Share points effective permissions SMB

mousebat
Starting out
Posts: 39
Joined: Wed Feb 12, 2020 10:39 pm

Post by mousebat »

Hi all

We have a NAS in Standalone SMB mode with 3 shared folders:

AdminDrive
ProductionDrive
WorkDrive

And we have 3 groups that have RW permissions on the folders:

AdminGroup -> RW -> AdminGroup
ProductionGroup -> RW -> ProductionGroup
WorkGroup -> RW -> WorkDrive

Then we have a variety of users who may be part of WorkGroup, AdminGroup, ProductionGroup or a variety of any or all of them. The groups the user belongs to defines which shared folder it has access to. It's not really a seniority-type hierarchical choice, it's just different departments need access to different folders dependent on their role in our company.

This works in AFP but not SMB.

It seems that because each group has no RW permissions for the other drives they effectively cancel each other out from start to finish. So all I end up with is users who can RW the WorkDrive.

Do I have to set up a different group for every combination of access? If I had 5 shares that would be a huge amount of groups for all the different combinations!

It seems easier to just add access to the shared folders at the user level but what if something and I need to quickly add RW permissions to 20 users on a new drive or remove permissions etc...?

Hope someone can shed light on this for me.

MB
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: Share points effective permissions SMB

Post by Mousetick »

Don't deny access to the other groups. Leave them out of the shared folder permissions.

Conflicts in Shared Folder Permissions

Re: Share points effective permissions SMB

Post by mousebat »

The other groups haven't got any explicit "deny" ticks yet it says "no access" on its calculated permissions...

Re: Share points effective permissions SMB

Post by Mousetick »

Yes that's normal. A lack of permission means "no access" for that user or group. But unlike an explicit "Deny" it doesn't prevent access if the user or group is granted access by another permission. "Deny" takes precedence over everything else.

I don't know which part of the UI you're looking at but AFAIK what QTS shows are not calculated permissions, it only shows the permissions as they are configured.

If you want to verify the calculated/effective permissions, you need to connect to the SMB server with a specific user.

Re: Share points effective permissions SMB

Post by mousebat »

It looks like I'm going to have to rethink our permissions hierarchy. I think we'll have to follow a more role-based access control hierarchy with groups per role in our organisation.

Re: Share points effective permissions SMB

Post by mousebat »

Can anyone tell me how Samba checks the group permissions when in standalone mode but using Access Based Share Enumeration? Does it query the smb.conf file and cross reference the /etc/group file or does it have some other database?

Re: Share points effective permissions SMB

Post by Mousetick »

mousebat wrote: Thu Jun 17, 2021 11:30 pm
> Does it query the smb.conf file and cross reference the /etc/group file

Yes.

> or does it have some other database?

No.
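
Added example, not part of any post in this thread and not QNAP's or Samba's code: a small model of the rule described in the replies above (a missing entry grants nothing, a grant from any group applies, an explicit Deny overrides everything), with group membership resolved from /etc/group-style lines. The users, the Contractors group and the Deny entries are constructed for illustration; only membership listed in the group file is considered.

```python
# Added example: constructed data, not read from a real NAS.
from enum import IntEnum

class Access(IntEnum):
    NONE = 0   # no entry for this principal: grants nothing, blocks nothing
    RO = 1
    RW = 2
    DENY = 3   # explicit deny: overrides every grant

# Constructed /etc/group-style lines (name:password:gid:member,member,...)
ETC_GROUP = """\
AdminGroup:x:1001:alice,carol
ProductionGroup:x:1002:bob,carol
WorkGroup:x:1003:alice,bob,carol,dave
Contractors:x:1004:dave
"""

# Share permissions as configured; "@name" is a group, a bare name is a user.
# Contractors and its Deny entries are hypothetical additions.
SHARE_ACL = {
    "AdminDrive":      {"@AdminGroup": Access.RW},
    "ProductionDrive": {"@ProductionGroup": Access.RW, "@Contractors": Access.DENY},
    "WorkDrive":       {"@WorkGroup": Access.RW, "@Contractors": Access.DENY},
}

def parse_groups(text):
    """Map group name -> set of member user names."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups

def effective_access(user, share, acl=SHARE_ACL, groups=None):
    """Deny wins; otherwise the highest grant from any matching entry applies."""
    groups = parse_groups(ETC_GROUP) if groups is None else groups
    matched = [
        level for principal, level in acl[share].items()
        if principal == user
        or (principal.startswith("@") and user in groups.get(principal[1:], ()))
    ]
    if Access.DENY in matched:
        return Access.DENY
    return max(matched, default=Access.NONE)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, {s: effective_access(user, s).name for s in SHARE_ACL})
```
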