Ran into an issue with a TrueNAS Scale deployment for a customer that they would like resolved.
Normally, an SMB share is not visible in File Explorer if the user viewing the share isn’t part of a security group as defined in the share’s ACL. However, if the share permissions are set up with a nested security group, the share is visible to everyone. It’s my understanding that since the user lacks read permissions they shouldn’t be able to see the share.
Has anyone run into this, or can anyone think of a solution to the problem?
Make sure that NetBIOS or Windows discovery is disabled in the share's settings. This could be causing the share to be visible if the share is part of the domain and permissions are set to allow [domain users] to see it.
With nested AD groups, they will be able to see the share itself but will not have access.
This is a function of the AD groups and the way they are set up, and is expected behavior.
There is the possibility that the AD groups are not configured correctly, and that an AD audit may be necessary if security is their concern.