Sorry we lost some posts because of database errors!

*New 12.1 series Release:
2020-09-01: XigmaNAS 12.1.0.4.7728 - released

*New 11.4 series Release:
2020-08-27: XigmaNAS 11.4.0.4.7718 - released!


We really need "Your" help on XigmaNAS https://translations.launchpad.net/xigmanas translations. Please help today!

Producing and hosting XigmaNAS costs money. Please consider donating for our project so that we can continue to offer you the best.
We need your support! eg: PAYPAL

Permissions to replicate workgroup user based shares - what's best practice ?

Authenticating users & groups on XigmaNAS.
Forum rules
Set-Up GuideFAQsForum Rules
Post Reply
rappel
NewUser
NewUser
Posts: 12
Joined: 28 Apr 2020 18:04
Status: Offline

Permissions to replicate workgroup user based shares - what's best practice ?

#1

Post by rappel »

Simple-ish use case.
XigmaNAS server, Datasets and corresponding shares, A,B,C,D
Clients primarily Windows and some Android. Passwords on Windows clients set on Xigmanas user accounts. (Android clients yet to come, suspect this will depend on app used to access)
No Active Directory or any other Directory service.

A - Personal share for Fred. He can do anything.
B - Publicly accessible by anyone for everything.
E - Publicly accessible by anyone for read, accessible by Fred for File write, directory creation etc. It's his area to share things with the world.
F- Accessible by Group1 for anything
K - Accessible by Group1 for read, accessible by Fred for File write, directory creation etc. It's his area to share things with Group1.
L - Accessible by Group1 for read, accessible by Group2 for File write, directory creation etc. It's their working area but they want Group1 to be able to read anything.

So what is the best way to do each of these to a) avoid future problems and b) maintain security?
I think a couple might have more than one way to do. I can't see how to achieve 'L' at all given only one group and no public access required.

Issues I'd like to clear up with the answer are:
is it OK to simply define and use a group for group permissions on dataset i.e. leave root as owner where there is no specific user privacy required?
is it OK to leave a group set as wheel when you have a personal share? i.e. don't create a group specifically for the user and assign to the dataset?
What's the relationship between the guest account that users are defaulted to be in with the allow guest access in the SMB share tabs? Logged in users without the guest group seem to be able to access a "guest access" share anyway.

Would the answers be any different if I said that I wanted all NTFS ACLs to be correctly carried over and later on I might want them to also be used in calculating accessibility to a file?

I'm asking because I'm reasonably familiar with doing this in a Windows environment, but while I have set Unix style permissions before I've not done it in a mixed environment, nor have I really pushed my understanding of how the UNIX ones apply practically. Equally While SAMBA is a wonderful tool it's quite complex and I've caught a crab before when trying to configure myself. While the Xigmanas interface simplifies this considerably, there's also not a lot of refs to what needs to be configured through which WebGUI pages. -
I've found literally hundreds of refs that seem to address this but when you get into them they are specific use cases, not general best practice and often there's an overwhelming list of instructions on how to do this with SMB.Conf files etc.

To be honest I can probably work out the latter as there are only four screens - Account user & group, ZFS dataset and SMB share.

As ever any help appreciated.
Setup
SuperMicro X9SCM-F; 16GB ECC; 6 x 12TB Toshiba N300; system disk Supermicro 120GB SSD

User avatar
ms49434
Developer
Developer
Posts: 840
Joined: 03 Sep 2015 18:49
Location: Neuenkirchen-Vörden, Germany - GMT+1
Contact:
Status: Offline

Re: Permissions to replicate workgroup user based shares - what's best practice ?

#2

Post by ms49434 »

You need to enable ZFS ACL inheritance on your datasets, create all necessary users and groups, then maintain permissions using setfacl/getfacl.

man setfacl -> NFSv4 ACL ENTRIES
Samba 4 on FreeBSD with ZFS and NFSv4 ACLs
1) XigmaNAS 12.1.0.4 amd64-embedded on a Dell T20 running in a VM on ESXi 6.7U3, 22GB out of 32GB ECC RAM, LSI 9300-8i IT mode in passthrough mode. Pool 1: 2x HGST 10TB, mirrored, L2ARC: Samsung 850 Pro; Pool 2: 1x Samsung 860 EVO 1TB, SLOG: Samsung SM883, services: Samba AD, CIFS/SMB, ftp, ctld, rsync, syncthing, zfs snapshots.
2) XigmaNAS 12.1.0.4 amd64-embedded on a Dell T20 running in a VM on ESXi 6.7U3, 8GB out of 32GB ECC RAM, IBM M1215 crossflashed, IT mode, passthrough mode, 2x HGST 10TB , services: rsync.

rappel
NewUser
NewUser
Posts: 12
Joined: 28 Apr 2020 18:04
Status: Offline

Re: Permissions to replicate workgroup user based shares - what's best practice ?

#3

Post by rappel »

Having skimmed the refs, I can see that if I read through in detail they will most likely help me with the 'L' configuration and also perhaps when I get to looking at how to later get NTFS ACLs working (I assume that the inference is that they map somehow to ZFS ACLs)
However the articles ref'ed are more how to do it, not what to do and what's best. I assume from what you said and the ref'd content that more complex situations will need CLI commands. Not a problem.

What I'm after for A,B,E,F & K, I think can be done simply with std. owner/group/world permissions as the permissions are applied at a dataset level and don't need to change below. I can state what I've set up for comment but I was trying to avoid focussing on what I've done so that folks could suggest what best practice might look like for these.

Or are you saying that I should really avoid those altogether, leave owner at root and group at wheel and go for ZFS ACLs across the board?
Setup
SuperMicro X9SCM-F; 16GB ECC; 6 x 12TB Toshiba N300; system disk Supermicro 120GB SSD

Post Reply

Return to “Local Users & Groups”