SMB Share Permissions Issue
#1
Scooby Regular
Thread Starter
Join Date: Mar 1999
Location: The Great White North
Posts: 25,080
SMB Share Permissions Issue
Afternoon all,
Here's the situation, I've got a Windows 2003 Enterprise server, acting as a DC. I am going to connect from a Mac (running OS X 10.4.10) via SMB to a share called authgroups on this server.
I have four users in AD:
alpha, bravo, charlie, and delta
I have created two groups in AD:
ab, and cd
alpha and bravo are members of group ab, and charlie and delta are members of group cd.
I've shared authgroups as a Windows share. The security settings on the root of authgroups have been changed to add the groups ab and cd with the default permissions.
The sub-folders of the share have had their permissions changed so that only the ab group has access to the ab folder, and the cd group only has access to the cd folder (when I say only, I mean that the Administrator, creator owner and System users/groups are there).
In the Sharing option of Properties it's set to Everyone + Read, which is the default I believe.
The theory behind all this is that, for example, user delta should be able to connect to authgroups and should only be able to access the cd folder on the share. I'm not too bothered if they see the ab folder, but they should not be able to access it.
If I share the folder for Mac and connect, I get exactly this behaviour, however, this does NOT happen when I connect via SMB. In the example above, delta has access to both the ab and cd folders, obviously not what I want.
So, what exactly am I doing incorrectly here? I presume it must be possible to configure the settings in such a way so as to provide the access I want. My current thought is that it's something to do with the Sharing permissions, as opposed to the Security Permissions. It looks as though whatever is set on the Sharing permissions page is inherited throughout the share.
Any advice on what to change is greatly appreciated.
#2
Scooby Regular
Join Date: Apr 2007
Location: South Wales
Posts: 559
It may well be the case that whatever permissions you have set on the share have got inherited on the folders within the share.
Within the permissions tab there should be a little tick box which says something like 'Allow child objects to inherit permissions'. If you untick this then you can grant different permissions on the other folders within the share.
Hope that helps
#3
Scooby Regular
Thread Starter
Join Date: Mar 1999
Location: The Great White North
Posts: 25,080
I had to disable the inherit permissions option to allow me to explicitly change the permissions on the ab and cd folders within the share. When I did uncheck that option I was asked if I wanted to cancel, copy or remove the existing ownership, I said copy, and then removed the user/groups I did not want, which were Users group and either ab or cd group, depending on the folder.
I've double-checked and the sub-folders are not inheriting the permissions from the parent.
#4
Scooby Regular
Join Date: Apr 2004
Location: Cardiff
Posts: 1,928
What I do for shares is, for the share permissions, give group ab and cd read and change in sharing permissions of the share, then full control for admins, domain admins etc., so share permissions are:
domain admins = full control
ab = change and read
cd = change and read
Then with NTFS permissions, the permissions I would set would be (for the root share folder):
domain admins = full control
ab = List folder contents, nothing else ticked
cd = List folder contents, nothing else ticked
assuming there is nothing in the root above the 2 folders ab and cd.
For the ab folder I would take off the object inherit permissions thing and give:
Domain admins = full control
ab security group = either list, read and execute or modify, depending on if they need to write and change
Then I would replicate those permissions down. For the cd folder:
Domain admins = full control, all ticked
cd security group = either read, list and execute or modify, depending on requirements, then replicate those permissions down
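The two permission layers discussed in this thread combine as an intersection: over SMB a user gets only the rights that both the share ACL and the folder's NTFS ACL grant. The following is an added example, not code from any poster, that models the layout from post #4 alongside the Everyone + Read share setting from post #1. It is a simplified allow-only model with no deny entries; the rights names are constructed, and the ab and cd groups are assumed to have been given modify on their own folders.

```python
# Added illustration: simplified allow-only model of share + NTFS permissions.
# Rights names and ACL contents are constructed from the thread's description.
LIST = frozenset({"list"})
READ = LIST | {"read"}
MODIFY = READ | {"write", "delete"}   # share-level "Change" is modelled as the same set
FULL = MODIFY | {"change_acl"}

# AD group membership from post #1.
GROUPS = {"alpha": {"ab"}, "bravo": {"ab"}, "charlie": {"cd"}, "delta": {"cd"}}

# Share permissions suggested in post #4.
SHARE_POST4 = {"Domain Admins": FULL, "ab": MODIFY, "cd": MODIFY}
# Share permissions described in post #1 (Everyone + Read).
SHARE_POST1 = {"Everyone": READ}

# NTFS ACLs from post #4. Inheritance is disabled on ab and cd,
# so each folder carries only its own explicit entries.
NTFS = {
    "authgroups":    {"Domain Admins": FULL, "ab": LIST, "cd": LIST},
    "authgroups/ab": {"Domain Admins": FULL, "ab": MODIFY},  # assumption: modify chosen
    "authgroups/cd": {"Domain Admins": FULL, "cd": MODIFY},  # assumption: modify chosen
}

def granted(acl, user):
    """Union of the rights from every entry whose trustee matches the user."""
    trustees = GROUPS.get(user, set()) | {user, "Everyone"}
    rights = set()
    for trustee, entry_rights in acl.items():
        if trustee in trustees:
            rights |= entry_rights
    return rights

def effective(user, folder, share_acl):
    """Rights over SMB: only what the share ACL and the NTFS ACL both allow."""
    return granted(share_acl, user) & granted(NTFS[folder], user)

def report(share_acl):
    """Effective rights for every user and folder under one share ACL."""
    return {(u, f): sorted(effective(u, f, share_acl)) for u in GROUPS for f in NTFS}

if __name__ == "__main__":
    for (user, folder), rights in report(SHARE_POST4).items():
        print(f"{user:8} {folder:15} {', '.join(rights) or 'no access'}")
```

In this model the share ACL only caps what the NTFS ACLs allow: under Everyone + Read, alpha is limited to read in ab even though NTFS grants modify, and delta still has no rights there under either share setting.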