ACL set codes
Working with permissions in the NAS4FREE shell is a pleasant and enjoyable experience... *cough*, *cough*.
    $ getfacl /tank/shared
    # file: /tank/shared
    # owner: aduser
    # group: 500
    everyone@:rwxpD-a-R-c---:------:allow
    group@:rwxpD-a-R-c---:------:allow
    group:aduser:rwxpDdaARWcCo-:fd----:allow
    group:adgroup_shared_share_access:rwxpDdaARWc---:fd----:allow
full_set = rwxpdDaARWcCos = all permissions
modify_set = rwxpdDaARWc--s = all permissions except write_acl, write_owner
read_set = r-----a-R-c--- = read_data, read_attributes, read_xattr, read_acl
write_set = -w-p---A-W---- = write_data, append_data, write_attributes, write_xattr
NFSv4 ACL legend (read from the top down and exit on first match)
                 owner@:--------------:-------:deny
                 owner@:rwxp---A-W-Co-:-------:allow
                 group@:-w-p----------:-------:deny
                 group@:r-x-----------:-------:allow
              everyone@:-w-p---A-W-Co-:-------:deny
              everyone@:r-x---a-R-c--s:-------:allow
                        ||||||||||||||:|||||||
           (r)read data +|||||||||||||:||||||+ (I)nherited
           (w)rite data -+||||||||||||:|||||+- (F)ailed access (audit)
              e(x)ecute --+|||||||||||:||||+-- (S)uccess access (audit)
               a(p)pend ---+||||||||||:|||+--- (n)o propagate
               (d)elete ----+|||||||||:||+---- (i)nherit only
         (D)elete child -----+||||||||:|+----- (d)irectory inherit
          read (a)ttrib ------+|||||||:+------ (f)ile inherit
         write (A)ttrib -------+||||||
           (R)ead xattr --------+|||||
          (W)rite xattr ---------+||||
             read a(c)l ----------+|||
            write a(C)l -----------+||
         change (o)wner ------------+|
                   sync -------------+
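The legend's top-down rule applied to the ACL entries shown in this post, as an added Python example (not from the original post or the NAS4FREE project): it parses getfacl lines, decides a single permission by first match, and lists the write-class permissions that everyone@ is allowed. The function names and the WRITE_CLASS grouping are assumptions made for this example; SHARED and LEGEND are the entries copied from the post.

```python
# Added example (not from the original post): decode getfacl NFSv4 ACL lines.
PERMS = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
         "d": "delete", "D": "delete_child", "a": "read_attributes",
         "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
         "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize"}
WRITE_CLASS = set("wpdDACo")  # assumption: what this check treats as "can modify"

def parse_entry(line):
    # who:perms:flags:type, where who may itself contain a colon (group:aduser)
    who, perms, flags, kind = line.strip().rsplit(":", 3)
    return {"who": who, "type": kind,
            "perms": set(perms) - {"-"}, "flags": set(flags) - {"-"}}

def parse_acl(text):
    # Skip the prompt line and the "# file / # owner / # group" header lines.
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(("#", "$"))]

def first_match(entries, principals, perm):
    # Top-down walk as in the legend: the first applicable entry naming perm decides.
    # Inherit-only entries (flag i) apply to children only, so they are skipped.
    for e in entries:
        if "i" not in e["flags"] and e["who"] in principals and perm in e["perms"]:
            return e["type"]
    return "deny"                  # no entry grants it

def everyone_write_perms(entries):
    # Write-class permissions handed out by everyone@ allow entries.
    found = set()
    for e in entries:
        if e["who"] == "everyone@" and e["type"] == "allow" and "i" not in e["flags"]:
            found |= e["perms"] & WRITE_CLASS
    return sorted(PERMS[c] for c in found)

SHARED = """\
# file: /tank/shared
everyone@:rwxpD-a-R-c---:------:allow
group@:rwxpD-a-R-c---:------:allow
group:aduser:rwxpDdaARWcCo-:fd----:allow
group:adgroup_shared_share_access:rwxpDdaARWc---:fd----:allow
"""
LEGEND = """\
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
"""
```

Calling everyone_write_perms(parse_acl(SHARED)) shows that the everyone@ entry on /tank/shared allows write_data, append_data and delete_child, which is worth tightening once the AD group entries are in place.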
Changing permissions from the NAS4FREE console is possible:
    setfacl -m u:aduser:rwxpdaARWc:fd:allow folderHere
    setfacl -m g:adgroup_shared_share_access:rwxpDaARWcCo:fd:allow shared/
But it's probably easier to manage it from a Windows workstation.
Pick one responsible user and grant him/her SeDiskOperatorPrivilege:
    net rpc rights grant aduser SeDiskOperatorPrivilege -U adadmin
    net rpc rights list accounts -P
    net rpc rights list -P
Also add the following in the NAS4FREE web interface under Services|CIFS/SMB|Share|Edit|Auxiliary parameters:
    admin users = aduser
    valid users = @adgroup_shared_share_access, @"ADgroup Shared Share Access"
    write list = @adgroup_shared_share_access, @"ADgroup Shared Share Access"
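And just let that user do the hard work of dealing with the other users. Note that admin users makes Samba perform all of that account's file operations on the share as root, so keep the list to that one responsible user.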
Useful links
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:services_cifs_smb_samba
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:services_cifs_smb_shares