In this scenario, I (Rex) am an Administrator and should have fiull access to every share. I set myself into the Administrators share and set Administrators to have full access to the HR share. If I (the user) am set to No Access, despite the fact that I am an Administrator with Full Access to HR, I am denied access.
In the same case, I set the Administrators group to have No Access to the HR share, but leave myself with Full Access. I cam still able to read and write in that share.
To summarize, it seems that a User rights trump Group rights. This seems wrong. Did I miss something?
I don’t mean to be obtuse here, but that doesn’t make sense. Here’s my argument:
The point of a group is to assign a specific set of rights to multiple persons. If the User rights trump Group rights, in order to grant group privledges to an single User, they would have to have indifidual rights assigned to each share they need to access.
Example: Bob is new to HR. As an employee he also gets read access to the News share. If, as it works, a new User defaults to no access to any share, but the user is added to the HR Group, his User access of None will trump the Groups Full Access. In order to get him access to HR and News, I would have to change his User rights to match the rights I wanted him to have in the group. That being the case, why did I make a group in the first place?
If you’ve assigned a user to an ADMIN GROUP and that group has WRITE access to a share, then that user should have write access to the share regardless of what the individual user settings are.
That’s the bad thing about the group management function of the NAS – the DISPLAYED permissions don’t really indicate the “effective” permissions and it can get confusing.
In other words, in actual samba configurations, it’s possible to allow WRITE access via a GROUP but DENY access via specific user permissions. In this case, according to Samba’s documentation:
I agree, Tony. That is how it should work, but my system seems to be ignoring all permissions granted through Groups in favor of rights assigned to Users.
I’ve read and re-read the manual and they don’t have any ‘rules’ on how groups work.
To respond to Altavoz, your suggestion is great if you are working with only a handful of users and shares. In a more complex environment, Groups are a huge benefit. Since Users and Shares are created with a default of No Access, a “Least Restrictive” approach would be appropriate. In other words, If a user has No Access rights, but belongs to a group with Read Access, the user should have Read Access to the share. If the user has Read/Write access to a share and belongs to a group with only Read Access, the User should still have Read/Write access.
With regard to the complex nature of who has what rights on which Share, a summary screen would be very useful. Something like the following (but in a GUI setting and I’m sorry the tabs didn’t translate from Word, but you get the picture):
Share User Access Source
HR Bob Read/Write User
Julie Read Group [HR]
Valerie Read Group [HR]
News Bob Read Group [Employee]
Chad Read Group [Employee]
Julie Read Group [Employee]
Valarie Read User
DEV Alice Read/Write User
Chad Read/Write Group [Developers]
This summary screen would also provide evidence to the administrator that Group and User rights are working properly. It could also be used to determine if a User or Group has or doesn’t have access to a Share that they shouldn’t/should.
To save space here, I have cut and pasted a single share “aFamily”. After running the command you posted, I changed some Group membership and rights and ran the command again. The results are as follows:
Before:
[aFamily]
comment = Family - Real & Perceived
path = /mnt/HD/HD_a2/aFamily
browseable = yes
public = no
oplocks = yes
map archive = no
read list =
write list = “admin”,“@Admins”,“rex”
invalid users = “nobody”,“dawn”,“family”
valid users = “admin”,“@Admins”,“rex”
After: Added dan to @Family and @Family to read access aFamily Share
Note: Members of @Family are red, dan, dawn and family
[aFamily]
comment = Family - Real & Perceived
path = /mnt/HD/HD_a2/aFamily
browseable = yes
public = no
oplocks = yes
map archive = no
read list = “@Family”
write list = “admin”,“@Admins”,“rex”
invalid users = “nobody”,“dawn”,“family”
valid users = “@Family”,“admin”,“@Admins”,“rex”
I guess that means the WD configuration UI screws it up. As the samba docs explain, an “invalid user” is denied access to a share regardless if their group allows access.
Hi, Is it possible to rescrict a share link only for specific users? In other words, can i set WD to force user to enter his credentials in order to see a folder or pictures?
When I set no access to specific folder and then trying to open that share link i get this:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<dir_contents>
<error_code>401</error_code>
<http_status_code>401</http_status_code>
<error_id>46</error_id>
<error_message>Share is inaccessible</error_message>
</dir_contents>
I was hoping that WD will offer me a login window or something?
Hi, Is it possible to rescrict a share link only for specific users? In other words, can i set WD to force user to enter his credentials in order to see a folder or pictures?
