Sunday, October 1, 2017

Windows Share Permissions Done Right in FreeNAS

The scenario is that you have a FreeNAS machine - for reference I am running FreeNAS-11.0-U2 - and you want to have a multi-user system where different users have different permissions to access shares over a local network. Here I will show a quick and basic setup of a new share and setting its permissions. Then I will explain two common issues that are encountered and how to resolve them:
  • Everybody can see and read the shares over the Windows network
  • I have set up the users, added them to the proper group, but they still cannot access a Dataset

To begin with, the basic steps for creating a new network share are as follows:
  1. Create and manage users and groups
  2. Create and share the Datasets

Create and Manage Users and Groups

It is probably easier to start with this. So for example we want to have 3 users, Alice, Bob and Charlie. They should all be granted access to some common shared directories and have restricted access to some other directories.
  1. Create a Group called "Shared". This group will be the owner of later directories (Datasets) accessible to all of the users.
    Creating a new group called Shared.
  2. Create the users Alice, Bob and Charlie and add them to the group Shared.
    Creating a new user and adding immediately to the Shared group
    Adding the new user Alice, at the same time assigning her to the Shared group.

Create and Share the Datasets

There are plenty of guides on this and it is not so complicated once you get the hang of it. For reference take a look at doc.freenas.org, forums.freenas.org or tekblog. Here, just by way of introduction, is the basic idea.
  1. Create a new Dataset called "Common" as a Windows share.
    Creating a new Dataset called Common.
  2. Change the permissions of the newly created Dataset and set the Owner (user) as root and the Owner (group) the Shared group.
    Changing the permissions of the new Dataset.
  3. Share the newly created Dataset. This makes it available over the network.
    Creating a new Windows (SMB) share
    Creating a new SMB (Windows) share for the newly created Dataset
At this point all 3 users have access to the Common share over the network, by default \\freenas.local\Common. This is the basic setup and it will work on freshly created Datasets. If you have previously changed any permissions on parent Datasets, then read the section below, which explains the issues.

General Errors and Solutions

A brief section explaining some (trivial) problems I encountered and for which I found it hard to get an explanation.

Everybody can see and read the share over the network

By default, when making Windows shares in FreeNAS the group "Everyone" is added to the share's permissions, and hence any user who can log in to the server can browse and read the share. The solution is to attach the volume on a Windows machine as the owner of the Dataset, right-click the folder, go to its permissions and remove the group "Everyone" from the access list. This stops LAN users without an explicit entry from seeing the shares altogether.
Checking user and group permissions for the main Dataset
By default, the group "Everyone" is added to FreeNAS Windows shares.

Permissions settings for the main Dataset
To deny access of local network users without explicit permissions to view the shared Datasets, remove the "Everyone" group from the permissions tab.
If you have sub-folders in the Dataset, you will get a prompt asking whether you want to change the permissions recursively; you can say yes.

I have set up the users, added them to the proper group, but they still cannot access a Dataset

This can happen if a parent Dataset is shared and some of its sub-datasets are also shared separately. The issue comes when the sub-dataset has to be shared with a user, but the parent Dataset has to be restricted. It took me a while to figure out - as it is often not mentioned - but the parent Dataset in FreeNAS has to have the same Owner (group) as the sub-dataset you want to share. Let's look at the following simple share setup as an example.
Storage Dataset with Music and Series sub-datasets.
Example share setup, where the Storage Dataset has 2 sub-datasets.
If I wanted to share just the Music sub-dataset with Alice, I would need to do the following,
  • Create a new group, e.g. called "Shared"
  • Add Alice to the group Shared
  • Make "Shared" the Owner (group) of the Music dataset
  • Make "Shared" the Owner (group) of the Storage parent Dataset (this is usually forgotten!)
  • To restrict Alice's access to the Series dataset, make sure that it is owned by another group in which Alice is not a member.
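The forgotten parent-Dataset step above can be checked from the FreeNAS shell instead of by trial and error. The script below is an added example written for this post, not FreeNAS's own tooling: `check_chain` walks from a sub-dataset's mountpoint up to a stop directory and reports the first directory that members of a given group could not pass through. It goes slightly beyond the ownership rule in the text: a directory also counts as passable when it is executable by others. The paths /mnt/tank/Storage/Music and /mnt/tank and the group name Shared are assumptions matching the example layout.

```shell
#!/bin/sh
# Added example (not FreeNAS code): report the first directory on the way
# from a sub-dataset up to STOP that members of GROUP cannot traverse.
# A directory passes when it is owned by GROUP with the group execute
# (traverse) bit set, i.e. the ownership rule from the post, or when it
# is executable by others. Only POSIX sh, ls, awk and cut are used, so
# the same script runs on FreeNAS (FreeBSD) and on Linux.

# Print "mode owner group" for one directory; ls -ld has the same
# column layout on FreeBSD and Linux.
dir_info() {
    ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# check_chain PATH GROUP [STOP]
# Returns 0 if every directory from PATH up to and including STOP
# (default /) is passable for GROUP; otherwise prints the blocking
# directory and returns 1.
check_chain() {
    path=$1; want=$2; stop=${3:-/}
    while :; do
        set -- $(dir_info "$path")
        mode=$1; group=$3
        grp_x=$(printf '%s' "$mode" | cut -c7)    # group execute bit
        oth_x=$(printf '%s' "$mode" | cut -c10)   # other execute bit
        case "$group:$grp_x" in
            "$want:x"|"$want:s") ;;               # owned by GROUP, traversable
            *) case "$oth_x" in
                   x|t) ;;                        # anyone may traverse
                   *) echo "BLOCKED at $path (mode $mode, group $group)"
                      return 1 ;;
               esac ;;
        esac
        [ "$path" = "$stop" ] && return 0
        [ "$path" = / ] && return 0
        path=$(dirname "$path")
    done
}

# Setup from the post: Alice is in Shared and Music is owned by Shared,
# but the Storage parent may not be. Hypothetical paths assume the
# default /mnt/<pool> layout.
# check_chain /mnt/tank/Storage/Music Shared /mnt/tank
```

On Windows-type Datasets FreeNAS stores NFSv4 ACLs, so the mode bits that `ls` shows are only a summary; run `getfacl` on a directory the script flags to see the full access list.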
