CIFS home directories: Configuring Authenticated Access with a Domain Controller

Fab Sidoli (Contributor, joined May 15, 2019, 114 messages)
Hi,

I'm trying to understand the process for setting up SMB shares for serving up AD users' home directories in a mixed client environment of Windows, Unix and Mac machines.

I have created a storage pool called 'store' under which sits additional datasets named after each username. I have adopted this method in order to allow quotas to be applied to each user's home directory. I assume this is the only way to be able to enforce quotas?

The share and ACL type for 'store' is Windows and the owner/group is root/wheel. The individual user datasets underneath store also have Windows share and ACL types set. The ownership of the datasets is set to AD username/AD users group.

When sharing out I have just created an SMB share called store where the mount path is /mnt/store (i.e., the top level dataset). I have the following options checked: Browsable to Network Clients; Show Hidden Files; and Access Based Share Enumeration. I have not selected Default Permissions or Use as home share (this seems to me to be for local system accounts rather than AD accounts but please correct me if I am wrong).

In terms of behaviour I would like the following:

1. On any client, if a user browses the share (store) that they only see datasets they should have access to (i.e., if in the same group).
2. On a linux client, that root is squashed in a manner that is possible to set when doing NFS shares.

Currently, when I browse the share I see all datasets. How do I prevent this? For example, if I have store/{userA,userB,userC} and A and C are in the same group, I would like userA to see userC's directory and vice versa. If userB logs in they should only see userB. Does this need to be set purely via Windows Explorer?

In terms of mounting on a Linux box, when a user logs in, root currently has full access to all the users' files, which is dangerous. How do I prevent this?

Apologies if I have not provided enough information. This is my first look at FreeNAS and I'm still working my way around it.

Many thanks,
Fab
 
Joined Jul 3, 2015, 926 messages
How many users are you looking to do this for?
 

Fab Sidoli (Contributor, joined May 15, 2019, 114 messages)
At the moment, about 750. We're looking to migrate from another file server.
 
Joined Jul 3, 2015, 926 messages
I get your idea about each user having their own dataset so that you can control quotas, but manually creating and managing 750 datasets would be a pain, I would suggest.

You could look into using zfs user quotas on a given dataset.
 

Fab Sidoli (Contributor, joined May 15, 2019, 114 messages)
I'm not sure I understand. Do you mean having one dataset (store) and then directories (not datasets) underneath that have ZFS quotas set?
 
Joined Jul 3, 2015, 926 messages
Yes.

ZFS can set dataset quotas but also user quotas. Therefore if the only reason you want a dataset per user is to control quotas then you may be able to utilise the user quota function. Unfortunately, I don't think this is configurable from the FreeNAS UI but will work from the CLI.

I would also never mix SMB with NFS on the same dataset so get your Linux users to connect via SMB and keep it simple. The reason you can see everything when you connect to your shares atm is because the 'everyone' field by default allows read access which you can remove if you connect to your share from a Windows machine and manage permissions that way. If you went with the way you originally suggested then you would want the owner and group of each dataset to be your AD administrator for example and then add your user when changing the permissions from a Windows machine.

Finally, for shared areas, I create groups in AD and assign those groups permissions to the relevant share. Then as users need access it's just a case of adding the AD user to the AD group.
 
anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
ZFS user quotas aren't currently exposed in the UI, but I've added support for them via Samba when the 'ixnas' module is enabled.
 

Fab Sidoli (Contributor, joined May 15, 2019, 114 messages)
Hi both,

I'm testing this out now. If I've understood you correctly then I would do something like

mkdir /mnt/store/testuser{1,2,3}
zfs set userquota@testuser1=10G store
zfs set userquota@testuser2=20G store
zfs set userquota@testuser3=30G store

The permissions would then have to be set on a Windows box?
 
Joined Jul 3, 2015, 926 messages
If you check the box 'use as home share' when sharing via SMB and point it at your 'store' dataset.

Create a group in AD called something like 'homegroup'.

After that add the below line to your SMB share config.

valid users = @"ADS\homegroup"

Now if a user tries to connect to \\servername\store and they are a member of the AD group 'homegroup', bingo, a home folder is created and permissions are auto-sorted.

The tricky bit is setting your user quotas. I have a script that I automate via cron that checks the home folder names that have been created and applies a default quota to all folder names, i.e. user names. The only issue with this method is if you want bespoke quotas for different users, but if you are happy with a blanket quota then this seems to work.

Execute via cron

setquota1.sh 50g /mnt/tank/Home/ADS

It's worth mentioning that I don't actually run this setup in production as we don't really have a requirement for home shares as they are catered for in a different environment but I played with this idea a little while ago and in practice, it worked so be sure to play with it a bit first in case there are any gotchas.
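As an added example (not the poster's setquota1.sh, which is not shown in the thread, and not FreeNAS project code), here is one way to write the cron job described above, combining the per-user `zfs set userquota@user=...` commands from the earlier post with the "scan the home folders" approach. It also handles the limitation the poster mentions: a user who already has a bespoke quota is left alone, so the blanket value only fills in the gaps. The dataset name, mount point, quota value and the `ZFS` override variable are assumptions for illustration.

```shell
#!/bin/sh
# Apply a blanket ZFS user quota to every home folder under a dataset,
# leaving any user who already has a quota (bespoke value) untouched.
# Constructed example; usage: set_home_quotas DATASET MOUNTPOINT QUOTA
set -eu

# The zfs binary to call. Overridable so the logic can be dry-run
# or tested with a stub instead of touching a real pool (assumption).
ZFS=${ZFS:-zfs}

# Print the current userquota for a user on a dataset ("none" when unset).
current_quota() {
    # $1 = dataset, $2 = user name (folder name under the mount point)
    "$ZFS" get -H -o value "userquota@$2" "$1"
}

# Walk the home folders, set the default quota where none exists yet,
# and print how many quotas were set.
set_home_quotas() {
    dataset=$1
    mountpoint=$2
    default=$3
    count=0
    for dir in "$mountpoint"/*/; do
        [ -d "$dir" ] || continue          # no folders: glob did not expand
        user=$(basename "$dir")            # folder name == AD user name
        case $(current_quota "$dataset" "$user") in
            none)
                "$ZFS" set "userquota@$user=$default" "$dataset"
                count=$((count + 1))
                ;;
            *)
                ;;                         # bespoke quota present: keep it
        esac
    done
    echo "$count"
}

# Example invocation, mirroring the cron line in the post (assumed names):
#   set_home_quotas tank/Home/ADS /mnt/tank/Home/ADS 50G
```

Run it from cron as the poster does; because it only ever sets quotas that are still `none`, it is safe to re-run on every schedule and will pick up newly created home folders without overwriting per-user values you set by hand.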
 

Fab Sidoli (Contributor, joined May 15, 2019, 114 messages)
Thanks for your time on this. I think I have the sharing aspect sorted but am having difficulty with permissions.

I now have /mnt/shares/{homes,groups} and I'm sharing out from /mnt/shares so that if you go to \\freenas in File Explorer you'll see "shares", under which sit "groups" and "homes". Within these are group and user directories. When I mount the share and view the permissions, under the "share" tab is Everyone with Full Control. The result seems to be that I can browse the entire directory tree as I please from shares down.

How do I prevent this?

Fab
 
Joined Jul 3, 2015, 926 messages
Ok, so to avoid confusion: which part of the permissions are you struggling with, the 'home share' option I explained above or just a good old-fashioned simple share?
 

Fab Sidoli (Contributor, joined May 15, 2019, 114 messages)
A good old-fashioned share. I didn't go for the "home share" option since it seemed to be for local accounts, not AD accounts.
 
Joined Jul 3, 2015, 926 messages
Ok, so in that case make sure your dataset has an appropriate owner and group, like AD Admin, and then via a Windows machine connect to the share and simply remove the 'everyone' user from the top level.
 