chopin70
Nov 12, 2020 Virtuoso
Shares user and group permissions
Hi,
4 years after this thread...
I am migrating to FreeNAS and turning the ReadyNAS into a backup NAS
I got the opportunity to test again the shares/permissions:
- created a share: enfants2
- a group: smb_enfants_ro
- a user: enfants
- Network access: smb_enfants_ro checked RO access, smb_admin group and admin user have RW access
- File access: same
- All others are unchecked, including user "enfants2", member of smb_enfants_ro group
Windows Advanced permissions are correctly applied for the group after above setup in GUI
However, notice smb_admin and ReadyNAS admins groups permissions were not properly set by the GUI (I configured both as RW for Network Access and File Permissions in GUI)
Connection test fails:
net use o: \\NAS\enfants2 /user:enfants # connection impossible
I edit Network Connection option to explicitly add the user enfants to RO access:
Test user connection: works
net use o: \\NAS\enfants2 /user:enfants # connection succeeds and share is mounted on drive o:
So, we still have to explicitly specify the SMB user access rights, because it is not inherited from the group using the GUI !
It is weird that this is not fixed while on other NAS brands the permissions are properly applied. I have many users/groups, and being able to apply the group permissions without having to set user permissions individually is mandatory.
The issue is that every user needing access has to be explicitly added to the SMB Network Access in GUI. Adding his group is not enough. Because of that, we are then obliged to configure the rights for each individual user in Windows, making the use of groups to quickly set permissions useless !
Again, at least on the FreeNAS and a colleague's Synology NAS, this is not the case and we only have to set up the group permissions
Hope this gets fixed after so many years...
Best regards
- chopin70 Virtuoso
Looks like the forum still corrupts uploaded images!
Here they are + edited in first post
https://ibb.co/LZ8y7xH
https://ibb.co/HHtnfGC
https://ibb.co/0XNnBDr
https://ibb.co/TRy2ZhB
- StephenB Guru - Experienced User
Normally I recommend leaving the file permissions set to everyone access, and controlling access with network permissions alone.
When I tried that, it is working ok.
Network Access:
File Access:
Test
I was unable to copy a file into the folder - confirming that enfants only had read access.
- chopin70 Virtuoso
Interesting
However, that is really a very bad fix you suggested
As per the doc, Network Permissions will apply Samba permissions.
However, File Permissions are related to the Unix system permissions
With your fix, if your user needs shell access, he will have r/w permissions everywhere. Worse, from my tests, he even has rmdir permission on directories he's not the owner of, which is really weird
Here's the example:
member : group
teddy : read
tommy : readw
https://imgshare.io/image/groups.N0hLn9
Shares:
share name: office
https://imgshare.io/image/share.N0hG1F
Network permissions:
group read: has read access
group readw : has r/w access
https://imgshare.io/image/network.N0hQmO
File Permissions:
allow all
https://imgshare.io/image/files.N0hooQ
Give the users shell access, then SSH into the NAS
Here are the results of the simple shell commands creating / deleting folders
```
# login as teddy user (ro only access to office in SAMBA)
root@NAS-01:/# su - teddy
# teddy tries to create some files and dirs: surprise, it is possible !
teddy@NAS-01:~$ cd /medias1/office
teddy@NAS-01:/medias1/office$ touch teddy.file
mkdir teddy
touch teddy/file
exit
logout
# login as tommy (r/w access on office in SAMBA)
# and create some dirs/files
root@NAS-01:/home/admin# su - tommy
tommy@NAS-01:~$ cd /medias1/office
tommy@NAS-01:/medias1/office$ mkdir tommy
touch tommy.file
touch tommy/tommy.file
# we have now files and dirs owned by both teddy (ro) and tommy (rw)
tommy@NAS-01:/medias1/office$ ls -la
total 32
drwxrwxrwx+ 1 guest guest 80 Nov 14 14:22 .
drwxr-xr-x 1 root root 76 Nov 14 14:15 ..
drwxrwxrwx+ 1 teddy read 8 Nov 14 14:21 teddy
-rw-rw-rw-+ 1 teddy read 0 Nov 14 14:21 teddy.file
drwxrwxrwx+ 1 tommy readw 20 Nov 14 14:22 tommy
-rw-rw-rw-+ 1 tommy readw 0 Nov 14 14:22 tommy.file
exit
logout
# teddy (ro) is back and deletes tommy's files and dirs
root@NAS-01:/home/admin# su - teddy
teddy@NAS-01:~$ cd /medias1/office
teddy@NAS-01:/medias1/office$ rm tommy.file
rm -rf tommy
ls -la
total 32
drwxrwxrwx+ 1 guest guest 50 Nov 14 14:22 .
drwxr-xr-x 1 root root 76 Nov 14 14:15 ..
drwxrwxrwx+ 1 teddy read 8 Nov 14 14:21 teddy
-rw-rw-rw-+ 1 teddy read 0 Nov 14 14:21 teddy.file
```
It seems that the ReadyNAS doesn't properly apply ACL permissions from within the GUI, if it even applies them at all. I did not try to apply the permissions from Windows and check if they translate to ACLs in the shell and properly set the Unix permissions on access from shell. However, in the end, if it even works, it means we must set up all users' file access from the GUI, then from Windows, and that group-only permissions will not apply if the user is not configured
Again, this is weird, as it really works out of the box in other brands I tested, while here we don't know what kind of access is really done / applied.
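The `ls -la` listing in the shell test above shows `drwxrwxrwx` on the share with no sticky bit. On a POSIX filesystem, removing an entry requires write permission on the containing directory, not ownership of the entry, so any local account can delete files there. The script below is an added example, not part of the thread: it audits a share path for that condition. The function names and the constructed temporary tree are assumptions; only the path `/medias1/office` comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads POSIX mode bits only; ACL entries
# (the "+" after the mode in ls -la) need getfacl to inspect.

# Directories writable by "other" with no sticky bit: any local account can
# delete or rename entries in them, whoever owns those entries.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Regular files whose content any local account can overwrite.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Print a one-line summary; return 0 only when nothing is flagged.
audit_share() {
    dirs=$(world_writable_dirs "$1" | wc -l)
    files=$(world_writable_files "$1" | wc -l)
    echo "unsafe_dirs=$((dirs)) world_writable_files=$((files))"
    [ "$((dirs))" -eq 0 ] && [ "$((files))" -eq 0 ]
}

# Constructed sample tree mirroring the listing above (modes only, no ACLs).
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/office/tommy" "$root/office/private"
    : > "$root/office/tommy.file"
    chmod 0777 "$root/office" "$root/office/tommy"
    chmod 0666 "$root/office/tommy.file"
    chmod 0750 "$root/office/private"
    echo "$root/office"
}

# Usage on the NAS (path taken from the thread): audit_share /medias1/office
```

A non-zero return from `audit_share` means shell users can modify or delete content regardless of the SMB network permissions set on the share.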