Fab Sidoli (Contributor) - Joined May 15, 2019 - Messages: 114
Hi,
I'm trying to understand the process for setting up SMB shares for serving up AD users home directories in a mixed client environment of Windows, Unix and Mac machines.
I have created a storage pool called 'store' under which sit additional datasets named after each username. I have adopted this method in order to allow quotas to be applied to each user's home directory. I assume this is the only way to be able to enforce quotas?
The share and ACL type for 'store' is Windows and the owner/group is root/wheel. The individual user datasets underneath store also have Windows share and ACL types set. The ownership of the datasets is set to AD username/AD users group.
When sharing out I have just created an SMB share called store where the mount path is /mnt/store (i.e., the top level dataset). I have the following options checked: Browsable to Network Clients; Show Hidden Files; and Access Based Share Enumeration. I have not selected Default Permissions or Use as home share (this seems to me to be for local system accounts rather than AD accounts but please correct me if I am wrong).
In terms of behaviour I would like the following:
1. On any client, if a user browses the share (store), that they only see datasets they should have access to (i.e., if in the same group).
2. On a Linux client, that root is squashed in the manner that is possible to set when doing NFS shares.
Currently, when I browse the share I see all datasets. How do I prevent this? For example, if I have store/{userA,userB,userC} and A and C are in the same group, I would like userA to see userC's directory and vice versa. If userB logs in they should only see userB. Does this need to be set purely via Windows Explorer?
In terms of mounting on a Linux box, when a user logs in root currently has full access to all the users' files, which is dangerous. How do I prevent this?
Apologies if I have not provided enough information. This is my first look at FreeNAS and I'm still working my way around it.
Many thanks,
Fab
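As an added example (not part of the original post and not FreeNAS's own tooling), the following dry-run script lays out the per-user dataset layout the post describes: one quota-bound dataset per AD user under `store`, owned by that user, readable only by the user and one AD group, so that a share-level `hide unreadable = yes` (a real Samba parameter, assumed here to be set as an auxiliary parameter on the share) can hide it from everyone else. It also emits a Linux client mount that keeps root on the client from inheriting the mounting user's access. Everything below is an assumption for illustration: FreeBSD ZFS and NFSv4 `setfacl` syntax as used by FreeNAS 11, a `\` winbind separator, the placeholder domain `EXAMPLE`, placeholder groups, and the placeholder host `nas.example.internal`. The functions print commands rather than running them, so the plan can be reviewed before it touches the pool.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeNAS itself.
# Assumptions (labelled): FreeBSD ZFS + NFSv4 setfacl syntax (FreeNAS 11),
# winbind separator '\', placeholder AD domain "EXAMPLE", placeholder groups.
# Nothing is executed; each function prints the commands it would run.

POOL="store"
MOUNT_ROOT="/mnt/store"
DOMAIN="EXAMPLE"   # placeholder NetBIOS domain name

# plan_home_dataset <username> <quota> <ad-group>
# One command per line: create the user's own dataset (its own quota scope),
# cap it, hand ownership to the AD user, strip all rights for "everyone", then
# grant the AD group list/traverse rights that inherit to new files and dirs.
# Users outside <ad-group> get no read permission, which is what Samba's
# 'hide unreadable = yes' keys on to hide the directory from them.
plan_home_dataset() {
  user="$1"; quota="$2"; group="$3"
  ds="$POOL/$user"; path="$MOUNT_ROOT/$user"
  printf '%s\n' \
    "zfs create $ds" \
    "zfs set quota=$quota $ds" \
    "chown '$DOMAIN\\$user':'$DOMAIN\\$group' $path" \
    "chmod 0700 $path" \
    "setfacl -m g:'$DOMAIN\\$group':rxaRc:fd:allow $path"
  # chmod runs before setfacl on purpose: with the Windows ACL type
  # (aclmode=restricted) chmod is refused once a non-trivial ACL exists.
}

# plan_client_mount <nas-host> <mountpoint>
# A Linux cifs mount that does not give root the mounting user's rights:
# 'multiuser' makes every local user authenticate with their own Kerberos
# ticket, so root on the client only gets what root's own credentials allow.
plan_client_mount() {
  printf 'mount -t cifs //%s/%s %s -o sec=krb5,multiuser\n' "$1" "$POOL" "$2"
}

# Usage: userA and userC share the placeholder group "proj", userB is alone.
plan_home_dataset userA 10G proj
plan_home_dataset userB 10G userB
plan_home_dataset userC 10G proj
plan_client_mount nas.example.internal /mnt/store
```

Review the printed plan, then run it on the NAS as root (for example by piping the script's output to `sh`); the ACL grant is what implements "same group sees each other, userB sees only userB", and the `multiuser` mount is the SMB-side equivalent of the NFS root squash the post asks about.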