NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Change Permission issue (SOLVED)
I have a ReadNAS 3100
RAIDiator 4.2.15
Joined to Windows 2003 Domain
I've gone through the video and documentation to set NTFS permissions on the share. I've created a share called SALES with default Read/Write share permissions on the ReadyNAS. Then logged on to a client Windows 7 PC as the domain admin (also tried from DC with support). I cleared all permissions for the Everyone group. I then added a group called Sales and gave them full control as per the documentation. That all works fine but the issue I have is anyone that belongs to the Sales group can now modify permissions for the Sales folder. I went back in the SALES folder properties and denied Change Permission and Take Ownership permission. Hit apply and then ok. After this the permissions revert back to full control. I do not want the users to be able to modify permissions on shares. Any one else run int o this issue? I have a support call working on this as well.
RAIDiator 4.2.15
Joined to Windows 2003 Domain
I've gone through the video and documentation to set NTFS permissions on the share. I've created a share called SALES with default Read/Write share permissions on the ReadyNAS. Then logged on to a client Windows 7 PC as the domain admin (also tried from DC with support). I cleared all permissions for the Everyone group. I then added a group called Sales and gave them full control as per the documentation. That all works fine but the issue I have is anyone that belongs to the Sales group can now modify permissions for the Sales folder. I went back in the SALES folder properties and denied Change Permission and Take Ownership permission. Hit apply and then ok. After this the permissions revert back to full control. I do not want the users to be able to modify permissions on shares. Any one else run int o this issue? I have a support call working on this as well.
10 Replies
Replies have been turned off for this discussion
- The solution to this problem is create a Domain Policy that will not allow the sales domain useres to change the properties of the Sales share. There is no option in the nas that will prevent the domain users in changing the share permission. The nas frontview only covers the network level permission. That problem that you have is in the file level permission, which needs to be addressed in the DC.
- Yes the issue is File level permissions from the DC but the ReadyNAS will not let me simply give the Sales group the equivalent of the Windows Modify permission in NTFS. The Sales share was setup on the NAS with Read/Write as the default. I went in via a Windows client. Right clicked and selected properties and cleared all the selections from the Everyone group. Added the Sales group (still from the Windows client). I want to give them Read, Write and Delete. The ReadyNAS will allow me to set it to Read. When ever I select Write and click OK it bumps it up to Full Control. Which gives the members of the Sales group the ability to change NTFS permissions on the Sales folder now. The exchange between Windows NTFS permissions and Linux permissions does not seem to be working or mapped correctly. I've also rejoined the NAS to the Domain and that did not help.
- Considering that you're using 4.2.15 which is significantly out of date, I suggest updating your firmware.
- Support told me the same thing. Advanced ACLs don't work in 4.2.15. I will update tonight to .19 and try again.
- Updating to 4.2.19 made no difference. I even deleted the Sales folder and started again.
- A little progress, If I navigate to the SALES folder by drilling into the C drive 1st I can edit the permissions and they will stick (Remove Read Permissions, Write Permissions and Take Ownership). The strange part now is if I go back up to the top level and view the permissions of the SALES folder (not drilling into C 1st). The SALES group will still get Full Control again. This seems to be where Windows is reading the ACL from as the SALES group can still change permissions to the SALES folder.
- Is SALES a share or a folder within a share?
- Sales is a share. Support has also asked to again rejoin the ReadNAS to the domain since I did not do that after I updated to 4.2.19. I will do this tonight.
- Here is an update to help others.
1. Advanced ACLs are not supported below 4.2.16 so get the latest update.
2. I completely started from scratch. Disjoined the Domain and reset the ReadyNAS to Factory Default.
3. Rejoined the Domain using a static account named ReayNASadmin which is part of the Domain Admin group. No not use a user account named readynas! Rebooted the ReadyNAS.
4. Create the Share with the default permissions in Front View (Sales).
5. Log on to a client PC with using the readynasadmin account. Browse to the readynas. Drill into the C folder 1st (this seems to be the key). Then right click on your created folder and set your ACL permissions and they propagate down correctly to new folders created with in the Sales folder.
This is what fixed me. I still have an issue that when a file is created in the Sales folder using the readynasadmin account the people in the Sales group can't access the file even though they have the correct permissions. Support is looking at this issue for me. I hope this helps others! - The last issue I had was that Office files would open in Read Only if it was modified by the Readynasadmin account and then someone in the Sales group opened it.
To fix that, under Advanced CIFS Permissions for the share Enable "Automatically set permissions on new files and folders AND Enable Do not allow ACL changes to be more restrictive than this. Both must be enabled!
Group Rights: Read/Write
Everyone Rights: Read/Write
Use these rights for both new file and new folder creation.
Oplock can be enabled and does seem to play nicely with Office.
When editing an Office file office will create a new file (temp). Once the edit is done and Office is closed it will delete the original file and rename the temp file to the original file name. This is what screws up Samba.
Enjoy!
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
