napp it share permissions, so that only authorized users can see the share


tnkrer

I searched around but did not find an answer to this question, so here is my requirement.
I am creating multiple ZFS file systems on my pool. Some of those I want accessible by all users (read or read and write, depending on situation).
However, I would like to have some ZFS file systems that are accessible to only authorized users. And they should not even be listed for non-authorized users. So non-authorized users should not be able to see any shares that they cannot read.
Is that possible? How to do that?

Thanks

ETA: Saw this in the Solaris documentation:
"When SMB shares are created on a ZFS file system, the SMB share name appears as an entry in the .zfs/shares directory. You can use the ls command to show the share-level ACLs on the entries in this directory. You can also use the chmod command to modify the share-level ACLs on the entries in this directory. See the ls(1) and chmod(1) man pages."
Will try that .. but not yet sure how to! Do I add a user (authorized user) with read write permissions using /usr/bin/chmod and then remove everyone's permissions again using chmod?

ETA2: I think this is a way to do it on FreeNAS. I don't have my FreeNAS set up anymore to test.

ETA3: After further reading .. this feature seems to be called ABE (Access Based Enumeration). Still do not know how to do it though
 

gea

You can restrict access based on ACL on files or folders, either via /usr/bin/chmod, via Windows as user root or via napp-it (ACL extension). Similar to Windows you can also set ACLs directly to a share (your ETA) either via chmod to the share control file, via Windows and computer management or via napp-it (ACL extension).

You can hide a share for all users if you add a $ to the share name (for example, a share data$), which is then only accessible if you enter the share name on connect, e.g. \\server\data$

Eta2
The FreeNAS info is for SAMBA. While you can use SAMBA on Solarish as well, the default is the Solaris kernel-based and multithreaded SMB server that is part of the OS and ZFS.

Eta3
You can hide files or folders where a user has no access with ABE. This is a ZFS share property on Solarish. If you use napp-it this is an option when you enable a share.
 

tnkrer

Thanks Gea!
If nothing else works, I can go with $ extension to my non-public shares

ETA1 - going to try with Windows; the CLI syntax is overly complex. I do not really expect to do this frequently once my shares are set up.

On ETA2 - I do not plan to use Samba. I will stay with the default of napp-it.

ETA 3: - I do not see a setting for ABE in the UI. Is that part of ACL extension? I should be able to do it with this command
zfs share -o share.smb.abe=on tank/home%myshare

Edit to ETA3: That command did not work. Neither did zfs get share.smb.all
(These are from the Solaris 11.1 documentation, so maybe something is different.)
 

Bronko

Extending the share name with $ (data$) only works for Windows clients; with Linux it's visible anyway.

Here you find the ABE option via smb activation:

[Attached screenshot: Screenshot from 2016-10-07 21:30:27.png]
 

tnkrer

Thanks Bronko.
I still did not see ABE when I tried to update smb for a share that was created earlier. But then I tried to turn sharesmb off and then turn it on again and got the screen you have and was able to turn on ABE.
Now on to testing that it actually works for not listing the shares :)

(Gea, in the create FileSystem menu, ABE does not show up in my napp it VM, ZFS appliance v. 16.02f Feb.13.2016)

ETA: After setting ABE on the ZFS filesystem/share test AND setting the permissions for this share to only root and power users, I am still seeing the share test in Linux (without any authorization) and Windows (only for users in the napp-it system, but that user does not have permissions to share test). The directory test/.zfs/shares/test is not available in Windows to change permissions, so I have to do it via CLI.

[Attached screenshots: upload_2016-10-7_17-46-34.png, upload_2016-10-7_17-47-12.png]

So the goal is, in this case, test should not even show up in the explorer
 

tnkrer

So I have done three things
1. Enabled ABE on the share
2. Removed permissions for everyone on the share
(here are the compact acls)
Code:
d---------+  3 root     root           3 Oct  7 20:49 test
              everyone@:rwxpdDaARWcCos:fd-----:deny
              user:root:rwxpdDaARWcCos:fd-----:allow
            group:staff:rwxpdDaARWcCos:fd-----:allow
3. Removed permissions for everyone on the .zfs share directory
Here are the compact acls
Code:
root@myNas:/space/test/.zfs/shares# /usr/bin/ls -V
total 1
-rwx------+  1 root     root           0 Oct  7 20:49 test
              user:root:rwxpdDaARWcCos:fd-----:allow
Still the share is visible :(
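
An added example, not part of any poster's message and not napp-it or Solaris code: a small Python model of ordered NFSv4-style ACE evaluation, run over the two ACL listings quoted in the post above. The accounts alice and bob and the group users are hypothetical, and the model ignores owner@/group@ entries and privileges such as root's.

```python
# Constructed input: the two `ls -V` listings quoted in the post above.
FOLDER_ACL = """\
d---------+  3 root     root           3 Oct  7 20:49 test
              everyone@:rwxpdDaARWcCos:fd-----:deny
              user:root:rwxpdDaARWcCos:fd-----:allow
            group:staff:rwxpdDaARWcCos:fd-----:allow
"""
SHARE_ACL = """\
-rwx------+  1 root     root           0 Oct  7 20:49 test
              user:root:rwxpdDaARWcCos:fd-----:allow
"""

def parse_acl(listing):
    """Return the ACEs of a compact listing as (who, perms, type), in order."""
    aces = []
    for line in listing.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or parts[-1] not in ("allow", "deny"):
            continue  # file header line, or anything that is not an ACE
        *who, perms, _flags, ace_type = parts
        aces.append((":".join(who), set(perms) - {"-"}, ace_type))
    return aces

def check_access(aces, user, groups, wanted):
    """Walk ACEs top-down; the first matching ACE that names a bit decides it."""
    pending = set(wanted)
    for who, perms, ace_type in aces:
        if who != "everyone@" and who != f"user:{user}" and \
                who not in {f"group:{g}" for g in groups}:
            continue
        hit = pending & perms
        if ace_type == "deny" and hit:
            return False, f"{who} deny on {''.join(sorted(hit))}"
        if ace_type == "allow":
            pending -= hit
        if not pending:
            return True, f"granted by {who}"
    return False, "no ACE grants " + "".join(sorted(pending))

def demo():
    folder, share = parse_acl(FOLDER_ACL), parse_acl(SHARE_ACL)
    deny_last = folder[1:] + folder[:1]  # same ACEs, everyone@ deny moved last
    return {
        "alice (staff), posted order": check_access(folder, "alice", ["staff"], "rx"),
        "alice (staff), deny last": check_access(deny_last, "alice", ["staff"], "rx"),
        "bob (users), deny last": check_access(deny_last, "bob", ["users"], "r"),
        "alice (staff), share ACL": check_access(share, "alice", ["staff"], "r"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

With the entries in the posted order, the leading everyone@ deny matches every account before the group:staff allow is reached. The model covers access checks only, not whether a share name is listed to a client.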
 

gea

You can restrict access, but I suppose hiding a share, besides the administrative shares with share$, is not possible in Windows nor with Solaris SMB, as Sun developed its own SMB server to behave like Windows and to offer NFS and SMB shares as a pure ZFS filesystem property. This is different from Linux or SAMBA, so the feature set there may be different. ABE is related to files and folders, not shares.