I've been googling this for the past 3 or 4 days, and I just can't seem to find the info.
The problem is that other users (ones who aren't owners or in the group) are able to change ownership of the share/folders to themselves and then are able to write/delete files etc.
Basically I set it up like this:
- I have an account for myself, and I also have other accounts for my kids. In this case, I want to give them read access, but not modify/delete files.
- Created CIFS share called 'Media' (/mnt/tank/Media) & applied Default Perms, Browsable, and Export Recycle Bin checked, everything else is default (unchecked, empty, or VFS objects, aio_pthread and streams_xattr selected, and a periodic snapshot, no aux param)
- Dataset was also mainly default options (no dedupe, changed to no atime) but after I created CIFS share, in the GUI, I changed ownership to my user and my group (When this didn't work first time, I deleted the dataset/CIFS share and recreated and tried with my user id and group set to wheel with the same result).
- In Windows, security setting for that share or folders I create, my user/group has full permissions, and "Everyone" shows as Read+Execute/List folder contents/Read permissions (I believe these are the default permissions).
- Connecting to FreeNAS using Computer Management and connected to remote server. Under shares, I opened up 'Media' and Share permissions show 'Everyone' only, and it has three permissions (Full Control, Change and Read) and they are all checked. I'm unable to remove 'full control', which just says access denied. Maybe this permission is supposed to be this way and correct?
- As myself, I can mount it, and write files to this share. Other users can mount it, and are not able to create folders/files. But the kids' accounts are able to change ownership of files, subfolders, and the root of the share to themselves, and then are able to write into the folder, delete files etc. (after taking ownership of the files etc.). Is this normal? i.e. are we supposed to remove Everyone share and have to add specific users that should have read only access? When I add the other user specifically, it seems like that user isn't allowed to modify files and permissions anymore.
If I can get a handle on the permissions (and at least know that the permissions are working as intended), I can actually start to put files on there and use the NAS. I'm afraid to actually start to use it, worried that I'll maybe have to reinstall FreeNAS and reconfigure the files. Thanks for any help.
Here is my smb.conf:
Code:
```
[global]
    username map = /usr/local/etc/smbusers
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 942932
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    time server = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = FILES
    workgroup = WORKGROUP
    security = user
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1

[Home]
    path = /mnt/tank/Home
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-2w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr recycle
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

[Media]
    path = /mnt/tank/Media
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-2w
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr recycle
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
```
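As an added example (not part of the original post, and not FreeNAS or Samba code): a short Python audit that resolves, per share, the two parameters in the posted smb.conf that Samba documents as affecting ownership changes over SMB, `dos filemode` and `nfs4:chown`. The choice of parameters, the function names and the trimmed sample are assumptions made for this example.

```python
import re

# Constructed sample: the ownership-related lines of the smb.conf posted above.
SAMPLE = """\
[global]
    dos filemode = yes
[Home]
    path = /mnt/tank/Home
    nfs4:chown = true
[Media]
    path = /mnt/tank/Media
    nfs4:chown = true
"""
# Parameters watched by this example (editor's selection, not from the post).
WATCH = {
    "dosfilemode": "users with write access may change permissions and ownership",
    "nfs4:chown": "enables chown support of the underlying filesystem",
}
TRUE = {"yes", "true", "on", "1"}  # spellings Samba accepts for a true boolean

def norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit(text):
    sections = parse(text)
    defaults = sections.pop("global", {})
    findings = {}
    for share, params in sections.items():
        effective = {**defaults, **params}  # share values override [global]
        findings[share] = sorted(k for k in WATCH if effective.get(k, "").lower() in TRUE)
    return findings

if __name__ == "__main__":
    for share, keys in audit(SAMPLE).items():
        print(share, [f"{k}: {WATCH[k]}" for k in keys])
```

Running `audit()` over the full file reports both parameters as enabled for `home` and `media`, because `dos filemode` set in `[global]` is inherited by every share that does not override it.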