Share Permissions Being Ignored

Status
Not open for further replies.

SmokieRat

Cadet
Joined
Apr 30, 2014
Messages
3
I've been reading and searching for a while now, and what I want to do doesn't seem to have been specifically asked before, and following the general CIFS guides is not eliciting the results I'm trying to get, so any help would be appreciated. Here's what I want to do...

We have about 50 Windows workstations. Each one connects with Active Directory credentials to a NAS (Sans Digital w/ their own custom OS) that has a personal share for each person. The Share they log in to controls their permissions so they're only able to access their folder regardless of the folder's own security. The AD admin has a separate share they log in to that allows them full access to the same folders regardless of the folder's security.

I'm trying to mimic this in FreeNAS but I'm hitting a snag and I'm not sure what I'm missing. I've created the dataset with the AD admin and AD admin group as the initial permissions, then created a share to the top level for the admin. Inside this dataset we've created folders for each AD user and then created a share for each folder. Using Windows Computer Management through a Win 7 computer we've then set the Share Permissions so only that single AD user is listed. Once set up, we turned the CIFS service off and on to make sure things are set.

Unfortunately it doesn't seem to be enforcing the Share Permissions and instead enforces the folder's permissions. Users that are not listed on the Share Permissions are still able to access the share on FreeNAS.

Are there any known issues or does someone have any idea why this would be happening? Any and all help is much appreciated as I slowly tear out my hair trying to make this work.

tldr; Single dataset w/ several folders
Each folder has single AD user access controlled by Share Permissions and only allows access to that folder.
Admin has Share to the top level that allows access to all.
Share permissions are being ignored for folder permissions and we don't want that.
 

SmokieRat

Cadet
Joined
Apr 30, 2014
Messages
3
Another Scenario:
In a Windows environment we have folders set up as Root > Team > Member1

Root has Security permissions of NASAdmins(Full), Everyone(Read,List,Execute)
Root has Share Permissions of NASAdmins(Full)
Team has inherited security permissions from Root, no share setup
Member1 has same Security permissions as Root with the addition of Member1(Full)
Member1 has Share permissions of Member1(Full) only (NASAdmins removed)

This allows NASAdmins to connect to \\Server\Root, then navigate to the Member1 folder, but if they tried to go to \\Server\Member1 they would get access denied.
Member1 however can connect to \\Server\Member1 and create/delete folders/files but cannot connect to \\Server\Root

With FreeNAS we have set up a Volume for Root with permissions for NASAdmins(Full), Other(Read,Execute)
When checking the permissions in Windows, it shows NASAdmins(Full), Everyone(Read,List,Execute)
We then set up a Windows(CIFS) Share and pointed it to Root
We copied over the Team folder (contains the Member folders) to Root
When checking the permissions in Windows, they all show NASAdmins(Full), Everyone(Read,List,Execute)
We then added Member1(Full) to the Security permissions on the Member1 folder
We then set up a Windows(CIFS) Share and pointed it to Member1
We did the same thing with the Member2 folder
Using Computer Management on a Windows XP computer we connected to the FreeNAS server
This allowed us to change the permissions on the shares
We removed Everyone(Full) from the Root Share permissions and added NASAdmins(Full)
We removed Everyone(Full) from the Member1 Share permissions and added Member1(Full)
We removed Everyone(Full) from the Member2 share permissions and added Member2(Full)

When Member1 attempts to connect to \\Server\Root or \\Server\Member2 it gets access denied but can connect to \\Server\Member1 (Expected behavior)
When Member2 attempts to connect to \\Server\Root or \\Server\Member1 it gets access denied but can connect to \\Server\Member2 (Expected behavior)
When a NASAdmin attempts to connect to \\Server\Root it works just fine (Expected behavior)
However, a NASAdmin can also connect to \\Server\Member1 or \\Server\Member2 even though they are not listed in the Share permissions of either share (Unexpected behavior)

Is there something I'm overlooking on the Share vs Security permissions with FreeNAS, or a step I'm missing to get it to work like Windows?
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I think you want to make sure you're using Windows ACLs first. You never actually specified (unless I missed it in your posts) if you're using Windows ACLs or UNIX.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I may be misunderstanding you, but I believe best practice is to leave share permissions (as modified by compmgmt.msc) open to authenticated users and to control access with NTFS permissions via the security tab. For reference see here: http://www.windowsecurity.com/artic...ication_and_encryption/Share-Permissions.html

I have no problems creating fairly granular access controls for my CIFS shares. If you really want to create an extra layer of complexity - because those are fun to debug and ensure job security - then use Samba's share definition access controls.
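
Added example, not part of the original thread or of any poster's configuration: a sketch of the Samba share-definition access controls mentioned in the reply above, applied to the Root/Member1/Member2 layout from the second post. The `EXAMPLE` domain name and the `/mnt/tank/...` paths are placeholders, and the fragment assumes the default winbind separator (`\`) and that the AD users and groups resolve on the server.

```ini
# smb.conf share sections (constructed example; share names follow the thread,
# the EXAMPLE domain and all paths are placeholders).
# "valid users" is checked by Samba when a client connects to the share,
# before any filesystem ACL on the folder is consulted.

[Root]
    path = /mnt/tank/Root
    # Only members of the AD group NASAdmins may connect to \\Server\Root.
    valid users = @EXAMPLE\NASAdmins
    read only = no

[Member1]
    path = /mnt/tank/Root/Team/Member1
    # Only Member1 may connect to \\Server\Member1. NASAdmins are refused
    # at this share even though the folder ACL grants them Full; they still
    # reach the folder through \\Server\Root.
    valid users = EXAMPLE\Member1
    read only = no

[Member2]
    path = /mnt/tank/Root/Team/Member2
    valid users = EXAMPLE\Member2
    read only = no
```

Running `testparm -s` after editing prints the parsed share definitions, which confirms that each share carries the intended `valid users` line before clients reconnect.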
 