Managing CIFS shares permissions after joining AD

Introduction:

After joining SoftNAS to Microsoft Active Directory, there are three different methods for controlling user and group access:

  1. POSIX ACLs (NTFS compatible) [AD]
  2. Windows Share Permissions [AD]
  3. Samba valid users (From SoftNAS UI)

  • There is no longer any need or advantage to using the SoftNAS UI to manage permissions for SAMBA/CIFS. If configured correctly, you can manage these permissions entirely via Active Directory.

  • When you create a new volume and share it using CIFS, by default it is owned by the root user and the root group; both have full permissions on that folder, as does Everyone.

POSIX ACLs

POSIX ACLs are a type of access control list compatible with NTFS. This layer of security lives in the inode table of the file system itself.

The recommended method is to manage these permissions using Active Directory, although they can also be managed from the SoftNAS CLI if necessary.

Best Practice - Security Focused Point of View

  1. Change the ownership of the share to the user(s) you want.

  2. Add the required permissions to the user(s) you want.

  3. If wanted, remove the Everyone permission, but not until you have configured permissions for yourself.

DO NOT start by removing the Everyone permissions, as this will lock you out.

If you have locked yourself out, you will need to use the SoftNAS CLI to change the permissions for "others" back to rwx.

Windows Share Permissions

Share Permissions are another layer of security managed and hosted by Active Directory, and are not stored within the file system of the shares.

By default, when you join SoftNAS to Active Directory using the UI, you will be asked for the groups that will be able to manage the share permissions. This step grants the selected groups the SeDiskOperatorPrivilege.

By default, the Share permissions are set to allow Everyone to access the share, but of course any user will also hit the other layer of security (the POSIX ACL permissions). If the POSIX ACL layer does not grant permissions to a particular user, then the share permissions have no effect.

In other words, allowing access for a certain user on a certain share using share permissions has no effect if that user has no POSIX ACL permissions, and vice versa.
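As an added example (not SoftNAS code), the following Python model shows how the two layers combine, which is the "no effect ... and vice versa" rule above, and why the Best Practice steps insist on ordering: the share layer and the POSIX ACL layer are evaluated separately and both must grant. The ACL evaluation follows the order documented in acl(5); the share layer is simplified to "rwx" strings, and the names PosixAcl, effective_access and safe_to_remove_everyone are assumptions of this example.

```python
from dataclasses import dataclass, field, replace

@dataclass
class PosixAcl:
    """One directory's POSIX ACL; perms are strings drawn from "rwx" / "-"."""
    owner: str
    group: str
    user_obj: str = "rwx"                       # owner entry
    group_obj: str = "rwx"                      # owning-group entry
    other: str = "rwx"                          # "Everyone" in Windows terms
    users: dict = field(default_factory=dict)   # named users  (setfacl -m u:NAME:PERMS)
    groups: dict = field(default_factory=dict)  # named groups (setfacl -m g:NAME:PERMS)
    mask: str = "rwx"                           # caps named users and all group entries

def _grants(perms, want):
    """True if every requested right (dashes ignored) is present in perms."""
    return all(p in perms for p in want.replace("-", ""))

def posix_allows(acl, user, user_groups, want="rwx"):
    """acl(5) order: owner, then named user, then every matching group entry,
    then other. A matching group entry stops the fall-through to 'other'."""
    if user == acl.owner:
        return _grants(acl.user_obj, want)
    if user in acl.users:
        return _grants(acl.users[user], want) and _grants(acl.mask, want)
    matches = [acl.group_obj] if acl.group in user_groups else []
    matches += [p for g, p in acl.groups.items() if g in user_groups]
    if matches:
        return any(_grants(p, want) and _grants(acl.mask, want) for p in matches)
    return _grants(acl.other, want)

def share_allows(share_acl, user, user_groups, want="rwx"):
    """Share permissions: any matching principal (Everyone, the user, or one of
    the user's groups) that carries the wanted rights allows the connection."""
    principals = {"Everyone", user, *user_groups}
    return any(_grants(p, want) for n, p in share_acl.items() if n in principals)

def effective_access(share_acl, acl, user, user_groups, want="rwx"):
    """Both layers must grant; either layer denying is enough to block access."""
    return (share_allows(share_acl, user, user_groups, want)
            and posix_allows(acl, user, user_groups, want))

def safe_to_remove_everyone(acl, admin, admin_groups):
    """Pre-flight for Best Practice step 3: drop 'other' only if the admin keeps
    access through the owner, a named-user or a group entry."""
    return posix_allows(replace(acl, other="---"), admin, admin_groups)

if __name__ == "__main__":
    # Constructed sample: a freshly shared volume (root:root, Everyone rwx).
    share, fresh = {"Everyone": "rwx"}, PosixAcl(owner="root", group="root")
    print(effective_access(share, fresh, "alice", ["Domain Users"]))  # True
    print(safe_to_remove_everyone(fresh, "alice", ["Domain Users"]))   # False: would lock out
    print(safe_to_remove_everyone(replace(fresh, owner="alice"), "alice", ["Domain Users"]))  # True
```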

  • If you are not sure which groups have been assigned the SeDiskOperatorPrivilege, you can check by issuing the following command in the SoftNAS CLI (the -U option names the account to authenticate with):

    net rpc rights list accounts -U <ADMIN>

  • If you need to allow other groups to manage the share after you have already joined the Active Directory, issue the following command in the SoftNAS CLI:

    /var/www/softnas/scripts/ad_group_permission.sh -f <ADMIN> -g <PASSWORD> -i "SOFTNAS\<GROUP>"

Managing Share Permissions

  • Using an account that is a member of the Domain Admins group, log in to any domain-joined Windows machine.

  • Open Computer Management.

  • Navigate to Action > Connect to another computer ...

  • Enter the SoftNAS Domain Name.

  • Navigate to System Tools > Shared Folders > Shares and select the share.

    Ignore any warning message(s).

Samba Valid Users from SoftNAS UI

You still have the option to manage access to shares using the SoftNAS UI, but it is not recommended, as it would mean managing permissions from two entirely different systems (SoftNAS and Active Directory), with two different sets of permissions to maintain.

This will very likely lead to confusion and human error, without any real benefit.