Windows ACL on QNAP: what is it

How to Use Windows ACL to Manage User Permissions on the QNAP NAS

I – What is Windows ACL?

II – About ACL Permissions

III – How to Enable ACL on QNAP

IV – ACL Permission Configuration

I – What is Windows ACL?

An ACL, or Access Control List, is a security concept in which individual users or groups are granted specific access to certain actions on a file. For example, in the overview image above, the accountant can have write access to update the file, the sales manager can review the file, and other users are denied access.

Windows ACL allows the QNAP NAS administrator to configure file and folder permissions for the local and domain users on the NAS from Windows Explorer. The administrator can add, modify, and remove Windows ACL permissions of the NAS on Windows XP, Vista, Windows 7, Windows Server 2003, and Windows 2008.

II – About ACL Permissions

Each permission is listed below by name, followed by its description.

Traverse Folder/Execute File:
For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse Folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)
For files: Execute File allows or denies running program files. (Applies to files only.)
Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.

List Folder/Read Data:
List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. (Applies to folders only.)
Read Data allows or denies viewing data in files. (Applies to files only.)

Read Attributes:
Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.

Read Extended Attributes:
Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

Create Files/Write Data:
Create Files allows or denies creating files within the folder. (Applies to folders only.)
Write Data allows or denies making changes to the file and overwriting existing content. (Applies to files only.)

Create Folders/Append Data:
Create Folders allows or denies creating folders within the folder. (Applies to folders only.)
Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data. (Applies to files only.)

Write Attributes:
Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
The Write Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Write Extended Attributes:
Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
The Write Extended Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Delete Subfolders and Files:
Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (Applies to folders.)

Delete:
Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.

Read Permissions:
Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.

Change Permissions:
Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.

Take Ownership:
Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

Synchronize:
Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.

Note: You will not be able to access an encrypted file without the Encrypting File System (EFS) key, even if you have the necessary permissions.

III – How to Enable ACL on QNAP

Note: The QNAP NAS firmware must be v3.7.0 or above.

This application note will guide you to:

Enable Windows ACL

Log in to the NAS as “admin”. Go to “Access Rights Management” > “Share Folders” > “Advanced Options”, select “Enable Windows ACL Support” and click “Apply”.

Note: When Windows ACL is enabled while Advanced Folder Permissions are disabled, the file and folder permissions will only apply to Samba service. To apply the permission settings to Samba, FTP, AFP, and Web File Manager, please also enable “Advanced Folder Permissions”.

IV – ACL Permission Configuration

Configure Basic Permissions

Open Windows Explorer and connect to the NAS via Samba. Right click a shared folder and select “Properties”. Under the “Security” tab are the permission settings. Click “Edit”.

Select a user name (NAS local or domain user). Modify the permissions for the user and click “Apply”.

Configure Advanced Permissions

To configure advanced permissions, right click a shared folder and select “Properties”. Click “Advanced” under the “Security” tab.

Click “Change Permissions”.

Click “Edit” to configure the advanced permissions. Modify the permission settings and click “Apply”.

Calculate Effective Permissions

To calculate the effective permissions of a user account, right click a shared folder and select “Properties”. Click “Advanced” under the “Security” tab.

Select the “Effective Permissions” tab. Under “Group or user name” click “Select”; input a user or group name. Click “OK”.

The effective permissions of the user or group will be shown.

Transfer Files from a Windows Server to the NAS

After enabling Windows ACL, users can transfer files from a Windows server to the NAS while keeping the file ACL permissions. Third-party software is required. The freeware “FastCopy” will be used as an example. For more information about FastCopy, please visit http://ipmsg.org/tools/fastcopy.html.en

  1. Log in to the Windows Server with an administrator account. Connect to a shared folder of the NAS and map it as a network drive. Here we assign the drive name Z: as an example.
  2. Launch FastCopy.
  3. Specify the source directory in “Source” and the NAS folder (drive Z) as the destination directory in “DestDir”. Please remember to enable the “ACL” option to allow the NAS to inherit the ACL permissions from the Windows Server.
  4. Click “Execute” to start the replication job.

Please note that the permissions inherited from the root folder could become explicit permissions. After finishing the data transfer, check the permission settings on Windows,

QNAP NAS: Samba (SMB): Enable Windows ACL Support (Fixed a Bug on the NAS)

This fixes a bug found in the model QNAP TS-469 Pro with firmware version 4.2.0 Build 20160130.

I expect it to work on other models with firmware versions 4.2.x as well.

In short, the required module was installed in the wrong location, and QNAP did not notice.

Copying the module to the correct location solves the problem.

Enabling Windows ACL Support on the NAS

To enable Windows ACL support, follow these steps on the NAS:

  1. Control Panel > Privilege Settings > Shared Folders > Advanced Permissions;
  2. Check the checkbox Enable Windows ACL support;
  3. Click the Apply All button.

However, after making the change, the shares could not be reached anymore.

Attempt to Connect to Samba on the NAS from Mac OS X with Finder

To connect the share with Finder, follow these steps on the Mac:

  1. Finder > Go > Connect to Server;
  2. Enter smb://username@host/share, with username, host, and share replaced by your actual values;
  3. Click the Connect button;
  4. Enter the correct password for the username;
  5. Click the Connect button.

However, the following error is shown:

There was a problem connecting to the server “host”.

The share does not exist on the server. Please check the share name, and then try again.

Attempt to Connect to Samba on the NAS from Mac OS X with smbutil

Enter the following command, with username and host replaced by your actual values:

Enter the correct password for the username;

Press the Enter key on your keyboard.

However, the following error is shown:

Find the Solution (Advanced, May Skip)

Connect to the NAS with ssh with the following command, with host replaced by your actual value:

Examine the command line arguments of the smbd process:

Here is the response:

So, it is known that:

  1. The smbd executable is located at /usr/local/samba/sbin/smbd;
  2. The log files are located in the directory /var/log;
  3. The config file is located at /etc/config/smb.conf.

List the directory /var/log:

Here is the response:

So, the log file is expected to be /var/log/log.smbd;

Read the log file:

Here is the tail of the response (xuserx is the username used):

So, it is known that the problem is that the module ‘acl_xattr’ could not be loaded;

Examine the build flags of smbd:

Here is the response:

So, it is known that:

  1. The Samba package has ACL support;
  2. The ACL support is not a built-in module, but a separate VFS module;
  3. The modules are located at /usr/local/samba/lib.

List the directory /usr/local/samba/lib:

Here is the response:

Note that acl_xattr.so is found here!

List the directory /usr/local/samba/lib/vfs:

Here is the response:

At this point, it is easy to spot the solution!

Start Terminal (if not already done);

Connect to the NAS with ssh with the following command, with host replaced by your actual value (if not already done):

Copy the required module to the correct directory:
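An added example, not the author's commands: a shell function that performs the check the walkthrough arrives at, reporting whether each module named in smb.conf sits in the vfs subdirectory, in the parent library directory (the misplacement described here), or nowhere. The function name, the sample smb.conf line and the temporary directory tree are constructed for illustration; `vfs objects` is the standard Samba parameter, assumed to be how the NAS requests acl_xattr.

```shell
#!/bin/sh
# Added example: classify each module named on a "vfs objects" line of an
# smb.conf as ok / misplaced / missing, relative to a Samba module directory.
# Assumes the parameter name is written in lowercase with a single space.
# On the NAS described above the call would be:
#   find_misplaced_vfs_modules /etc/config/smb.conf /usr/local/samba/lib
find_misplaced_vfs_modules() {
    conf=$1      # path to smb.conf
    libdir=$2    # Samba module directory (MODULESDIR in the build flags)
    # Collect every module named after "vfs objects =" (or "vfs object =").
    modules=$(sed -n 's/^[[:space:]]*vfs objects\{0,1\}[[:space:]]*=[[:space:]]*//p' "$conf" \
        | tr -s ' \t,' '\n' | sort -u)
    for m in $modules; do
        if [ -f "$libdir/vfs/$m.so" ]; then
            echo "ok $m"            # where smbd looks for VFS modules
        elif [ -f "$libdir/$m.so" ]; then
            echo "misplaced $m"     # present, but one directory too high
        else
            echo "missing $m"       # not shipped at all
        fi
    done
}

# Constructed sample tree reproducing the layout found on the NAS:
# acl_xattr.so in lib/ instead of lib/vfs/.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/vfs"
    : > "$root/lib/acl_xattr.so"
    : > "$root/lib/vfs/recycle.so"
    printf '[global]\nvfs objects = acl_xattr recycle streams_xattr\n' > "$root/smb.conf"
    find_misplaced_vfs_modules "$root/smb.conf" "$root/lib"
    rm -rf "$root"
}

demo
```

A "misplaced" line corresponds to the fix given above: copy that module from the library directory into its vfs subdirectory.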

Support

Summary:

The following instructions will guide you to replicate the files with Windows ACL from a Windows file server to QNAP NAS.

The following instructions were tested with Windows Server 2019 and QTS 4.4.1.

Windows File server and Windows AD service are running on Windows Server 2019.

Procedure

1. Please ensure both the Windows file server and the QNAP NAS are joined to the same AD domain.

2. Enable Windows ACL support via Control Panel > Privilege > Shared folder > Advanced permission

3. Using the NAS admin account, create a shared folder for storing the files with Windows ACL replicated from the Windows file server.

4. Mount this same folder as a network drive on Windows File Server

4.1. Right-click on the folder and find Map Network Drive

4.2. Choose the drive letter to map the shared folder. Here we take the Z drive as an example.

4.3. Log in with NAS_IP\admin and the password of the NAS admin

4.4. It should now be mapped as a network drive

5. Edit the permissions of the network drive (Z:)

5.1. Right-click on the Z drive and click Properties

5.2. Find Advanced under the Security tab

5.3. Double-click Everyone

5.4. Change “Applies to” to “This folder only”

5.5. Click Yes when you see the following warning

5.6. The setting should now appear as below

6. Download FastCopy, install and run it

6.1. Select the source folder you want to replicate the files from

6.2. Choose the network drive (Z:) as the destination folder

6.3. Make sure ACL is checked.

FastCopy will start to replicate the files with Windows ACL from the Windows file server to the QNAP NAS.
