Project

General

Profile

Feature #25936

Add checkbox to toggle Access Based Enumeration on SMB shares

Added by Andrew Walker about 1 year ago. Updated 12 months ago.

Status:
Resolved
Priority:
Nice to have
Assignee:
John Hixson
Category:
OS
Target version:
Estimated time:
Sprint:
Severity:
New
Backlog Priority:
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

Related projects 1 project

Description

Access Based Enumeration (ABE) allows admins to hide shares from users based on their permissions. If a user doesn't have permissions, he can't see the share when he navigates to \\server.

This is possible in Samba. It would be helpful to expose some of the config in the FreeNAS web UI. The share-level parameter is "access based share enum = yes|no"

There are two parts to enabling it:

(1) set the parameter
(2) configure share [not NTFS] ACL. By default the share ACL is set to "everyone - full control". This can be modified via the computer management MMC on a windows client, or at the command-line via the sharesec utility.

It'd be good to have a checkbox to fulfill (1). It'd be even better to also have an editor that allows for (2) in the web UI. (1) is trivial. (2) is probably not.

Associated revisions

Revision 42182664 (diff)
Added by Dru Lavigne about 1 year ago

Doc Access Based Share Enumeration.
Ticket: #25936

History

#1 Updated by Sam Fourman about 1 year ago

Having a Full permission editor in the webUI is a common ask from TrueNAS clients.
Maybe this would be a feature of the new TrueNAS UI?

#2 Updated by Andrew Walker about 1 year ago

To clarify, Windows provides an interface to manage which users can see the shares through the share permissions editor in the "Computer Management" mmc. There is no requirement to add an editor to the FreeNAS GUI to enable this functionality (even if it would be cool to have).

If we add this feature, it should also be properly documented. I made a short writeup about it here: https://forums.freenas.org/index.php?resources/smb-tips-and-tricks.15/
Pardon the Comic Sans font.

#3 Updated by Dru Lavigne about 1 year ago

  • Status changed from Untriaged to Unscreened
  • Assignee changed from Release Council to Kris Moore

Kris: what are your thoughts on this one? One for the new UI for 11.2 or later?

#4 Avatar?id=14398&size=24x24 Updated by Kris Moore about 1 year ago

  • Assignee changed from Kris Moore to John Hixson
  • Priority changed from No priority to Important
  • Target version set to TrueNAS 11.1-U1

We are trying to avoid more "checkboxes" cluttering up the UI, this may be better as advanced sysctl option. Over to John to ponder. But the UI editor would be cool. That should be another ticket assigned to UI team for 11.2.

#5 Updated by Andrew Walker about 1 year ago

Kris Moore wrote:

We are trying to avoid more "checkboxes" cluttering up the UI, this may be better as advanced sysctl option. Over to John to ponder. But the UI editor would be cool. That should be another ticket assigned to UI team for 11.2.

I'm not sure if you can do it with a sysctl. It's an smb.conf parameter that needs to be set on samba shares. I.e.

[global]
   <stuff>

[share1]
   <more stuff>
   access based share enum = yes

[share2]
   <more stuff>
   access based share enum = no

#6 Updated by John Hixson about 1 year ago

  • Category changed from 42 to OS
  • Status changed from Unscreened to Screened
  • Priority changed from Important to Nice to have

I don't want any more check boxes ;-) I would like to hide most of the options currently available as sysctl's. I know Fredo has wanted this since I have worked with him. I have no problem adding it, but it's going to be hidden and only people who have a specific need will be able to set it ;-)

#7 Updated by John Hixson about 1 year ago

  • Status changed from Screened to Ready For Release

I've added this to FreeNAS. it will be available in 11.1

#8 Updated by Dru Lavigne about 1 year ago

  • Project changed from TrueNAS to FreeNAS
  • Category changed from OS to OS
  • Target version changed from TrueNAS 11.1-U1 to 11.1-BETA1
  • Private changed from No to Yes

#9 Updated by Dru Lavigne about 1 year ago

  • Description updated (diff)

#10 Updated by Dru Lavigne about 1 year ago

  • Subject changed from Add checkbox to SMB share config in GUI to toggle "access based share enum = yes" to Add checkbox to toggle Access Based Enumeration on SMB shares
  • Private changed from Yes to No

#11 Updated by Dru Lavigne about 1 year ago

John: what's the URL to the commit?

#13 Updated by Bonnie Follweiler 12 months ago

12730

Test Passes in FreeNAS-11-MASTER-201710180506
Screenshot provided

#14 Updated by Dru Lavigne 12 months ago

  • Status changed from Ready For Release to Resolved

Also available in: Atom PDF