CIFS Access Base Enumeration Setup


Symptoms

Users accessing a CIFS/SMB share often see folders and files that they do not have permission to access. Although access is denied when they try to open these resources, the visibility alone can cause confusion and unnecessary support requests.

In environments with shared data, this often leads users to assume they have permissions they do not, or to believe sensitive data is exposed when in fact it is not.

Purpose

This KB explains how to enable Access-Based Enumeration (ABE) on CIFS shares in SoftNAS so that users only see files and directories they are explicitly authorized to access.

ABE improves security posture, reduces user confusion, and aligns CIFS behavior with the principle of least privilege by hiding inaccessible objects from view.

Resolution

What is Access-Based Enumeration (ABE)?

Access-Based Enumeration is a CIFS/SMB feature that filters directory listings based on the user’s effective permissions. When enabled:

  • Users only see folders/files they have read permissions for

  • Unauthorized objects are completely hidden, not just inaccessible

  • Permission enforcement remains unchanged. Only visibility is affected

Enabling ABE on a CIFS Share (SoftNAS)

Step 1: Edit the Samba configuration file

Open the Samba config file:
vim /etc/samba/smb.conf

In the [global] section, add this line just below the last directive:
access based share enum = yes

Example:
client max protocol = SMB3
access based share enum = yes

Step 2: Update the share definition

Find the share section named after the volume (e.g., [vol1]) in the config and add the two lines below to hide files and folders the user cannot read or write:

hide unreadable = yes
hide unwritable files = yes

Example:
[vol1]
writable = yes
browseable = yes
public = yes
guest ok = yes
path = /pool1/vol1
directory mask = 0777
create mask = 0777
vfs objects = shadow_copy2 acl_xattr streams_depot
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: snapprefix = .*
shadow: delimiter = -
shadow: format = -%Y%m%d-%H%M%S
shadow: localtime = no
hide unreadable = yes
hide unwritable files = yes

Step 3: Restart Samba services

Restart the necessary Samba and Winbind services to apply changes:

systemctl restart sernet-samba-smbd
systemctl restart sernet-samba-winbindd

Verify that the services restarted successfully:

systemctl status sernet-samba-smbd
systemctl status sernet-samba-winbindd
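Before restarting the services, it is worth checking that the two edits above actually landed where they should: "access based share enum" only takes effect in [global] and hides inaccessible shares from the share list, while "hide unreadable" and "hide unwritable files" are per-share settings that hide objects inside a share. The script below is an added example, not part of the SoftNAS KB or the Samba project: it audits an smb.conf for those three settings and reports every share section that is missing one. The function name abe_audit and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SoftNAS or Samba code): audit an smb.conf for the
# Access-Based Enumeration settings from Steps 1 and 2.
# abe_audit <smb.conf> exits 0 when [global] has "access based share enum = yes"
# and every other section has "hide unreadable = yes" and
# "hide unwritable files = yes"; otherwise it prints each MISSING item and exits 1.
abe_audit() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        # Samba accepts yes/true/1 as boolean true
        function is_yes(v) { return (v == "yes" || v == "true" || v == "1") }
        /^[ \t]*[;#]/ { next }                         # skip comment lines
        /^[ \t]*\[/ {                                  # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(trim(sec)); sections[++n] = sec; next
        }
        /=/ && sec != "" {                             # key = value inside a section
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = tolower(trim(substr($0, index($0, "=") + 1)))
            conf[sec, key] = val
        }
        END {
            rc = 0
            if (!is_yes(conf["global", "access based share enum"])) {
                print "MISSING: [global] access based share enum = yes"; rc = 1
            }
            for (i = 1; i <= n; i++) {
                s = sections[i]
                if (s == "global") continue
                if (!is_yes(conf[s, "hide unreadable"])) {
                    print "MISSING: [" s "] hide unreadable = yes"; rc = 1
                }
                if (!is_yes(conf[s, "hide unwritable files"])) {
                    print "MISSING: [" s "] hide unwritable files = yes"; rc = 1
                }
            }
            if (rc == 0) print "OK: ABE settings present in [global] and every share"
            exit rc
        }
    ' "$1"
}

# Constructed sample configs (not taken from a real system) to exercise the audit.
GOOD_CONF=$(mktemp) ; BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

cat > "$GOOD_CONF" <<'EOF'
[global]
client max protocol = SMB3
access based share enum = yes

[vol1]
path = /pool1/vol1
vfs objects = shadow_copy2 acl_xattr streams_depot
shadow: format = -%Y%m%d-%H%M%S
hide unreadable = yes
hide unwritable files = yes
EOF

# [global] lacks the share-enum line, vol1 lacks one setting, vol2 lacks both.
cat > "$BAD_CONF" <<'EOF'
[global]
client max protocol = SMB3
; access based share enum = yes

[vol1]
path = /pool1/vol1
hide unreadable = yes

[vol2]
path = /pool1/vol2
EOF

echo "== compliant config =="
abe_audit "$GOOD_CONF" || true
echo "== non-compliant config =="
abe_audit "$BAD_CONF" || true
```

Run it against the live file with abe_audit /etc/samba/smb.conf; on a SoftNAS node you can also confirm the effective values with Samba's own testparm -s, which prints the parsed configuration after defaults and includes are applied. The audit only checks that the directives are present, so Step 3 (restart and status check) and the visibility tests below are still needed to confirm the behaviour.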

Setting the User Permissions from the Windows Security tab via UNC path

1. Connect to the Share

  1. Open Windows Explorer.

  2. Enter \\softnasIP in the address bar and press Enter. NOTE: replace \\softnasIP with the actual IP address or hostname of your SoftNAS instance.

2. Set Folder Permissions via Security Tab

  1. Right-click on the volume/sharename (e.g., vol1) → select Properties.

  2. Go to the Security tab.

  3. Click Edit to change permissions.

  4. Click Add → enter the domain user/group name (e.g., LAB\Administrator) → give the domain user full permissions and click OK.

  5. Right-click on the volume/sharename (e.g., vol1) → select Properties again.

  6. Remove the ‘Everyone’ entry and click OK.
    NOTE: Only remove this entry once you are sure a domain admin with full permissions has already been added to the share, to avoid locking yourself out.

  7. Right-click on the volume/sharename (e.g., vol1) → select Properties again.

  8. Now you can start adding your desired users.

  9. Select the user → check the desired permission boxes:

    • Allow → Full Control / Modify / Read & Execute as needed

    • Deny → Explicitly deny any access you want to block

  10. Click Apply, then OK to close all dialogs.

  11. Create multiple folders (e.g., folderA, folderB, folderC) under the volume/sharename.

3. Confirm Inheritance

To prevent unwanted inherited access:

  1. Go to Advanced under the Security tab.

  2. Uncheck “Include inheritable permissions from this object’s parent” if you want to break inheritance.
    NOTE: This must be done on the volume/sharename itself first.

  3. Choose to Convert or Remove inherited permissions.

  4. Ensure only desired entries remain.

  5. Click OK to save.

Visibility Testing (Access-Based Enumeration)

Once permissions are in place:

Test 1 – User sees only allowed folders:

  1. Log in to a test Windows PC that is joined to your DC as LAB\qauser1.

  2. Open \\softnasIP\vol1

  3. You should see only the folders qauser1 has access to.
    Folders where access is denied or not granted should be invisible, assuming:

    • hide unreadable = yes

    • hide unwritable files = yes

    • ACLs are working as expected

Test 2 – Log in as another user (e.g., qauser2) and repeat.
