NS8 FileServer Permissions

NethServer Version: NS8
Module: FileServer

Hi

On a newly installed and migrated NS8 server, acting as AD and FileServer (Also mail), AD is generally working. Users and Groups were migrated correctly.

Using File Server, it’s possible to open almost any file via Windows Explorer. Read permissions are OK.
On all shares, the AD Group is owner. Group members are allowed, no one else.

Even as admin, I cannot always save a file; I assume only the original creator can do so, as it seems.
On NS7 I did run into that issue a very long time ago, and had a solution, but as NS8 is container-based, that would not directly work.
A recursive chown / chmod setting a correct valid user (e.g. root or primary group, not an unknown UID from a foreign system) usually does the trick. But on NS8?


A slightly different issue is having files executable for Windows clients using shares:

From my notes:

By default, Nethserver NG 7.x does not allow Windows clients to execute programs saved in shares.

To modify the behavior create this template-custom

mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf
cd /etc/e-smith/templates-custom/etc/samba/smb.conf
nano 10EnableExecution

Insert the following lines into the 10EnableExecution file


#
# Custom
#
# 10EnableExecution
#

acl allow execute always = True

Activate the change with the command

signal-event nethserver-samba-update

The change is “global” and affects all shares and user directories.


How could this be set in NS8?

Any suggestions @davidep ?

My 2 cents
Andy

Check out the thread Recycle Bin Samba NS8 how to customize samba.

Hi @mrmarkuz

Thanks, that’s great for customizing.

But how do I set permissions default, and what are they in NS8 root.root?

TIA

My 2 cents
Andy

This post from @davidep can help:

2 Likes

chown/chmod does not work with NS8 because ACLs are stored inside an extended attribute: user.NTACL. The contents of that attribute are difficult to administrate with Linux commands because they are encoded as Samba likes. You could check commands like smbcacls or samba-tool ntacl set; the best tools are provided by Windows IMO.

However, it’s important that ownership of files and dirs is mapped to the container’s root:users uid and gid; that is what Samba expects in order to write files and dirs correctly, so do not change them!

What NS8 can do from UI is a recursive reset of ACLs to original settings. Bear in mind that members of Domain Admins are always granted full privileges.

I think you can enable that setting as Markus pointed out with a per-share registry entry. As an alternative, using a Windows client, set the appropriate ACL bit to allow running a program (by default only read/write permissions are granted for security reasons).

3 Likes
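A read-only way to check the two points from the post above (ownership mapped to the container's root:users, and ACLs held in the user.NTACL extended attribute) before deciding whether an ACL reset is needed. This is an added example, not part of the original thread or of NS8. The function name `audit_tree`, the share path and the numeric uid/gid are assumptions supplied by the caller, since the mapped IDs depend on where the script runs.

```python
#!/usr/bin/env python3
"""Read-only audit of a Samba share tree: ownership and user.NTACL presence."""
import os
import sys

NTACL_XATTR = "user.NTACL"  # extended attribute named in the post above


def audit_tree(root, expected_uid, expected_gid, list_xattrs=os.listxattr):
    """Return sorted (path, problem) tuples; nothing on disk is modified.

    expected_uid/expected_gid are assumptions supplied by the caller: the
    numeric IDs that the container's root:users map to where this runs.
    """
    findings = []

    def check(path):
        st = os.lstat(path)
        if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
            findings.append((path, f"owner {st.st_uid}:{st.st_gid}"))
        try:
            names = list_xattrs(path, follow_symlinks=False)
        except OSError as exc:  # e.g. filesystem without xattr support
            findings.append((path, f"xattrs unreadable: {exc.strerror}"))
            return
        if NTACL_XATTR not in names:
            findings.append((path, f"missing {NTACL_XATTR}"))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):  # symlinks carry no user.* xattrs
                check(path)
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} SHARE_DIR EXPECTED_UID EXPECTED_GID")
    share, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    results = audit_tree(share, uid, gid)
    for path, problem in results:
        print(f"{path}: {problem}")
    sys.exit(1 if results else 0)
```

The script only reports; any actual correction is left to the ACL reset in the NS8 UI or to a Windows client, as described in the post.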

@davidep, @dnutan, @mrmarkuz

My first NS8 migration, I also “set” permissions using a Windows PC, and the Domain “Admin” and extracted the shared files folder from a Proxmox backup (PBS File level restore), and copied the files into the empty (correctly pre-set with permissions) folder…

It worked!

:slight_smile:

My 2 cents
Andy

1 Like