edit share acl is automatically assigned as everyone@.
after selecting purpose > no presets
Access Based Share Enumeration
I mark the part.
but it keeps appearing again.
If I make everyone@ a user registered to the filesystem acl, the folder is hidden to people other than that person, but this time only that user can enter it. Other users added to the directory cannot enter the relevant directory.
How do I overcome this problem?
Access based share enumeration is about redacting contents of response for netsharenum RPC request. It’s not related to this what you’re asking about. There isn’t a good / performant way to do what you’re asking, we’d be stuck having to do user access checks in userspace on every file in a directory when generating a listing (which would significantly harm dir listing performance).
I learned this method by seeing it on forums. So I did it accordingly.
“hiding directory” feature in synolgy and windows to unauthorized users
As far as I know it is available. If
If they did it, it should be possible. I think Trunenas can do this too.
Not quite sure what you are trying to achieve here? Is it that you want a directory within a dataset hidden from some users that have access to the parent or is it that you want the entire dataset/share hidden from users that don’t have access?
I want to hide a directory from users who do not have access permission. Only users with permission can view directories. For example, the Accounting team does not have permission to access the directory named “Management”. That’s why I don’t want accounting to see this.
Ok that makes sense. Do Accounting and Management have their own datasets and shares or do you have one dataset and share and directories within?
Either way is fine for me. I’m still in the installation phase. So I can also create an index under a single dataset. or one dataset for each department.
Ok cool. Are you using a directory service like AD to manage your users and groups or just the local users and groups?
I use local users and groups
Ok simplest way would be two datasets one for Accounting and one for Management.
Create an Accounting Group and a Management Group then all your users assigning them to either the Account Group and/or Management Group.
Then add an ACL entry for the Accounting dataset that gives the Accounting Group modify access and then the same for Management.
Finally share out the Accounting Group via SMB and separately the Management Group.
Outcome is Accounting map to \dnsnameofserver\Accounting and Management map to \dnsnameofserver\Management.
If you don’t like that you could have one dataset called ‘Whatever’ and create a ‘Whatever’ group assigning all users access (perhaps read-only inherit=no) and share this out over SMB. Then create two sub-directories/folders (these could be datasets if you wish to control quotas etc) one called Accounting and one Management. Create the Accounting and Management Groups in TrueNAS and assign your users the relevant permissions and then assign those groups permissions on the directories from a Windows client if you are using directories/folders but using the UI if datasets. If using directories/folders you will need ‘full control’ to do this so you may also want to create an ‘ITAdmin’ group that has full control over all datasets to allow you to manage permissions from a Windows client and make your own user a member of that group.
Outcome is all users map to \dnsnameofserver\Whatever.
Keep away from the ‘Share ACL’ as that just confuses matters and its largely not required/used.
There is no problem granting/disallowing users. When I do this will the datasets be hidden to those who don’t have access?
that was the question.
In scenario one each team is mapping to a different share so they won’t see each others data even if they tried to map to the opposite share because they don’t have access it will fail.
In scenario two both groups map to the same parent dataset/share both Accounting will only see the Accounting folder and Management will only see the Management folder so long as you have setup the permissions correctly that is.
