TrueNAS Core all shares are visible to all users despite not having permission

Levent
Solved by Oshino Shinobu

Setup details:

Latest build of TrueNAS core.

Levent: This user is supposed to see and only have permission to the Data and Media folders.

LeventPC: This user is supposed to see and only have permission to the Levent-PC folder (not a home folder)

LeventMBA: This user is supposed to see and only have permission to the Levent-MBA folder (again, not a home folder)

 

Problem:

The users listed above are all able to list the Data, Media, Levent-PC and Levent-MBA folders in the network share. However, when they attempt to browse one, it just throws a no-permission error.

 

Configuration:

 

Any ideas? I distinctly remember setting this up in smb.conf when my NAS consisted of an OrangePi Zero with 512 MB of RAM and a bunch of external hard drives.

 


mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

 


Your second screenshot shows an ACL where Everyone has allow permissions. Even if they don't have permissions to access the datasets, access based enumeration looks at the share ACLs.

 

I believe you'd need to separate each folder/dataset out into a share and adjust share permissions for access based enumeration to hide shares they don't have access to.


4 minutes ago, Oshino Shinobu said:

Your second screenshot shows an ACL where Everyone has allow permissions. Even if they don't have permissions to access the datasets, access based enumeration looks at the share ACLs.

So what is actually the difference? The permission system in TrueNAS seems like a pile of shit compared to OMV, which I am used to. I can set up ACLs in at least 2 places that I can see. I also have non-Windows clients that are using these Samba shares, so I am not sure if SIDs can be used there.

 

The said screen makes no sense to me, any tips?


 


1 minute ago, Levent said:

So what is actually the difference? The permission system in TrueNAS seems like a pile of shit compared to OMV, which I am used to. I can set up ACLs in at least 2 places that I can see. I also have non-Windows clients that are using these Samba shares, so I am not sure if SIDs can be used there.

 

The said screen makes no sense to me, any tips?

SIDs should be on the TrueNAS side, so they should be able to be used on either side.

AFAIK, access based enumeration will only look at the share permissions. As you've got it set so that everyone has access, everyone will be able to see it. You'd need to change the SID to match the user you want to have access to the share (and see it), and then add one for each SID you want to have that access.

Arguably an easier way is to disable the "browsable" option and just map the shares. ABE is flaky at best in my experience and doesn't work properly with plenty of systems. Though even hiding the shares doesn't always work, as some systems scan for hidden shares and will list them anyway.


1 hour ago, Levent said:

Setup details:

Latest build of TrueNAS core.

Levent: This user is supposed to see and only have permission to the Data and Media folders.

LeventPC: This user is supposed to see and only have permission to the Levent-PC folder (not a home folder)

LeventMBA: This user is supposed to see and only have permission to the Levent-MBA folder (again, not a home folder)

 

Problem:

The users listed above are all able to list the Data, Media, Levent-PC and Levent-MBA folders in the network share. However, when they attempt to browse one, it just throws a no-permission error.

 

Configuration:

 

Any ideas? I distinctly remember setting this up in smb.conf when my NAS consisted of an OrangePi Zero with 512 MB of RAM and a bunch of external hard drives.

 


If I understand correctly, this data was originally configured to be shared via another system? If so, I'd just wipe all perms and start over.

Then use ACLs to configure access.

 

For my truenas box, for the most part I have most things shared at a certain “lower” user level, and then my “admin” type user belongs to the lower level groups so I can read/write just about anywhere. 

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TrueNAS + many other VM's

 

iPhone 14 Pro - 2018 MacBook Air


59 minutes ago, LIGISTX said:

If I understand correctly, this data was originally configured to be shared via another system? If so, I'd just wipe all perms and start over.

Then use ACLs to configure access.

 

For my truenas box, for the most part I have most things shared at a certain “lower” user level, and then my “admin” type user belongs to the lower level groups so I can read/write just about anywhere. 

Nope, this is a completely separate build, nothing is reused, even the data is different.

 

1 hour ago, Oshino Shinobu said:

SIDs should be on the TrueNAS side, so they should be able to be used on either side.

AFAIK, access based enumeration will only look at the share permissions. As you've got it set so that everyone has access, everyone will be able to see it. You'd need to change the SID to match the user you want to have access to the share (and see it), and then add one for each SID you want to have that access.

Arguably an easier way is to disable the "browsable" option and just map the shares. ABE is flaky at best in my experience and doesn't work properly with plenty of systems. Though even hiding the shares doesn't always work, as some systems scan for hidden shares and will list them anyway.

Holy shit, you were right. Though I gotta say this was unnecessary imo.

  1. Enabled Access Based Share Enumeration in every single Samba share that I want this configured for.
  2. Used the NETBIOS name of my TrueNAS server and the user that needs to see the share.

Putting a screenshot to help myself in the future again lol.


 


 

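As an added illustration (not code from the thread, TrueNAS or Samba), a small Python model of the visibility rule Oshino Shinobu describes and that Levent's two-step fix relies on: with ABE on, the share ACL decides what a user sees, so an ACE granting Everyone shows the share to every user, while the dataset ACL still blocks the actual access. The SIDs, share names and the first-matching-ACE rule are simplifying assumptions.

```python
EVERYONE = "S-1-1-0"      # well-known "Everyone" SID, in every user's token
AUTH_USERS = "S-1-5-11"   # well-known "Authenticated Users" SID, likewise
DOMAIN = "S-1-5-21-111-222-333"   # placeholder machine SID (constructed)

def token(rid):
    """Constructed access token for a local user: its own SID plus the
    well-known group SIDs every authenticated session carries."""
    return {f"{DOMAIN}-{rid}", EVERYONE, AUTH_USERS}

def share_allowed(share_acl, user_sids):
    """Simplified share-ACL check: the first ACE whose SID is in the user's
    token decides. Real Samba compares requested access bits, but for the
    all-or-nothing ACLs in this thread the result is the same."""
    for sid, access in share_acl:
        if sid in user_sids:
            return access == "ALLOWED"
    return False

def visible_shares(shares, user_sids):
    """Share names the user sees when browsing the server: 'browseable = no'
    hides a share outright; with ABE on, the share ACL decides; the dataset
    ACL never enters into it, which is why access can still fail later."""
    seen = []
    for name, cfg in shares.items():
        if not cfg.get("browseable", True):
            continue
        if cfg.get("abe") and not share_allowed(cfg["share_acl"], user_sids):
            continue
        seen.append(name)
    return seen

USERS = {"Levent": token(1001), "LeventPC": token(1002), "LeventMBA": token(1003)}
SHARES = ("Data", "Media", "Levent-PC", "Levent-MBA")

# As in the original post: ABE on, but every share ACL grants Everyone.
BROKEN = {n: {"abe": True, "share_acl": [(EVERYONE, "ALLOWED")]} for n in SHARES}

# After the fix: each share ACL names only the SID that should see the share.
OWNER_RID = {"Data": 1001, "Media": 1001, "Levent-PC": 1002, "Levent-MBA": 1003}
FIXED = {n: {"abe": True, "share_acl": [(f"{DOMAIN}-{OWNER_RID[n]}", "ALLOWED")]}
         for n in SHARES}

# The other suggestion in the thread: keep the ACL, set browseable = no.
HIDDEN = {n: dict(cfg, browseable=False) for n, cfg in BROKEN.items()}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("hidden", HIDDEN)):
        for user, sids in USERS.items():
            print(f"{label:6} {user:10} sees {visible_shares(cfg, sids)}")
```

Running it prints every user seeing all four shares under the original configuration and only their own under the per-SID ACLs, which is the behaviour change the screenshot step produced.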

53 minutes ago, Levent said:

Holy shit, you were right. Though I gotta say this was unnecessary imo.

  1. Enabled Access Based Share Enumeration in every single Samba share that I want this configured for.
  2. Used the NETBIOS name of my TrueNAS server and the user that needs to see the share.

Putting a screenshot to help myself in the future again lol.

lol I attended a talk on access based enumeration by one of the consultants at my last job so glad I retained something useful 😄

