AD unauthorized users can see files

Status
Not open for further replies.

EricG1793

Cadet
Joined
Jan 29, 2016
Messages
7
Well, as I was typing this, I figured out the solution... sort of.

I've successfully set up the latest FreeNAS 9.3.1, and I've joined it to the Active Directory domain. I think I finally grasp how to create a dataset for each share. Then share the root of the zvol, and connect a Windows machine to that share, where all the folders for all the other shares will be visible, and you go to the properties of each shared folder and modify permissions there.

What I couldn't figure out was why a user who wasn't given access could not only see, but access files in the shares.

I solved this by right-clicking the shared folder -> Properties -> Advanced -> Change Permissions. Uncheck "Include inheritable permissions..." and check "Replace all child object permissions...." Then remove "Everyone". Apply, and only the authorized users can see and read files!

However, now users who ARE authorized "need permission from [insert username or group of owner here] to make changes to this folder."

Restoring "everyone" to "list folder contents only" doesn't fix it.

Now what?
 

EricG1793

Cadet
Joined
Jan 29, 2016
Messages
7
Good video, thanks for sending my way. Since my box is joined to Active Directory, I think what may be the most important thing there for me is that I should set the owner (user) to "nobody," and I should make the group owner "Domain Admins" (which I'm a member of). However, I also want the "Communications" AD group to have write access. What I'm missing is how to give both those AD groups access while ensuring that anyone outside those groups can't even SEE (or at least open) the contents. From what I understand, that video only covered users and groups locally within FreeNAS.

I'm familiar with setting permissions within Windows Explorer... but see the original post.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
I think what may be the most important thing there for me is that I should set the owner (user) to "nobody," and I should make the group owner "Domain Admins" (which I'm a member of).
Yes, you want to set the "Owner (User)" to "nobody"

I'm familiar with setting permissions within Windows Explorer... but see the original post.
Take a look at this thread where I provided instructions (Page 2); it may assist you: FreeNAS Can't Handle Basic Use Case
 

EricG1793

Cadet
Joined
Jan 29, 2016
Messages
7
OK, I think I've straightened it out. In FreeNAS, the owner (user) is nobody, and the owner (group) is Domain Admins. I made a dataset and share together called Root, and a dataset and share within Root called Videos. Then, in Windows Explorer, I added the Communications group to the Videos folder. I removed "everyone" from Root and thus Communications as well.

However, Communications was still denied. The solution seems to be giving Communications access to Root as well. I understand the logic... if you don't have permission to write to the parent zvol, you wouldn't be able to write to the child, either.

Now I don't know what I would do if I wanted another share besides Videos that I did NOT want Communications to have access to. Would I have to make another zvol at the same level that Root is at? Was it a mistake creating Root with Videos as a child?

It now seems as though the most efficient thing would have been to create the Videos zvol at the level where Root is at, and that's it. Then, to adjust permissions to Communications, I could just browse the network in Windows Explorer (\\Marty\) and adjust the share permissions that way.

I've attached a screenshot of the storage hierarchy for reference.
Attachments: Volumes.PNG (screenshot of the storage hierarchy)

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
In FreeNAS, the owner (user) is nobody, and the owner (group) is Domain Admins. I made a dataset and share together called Root,
Thinking all you need to do is just create the single DataSet and Share; set the "Owner (User)" to "nobody" and the "Owner (Group)" to "Domain Admins"... as you have already done.
  1. Now, in Windows Explorer; connect to the "Root" Share.
    • Thinking it should be "\\Marty\Root"?
    • Authenticate with credentials of an account that is part of the "Domain Admins" group
  2. Create a folder in there and call it "Videos"
  3. Right-Click on the newly created "Videos" folder; Select "Properties" then "Security"
  4. Change\Set the permissions as desired
    • Thinking you want to Add "Communications" Group
      • You can grant them "Full Control"; if you want members to be able to add folders\files and set permissions
      • You can grant them "Modify"; if you simply want to allow members to be able to add folders\files but NOT set permissions
      • Etc...
    • Leave "Domain Admins"
    • Remove anything else

If you wanted to add another folder and prevent the "Communications" Group from accessing it, and have another group (say "Accounting") use it instead, then:
  1. Create the "Accounting" Group in FreeNAS
  2. Create/Add User accounts and make them a member of the "Accounting" Group
  3. Browse again to "\\Marty\Root"?
    • Authenticate with credentials of an account that is part of the "Domain Admins" group
  4. Create a folder in there and call it whatever you want
    • Add the "Accounting" Group and set Permissions accordingly
    • Ensuring that the "Communications" Group is NOT listed or Removed if it is listed

Keep in mind that when testing this on a machine, you will/may have to clear cached credentials. This can simply be done by executing "Net Use /Delete *" from a CMD Window as the current User (Not an Administrative CMD Window). It will delete all cached connections and allow you to easily test using another set of credentials.

Hope this wasn't too confusing...

BTW, congrats you are my 1,000th message. :D
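The Explorer steps above (stop inheriting from Root, drop "Everyone", keep Domain Admins, add Communications), done with PowerShell on the Videos folder. This is an added example, not code from the thread or from FreeNAS; the share path \\Marty\Root\Videos, the NetBIOS domain name "CORP" and the group names are placeholders, and it assumes you run it from a session authenticated as a member of Domain Admins.

```powershell
# Added example (not from the thread): apply the permissions Mirfster
# describes to the "Videos" folder under the "Root" share with PowerShell.
# Placeholders: share path, NetBIOS domain "CORP", AD group names.
$Path   = '\\Marty\Root\Videos'
$Domain = 'CORP'

$acl = Get-Acl -Path $Path

# Equivalent of unticking "Include inheritable permissions from this
# object's parent": protect the ACL and discard (not copy) the entries
# inherited from Root, which is where the "Everyone" access came from.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit "Everyone" entries so users outside the two groups
# can neither list nor open the folder's contents.
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')

# New entries apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Domain Admins keep Full Control; Communications get Modify (add and
# change files, but not change permissions), as suggested in the thread.
$adminRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @("$Domain\Domain Admins", 'FullControl', $inherit, $propagate, 'Allow')
$commsRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @("$Domain\Communications", 'Modify', $inherit, $propagate, 'Allow')

$acl.AddAccessRule($adminRule)
$acl.AddAccessRule($commsRule)

Set-Acl -Path $Path -AclObject $acl

# Check the result: only the two groups should be listed, none inherited.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Because the folder is newly created in Mirfster's steps, nothing below it has explicit permissions yet; on an existing tree you would still need the "Replace all child object permissions" step from the original post to override entries already set on subfolders.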