This is so I don’t forget what I did to set this up correctly, since I spent hours tweaking.
1. Install FreeNAS on the designated computer. In my case I used a 4 GB flash drive as the target for the install.
2. Create a ZFS volume. This is important. Don't create a UFS one: it will get in the way of changing permissions from the Windows side later on, due to some unknown bug. It took me hours to realize.
3. Create a group for all the users in the LAN that will have equal access rights.
4. Create as many users as needed to match the users and their credentials in the LAN computers (workgroup style).
5. Configure CIFS service settings for workgroup so it matches your LAN workgroup. Set authentication model to local users.
6. Create a new volume, with the main LAN user as the owner, and the group created in step 3 above as the owner (group).
7. Change permissions to rwxrwxr-x. This is so you can allow certain shares to be accessed but not modified.
8. Set ACL to Windows.
9. Create a Windows CIFS share. Allow guest access. If prompted to start service, click yes.
10. From a Windows computer, create the main folders that will be public and private. Edit the security of the private one by removing Everyone from the permissions. That effectively makes the permissions for that folder rwxrwx---, i.e. if you're not the owner and don't belong to the group, you don't have access at all.
11. If you wish to remove write permissions from subfolders of the publicly shared folder, edit advanced permissions for Everyone to allow only:
    - Traverse folder / execute file
    - List folder / read data
    - Read attributes
    - Read extended attributes
    - Read permissions

    Apply to This folder, subfolders and files.
12. I ran into a problem deleting files and folders when logged in as owner/group member. To handle it, I granted full control to the first private folder of the share, and set it to propagate to subfolders and files.

I suppose individual shares could be set up, as an alternate method, using ZFS datasets. As of this writing I have not tested that route, so I can't say if it's more convenient/configurable/flexible. I know the above works.
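
A check for steps 10 and 11, as an added example that is not part of the original notes: it parses the NFSv4 ACL listing that FreeBSD's `getfacl` prints for files on ZFS and reports where everyone@ has any access under the private folder, or more than the five read-only permissions under the public one. It assumes the permissions set from Windows are stored as ZFS NFSv4 ACLs; the paths and the sample listing are constructed.

```python
import re

# Step 11's Windows permissions as getfacl NFSv4 letters: x=Traverse/execute, r=List/read
# data, a=Read attributes, R=Read extended attributes, c=Read permissions; 's' tolerated.
READ_ONLY = set("rxaRcs")
ACE = re.compile(
    r"^\s*(?P<who>owner@|group@|everyone@|(?:user|group):[^:\s]+)"
    r":(?P<perms>[rwxpDdaARWcCos-]{14}):(?P<flags>[fdinSFI-]{7}):(?P<type>allow|deny)")

# Constructed sample of `getfacl` output ("# owner:" / "# group:" header lines omitted).
SAMPLE = """\
# file: /mnt/tank/share/private
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
# file: /mnt/tank/share/public/docs
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c--s:fd-----:allow
# file: /mnt/tank/share/public/inbox
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:rwxp--a-R-c--s:fd-----:allow
"""

def parse_getfacl(text):
    """Return {path: [(who, set_of_perm_letters, 'allow'|'deny'), ...]}."""
    acls, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):].strip()
            acls[path] = []
        elif path is not None and (m := ACE.match(line)):
            acls[path].append((m["who"], set(m["perms"]) - {"-"}, m["type"]))
    return acls

def audit(acls, private, public_ro):
    """Findings where everyone@ holds more than steps 10 and 11 intend."""
    under = lambda path, roots: any(path == r or path.startswith(r + "/") for r in roots)
    findings = []
    for path, aces in acls.items():
        for who, perms, kind in aces:
            if who != "everyone@" or kind != "allow" or not perms:
                continue
            if under(path, private):
                findings.append((path, "everyone@ allowed on private folder"))
            elif under(path, public_ro) and perms - READ_ONLY:
                findings.append((path, "everyone@ can modify: " + "".join(sorted(perms - READ_ONLY))))
    return findings

if __name__ == "__main__":
    print(audit(parse_getfacl(SAMPLE), ["/mnt/tank/share/private"], ["/mnt/tank/share/public"]))
```

Only allow entries are examined, so a folder that relies on an earlier deny entry for everyone@ will still be reported and needs a manual look.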