All my Windows shares are world-readable

Status
Not open for further replies.

wsanders

Cadet
Joined
Feb 17, 2015
Messages
4
I am using the FreeNAS 9.3 GUI. My FreeNAS server is joined to my domain. I create a zfs folder/filesystem called /mnt/tank/cifstest. In the Storage tab, using the Permissions button, I assign the folder a username and group from Active Directory, *Unix* type permissions, 0700 recursively, and then share the folder with CIFS. This works the way I expect; on Windows clients, the filesystem is only accessible by the AD user that owns the folder.

When I use the GUI to convert the share to a CIFS share, permission type "Windows", the unix mode boxes get greyed out and set to 0775 with an ACL (drwxrwxr-x+ in the CLI), and everyone in Windows can mount the folder and read (but not write) files in it, even users not in the group that owns the folder. This is *not* what I expect. Even as root in the CLI, I can't change permissions on the folder.

Also, FWIW, anyone with a non-root login to the FreeNAS server can read and write the contents of the folder.

Any ideas what I am doing wrong here? It looks like "Unix" permissions are the only way to prevent folders from being world-readable. It's almost as though there is an old-fashioned NT "workgroup" share it's falling through to, but all my Windows clients and FreeBSD are in an Active Directory domain.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This is because you need to configure permissions on your Samba server like you would a Windows server.
  • In Windows Explorer, navigate to "\\<server>"
  • Right-click on your share, click "Properties" --> "Security"
  • Fine-tune permissions as you would on a Windows server
Don't use the CLI.
 

wsanders

Cadet
Joined
Feb 17, 2015
Messages
4
That's a reasonable workaround to try, but I get an error (Windows 7 and Server 2012 R2 clients) "Unable to save permission changes on cifstest, The parameter is incorrect" when I try to remove "Everyone" from the group/user name list or edit check boxes in the Permissions window for files. Directories have only a greyed out "special permissions" check box.

I'm going to stick with the Unix permissions; I have a mix of Mac users using AFP and SMB and Windows users anyway.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> That's a reasonable workaround to try, but I get an error (Windows 7 and Server 2012 R2 clients) "Unable to save permission changes on cifstest, The parameter is incorrect" when I try to remove "Everyone" from the group/user name list or edit check boxes in the Permissions window for files. Directories have only a greyed out "special permissions" check box.
>
> I'm going to stick with the Unix permissions; I have a mix of Mac users using AFP and SMB and Windows users anyway.
It's not a workaround. The proper method of managing permissions with NFSv4 ACLs is to use setfacl, not chmod. Setfacl is a fairly annoying tool to use, and so Samba has the zfsacl module enabled by default on FreeNAS. This allows you to modify NFSv4 ACLs using Windows Explorer.

There may be underlying permissions or settings issues that are preventing you from saving changes (possibly caused by fiddling around with permissions on the dataset). If you are so inclined, you could try creating a new test dataset (Windows share type) owned by "root:domain admins" and using the domain admins account to fine-tune ACLs.

Otherwise, use what you're comfortable with.

For reference regarding ACLs see the following (some are old / possibly out-of-date):
http://www.slideshare.net/andy_leonard/when-acls-attack
http://typo3.sambaxp.org/fileadmin/user_upload/SambaXP2009-DATA/Nils_Goroll.pdf
http://archive.sambaxp.org/fileadmi...ecentimprovementsinusingNFS4ACLswithSamba.pdf
 

wsanders

Cadet
Joined
Feb 17, 2015
Messages
4
Thanks for helping. I tried creating a virgin dataset with Windows perms:
# getfacl virgindataset
# file: virgindataset
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x---a-R-c---:fd----:allow


I can delete "everyone" with setfacl -x, but it's easier to just use Unix style permissions. Unix permissions don't get rid of the ACL, but they remove the "+" from the POSIX permissions and set "everyone" to "everyone@:------a-R-c--s:------:allow". I'm a noob using Samba with AD, but it's enough of a help that I can use Active Directory accounts "DOMAIN\users" with Unix permissions.
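As an added example (not code from the thread or from FreeNAS), here is a Python check that parses the verbose NFSv4 ACL form getfacl prints above and reports whether everyone@ is granted read_data, which is the bit that makes a share world-readable to every domain user. The ACL for the Windows share type is the one quoted in the thread; the Unix-permissions ACL reuses the thread's everyone@ line, and its owner@ entry is an assumption.

```python
import re

# Permission letters in the order getfacl prints them (14 positions).
PERM_NAMES = dict(zip("rwxpDdaARWcCos", [
    "read_data", "write_data", "execute", "append_data", "delete_child", "delete",
    "read_attributes", "write_attributes", "read_xattr", "write_xattr",
    "read_acl", "write_acl", "write_owner", "synchronize"]))
# tag:perms:inheritance-flags:type, e.g. everyone@:r-x---a-R-c---:fd----:allow
ENTRY_RE = re.compile(
    r"^(?P<tag>owner@|group@|everyone@|(?:user|group):[^:]+):"
    r"(?P<perms>[rwxpDdaARWcCos-]{14}):(?P<flags>[fdinI-]{6}):(?P<type>allow|deny)$")

def parse_getfacl(text):
    """Return [(tag, perm_set, flags, type)] from getfacl output, skipping '#' header lines."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        perms = frozenset(PERM_NAMES[c] for c in m["perms"] if c != "-")
        aces.append((m["tag"], perms, m["flags"], m["type"]))
    return aces

def everyone_allowed(aces):
    """Bits a user matching only everyone@ gets; NFSv4 evaluates ACEs in order, first mention of a bit decides."""
    decided, allowed = set(), set()
    for tag, perms, _flags, kind in aces:
        if tag != "everyone@":
            continue
        for p in perms - decided:
            decided.add(p)
            if kind == "allow":
                allowed.add(p)
    return frozenset(allowed)

def is_world_readable(acl_text):
    """True when any authenticated user can read file data / list the directory."""
    return "read_data" in everyone_allowed(parse_getfacl(acl_text))

# The 'virgindataset' ACL quoted in the thread (Windows share type).
WINDOWS_ACL = """# file: virgindataset
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:r-x---a-R-c---:fd----:allow
"""
# Constructed: everyone@ as the thread reports after Unix 0700 perms; owner@ is assumed.
UNIX_ACL = """owner@:rwxp--aARWcCos:------:allow
everyone@:------a-R-c--s:------:allow
"""
```

Feeding the output of `getfacl` for each shared dataset through is_world_readable is a quick way to spot shares that still carry the default everyone@ read entry.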
 