CIFS permissions on sub-folder

Status
Not open for further replies.

yois

Dabbler
Joined
Jun 15, 2014
Messages
13
Using 9.2.1.5-x64-RELEASE

The following scenario:

I have a folder that is owned by User "A" (Windows ACL). Domain Admins are granted permissions on all subfolders. On one subfolder, I want to allow User "B" (not Domain Admin). Now I know that this isn't possible without creating another share, because User "B" cannot drill down to that subfolder, because they don't have permissions on the root folder. On a Windows box, another share can be created on the specified folder, and sharing from there works. On FreeNAS I'm getting Access Denied.

Why? From the GUI all permissions look OK, but it seems that if the higher-level folder doesn't allow access, then the subfolder cannot be accessed.

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Assuming what you are writing is correct, this is a difference in behavior between Windows and samba. There are probably a few different ways to get around the problem you describe. Two possible solutions are as follows:
  • You have two shares "/mnt/Tank/foo/" and "/mnt/Tank/foo/bar"
  • User A should have access to "/mnt/Tank/foo" and "/mnt/Tank/foo/bar"
  • User B should have access to "/mnt/Tank/foo/bar" (but not /mnt/Tank/foo)
Option 1: restructure file tree and use a symlink
  1. Change how your file tree is structured to "/mnt/Tank/Share/{bar, foo}" (i.e. /mnt/Tank/Share/bar and /mnt/Tank/Share/foo)
  2. Have only one share "/mnt/Tank/Share"
  3. Set ACLs for "foo" and "bar" as above.
  4. Create a symlink that connects /mnt/Tank/Share/bar to /mnt/Tank/Share/foo/bar (i.e. "ln -s /mnt/Tank/Share/bar /mnt/Tank/Share/foo/bar") [this preserves your original file tree from an end-user perspective].
  5. Map "\\FreeNAS\Share\foo" for User A
  6. Map "\\FreeNAS\Share\bar" for User B
Option 2: use share definition access controls
  1. Leave ACLs permissive (Allow "A" and "B" access to \\Server\Share1 [/mnt/Tank/foo] and \\Server\Share2 [/mnt/Tank/foo/bar])
  2. Set share definition access controls as follows:
Code:
[Share1]
    # /mnt/Tank/foo: only members of Domain Admins may connect; everyone else is refused.
    # A group name containing a space must be double-quoted, otherwise Samba splits
    # the list on the space. Depending on winbind settings the group may also need
    # the domain prefix, e.g. @"DOMAIN\Domain Admins" (DOMAIN is a placeholder).
    valid users = @"Domain Admins"
    # Share is read-only except for the write list
    write list = @"Domain Admins"
    read only = yes
[Share2]
    # /mnt/Tank/foo/bar: any member of Domain Users may connect and write.
    valid users = @"Domain Users"
    write list = @"Domain Users"
    read only = yes

Caveat: Under option 2 you will have to look up the proper way to reference AD groups. I can't remember off the top of my head. Access controls should be added to the "auxiliary parameters" field in your share configuration. Overall, I think "Option 1" is better. Putting shares inside shares seems like a bad practice.
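As an added example that is not part of anodos's post: a shell script that lays out the Option 1 tree under a scratch directory standing in for /mnt/Tank/Share, creates the step 4 symlink, and checks that the link resolves inside the share root. That check matters because Samba's default "wide links = no" follows a symlink only when its target lies inside the exported tree, which this layout satisfies.

```shell
#!/bin/sh
# Added example (not from the thread): build the Option 1 tree under a
# scratch root standing in for /mnt/Tank/Share, create the step 4 symlink,
# and confirm the link target stays inside the share root. Samba follows
# symlinks inside the exported tree with its default "wide links = no";
# a link resolving outside the share would be refused by that default.
set -eu

# Create <root>/foo, <root>/bar and the symlink <root>/foo/bar -> <root>/bar.
setup_share_tree() {
    root=$1
    mkdir -p "$root/foo" "$root/bar"
    # Same command as step 4, with the scratch root in place of /mnt/Tank/Share
    ln -s "$root/bar" "$root/foo/bar"
}

# Print the physical path <root>/foo/bar resolves to; fail if it escapes the share root.
check_link_inside_share() {
    root=$(cd "$1" && pwd -P)
    target=$(cd "$root/foo/bar" && pwd -P)
    case $target in
        "$root"/*) printf '%s\n' "$target" ;;
        *)         echo "symlink leaves share root: $target" >&2; return 1 ;;
    esac
}
```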