I'm using FreeNAS 11.0-U2 on good hardware (SM, ECC, Xeon v3), clean installed at 9.10.2, never modded outside the GUI, and nothing running except basics (SMB, SSH, iSCSI).
The SMB clients are mostly Windows. From my desktop, there's a laptop and the server, both offering file shares. I can browse both, fully use the Windows share, can't read files from the SMB share (even when logged in as the owning user). On the other hand the Windows share is wide open, which is probably why, but not ideal, so I don't want to just copy its permissions to the Samba share.
The current permissions are: on the laptop's share (call it \\Laptop\Share1), SYSTEM + Administrators = full, Authenticated Users = Modify, Users = Read (with lesser permissions also granted in each case). On the Samba share (\\Samba\Share2), I have root + ugroup1 = full control and nothing else (root owns the shared directory but is blocked from SMB access using "invalid users = root").
I can browse both shares, but as I said, I can't copy files from \\Samba\share2 even when logged in as a user in ugroup1. I checked the login is for the correct user in smbd log. I know I can add Everyone or Authenticated Users, but I do not want to add everyone and their friend to permissions, just because I don't know how to set it up properly.
What I'd like is file shares working like this:
- Guest, Anonymous, and unauthenticated->guest mapping disabled, except for (maybe) one shared dir that allows read-only guest access. Or as close to disabled as it gets, perhaps guest has to be enabled but then very restricted in ACLs, for discovery of the root share \\Samba to work in Network Places.
- The root share \\Samba can be discovered + seen by anyone automatically, in Network Places (with or without authentication as a Samba user or group).
- Within the root share \\Samba, you can only see the dirs+files below it that you have read/traverse access to. Meaning, no "security by obscurity" - if a dir is only readable by some users/groups, anyone who isn't authenticated as one of those, can't see the dir or access any subdirs/files within it. If you are logged in as a user with read perms for \\Samba\Share2, then you'll see that share and if not, not.
- Programs run on the client by a user can access the server resources that the user can. So when a user browses with Windows Explorer, or runs a program that calls UAC, those progs have the same rights as the user to read/access files.
Three questions:
- What have I got wrong on my current ACLs? Why can I read but not pull files over? (There's no user set up who has a permission/ACL that would allow traverse and dir read but not copying files from it)
- What permissions+ACLs should I be setting on the root \\Samba itself, either from FreeNAS or in Windows?
- What ACLs should I be setting on the root of a shared folder \\Samba\share1?
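As an added illustration (not part of the original post): the symptom "can list the directory but cannot read its files" is worth checking at the ACL level, i.e. whether the files inside the share actually carry a read_data entry for the group and whether the directory's allow entry has the file_inherit flag so that new files get one. The script below parses constructed `getfacl` output in the FreeNAS/FreeBSD NFSv4 format for a hypothetical user alice in ugroup1 and reports the paths on which she has no read_data.

```python
import re

# Constructed sample in FreeBSD/FreeNAS `getfacl` format (not from the original post):
# the share root grants group ugroup1 full access, but the entry lacks the 'f'
# (file_inherit) flag, so a file created inside it carries no ugroup1 entry at all.
SAMPLE_GETFACL = """\
# file: /mnt/tank/share2
# owner: root
# group: ugroup1
            owner@:rwxpDdaARWcCos:-d-----:allow
     group:ugroup1:rwxpDdaARWcCos:-d-----:allow
         everyone@:--------------:-------:allow
# file: /mnt/tank/share2/report.docx
# owner: root
# group: ugroup1
            owner@:rw-p--aARWcCos:-------:allow
         everyone@:--------------:-------:allow
"""

# principal : permission letters : inheritance flags : allow|deny
ACE = re.compile(r"^\s*(owner@|group@|everyone@|user:[^:]+|group:[^:]+):([-\w]+):([-\w]+):(allow|deny)\s*$")

def parse_getfacl(text):
    """Map each '# file:' path to its owner, group and ordered list of ACEs."""
    objs, cur = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            cur = objs.setdefault(line[8:], {"owner": "", "group": "", "acl": []})
        elif cur is not None and line.startswith("# owner: "):
            cur["owner"] = line[9:]
        elif cur is not None and line.startswith("# group: "):
            cur["group"] = line[9:]
        elif cur is not None and (m := ACE.match(line)):
            cur["acl"].append(m.groups())
    return objs

def ace_applies(who, obj, user, groups):
    """Does this ACE's principal cover the given user and group set?"""
    if who == "owner@":
        return user == obj["owner"]
    if who == "group@":
        return obj["group"] in groups
    if who == "everyone@":
        return True
    kind, name = who.split(":", 1)
    return name == user if kind == "user" else name in groups

def permitted(obj, user, groups, bit):
    """NFSv4 evaluation: the first applicable ACE mentioning the bit decides; none => denied."""
    for who, perms, _flags, kind in obj["acl"]:
        if bit in perms and ace_applies(who, obj, user, groups):
            return kind == "allow"
    return False

def unreadable_paths(text, user, groups):
    """Paths in the dump on which `user` lacks read_data ('r'): on a dir that is listing, on a file it is reading."""
    return [p for p, o in parse_getfacl(text).items() if not permitted(o, user, groups, "r")]

def non_inheriting_aces(obj):
    """Allow ACEs on a directory that grant read but will not propagate to new files (no 'f' flag)."""
    return [who for who, perms, flags, kind in obj["acl"] if kind == "allow" and "r" in perms and "f" not in flags]
```

Run it against the real output of `getfacl` on the share root and on one of the files that refuses to copy; an entry listed by `non_inheriting_aces` on the directory explains why files created later lack the group's read bit.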