Methods For Fine-Tuning Samba Permissions

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Is there any way, through the FreeNAS gui, to set FreeNAS SMB shares up so that only the Owner/Owner Group have read rights? (i.e. the 'Read' permission is not applied to all registered users as is the default).
The default ACL for SMB shares starting in 11.2-U6 is to only grant Owner / Owner Group rights. In 11.3 we have a graphical ACL manager that will allow you to fine-tune beyond that.
 

seb101

Contributor
Joined
Jun 29, 2019
Messages
142
Ah so it is... I was working with a few shares created in versions prior to U6 which was causing my confusion.
 

seb101

Contributor
Joined
Jun 29, 2019
Messages
142
While we are on the topic... my FreeNas box will resolve from '\\nas' or '\\nas.lan' (.lan being my local DNS suffix). When I'm editing ACLs in Windows explorer, if I set access permissions for a share while accessing it at \\nas.lan (so, for example, I grant full permissions on \\nas.lan\share1 to user nas.lan\seb) and then at a later date try to access it at \\nas\share1, it doesn't work (no access). Is there any way to have these permissions 'consolidated' for the local user 'seb'?
 

markperron

Cadet
Joined
Jan 14, 2020
Messages
5
Hello and thank you in advance. I have just done a fresh install to 11.2.U7 and keep getting the message SMB failed to start. I have given permission under Group/User, under Sharing added the path to my share and given permission to the assigned user/group, and under Storage given permission to the user/group. I am at a loss. Any idea?

Regards,
Mark
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,924
Welcome to the forums.

Did you start the service (Services, SMB)?
 

pumapanzer

Cadet
Joined
Apr 23, 2021
Messages
5
@anodos Thank you so much for creating this guide. From my relatively inexperienced point of view, there are a lot of concessions that have to be made in order for POSIX to support Windows, and your guide helps bring all that together in the context of TrueNas+ZFS+Samba. Dataset and share permissions were a subject that, while I enjoy learning, I was somewhat wanting to avoid, until I found this guide.

I have been studying TrueNAS for the past month and preparing a migration of my data from a roll-your-own Ubuntu file server (NFS shares, LVM on LUKS on MDADM (RAID 1)). I just LOVE ZFS, and the Free|TrueNAS community is simply amazing (along with a healthy serving of articles by Jim Salter).

I can say that reading over the responses in this thread there have been some who are understandably frustrated. It's unfortunate to think that some may never come back, but if they did, wow, the features in TrueNAS today are so very attractive. I find myself incredibly fortunate to make this transition, at this time.

I think on one hand, TrueNAS community is geared towards the lifelong learner, who enjoys tinkering, and understands the payoff will be worth it when learning open systems. On the other hand, for those who don't have time/desire to learn, or need a business solution, there's definitely iXsystems Commercial Support available. The Case Studies are simply fascinating reading. I would love to have been even a spectator for some of the clients, such as the solution for UCSD IGPP. :grin:

Again, THANK YOU! :smile:

PS - In my personal opinion, a perfect future would be a world absent of all SMB/CIFS. NFS, as the primary replacement, would add simple user authentication. Sure Kerberos is great, but PKI comes to mind, and perhaps other PAM extensions would be great; however, I am by no means an expert of NFS or its roadmap. Anyways, if that were possible, it will be a long time before Windows...I mean SMB/CIFS :wink:...is effectively eradicated--it's a pretty nasty infection at this point, and I digress...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Sure Kerberos is great, but PKI comes to mind, and perhaps other PAM extensions would be great; however, I am by no means an expert of NFS or its roadmap. Anyways, if that were possible, it will be a long time before Windows...I mean SMB/CIFS :wink:...is effectively eradicated--it's a pretty nasty infection at this point, and I digress...

There are ways to do 2FA through a Kerberos server. I don't see this aspect of infrastructure going away. I also don't see much advantage to NFS over SMB at this point. Permissions for a properly configured NFSv4 server are basically identical to what we do over SMB.
 

InQuize

Explorer
Joined
May 9, 2015
Messages
81
Couple questions.
In 11.3 and later, this parameter defaults to "simple". In the case of "simple", owner@ and group@ are mapped to CREATOR-OWNER and CREATOR-GROUP respectively and windows behavior for these well-known-SIDs is reproduced.
I was unable to set CREATOR-OWNER ACE to an SMB dir via Win Explorer. I could at least do it via CLI right? This leads to the second question.

As it is right now I often find the requirement of creating a dataset for each point in SMB structure to be able to utilize TN ACL WebUI.
Is it possible to transform ACL WebUI into a simplistic filesystem browser to be able to edit ACEs at any level of structure without creating a dataset?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,544
Couple questions.

I was unable to set CREATOR-OWNER ACE to an SMB dir via Win Explorer. I could at least do it via CLI right? This leads to the second question.

As it is right now I often find the requirement of creating a dataset for each point in SMB structure to be able to utilize TN ACL WebUI.
Is it possible to transform ACL WebUI into a simplistic filesystem browser to be able to edit ACEs at any level of structure without creating a dataset?
That's a webui limitation for the moment, the API takes paths. I do think editing CREATOR-OWNER is probably not the right way to go about permissions. Usually you want to create groups and set permissions based on them.
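An added audit script, not from the thread or from TrueNAS itself, that parses FreeBSD-style NFSv4 `getfacl` output and flags the two patterns discussed above: an `everyone@` read grant like the pre-11.2-U6 share default, and per-user write ACEs where anodos recommends group-based permissions instead. The sample ACL text is constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample in the format FreeBSD/TrueNAS CORE `getfacl` prints
# for an NFSv4 ACL (not a capture from the original thread).
SAMPLE_GETFACL = """\
# file: /mnt/tank/share1
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
          user:seb:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c--s:fd-----:allow
"""

@dataclass
class Ace:
    principal: str   # owner@, group@, everyone@, user:NAME or group:NAME
    perms: str       # NFSv4 permission letters, '-' where unset
    flags: str       # inheritance flags (f, d, i, n, I)
    kind: str        # allow or deny

def parse_getfacl(text):
    """Parse NFSv4 getfacl text into Ace objects; '#' header lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        # 'user:seb:perms:flags:allow' has five fields; 'owner@:perms:flags:allow' has four
        if len(parts) == 5:
            principal = parts[0] + ":" + parts[1]
            perms, flags, kind = parts[2:]
        elif len(parts) == 4:
            principal, perms, flags, kind = parts
        else:
            raise ValueError("unrecognised ACE line: %r" % line)
        aces.append(Ace(principal, perms, flags, kind))
    return aces

def audit(aces):
    """Return review findings for allow ACEs that widen or fragment share access."""
    findings = []
    for ace in aces:
        if ace.kind != "allow":
            continue
        # The old (pre-11.2-U6) default granted read to everyone@, i.e. all users
        if ace.principal == "everyone@" and "r" in ace.perms:
            findings.append("everyone@ has read access; restrict to owner@/group@ or a named group")
        # Per-user write grants are what the thread advises replacing with group ACEs
        if ace.principal.startswith("user:") and "w" in ace.perms:
            findings.append("per-user write ACE for %s; prefer a group ACE" % ace.principal)
    return findings
```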
 