The Views Expressed Below Do not in any way reflect Internal Doctorine or Official Statements of Netgear Inc. These are just my notes - Use at your own Risk.
THIS ARTCILE APPLIES TO READYNAS 4.2.x INTEL UNITS and 4.1.x SPARC UNITS
Helpful Link - a little outdated but still helpful:
NOTE BEFORE GUIDE:
Please read all of the following when you have a chance as it will help you understand the NAS and DOMAINS on a new level.
Here is another guide I made. Its made for those people that really understand the layout of the Readynas. I don’t have the exact steps listed just the general layout that will suffice for L2+. As in there is no picture guides it just explains what you need to do, with the general understanding that you should know where all these options are. If not just send me an email.
Note I have also attached other peoples guides which helped me come up with this ultimate guide and also I attached my domain joining guide if you want one. The full list of the attached stuff is below the Guide at the bottom of the email.
This guide will teach you how to use domain permissions in such a way such that you can have a different folders so that only certain users can make files/folders in them. Exactly what our customers need.
Also the other type of folder is an all access type of folder. Lots of customers will need this type of repository.
Here are the steps.
The general lay out of the guide below is:
First: Join the ReadyNAS to the Domain
I have attached a guide for Joining to the domain
Second: Make an all access share ( the LINUX permissions – which are the permissions we deal with in frontview – need to be all access, it’s the permissions in Windows that actually need to do the work. Think of layers. There are 2 layers of permissions in this case: 1st layer is LINUX/UNIX POSIX permissions on the readynas which need to be all access, then 2nd is the layer of permission assigned by the domain controller)
Third: Set up the folder within the Share so that (a) you have a share that only user1 (and domain admins)can access and (b) you have a share that everyone can access (domain user means everyone… we technically don’t want everyone all access in a domain environment or else non authorized users will be able to access domain repositories – so its better to select domain users instead of everyone in a domain scenario)
Interesting Note 1: Copying files into these folders will not preserve permissions, the files will take on the permissions of the folder you put them in. To preserve permissions one must use third party software like ROBOCOPY.
Important Note 2: If your starting with a share that already has files in it. Please reset the permissions on it. To clear and reset the permissions please read my attached guide on it.
HERE IS THE GUIDE (READ WHOLE BLUE SECTION BEFORE DOING IT):
Domain Permissions - 11-16-2012
Permissions Layers and order:
The idea is that the SHARES will have only READYNAS Permissions and no DOMAIN PERMISSIONS, so that shares will be all access. The Folders within the share are the ones that will have inherited the READYNAS PERMISSIONS for its layer 1 permission levels and for the actual Permissions that users “feel” we setup Domain Permissions from the Domain Controller as an Admin User. (Note you don’t really have to set the permissions from the DC, just make sure your on domain computer logged in as a domain admin, its better though to be on the DC as a domain admin)
* Join to the domain as ADS on 4.2.22 firmware or newer
Again I have attached a document for that ( MY GUIDE ON JOINING DOMAIN is attached)
---WHAT IS RECOMMENDED:---
* Make a SHARE and hit okay (Leave public access on if you want, we will uncheck guest permissions inside cifs which will disable that eitherway)
In the cifs options:
* Uncheck Guest Access
* Make that share wide open
* Default Read/Write
* Advanced ACLS in the CIFS is readwrite and both check marks are checked (however we just left it default)
---Also What Works --- THIS IS WHAT I DO:---
* Just Make a SHARE uncheck guest access and thats it, leave it as default <---- WORKS GREAT
* NOTE IF YOU ALREADY HAVE MADE SHARE MADE WITH FILES IN IT – just reset the permissions on it using the guide provided (MY GUIDE ON RESETTING PERMISSIONS is attached )
==ON WINDOWS SIDE====
* log in to Domain Controller as Domain Admin and Go to the NAS with UNC path \\IP_of_NAS\SHARENAME or \\HOSTNAME_OF_NAS\SHARENAME then make a folder in the share called USER1 (switch USER1 with the username of user you have access to) for the sake of the example and also make a folder called ALLACCESS. Finally also a folder just for domain access.
