SMB Share, can't add second group

urobe

Contributor
Joined
Jan 27, 2017
Messages
113
Hey there,
I have an SMB share that is used by about 15 users, which are within three groups: Admin, Group01, Group02.
The admin group should have access to everything, while the other groups will have some shared folders and some only visible to themselves.

I created a dataset which is owned by User0 (Group Admin), also Apply Group is checked in the Edit Permissions window. ACL Type is Windows.

So far so good. If I now try to edit the permissions in Windows, I see this user and the group, but I can't add a second group. I can add users manually, even if they are not in the admin group.

For example: the share is owned by User0 (Group Admin), which I also tried adding to Group01.
I can add User01 (Group Group01), but I can't add Group01 as itself.

I read and watched a couple of tutorials, but there it was never an issue adding a second group.

I could add all the users manually, but I'd prefer a group option. Also, if new users need to be added, I think the risk of messing something up with single users seems big.

Any advice is greatly appreciated!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
11.3 has an ACL manager that allows you to add as many groups as you want.
 

urobe

Contributor
Joined
Jan 27, 2017
Messages
113
Just installed it! Seems like what I needed! Thank you very much for the hint!
 
Joined
Jul 3, 2015
Messages
926
Just to be clear @anodos when setting ACL permissions on an SMB share for 11.3 should we no longer be doing this via a Windows box and instead use the ACL Manager or does it not matter either way?

For info, I would normally add an AD admin group to the 'Group' permission on the dataset and then manage all other users & groups from a Windows box after connecting under the admin credentials.

Thanks
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Just to be clear @anodos when setting ACL permissions on an SMB share for 11.3 should we no longer be doing this via a Windows box and instead use the ACL Manager or does it not matter either way?
11.3 doesn't have a "Windows box". There's a drop-down for dataset create-time optimizations. I wrote the ACL management in VFS ixnas to be intelligent enough to detect whether the user only has POSIX mode set on a dataset and adjust generation of Windows SD accordingly to be more permissive. Generally, the SMB create-time optimizations and setting ACLs is the best bet for an enterprise / business environment, but ignoring ACLs entirely should also work for home users.

For info, I would normally add an AD admin group to the 'Group' permission on the dataset and then manage all other users & groups from a Windows box after connecting under the admin credentials.

Thanks
There's a button in 11.3 to add an ACL entry (like in the Windows UI). In an AD domain, I'd just select the "RESTRICTED" template for the share's ACL. Then I would add an inheriting entry granting FULL_CONTROL to Domain Admins, and an inheriting entry granting MODIFY for Domain Users. Check the "recursive" box and you're done. I think on most largish systems, the ACLs will get applied at a rate of around 4,000 files per second (quite a lot faster than going through Windows).
 
Joined
Jul 3, 2015
Messages
926
Great thanks for clearing that up. What I meant by Windows Box was that I would normally add AD groups to shares via a Windows computer using the permission management option.

So following your above-suggested guide the permissions for my dataset would have root, wheel, CREATOR OWNER, CREATOR GROUP, Domain Admins & Domain Users. Does that sound correct? Could root, wheel, CREATOR OWNER, CREATOR GROUP be removed from within Windows permission management or would that have some detrimental effects?
 
Joined
Jul 3, 2015
Messages
926
Ah sorry just having another look now. So looks like a better way would be to make my 'Domain Admin Group' the owner and group owner of the dataset and use the RESTRICTED template. That way root and wheel would vanish from the permissions. I could then add domain groups to the relevant shares. This would still leave CREATOR OWNER & CREATOR GROUP but guess that's required for mapping the permissions.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Or you can add both groups explicitly and remove the owner@ and group@ entries.
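
An added example, not part of any post in this thread: a small audit of an NFSv4 ACL dump against the layout discussed above (inheriting group entries, no per-user entries, owner@/group@ removed). The sample ACL is constructed, the text format assumed is that of FreeBSD `getfacl`, and mapping FULL_CONTROL and MODIFY to `full_set` and `modify_set` is an assumption.

```python
# Constructed sample in FreeBSD `getfacl` NFSv4 text format (not from the thread).
SAMPLE = """\
# file: /mnt/tank/share
# owner: root
# group: wheel
group:Domain Admins:rwxpDdaARWcCos:fd-----:allow
group:Domain Users:rwxpDdaARWc--s:fd-----:allow
owner@:rwxpDdaARWcCos:-------:allow
user:User01:rwxpDdaARWc--s:fd-----:allow
"""

FULL_SET = "rwxpDdaARWcCos"    # assumed equivalent of FULL_CONTROL
MODIFY_SET = "rwxpDdaARWc--s"  # assumed equivalent of MODIFY (no write_acl/write_owner)

def parse_acl(text):
    """Parse getfacl-style lines into dicts; comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split from the right: principal names may contain spaces or colons.
        who, perms, flags, kind = line.rsplit(":", 3)
        tag, _, name = who.partition(":")
        entries.append({"tag": tag, "name": name, "perms": perms,
                        "flags": flags, "type": kind})
    return entries

def audit(entries, expected):
    """expected maps group name -> permission string. Returns a list of findings."""
    findings, seen = [], {}
    for e in entries:
        label = e["tag"] + (":" + e["name"] if e["name"] else "")
        if e["tag"] == "user":
            findings.append(label + ": per-user entry, grant through a group instead")
        elif e["tag"] in ("owner@", "group@"):
            findings.append(label + ": entry still present")
        elif e["tag"] == "group":
            seen[e["name"]] = e
            if "f" not in e["flags"] or "d" not in e["flags"]:
                findings.append(label + ": not inherited by new files and directories")
    for name, perms in expected.items():
        if name not in seen:
            findings.append("group:" + name + ": expected entry is missing")
        elif seen[name]["perms"] != perms:
            findings.append("group:" + name + ": permissions differ from expected")
    return findings

if __name__ == "__main__":
    wanted = {"Domain Admins": FULL_SET, "Domain Users": MODIFY_SET}
    print("\n".join(audit(parse_acl(SAMPLE), wanted)))
```
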
 