SMB mixed permissions share

CHERIJO (Cadet; joined Mar 28, 2019; 3 messages)
I have a SOHO SMB setup with multiple shares where I need nobody/guest access to them all. This is a very small office, where random clients come in to collaborate quite often. Some shares need write access, others need to be read only. In the past I've separated them all out into multiple shares and just used the SMB read-only flag on the share for read-only shares with guests allowed, and just set basic *nix owner ACLs to inherit from user:nobody, group:shares. The downside to this is that it means I have a very large list of shares under the server. I'm looking to tighten this up a bit if I can. I'm going to oversimplify the number of shares to concentrate on just one part of it as an example. I'm also going to ignore specific users, admins, etc.

Let's say I have two shares:
Media RO (ZFS dataset, Everyone, including guests, can Read from it, no one can modify, write, delete, etc)
Media RW (ZFS dataset, Everyone, including guests, can Read, Write, Modify, Delete, etc etc.)

Ideally, I would like ONE share with multiple sub folders, each with their own permissions:
Media (ZFS dataset, shared, Everyone including guests, read only base folder, no writing/deleting by anyone but an admin).
|- Media RO (ZFS dataset, shared, Everyone including guests, read only, no writing/deleting by anyone but an admin)
|- Media RW (ZFS dataset, shared, Everyone including guests, Read/Write/Delete)

Ideally, I'd love it all to be controlled from the web UI for administrative purposes, and as much as possible via the GUI with minimal console commands (often I'm off site and need to fix permissions issues with files for people, or I need to carefully explain what to do to my boss, who is not console friendly...). These shares will also be accessed from *nix and Mac systems, so controlling permissions from the server's *nix ACLs seems like the best way I have to meet that need.

I've been mucking about with it, and I just can't quite seem to get the right levels set to be able to fully browse the full directory structure AND prevent all deleting of files and prevent writing in the right places.
 
Reply (joined Jan 4, 2014; 1,644 messages)
Start by detailing your FreeNAS hardware and software configuration and what type of clients you use, e.g. Win10, OS X, etc.
 

CHERIJO (Cadet; joined Mar 28, 2019; 3 messages)
FreeNAS-11.2-U2.1 on a custom mini server (Core i7-7700, 16GB RAM, 4x4TB HDD in RAID-Z2). Clients = everything under the damn sun: Windows 10, Win 7, Win 8, macOS 10.x (multiple eras of machines), Android phones, iPhones, Ubuntu... take your pick.
 
Reply (joined Jan 4, 2014; 1,644 messages)
> Let's say I have two shares:
> Media RO (ZFS dataset, Everyone, including guests, can Read from it, no one can modify, write, delete, etc)
> Media RW (ZFS dataset, Everyone, including guests, can Read, Write, Modify, Delete, etc etc.)

Is this what you have?

> Ideally, I would like ONE share with multiple sub folders, each with their own permissions:
> Media (ZFS dataset, shared, Everyone including guests, read only base folder, no writing/deleting by anyone but an admin).
> |- Media RO (ZFS dataset, shared, Everyone including guests, read only, no writing/deleting by anyone but an admin)
> |- Media RW (ZFS dataset, shared, Everyone including guests, Read/Write/Delete)

Is this what you want?

> Ideally, I'd love it all to be controlled from the web UI for administrative purposes, and as much as possible via the GUI with minimal console commands (often I'm off site and need to fix permissions issues with files for people, or I need to carefully explain what to do to my boss, who is not console friendly...). These shares will also be accessed from *nix and Mac systems, so controlling permissions from the server's *nix ACLs seems like the best way I have to meet that need.

It's coming, but not here yet. For more info, refer to the thread "Methods For Fine-Tuning Samba Permissions". For what you require, you will need Windows ACLs to fine-tune.
 
Reply (joined Jan 4, 2014; 1,644 messages)

> Clients = everything under the damn sun: Windows 10, Win 7, Win 8, macOS 10.x (multiple eras of machines), Android phones, iPhones, Ubuntu... take your pick.
What's dominant? What's permanently set up in the SOHO?
 

CHERIJO (Cadet; joined Mar 28, 2019; 3 messages)

> What's dominant? What's permanently set up in the SOHO?

There is literally nothing permanent other than the server. As far as dominant, Windows 10, Android, iPhone, and OS X are the most used by employees, so nothing is really dominant. I'm plenty familiar with doing it through Windows ACLs, but managing the permissions (fixing errors, especially) is a pain when I'm often off site and it's critical that a bad permission gets fixed *now* (don't ask how it happens; let's just say a certain employee does what they think they have to in a high-needs moment, but it hoses others later, and securing them out isn't an option).

For security reasons, the SMB shares are intranet only; nothing leaves the office except final output works that are approved (it's literally the only way we have to ensure any kind of security with such a wide variety of clients dropping in and out). If you are wondering WTH this IT security nightmare workplace would be, it's a small technical AV/staging company: tight deadlines, highly collaborative. Getting on site to fix permissions via Windows is a PITA, and I don't always have a Windows machine with me to do admin; my most common tool with me is my Android phone and a mini BT keyboard. A VM running Windows isn't particularly useful on a tiny smartphone screen either. I know I can do Windows-type permissions via the shell in FreeNAS, but that is a true PITA.

I am mostly fishing to see if anyone knows a good way to set this up that's totally FreeNAS Web GUI friendly. If not, it's not the end of the world, we'll just keep doing the simpler locked out method we have been using.
 
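The shell route the thread points at (the "Windows ACLs" of the reply above, i.e. NFSv4 ACLs set with setfacl(1) on FreeBSD, and the "Windows-type permissions via the shell" the last post mentions), written out as an added example. This is not code from the thread, from the linked "Methods For Fine-Tuning Samba Permissions" thread, or from FreeNAS itself. Assumptions: pool name tank, datasets tank/media, tank/media/ro and tank/media/rw mounted under /mnt, the admin being the dataset owner (root), and Samba's guest account being nobody as in the original post, which is what the everyone@ entries match. The layout relies on one property of the OP's own design: because RO and RW are separate ZFS datasets rather than plain folders, the base dataset's inheritable entries never reach them, so each dataset root simply carries its own ACL. The script defaults to a dry run that prints the commands, and includes an audit function for getfacl output that can be run from a phone SSH session after someone "fixed" permissions in a hurry.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeNAS's own code): the OP's layout
# as three ZFS datasets under ONE SMB share, with NFSv4 ACLs set via setfacl(1)
# from the FreeNAS 11.2 shell. Assumed names: pool "tank", datasets tank/media,
# tank/media/ro and tank/media/rw, mounted under /mnt. DRY_RUN=1 (the default)
# only prints the commands so the plan can be reviewed before anything is
# touched; DRY_RUN=0 applies it on the FreeNAS host as root.
set -eu

POOL="${POOL:-tank}"
BASE="$POOL/media"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# NFSv4 ACEs in setfacl short form, tag:perms:inherit-flags:type.
# Permission letters: r read_data, x execute/traverse, a read_attributes,
# R read_xattr, c read_acl, s synchronize. full_set and modify_set are
# setfacl's named sets; modify_set is everything except write_acl/write_owner.
# Flags "fd": new files (f) and directories (d) inherit the entry.
ADMIN_ACE='owner@:full_set:fd:allow'
RO_ACE='everyone@:rxaRcs:fd:allow'      # browse and read, nothing that creates or deletes
RW_ACE='everyone@:modify_set:fd:allow'  # guests (Samba runs them as nobody) create/edit/delete

ace_for_role() {
    case "$1" in
        ro) printf '%s\n' "$RO_ACE" ;;
        rw) printf '%s\n' "$RW_ACE" ;;
        *)  printf 'unknown role: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Create one dataset and leave it with exactly two non-trivial entries, the
# admin entry and the role entry. "setfacl -b" first strips the ACL back to
# the trivial one derived from the mode bits so nothing stale survives.
# aclmode/aclinherit=passthrough keep a later chmod or inheritance from
# silently rewriting the entries.
setup_dataset() {  # setup_dataset <dataset> <ro|rw>
    ds="$1"; role="$2"; mnt="/mnt/$ds"
    run zfs create -o aclmode=passthrough -o aclinherit=passthrough "$ds"
    run setfacl -b "$mnt"
    run setfacl -m "$ADMIN_ACE" "$mnt"
    run setfacl -m "$(ace_for_role "$role")" "$mnt"
}

# Audit helper: pipe getfacl(1) output in; succeeds only if no everyone@
# allow entry grants a write-class permission (w write_data, p append_data,
# d delete, D delete_child).
everyone_is_readonly() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in ''|'#'*) continue ;; esac
        tag=${line%%:*}; kind=${line##*:}
        [ "$tag" = "everyone@" ] && [ "$kind" = "allow" ] || continue
        perms=${line%:*}; perms=${perms%:*}; perms=${perms##*:}
        case "$perms" in *[wpdD]*) return 1 ;; esac
    done
    return 0
}

# Constructed getfacl output (not captured from a real system) so the audit
# can be exercised without a FreeNAS box: an rw dataset where everyone@ can write.
SAMPLE_RW_FACL='# file: /mnt/tank/media/rw
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
         everyone@:rwxpDdaARWcCos:fd-----:allow'

# Returns 1 for the sample above (everyone@ holds w/p/d/D), 0 for a read-only ACL.
audit_sample() { printf '%s\n' "$SAMPLE_RW_FACL" | everyone_is_readonly; }

plan() {
    setup_dataset "$BASE" ro       # base folder: browse only, admin writes
    setup_dataset "$BASE/ro" ro    # read-only subfolder
    setup_dataset "$BASE/rw" rw    # collaborative subfolder
    if [ "$DRY_RUN" = "0" ]; then
        for d in "$BASE" "$BASE/ro"; do
            getfacl "/mnt/$d" | everyone_is_readonly ||
                { printf 'everyone@ can write in /mnt/%s\n' "$d" >&2; exit 1; }
        done
    fi
}

plan
```

With the datasets in place, create a single SMB share for /mnt/tank/media with guest access allowed and the share-level read-only flag left off; the ACLs, not the share flag, decide who may write where, so the list of shares collapses to one. Two caveats: the admin entry is owner@, so in the rw dataset a file a guest creates is owned by nobody and nobody gets full control of that file (use a named admin group entry instead if that matters), and the audit only inspects everyone@ entries, so a stray user: or group: entry granting write would still have to be spotted in the getfacl listing.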