* All the security settings will be set in the Security Tab and not in the
--folder: USER1 -- for folder that only "user1" can access--
* If you want to make a USER1 folder
* Make USER1 Folder
* Right click Properties
* Security, then Advanced - change permissions
* Then Break it away from parent.. It’s a check box that needs to be unchecked
(The idea is if you do not break it away from the parent it will have all access based on the permissions setup on its parent which is the SHARE [the parent of an object is where it sits in, so USER1 folder sits in the share SHARE, so USER1s parent is SHARE])
* Propegate the break thru the folders children (it will ask add or remove -- and I Hit Remove either way it worked in the end )
* Then remove DOMAIN USERS and all other permissions (sometimes there are a lot of weird permission objects that don’t make sense – delete them all) because that is allow in access for everyone and everyone
* And add USER1(dont really have to change its permissions, because it already has the read/write settings that we want) and give him FULL CONTROL
* Also Add Domain Admin and give it FULL CONTROL as well so that Domain Admins never lose access to anything ( The idea is every share needs to have domain admins accessible to it, unless its absolutely necessary that the domain admins cant see it, like vital secret CEO paperwork)
* (Note: when we broke away it asks to add or remove when you remove parent. we hit REMOVE parent permissions. When I made folder USER1 it didnt give it write permissions so I wasnt able to write files in USER1 being logged in as USER1. Give USER1 full control in that folder )
--folder: ALLACCESS -- for folder that "all users" can access--
* If you want a folder that everyone has access to
* Just make a folder in side the share SHARE and that’s it
* Why? Since it will be tied to the parent which is the share which we set to all access it should be all good
* Back to Interesting Note 1 from above : When copied a folder made by USER1 (and for USER1 access only) into the ALLACCESS folder it propegated the settings of ALLACCESS into the copied material so that anyone could now access it.. Makeing the ALLACCESS folder and anything within it (weather its copied from another location or not) all accessible. This is not a security risk because if your USER2 you would not be able to copy USER1 folder into the ALL folder. Only when your USER1 can you copy USER1 folder to the ALLACCESS FOLDER.
--for folder that only “domain admins” can access—
* Make a folder
* Right click Properties
* In the advanced properties - change permissions
* break it away from the parent (uncheck that box) - when popup window comes up hit REMOVE
* propagate it properties through its children(with that check box, check the box)
* delete everyone out
* Add “Domain Admins“ and give them full control
To test: Log in as different users from other PCs joined to the domain and see what you can access and etc.
I don’t know if I should mention this now, only if you have mastered the rest of the material on here, however:
HERE IS ANOTHER WAY TO LAYOUT THE PERMISSIONS (instead of all access on the shares and sub folders have the different permissions from the domain)
SO THAT PER SHARE YOU HAVE DIFFERENT PERMISSIONS THAT REQUIRES THE READYNAS POSIX PERMISSIONS TO USE SPECIAL “EXTENDED PERMISSIONS” - WHICH I WILL NOT GET INTO google is great on that topic, BUT BASICALLY WHEN YOU JOIN THE READYNAS TO THE DOMAIN, THE USER & GROUP LIST WILL BE EXPORTED FROM THE DOMAIN CONTROLLER AND IMPORTED INTO THE NAS AUTOMATICALLY. NOW WHEN YOU MAKE A SHARE LETS SAY A SHARE CALLED “ USER1-ONLY”, YOU CAN SET UP –all on the nas- DEFAULT ACCESS NONE AND ONLY GIVE USER1 READ AND WRITE ACCESS ON THE READYNAS SIDE OF THINGS, AND YOU WONT HAVE TO DO ANYTHING FROM THE DOMAIN SIDE)
That’s it, Again it wasn’t really as step by step as I wanted it to be but if you have experience of intuition and also know how to enable and disable things based on simple instruction steps. Like If I tell you disable parent propagation on a folder and you know what that means then you are golden.
Here is the list of the other documents that are worth reading that I have attached:
* “Chirpas ADS Permissions” – older but useful
* Also there is a readynas.com guide on permissions which I have included here “PERMISSIONS GUIDE ON READYNAS ” – older but useful
* “My guide on Joining Readynas to Domain” – This is referenced a lot in the guide because when you join the NAS to the domain it can be a process. The process is explained in this attachement
* “My guide on Resetting Permissions” – If you have a share already and don’t want to start with a new share, make sure you just reset its permissions with the following guide
* Also another guide on resetting permissions called “ORIGINAL PERMISSIONS GUIDE” that was the building blocks of “my guide on resetting permissions”
That’s a lot of reading especially with the attachements.