wsanders
I am using the FreeNAS 9.3 GUI. My FreeNAS server is joined to my domain. I create a ZFS folder/filesystem called /mnt/tank/cifstest. In the Storage tab, using the Permissions button, I assign the folder a username and group from Active Directory, *Unix* type permissions, 0700 recursively, and then share the folder with CIFS. This works the way I expect; on Windows clients, the filesystem is only accessible by the AD user that owns the folder.
When I use the GUI to convert the share to a CIFS share, permission type "Windows", the unix mode boxes get greyed out and set to 0775 with an ACL (drwxrwxr-x+ in the CLI), and everyone in Windows can mount the folder and read (but not write) files in it, even users not in the group that owns the folder. This is *not* what I expect. Even as root in the CLI, I can't change permissions on the folder.
Also, FWIW, anyone with a nonroot login to the FreeNAS server can read and write the contents of the folder.
Any ideas what I am doing wrong here? It looks like "Unix" permissions are the only way to prevent folders from being world-readable. It's almost as though there is an old-fashioned NT "workgroup" share it's falling through to, but all my Windows clients and FreeBSD are in an Active Directory domain.