Configuring Shared Folder permissions

NethServer Version: v7
Module: Shared Folders with AD as the Account Provider

We have 4 users and about 6 Shared Folders setup.

For two folders, 2 users need ReadOnly access while the other 2 users have ReadWrite access.
For another folder, only 2 users need ReadWrite access and no-one else should have access to this folder.

The problem is that I need to select the Allow read permission to everyone in combination with Read and write in order to give the 2 authorized users the correct Read/Write access even though I have explicitly given them the Read/Write permissions under the ACL tab.

I have been a senior Windows Server administrator and network administrator and dev and I currently work in DevOps so the Windows share and file permissions assignments are something very easy for me, I can do it in my sleep.

So I don’t know if there is something really obvious that I am completely missing? Or if there is something in the config files that has gone wrong when I was changing the config around during the initial setup.

The General tab for the share is:

and the ACL tab is:

Both of the users shown on the ACL tab are in the nokken@thenesbitts.net group.

For the users who are authorized to access this folder, they can only view and write to it if I select the options Allow read permission to everyone and Read and write under Guest Access.

the smb.conf shows:

[nokken-files]
path = /var/lib/nethserver/ibay/nokken-files
comment = Nokken Business Files
# 20profile_default:
read only            = no
inherit permissions  = yes
; Add group write bit to default create mask, remove DOS archive bit (see below) #2039
create mask          = 0664
inherit owner        = yes
; Use extended attribute to store DOS attributes (see man page)
store dos attributes = yes
map archive          = no
map readonly         = no
inherit acls         = yes
map acl inherit      = yes
guest ok             = no
browseable           = yes

# 90vfs_output
vfs objects = full_audit recycle
  recycle: exclude_dir = /tmp,/temp,/cache
  recycle: repository = Recycle Bin
  recycle: versions = True
  recycle: keeptree = True
  recycle: touch = True
  recycle: directory_mode = 0770
  recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*

The problem is that if I if I select the options Allow read permission to everyone and Read and write under Guest Access, then all users can read and write to the share and I can’t have that.

What am I missing or getting wrong?

1 Like

Please have a look at the output of

getfacl /var/lib/nethserver/ibay/nokken-files

Here is the output:

$ getfacl /var/lib/nethserver/ibay/nokken-files
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/nokken-files
# owner: administrator@thenesbitts.net
# group: nokken@thenesbitts.net
# flags: -s-
user::rwx
user:james@thenesbitts.net:rwx
user:astri@thenesbitts.net:rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:james@thenesbitts.net:rwx
default:user:astri@thenesbitts.net:rwx
default:group::rwx
default:mask::rwx
default:other::rwx

Please try it with the configuration, where read/write access is only enabled for the group which should have access.

Here it is as requested:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/nokken-files
# owner: administrator@thenesbitts.net
# group: nokken@thenesbitts.net
# flags: -s-
user::rwx
user:james@thenesbitts.net:rwx
user:astri@thenesbitts.net:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:james@thenesbitts.net:rwx
default:user:astri@thenesbitts.net:rwx
default:group::rwx
default:mask::rwx
default:other::---

Did ou try 2 change it from the windows side?

No, if I set the permissions from the web administration, I can’t even get into the share with an authenticated user.

did you try to change subdirectorys ?

subdirectories and their permissions are irrelevant, client OS is irrelevant.

The authorized users do not get access if the perms are set as desired. If the permissions are set so that the authorized users have access, then the permissions are too open.

I noticed that in the smb.conf, there is no valid users = line at all. Should there be one? Or is that defined somewhere else?

For me it looks good, right permissions to the right users.

Perhaps @davidep has an idea.

Okay - I performed a RESET PERMISSIONS to ensure all files and subfolders have the correct permissions.

I then opened up the share again for guest users and I found that I could not browse to the subfolders.

Which does beg the question (and potentially the root cause of the problems) - from a Windows client or Linux client, what should I enter as the username when prompted for my credentials? Should I be entering only james or james@thenesbitts.net as the username?

I would say only james, but try and error :stuck_out_tongue:

If I use only james as the username, the desired permissions prevent access. It will only give me access if I allow Guest Read/Write Access.

If I use james@thenesbitts.net as the username, I am allowed access with the desired permissions.

I can confirm the above solution works from a Linux box.

Now the problem has changed slightly, I need to know either:

  • How to make Windows 10 accept the username I as have used above on a Linux box?
  • How do I make the Shared folders use either james@thenesbitts.net or just james?

Right - got the solution!

Set the permissions to exactly what you want them to be.

On the workstations, when specifying the username - user <username>

Cursed be this specification when the username on the workstation is the same as on the server with the only difference being the two being the password!

1 Like

I’m happy you’ve solved!

Please have a look to the Shared folders documentation: does it need to be changed?

http://docs.nethserver.org/en/v7/shared_folder.html#network-access

1 Like

Yeah - the solution would be in the docs (the one thing I should have done and didn’t - that will teach me to RTFM next time!)

The manual has pretty much got it spot on there, maybe to make it slightly clearer is where is specifies the user COMPANY\john.smith is to maybe change it to WORKGROUP\john.smith or something to that effect?

1 Like

Well, “workgroup” sounds misleading to me, because there’s no Windows workgroup running in this kind of setup; indeed we have an AD domain.

@bwdjames on first post is written

Which is the AD domain controller? Is an external Windows installation or the NethServer-Samba4 installation?

The Nethserver is effectively the AD Domain Controller @pike

@davidep I agree that “workgroup” is a bit misleading, maybe the word “domain” might be a better word.

1 Like