Hi all
We have a NAS in Standalone SMB mode with 3 shared folders:
AdminDrive
ProductionDrive
WorkDrive
And we have 3 groups that have RW permissions on the folders:
AdminGroup -> RW -> AdminGroup
ProductionGroup -> RW -> ProductionGroup
WorkGroup -> RW -> WorkDrive
Then we have a variety of users who may be part of WorkGroup, AdminGroup, ProductionGroup or a variety of any or all of them. The groups the user belongs to defines which shared folder it has access to. It's not really a seniority-type hierarchical choice, it's just different departments need access to different folders dependent on their role in our company.
This works in AFP but not SMB.
It seems that because each group has no RW permissions for the other drives they effectively cancel each other out from start to finish. So all I end up with is users who can RW the WorkDrive.
Do I have to set up a different group for every combination of access? If I had 5 shares that would be a huge amount of groups for all the different combinations!
It seems easier to just add access to the shared folders at the user level but what if something and I need to quickly add RW permissions to 20 users on a new drive or remove permissions etc...?
Hope someone can shed light on this for me.
MB
Share points effective permissions SMB
-
- Starting out
- Posts: 39
- Joined: Wed Feb 12, 2020 10:39 pm
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Share points effective permissions SMB
Don't deny access to the other groups. Leave them out of the shared folder permissions. (Link: "Conflicts in Shared Folder Permissions")
-
- Starting out
- Posts: 39
- Joined: Wed Feb 12, 2020 10:39 pm
Re: Share points effective permissions SMB
The other groups haven't got any explicit "deny" ticks, yet it says "no access" on its calculated permissions...
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Share points effective permissions SMB
Yes that's normal. A lack of permission means "no access" for that user or group. But unlike an explicit "Deny" it doesn't prevent access if the user or group is granted access by another permission. "Deny" takes precedence over everything else.
I don't know which part of the UI you're looking at but AFAIK what QTS shows are not calculated permissions, it only shows the permissions as they are configured.
If you want to verify the calculated/effective permissions, you need to connect to the SMB server with a specific user.
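The precedence rule described in the reply above, modelled as an added example (not part of the thread, and not QNAP's or Samba's code): a user's effective access is the union of what their groups are granted, a missing entry blocks nothing, and one explicit deny overrides every grant. The share and group names come from the first post; the user names and the helpers `effective`, `access_matrix` and `with_deny` are hypothetical.

```python
from enum import Enum

class Perm(Enum):
    DENY = "deny"
    RO = "ro"
    RW = "rw"

# Constructed sample data: one group per share, as in the first post.
SHARE_ACL = {
    "AdminDrive": {"AdminGroup": Perm.RW},
    "ProductionDrive": {"ProductionGroup": Perm.RW},
    "WorkDrive": {"WorkGroup": Perm.RW},
}

# Hypothetical users belonging to different combinations of groups.
MEMBERSHIP = {
    "alice": {"WorkGroup", "AdminGroup"},
    "bob": {"WorkGroup"},
    "carol": {"WorkGroup", "AdminGroup", "ProductionGroup"},
}

def effective(user, share, acl=SHARE_ACL, membership=MEMBERSHIP):
    """Return 'rw', 'ro' or 'none' for one user on one share."""
    entries = acl.get(share, {})
    principals = {user} | membership.get(user, set())
    matched = [entries[p] for p in principals if p in entries]
    if Perm.DENY in matched:
        return "none"  # explicit deny wins over any grant
    if Perm.RW in matched:
        return "rw"
    if Perm.RO in matched:
        return "ro"
    return "none"  # no matching entry: no access, but nothing is blocked

def access_matrix(acl=SHARE_ACL, membership=MEMBERSHIP):
    """Effective access of every user on every share, for auditing."""
    return {u: {s: effective(u, s, acl, membership) for s in acl}
            for u in membership}

def with_deny(acl, share, group):
    """Copy of acl with an explicit deny added for group on share."""
    changed = {s: dict(e) for s, e in acl.items()}
    changed[share][group] = Perm.DENY
    return changed

if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user, row)
    denied = with_deny(SHARE_ACL, "AdminDrive", "WorkGroup")
    print("alice on AdminDrive with WorkGroup denied:",
          effective("alice", "AdminDrive", denied))
```

With one group per share, three groups cover every combination of access; adding a deny for WorkGroup on AdminDrive is what locks out a user who is also in AdminGroup.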
-
- Starting out
- Posts: 39
- Joined: Wed Feb 12, 2020 10:39 pm
Re: Share points effective permissions SMB
It looks like I'm going to have to rethink our permissions hierarchy. I think we'll have to follow a more role-based access control hierarchy with groups per role in our organisation.
-
- Starting out
- Posts: 39
- Joined: Wed Feb 12, 2020 10:39 pm
Re: Share points effective permissions SMB
Can anyone tell me how Samba checks the group permissions when in standalone mode but using Access Based Share Enumeration? Does it query the smb.conf file and cross reference the /etc/group file or does it have some other database?