins)
/mnt/Tank/Users/jdoe (jdoe:admins)
/mnt/Tank/Users/rnixon (rnixon:admins)

The user's access will be defined in the above case by the "@OWNER" entry.

Once you set appropriate permissions via chown, you can add an ACE for managers for /mnt/Tank/Users with the permissions in the above screenshot.

I delete the "everyone" ACE because I don't think information should be free.
 

TinTIn

Contributor
Joined
Feb 9, 2015
Messages
142
Any idea on how to stop users becoming owner of files and folders they create?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I believe you can try using the setuid bit per chmod man page here: http://linux.die.net/man/1/chmod
Code:
chmod u+s directory_name


This sort of problem usually appears when dealing with docs created in MS Office. Per samba documentation here: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2615334
a more proper solution may be to use the setgid bit
Code:
chmod g+s directory_name


Of course, you break it - you get to keep the pieces. :D
 