Subfolder Permissions
Because subfolder privileges are not supported, here is a work-around that gives each user of your domain a private subfolder:
\\NAS\sharefolder\user1 -- only user1 and admin can have access
\\NAS\sharefolder\user2 -- only user2 and admin can have access
\\NAS\sharefolder\user3 -- only user3 and admin can have access
\\NAS\sharefolder\user4 -- only user4 and admin can have access
…
How it works:
If you have a shared folder where all domain users have permission to read and write, you can create subfolders inside it and manually change the owner of each subfolder so that only one user can access it (see above).
So every domain user can connect to the shared folder, but each user can access only one subfolder, because the permission is set on the file system. (This is not officially supported by QNAP, but it seems to be working.) Your NAS must be joined to Active Directory for this to work with domain users. If it is not, you can do the procedure only for local users.
Here is a script to do it automatically:
If your domain user names contain a dot, like "livetyler.123", use this script:
Subfolderperm_GUIDv2.sh.tar.gz
Note: it changes the owner by the user's UID.
The script will list all the users from your domain and automatically create a subfolder for each of them. If the subfolder already exists, the script skips it. This lets you create new users in your AD and run the script again to create subfolders for the new users only.
- Create a shared folder only for the admin user (example: custom). It will be used to store the script.
- Create a shared folder "privates". It will hold the domain user subfolders. Use a dedicated folder for this purpose, because the script changes folder and file permissions. Do not use a default shared folder! Do not call it "homes", which is a reserved name. Do not mix domain users and local users in the same shared folder: use one shared folder for local users and another for domain users.
- Give Read/Write permission to the NAS admin user and to all domain users (the "domain users" group) on the shared folder "privates", and deny guest access.
- Copy the file subfolderperm.tar.gz to the shared folder custom (\\nas\custom).
- Connect to the NAS by SSH with user admin (you can use putty.exe).
- Go in the "custom" folder:
# cd /share/custom
- Extract the archive:
# tar zxvf subfolderperm.tar.gz
- Launch the script :
# sh subfolderperm.sh
You will see the help.
Just run it with the correct parameters:
# sh subfolderperm.sh privates domain
This will create in the shared folder “privates” a subfolder for every domain user, automatically.
If you create new users, you can run the script again to create the new subfolders.
Full logs as example :
[~] # cd /share/custom
[/share/custom] # ls
subfolderperm.tar.gz
[/share/custom] # tar zxvf subfolderperm.tar.gz
subfolderperm.sh
[/share/custom] # sh subfolderperm.sh
usage: sh subfolderperm.sh ShareFolderName <domain|local>
ShareFolderName : The share folder name
<domain|local> : domain for domain user (NAS must be in AD)
<domain|local> : local for NAS local user
example: sh subfolderperm.sh privates domain
[/share/custom] # sh subfolderperm.sh privatesw domain
Share Folder privatesw does not exist
[/share/custom] # sh subfolderperm.sh privates domain
Setting permission on share folder
krbtgt created
administrator created
guest created
tt created
exc created
uu created
space user created
glpi created
usertest created
backupuser created
[/share/custom] #
Now, domain users will have access only to their own subfolder in that shared folder "privates".
Done.
For more explanation, here is an example of doing it manually (this is what the script does).
This section explains what the script does. It is not necessary to do this if you use the script above.
- Create a share folder “privates”.
- Give permission to all domain users to read and write on that shared folder, and deny guest access.
Now create a restricted folder to only domain\user1 by doing:
- Login to the NAS by ssh (you can use putty.exe) with user admin.
- Go to the shared folder:
# cd /share/privates
- Create a subfolder “userfolder1” for user1:
# mkdir -m 700 userfolder1
# chown "domain+user1:administrators" userfolder1
- From now on, only the user domain\user1 (from Active Directory) can access the subfolder "userfolder1".
To prevent somebody from deleting another user's subfolder, change the permissions on the parent folder:
# cd /share/privates
# chown admin:administrators .
# chmod 775 .
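The following is an added example of the whole procedure (both the scripted run above and the manual steps in this section) written as a small POSIX shell script; it is not the subfolderperm.sh script from the page and not QNAP's code. It assumes the QNAP layout where shares live under /share, that domain users are named with a "domain+" prefix (as in the chown above), and that the CHOWN variable can be overridden (for example CHOWN=:) to try it without root. Each user subfolder is created with mode 700 and handed to that user, an existing subfolder is skipped so the script can be re-run after adding users, and the parent share is finally set to admin:administrators 775 so that users cannot delete each other's folders.

```shell
#!/bin/sh
# Added example, not the page's script: one private subfolder per user.
# Assumptions (labelled): shares live under $SHARE_ROOT (/share on QNAP),
# domain users are addressed as "domain+<name>", and CHOWN may be replaced
# (e.g. CHOWN=:) to run the logic without root.

SHARE_ROOT="${SHARE_ROOT:-/share}"
CHOWN="${CHOWN:-chown}"
USER_PREFIX="${USER_PREFIX:-domain+}"   # use USER_PREFIX="" for local users

# check_share SHARE -> 0 if /share/SHARE exists, 1 otherwise
check_share() {
    [ -d "$SHARE_ROOT/$1" ]
}

# create_user_subfolder SHARE USER
# Prints "created" or "skipped"; creates the folder with mode 700 so that
# no other domain user can even list it, then gives it to the user.
create_user_subfolder() {
    share="$1"; user="$2"
    dir="$SHARE_ROOT/$share/$user"
    if [ -d "$dir" ]; then
        echo "skipped"          # already present: safe to re-run
        return 0
    fi
    mkdir -m 700 "$dir" || return 1
    "$CHOWN" "${USER_PREFIX}${user}:administrators" "$dir" || return 1
    echo "created"
}

# lock_parent SHARE
# The share itself stays writable for the group (775) but is owned by
# admin, so a user cannot remove or rename another user's subfolder.
lock_parent() {
    dir="$SHARE_ROOT/$1"
    "$CHOWN" admin:administrators "$dir" && chmod 775 "$dir"
}

# is_private DIR -> 0 if DIR has mode 700 (owner only)
is_private() {
    [ "$(stat -c %a "$1")" = "700" ]
}

# Usage: sh thisscript.sh privates user1 user2 ...
if [ $# -ge 2 ]; then
    share="$1"; shift
    if ! check_share "$share"; then
        echo "Share Folder $share does not exist" >&2
        exit 1
    fi
    for u in "$@"; do
        echo "$u $(create_user_subfolder "$share" "$u")"
    done
    lock_parent "$share"
fi
```

Run it on the NAS as admin, for example sh thisscript.sh privates user1 user2; the user list can come from the same source the page's script uses (the domain's user accounts). Checking mode 700 after creation is the quick verification that a subfolder really is private before domain users are told it exists.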