docs_in_draft:nas_permissions

Differences

This shows you the differences between two versions of the page.

docs_in_draft:nas_permissions [2024/04/22 16:41] – [Samba (SMB) Network Shares] crashtest
docs_in_draft:nas_permissions [2024/04/24 02:17] – [Permissions Notes:] crashtest
Line 14: Line 14:
 ===== General ===== ===== General =====
 \\ \\
-The purpose of this document is to provide an overview explanation of access control settings, using Samba network shares, in a peer-to-peer network.  It's a brief explanation of permissions, as implemented within Openmediavault's GUI, with some usable examples.  It does not apply, directly, to Domains or LDAP environments.\\+The purpose of this document is to provide an overview explanation of access control settings, using Samba network shares, in a peer-to-peer network.  It's a brief explanation of permissions, as implemented within Openmediavault's GUI, with some usable examples.  It does not apply, directly, to LDAP or Domains environments.\\
 \\ \\
-In Openmediavault's [[https://wiki.omv-extras.org/doku.php?id=omv7:new_user_guide|New Users Guide]], in the sections [[https://wiki.omv-extras.org/doku.php?id=omv7:new_user_guide#setting_up_a_shared_folder|Setting up a Shared Folder]] and [[https://wiki.omv-extras.org/doku.php?id=omv7:new_user_guide#creating_a_smb_cif_samba_network_share|Creating a SMB/CIF “Samba” Network Share]], permission selections where made that will allow **ALL** local LAN users to connect to OMV server shares with **write** access.  For home LAN's with one or two users, this may be adequate.\\+In Openmediavault's [[https://wiki.omv-extras.org/doku.php?id=omv7:new_user_guide|New Users Guide]], in the sections [[https://wiki.omv-extras.org/doku.php?id=omv7:new_user_guide#setting_up_a_shared_folder|Setting up a Shared Folder]] and [[https://wiki.omv-extras.org/doku.php?id=omv7:new_user_guide#creating_a_smb_cif_samba_network_share|Creating a SMB/CIF “Samba” Network Share]], permission selections where made that will allow **ALL** local LAN users to connect to OMV server shares with **write** access.  For home LAN admin'swith one or two users, this may be adequate.\\
 \\ \\
 On the other hand, some home users may want to prevent children from deleting files and provision to  allow guest login's with Read only access.  Further, small businesses may want to grant or restrict employee access to specific shares.  These scenarios will require that permissions are implemented for NAS share access control.\\ On the other hand, some home users may want to prevent children from deleting files and provision to  allow guest login's with Read only access.  Further, small businesses may want to grant or restrict employee access to specific shares.  These scenarios will require that permissions are implemented for NAS share access control.\\
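Review bot: the new right-hand wording in the second paragraph runs two words together ("admin'swith") and uses a possessive for a plural; suggest "For home LAN admins with one or two users". While in this hunk, "permission selections where made" should read "were made" (both sides), "Domains environments" reads better as "Domain environments", and "guest login's" in the unchanged third paragraph is "guest logins".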
Line 68: Line 68:
 Under, **Users**, **Users**, click on the **+Add** button. In the popdown menu, click **+Create**.\\ Under, **Users**, **Users**, click on the **+Add** button. In the popdown menu, click **+Create**.\\
 \\ \\
-{{ :omv7-perms-01.jpg?600 |}}+{{ :omv7-perms-01.jpg?800 |}} 
 +\\ 
 +----
 \\ \\
 **Name:**  Add the user name **exactly** as it is entered in the workstation logon, with capitalized letters if used.\\ **Name:**  Add the user name **exactly** as it is entered in the workstation logon, with capitalized letters if used.\\
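Review bot: the width change from 600 to 800 for omv7-perms-01 (and for 02 and 03 in the following hunks) leaves omv7-perms-08 in the Line 195 hunk at nolink&600; confirm the mismatch is intentional so the screenshots render at a consistent size.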
Line 75: Line 77:
 (In this example, the eye icon was used to show the password unmasked.) (In this example, the eye icon was used to show the password unmasked.)
 \\ \\
-{{ :omv7-perms-02.jpg?600 |}}+{{ :omv7-perms-02.jpg?800 |}}
 \\ \\
 <html><center><b>Save</b> the entry and <b>Confirm</b> the change.</center></html> <html><center><b>Save</b> the entry and <b>Confirm</b> the change.</center></html>
 +\\
 +----
 \\ \\
 Repeat the process, adding all LAN users that will need access to the server's shares where permissions are applied.\\ Repeat the process, adding all LAN users that will need access to the server's shares where permissions are applied.\\
Line 83: Line 87:
 <html><center>The End Result</center></html> <html><center>The End Result</center></html>
 \\ \\
-{{ :omv7-perms-03.jpg?600 |}}+{{ :omv7-perms-03.jpg?800 |}}
 \\ \\
 All users have been entered in OMV, by the exact username and password they use to log into their workstations, laptops, etc.  Notice that all usernames are in the Group **users** by default.\\ All users have been entered in OMV, by the exact username and password they use to log into their workstations, laptops, etc.  Notice that all usernames are in the Group **users** by default.\\
Line 91: Line 95:
 ===== Shared Folder Permissions ===== ===== Shared Folder Permissions =====
 \\ \\
-By default, the majority of files and folders on the OMV file server are owned and accessed solely by the **root** user account.  Since that is not useful in a networked environment, user access to a NAS server storage location is changed by the creation of a “**Shared Folder**”.  Creating a shared folder is covered in the New User's Guide under [[https://wiki.omv-extras.org/doku.php?id=omv7:new_user_guide#setting_up_a_shared_folder|Setting up a Shared Folder]]. This process physically creates the folder and assigns usable permissions to the folder, that allow regular user access.\\+By default, the majority of files and folders on the OMV file server are owned and accessed by the **root** user account.  Since that is not useful in a networked environment, user access to a NAS server storage location is changed by the creation of a “**Shared Folder**”.  Creating a shared folder is covered in the New User's Guide under [[https://wiki.omv-extras.org/doku.php?id=omv7:new_user_guide#setting_up_a_shared_folder|Setting up a Shared Folder]]. This process physically creates the folder and assigns usable permissions to the folder, that allow regular user access.\\
 \\ \\
 The default permissions assigned to a new Shared Folder, in OMV's GUI, are (in this case **Test** is the Shared Folder):\\ The default permissions assigned to a new Shared Folder, in OMV's GUI, are (in this case **Test** is the Shared Folder):\\
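Review bot: dropping "solely" from "owned and accessed solely by the root user account" leaves the default access unstated rather than corrected; if the point is that non-root accounts do get some default access (the clarity notes below give Others Read/Execute on the example folder), say that directly. Also "assigns usable permissions to the folder, that allow regular user access" should lose the comma before "that".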
Line 108: Line 112:
 **In the interests of clarity**: **In the interests of clarity**:
   * The field that is labeled **File, owner and group** (above) assigns **Standard Linux permissions**.     * The field that is labeled **File, owner and group** (above) assigns **Standard Linux permissions**.  
-  * For home server use and to keep server permissions simple, use **Standard Linux Permissions**. +  * For home server use and to keep server permissions simple, use only **Standard Linux Permissions**. 
-  * Under Standard Linux Permissions, “**Others**” means any user that is not **root** or any user that is NOT in the Group **users**.  This includes members of other Groups and **anonymous** login's.  **Others**, in this example, have **Read/Execute**.+  * Under Standard Linux Permissions, “**Others**” means any user that is not **root** or any user that is NOT in the Group **users**.  This includes members of other Groups and **anonymous** login's.  **Others**, in the above example, have **Read/Execute**.
   * The field that is labeled **File access control lists** (above) are **ACL's - (Access Control List)**.     * The field that is labeled **File access control lists** (above) are **ACL's - (Access Control List)**.  
   * **DO NOT** not mix **ACL's** with **Standard Linux Permissions**, without understanding the **//exact//** effects.  When using **Standard Linux Permissions**, the boxes under **File access control lists** should __NOT__ be checked.   * **DO NOT** not mix **ACL's** with **Standard Linux Permissions**, without understanding the **//exact//** effects.  When using **Standard Linux Permissions**, the boxes under **File access control lists** should __NOT__ be checked.
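Review bot: the unchanged last bullet still reads "DO NOT not mix", a double negative that inverts the warning; it should be "DO NOT mix". The definition of "Others" in the third bullet holds only because this example has owner root and group users; consider stating it generally (any account that is neither the folder's owner nor a member of its owning group) so it survives a folder with a different owner or group. Minor: "The field that is labeled File access control lists (above) are ACL's" should be "is an ACL (Access Control List)".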
Line 118: Line 122:
 ===== Samba (SMB) Network Shares ===== ===== Samba (SMB) Network Shares =====
  
-While a **Shared Folder** is a “base” for sharing files, it is only one part of sharing data on a network.  A Shared Folder allows for __local__ access, at the server, but it doesn't allow for network sharing.  Network sharing requires a Samba share known as “**SMB/CIF**” in OMV's GUI.  +While a **Shared Folder** is a “base” for sharing folders and files, it is only one part of sharing data on a network.  A Shared Folder allows for __local__ access, at the server, but it doesn't allow for network sharing.  Network sharing requires a Samba share known as “**SMB/CIF**” in OMV's GUI.  
 (There are other network sharing techniques, such as **NFS** shares, that are not covered in this document.)\\ (There are other network sharing techniques, such as **NFS** shares, that are not covered in this document.)\\
 \\ \\
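Review bot: "SMB/CIF" is used throughout; the protocol acronym is CIFS (Common Internet File System), and the label should match what the OMV GUI actually shows, so check the spelling while touching this sentence. "allows for __local__ access, at the server, but" carries a stray comma pair; "allows local access at the server but" reads cleaner.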
Line 129: Line 133:
 **In the following; Samba**, under **Services**, **SMB/CIF**, in the **Settings** tab is assumed that the **Enabled** box is checked.\\ **In the following; Samba**, under **Services**, **SMB/CIF**, in the **Settings** tab is assumed that the **Enabled** box is checked.\\
 \\ \\
-Under **Services**, **SMB/CIF**, click the **Shares** button. Then click on the **+Add** button.  +Under **Services**, **SMB/CIF**, click the **Shares** button. Then click on the **+Create** button.  
  
   * **Shared Folder:**    * **Shared Folder:** 
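Review bot: the context sentence "In the following; Samba, under Services, SMB/CIF, in the Settings tab is assumed that the Enabled box is checked" has no subject for "is assumed"; suggest "In the following it is assumed that Samba is enabled: under Services, SMB/CIF, Settings tab, the Enabled box is checked." The +Add → +Create change also differs from the Users steps in the Line 68 hunk, where +Add opens a menu that contains +Create; confirm the Shares tab really has a direct +Create button.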
Line 185: Line 189:
 Warning Warning
 </span></strong></td></tr><tr><td style="background-color:#FFE4A6;height:25px;width:380px;"> </span></strong></td></tr><tr><td style="background-color:#FFE4A6;height:25px;width:380px;">
-Below the list of admin created user accounts are <b>System Accounts</b>.<br>+In the ACL field, below the list of administrator created user accountsare <b>System Accounts</b>.<br>
 System Accounts are defaults that are created for server operations.  Admin's should <b>NOT</b> change permissions or ACL settings for System accounts.  Doing so may render the server installation inoperable. System Accounts are defaults that are created for server operations.  Admin's should <b>NOT</b> change permissions or ACL settings for System accounts.  Doing so may render the server installation inoperable.
 </tr></table></body></html> </tr></table></body></html>
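Review bot: the new right-hand text runs two words together ("accountsare") and "administrator created" is a compound modifier that should be hyphenated: "administrator-created user accounts are". In the unchanged warning body, "Admin's should NOT" is a plural, "Admins should NOT". The warning itself is the right call and worth keeping prominent.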
Line 195: Line 199:
 For instance, in the example Group **users** we have two adults **Fred** and **Mary**, and their two children **Johnny** and **Betty**.  It's easy to envision a scenario where adults may need a network share that their children couldn't access, containing medical information, letters to school officials, etc.\\ For instance, in the example Group **users** we have two adults **Fred** and **Mary**, and their two children **Johnny** and **Betty**.  It's easy to envision a scenario where adults may need a network share that their children couldn't access, containing medical information, letters to school officials, etc.\\
 \\ \\
-The following is a potential use of ACL's that would allow parents access to a share while denying their children access to the same share:\\+The following is a potential use of ACL's that would allow parents access to the Shared Folder **Test** while denying their children access to the same share:\\
 \\ \\
 {{ :omv7-perms-08.jpg?nolink&600 |}} {{ :omv7-perms-08.jpg?nolink&600 |}}
Line 203: Line 207:
 To be sure that all files and folders in the share are reset with the appropriate permissions, the **Replace** and  **Recursive** boxes, at the top, should be checked before clicking on **Save** and **Apply**.\\  To be sure that all files and folders in the share are reset with the appropriate permissions, the **Replace** and  **Recursive** boxes, at the top, should be checked before clicking on **Save** and **Apply**.\\ 
 \\  \\ 
-After saving, **Johnny** and **Betty** will have no access to the **Test** share, while the remaining users in the Group **users** will have **Write** based on Standard Linux Permissions.  Using ACL's in this way allows a home administrator to selectively set individual users, in the Group **users**, to **Read-only** or **No access**.  However, note that ACL's __can not__ grant **increased access** that does not exist in Standard Linux permissions.\\+After saving, **Johnny** and **Betty** will have no access to the **Test** share, while the remaining users in the Group **users** will have **Write** access based on Standard Linux Permissions.  Using ACL's in this way allows a home administrator to selectively set individual users, in the Group **users**, to **Read-only** or **No access**.  However, note that ACL's __can not__ grant **increased access** that does not exist in Standard Linux permissions.\\
 \\ \\
 ---- ----
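Review bot: "ACL's can not grant increased access that does not exist in Standard Linux permissions" is true only because the POSIX ACL mask caps what named user and group entries can grant, and that mask is what shows in the group bits once an ACL exists; naming the mask would stop readers from trying to grant a named user more than the group bits allow and wondering why it fails. "can not" should be "cannot". Since the Replace and Recursive step resets permissions on every existing file and folder in the share, a short reminder to confirm the right Shared Folder is selected before Save and Apply would fit here.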
Line 219: Line 223:
 (In the following examples root, as the owner, is assumed.)\\ (In the following examples root, as the owner, is assumed.)\\
 \\ \\
-In the examples, the list of users are as follows:\\ +In the examples, the list of users and their passwords are as follows:\\ 
 Fred – IworkOT\\  Fred – IworkOT\\ 
 Mary – 2kids2feed\\  Mary – 2kids2feed\\ 
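Review bot: the right side now announces that passwords follow, and the listed values (Fred – IworkOT, Mary – 2kids2feed) are short, guessable strings; label them as placeholder example credentials that must not be reused, so a reader following the walkthrough does not copy them onto a real server.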
Line 235: Line 239:
   * In the Shared Folder, the group **users** have **write**.  This is necessary so that **Fred**, who is the family server administrator, can **write** to the share from his client.   * In the Shared Folder, the group **users** have **write**.  This is necessary so that **Fred**, who is the family server administrator, can **write** to the share from his client.
   * Samba Public access is set to **Guests allowed** which works with the Shared Folder permission **Others: Read**   These permissions and Samba settings will allow visitors **read** access to media shares such as music or movies.   * Samba Public access is set to **Guests allowed** which works with the Shared Folder permission **Others: Read**   These permissions and Samba settings will allow visitors **read** access to media shares such as music or movies.
-  * **Read Only is ON**.  This will further restrict the Group users down from **Write** to **Read only** access.  With young children accessing a share, **Read only** is a good idea to prevent the possibility of an accidental deletion of media files.+  * **Read Only is ON**.  This will further restrict the Group users down from **Write** to **Read only** access.  With young children accessing a share, **Read only** is a good idea to prevent the possibility of the accidental deletion of files.
   * The Samba  **''write list''**  bypasses the Samba **Read Only** setting for one user, allowing **Fred** to **write** to the share for admin purposes.\\   * The Samba  **''write list''**  bypasses the Samba **Read Only** setting for one user, allowing **Fred** to **write** to the share for admin purposes.\\
 \\ \\
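Review bot: the write list bullet should make explicit that it lifts only the Samba-level Read Only restriction; Fred can write because the group users has write at the Shared Folder (first bullet), so a write list entry for a user who lacks filesystem write would still be refused. The Guests bullet is missing its period after "Others: Read".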
Line 245: Line 249:
 \\ \\
   * The Group **users** have **write**.   * The Group **users** have **write**.
-  * While **Others** have **read**, at the Shared Folder, SMB **Public** is set to “**NO**” which stops all users who are not in the Group **users**.  Guests are not allowed.  (The same effect, no Guest users, could be achieved at the Shared Folder level with **Others – None**.)+  * While **Others** have **read**, at the Shared Folder, the SMB **Public** setting is set to “**NO**” which stops all users who are not in the Group **users**.  SMB Guests are not allowed.  (The same effect, no Guest users, could be achieved at the Shared Folder level with **Others – None**.)
   * **Read only** is **OFF** so Shared Folder permissions allow all members of the Group users to write to the share.\\   * **Read only** is **OFF** so Shared Folder permissions allow all members of the Group users to write to the share.\\
 \\ \\
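Review bot: "stops all users who are not in the Group users" overstates what Public = NO does: it refuses unauthenticated (guest) connections, but an authenticated account that belongs to some other group still reaches the share and receives the Others: read permission at the Shared Folder (that is exactly who "Others" covers in the Line 108 hunk), so the parenthetical "same effect" is not equivalent. Suggest "stops guest (unauthenticated) users" and, where the share must be limited to the Group users, Others – None at the Shared Folder. "the SMB Public setting is set to" is redundant; "the SMB Public option is set to".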
Line 302: Line 306:
 \\ \\
   * Additions of new users or changes to existing user accounts, such as password changes, would need to be replicated at the server.   * Additions of new users or changes to existing user accounts, such as password changes, would need to be replicated at the server.
-  * Some use cases may benefit from using the [[https://pureinfotech.com/credential-manager-windows-10/|Credential Manager]] built into Win10. +  * Some use cases may benefit from using the [[https://pureinfotech.com/credential-manager-windows-10/|Credential Manager]] built into Win10 and 11
 \\ \\
 ---- ----
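Review bot: the link target is Windows 10 specific (pureinfotech.com/credential-manager-windows-10) while the sentence now says "Win10 and 11"; either point to a page that covers both or drop the version from the sentence. The edit also dropped the bullet's trailing period.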