Problem with subfolder permissions

Hello,
I am new to UCS and I am facing a permissions problem. I think this is basic, but the boat was already moving when I arrived here at work, so I understand almost nothing about UCS and Samba.

Here we have only 4 shared folders, but inside one of those folders there are subfolders. Everybody can use the folders normally, but the subfolders are restricted to only one user; other users can see them but cannot write or execute. I do not know how to proceed, can someone help me?
I am sorry about my English, I am Brazilian.

Could anyone help me? I still have this problem.

I guess you have some Windows workstations in a domain?
I’d try to:

  1. Connect to the server through SMB from a workstation that is joined to the domain, using Domain Admin credentials: \\yourserver\
  2. Check folder and file permissions for each shared folder (something like https://www.varonis.com/blog/ntfs-permissions-vs-share/) for the granted domain groups.

By default a share won’t do anything special regarding permissions for files & folders inside that share. This means that a file created by user A will only be writable by user A but not by user B. It might be readable by user B depending on the share’s settings. This is the “safe by default” route.

You generally have two options if you want to grant a group of users the same type of access to a set of files & folders:

Same permissions on all files & directories for all users connecting to a share

If you have a share where all users accessing the share shall have the same type of access to all of the files, you can configure the share to map the user & group credentials of the connecting user to a well-known user and/or group. These settings are called “force user” and “force group” in the share’s settings in the Univention Management Console (edit the share & go to “Advanced Settings” → “Samba options”).

Together with that setting you should also use the “force file mode” and “force directory mode” settings from “Advanced Settings” → “Samba Extended Permissions”.

A typical use case would be a share solely for the HR department. You’ll probably want to restrict the users allowed to connect to the share by setting the “allowed users” option to a group name, e.g. @HR. Then set “force group” to HR, too, and adjust “force file mode” and “force directory mode” so that the group always has all rights.

The drawback is that you cannot make exceptions for any of the files & directories in that share. If you have one or more files which should be restricted further, you either have to move them to a different share with different settings, or you must abandon this approach altogether and choose the following method:

Managing extended permissions from Windows

If you have a share where certain files & directories should be available to one group while other files & directories need different permissions from the first set of files & directories, you’ll have to use ACLs (access control lists). The easiest way to manage those is from a Windows machine joined into the domain.

Before you can start, though, you’ll have to configure the share to allow NT ACLs in the Univention Management Console. Edit the share, go to “Advanced Settings” → “Samba Permissions” and enable the “NT ACL support” option.

Then log in on Windows as a domain user with domain admin privileges (it can be administrator, but any member of the Domain Admins group will do). Connect to your file server, go into the share, right-click on folders & files and use Windows’ built-in ACL management facilities. Google for how to edit file & directory permissions/ACLs with Windows if you’re unsure how to do that.

This approach is the right one for shares where mixed content with mixed security requirements exists.

The obvious drawback compared to the first method is that it isn’t instantly obvious who has access to what.
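As an added illustration (not from this thread and not UCS’s own generated configuration), these are the smb.conf parameters that the UMC settings named above correspond to, with the two approaches side by side. UCS writes smb.conf from its own templates, so on a UCS server these values are set through UMC rather than by editing the file; the share names, paths and the HR group are assumed.

```ini
# Approach 1: the same permissions for everyone on the share.
# Only members of HR may connect, every file ends up owned by group HR,
# and files/folders get group read+write no matter which user created them.
# (Samba only treats ';' and '#' as comments at the start of a line.)
[hr]
    ; assumed path
    path = /home/groups/hr
    ; UMC "allowed users"
    valid users = @HR
    ; UMC "force group"
    force group = HR
    ; UMC "force file mode": owner and group may read/write
    force create mode = 0660
    ; UMC "force directory mode": the setgid bit (2xxx) keeps
    ; new subfolders in group HR as well
    force directory mode = 2770

# Approach 2: mixed content with per-folder exceptions.
# Nothing is forced; the share honours NT ACLs set from the Windows
# security tab, so one subfolder can be opened to a second group
# while the rest of the share stays restricted. This is the setting
# the original poster's "subfolder writable by one user only" case
# ends up needing if the subfolders really should differ.
[projects]
    ; assumed path
    path = /home/groups/projects
    valid users = @"Domain Users"
    ; UMC "NT ACL support"
    nt acl support = yes
    ; new files and folders inherit the parent folder's ACL
    inherit acls = yes
    ; keep Windows inheritance flags so the security tab shows them
    map acl inherit = yes
```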
