Able to access all shares after login?

beltz02 (Dabbler):

Hello Community -

I have a problem with permissions and I'm unable to figure it out. I'm hopeful this is something really easy that someone can point out for me.

Problem Statement:
If I log in (Windows) as "testfinance", I can go into my Finance share and create/edit/delete. However, I can also go into the other shares and open files, copy them, and delete them, but I cannot create.

Based on the way I think I have it set up, the user "testfinance" shouldn't be able to even access those other shares. Any assistance would save a lot of head banging on the wall.

Volume Setup:
Volume (Owner User: Nobody / Owner Group: nogroup)
  - WindowsDataSet (Owner User: Nobody / Owner Group: nogroup)
    - Common (Owner User: root / Owner Group: ALL_EMPLOYEES)
    - Finance (Owner User: root / Owner Group: Corp_Finance)
    - Marketing (Owner User: root / Owner Group: Corp_Marketing)

Share Setup:
(3) Shares each pointing to their respective path
The following items are checked on each share:
- Browsable to Network Clients
- Inherit Owner
- Inherit Permissions
- Inherit ACL's


User Setup:
testuser (Groups: ALL_EMPLOYEES, Corp_Finance)
testfinance (Group: Corp_Finance)
testmarketing (Group: Corp_Marketing)

anodos (Sambassador, iXsystems):
You need to set access control entries (ACEs) for the shares. Make sure permissions type is set to "windows". Then using a windows client and authenticated as a user with appropriate privileges:
  • Navigate to \\<server hostname or IP>
  • Right-click on a share
  • Click on "properties"
  • Click on "security tab"
  • Add ACEs for groups that need access and delete "everyone" ACE

beltz02 (Dabbler):
I was still having issues, so I started over from scratch. I cannot see the groups that are created in FreeNAS. I can log in and create a folder, and when I look at the permissions it looks okay; however, it can't find the groups that are set up on the FreeNAS box.
I have some screenshots attached.

anodos (Sambassador, iXsystems):
Well, there are a few options regarding what's going on here.

Option 1: You are authenticating to shares as your user, but there is some sort of permissions issue preventing your user from retrieving a list of users and groups on your FreeNAS server. This permissions issue is probably client-side rather than server-side. Try performing the task while logged in as a local admin account on your Windows client.

Option 2: You are not authenticating properly and are getting the privileges assigned to "Everyone". When you are connected to your share, type "smbstatus" on the FreeNAS server's console. It should tell you which user you are authenticated as.

If you only need to grant a single group access to the share, then change the share's permissions so that it is owned by the appropriate group rather than "wheel".

For the sake of thoroughness, please post your smb4.conf file enclosed in code tags. It is located at /usr/local/etc/smb4.conf.
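As an added check for "Option 2" above (not from the thread or from FreeNAS itself): with "map to guest = Bad User", a client whose login fails is silently connected as the guest account and gets only the "Everyone" permissions. This script, run on the FreeNAS console, reads smbstatus output and lists sessions that landed on the guest account; the sample output and the addresses in it are constructed.

```shell
# Added example (not from the thread): find smbstatus sessions that fell
# through to the guest account instead of authenticating as a real user.
# Assumes "map to guest = Bad User" (as in the posted smb4.conf) and a guest
# account of "nobody", so a failed login shows up as "nobody" in smbstatus.
# Usage on the FreeNAS box:  smbstatus | guest_sessions nobody
guest_sessions() {
    guest="${1:-nobody}"
    # The session table runs from the "PID  Username ..." header to the first
    # blank line; print pid, user and client for rows whose user is the guest.
    awk -v guest="$guest" '
        /^PID[ \t]+Username/   { in_table = 1; next }
        in_table && /^-+$/     { next }
        in_table && /^[ \t]*$/ { in_table = 0 }
        in_table && $2 == guest { print $1, $2, $4 }
    '
}

# Constructed sample smbstatus output so the script runs stand-alone:
# testfinance authenticated properly, the second client fell through to guest.
SAMPLE='Samba version 4.1.11
PID     Username      Group         Machine
-------------------------------------------------------------------
1234    testfinance   Corp_Finance  192.168.1.50 (ipv4:192.168.1.50:49152)
1235    nobody        nogroup       192.168.1.51 (ipv4:192.168.1.51:49153)

Service      pid     machine       Connected at
-------------------------------------------------------
Finance      1234    192.168.1.50  Thu Nov 20 10:00:00 2014'

# Runs the check against the constructed sample; returns the flagged rows.
check_sample() {
    printf '%s\n' "$SAMPLE" | guest_sessions nobody
}

check_sample
```

Any line printed is a client that should have been recognised but was not; that is the case where a user ends up with only "Everyone"'s permissions on every share.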

beltz02 (Dabbler):
Thank you so much for your willingness to help me. I created a new admin account on a Windows machine to do additional testing. When I log in, I see something odd in the group, like an invalid group. (Attaching screens and config.)

Code:
[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 7067
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = Yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    hostname lookups = yes
    time server = yes
    acl allow execute always = true
    local master = yes
    idmap config *:backend = tdb
    idmap config *:range = 90000000-100000000
    server role = standalone
    netbios name = TEST
    workgroup = WORKGROUP
    security = user
    pid directory = /var/run/samba
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
[TestShare]
    path = /mnt/Volume_Test/Dataset_test
    printable = no
    veto files = /.snap/.windows/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    vfs objects = zfsacl streams_xattr aio_pthread
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
    zfsacl:acesort = dontcare

beltz02 (Dabbler):
I've upgraded and I am still experiencing the issue: FreeNAS-9.2.1.9-RELEASE-x64 (2bbba09) - Any additional thoughts?

beltz02 (Dabbler):
Quote:
Are you on 9.2.1.9? If not, upgrade. There was a group mapping bug introduced in 9.2.1.7 and 'fixed' in 9.2.1.9.

Alright, I got it to work. I'll post an entire update with my exact setup. I do believe I did the same steps many times, but in any case, this makes me happy. I'm going to do a little more testing before I say "Closed", but I just wanted to thank you for your help. This Thanksgiving I'm thankful for you on the forums.