Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

11.3 - ACL/Permissions greyed-out for SMB and POOL

Western Digital Drives - The Preferred Drives of FreeNAS and TrueNAS CORE

yeeahnick

Cadet
Joined
Feb 2, 2020
Messages
8
Hello,

I am new to FreeNAS. I recently installed 11.2U7 and upgraded it to 11.3 a few days ago. Since the update, my "Edit Permissions" and "Edit ACL" menus are greyed out in Pools and SMB Shares whether they are existing or freshly created. When I put my cursor on top of the greyed-out menu it says "Root dataset permissions cannot be edited/Root dataset ACL cannot be edited". Some help would be greatly appreciated.

Thanks.
 

Attachments

  • smb.png
    smb.png
    46 KB · Views: 1,643
  • pool.png
    pool.png
    84.7 KB · Views: 1,578

G8One2

Patron
Joined
Jan 2, 2017
Messages
242
Might need to upgrade your pool. Some things dont work without doing so. Cant say for sure thats your issue though....
 

yeeahnick

Cadet
Joined
Feb 2, 2020
Messages
8
Might need to upgrade your pool. Some things don't work without doing so. can't say for sure thats your issue though....

I did that already. I'm thinking that's what broke it. Thanks for the reply.
 

mgittelman

Patron
Joined
Dec 8, 2017
Messages
411
I had the same issue with a root dataset. Not a big deal for me as I'm mostly only sharing out child datasets through SMB, but this was definitely working in 11.2 since one of my shares was set up that way. Possible bug if you want to submit.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,278
It's not broke, that's the new behaviour in 11.3. You can't, and shoudn't, change the root dataset default perms/acl. @yeeahnick You need to create at least one dataset below the root in each of your pools. I'm guessing from your screen caps you have one phyiscal disk per pool, or least a bunch of disks of different sizes which you allocated to different pools.
 

yeeahnick

Cadet
Joined
Feb 2, 2020
Messages
8
It's not broke, that's the new behaviour in 11.3. You can't, and shoudn't, change the root dataset default perms/acl. @yeeahnick You need to create at least one dataset below the root in each of your pools. I'm guessing from your screen caps you have one phyiscal disk per pool, or least a bunch of disks of different sizes which you allocated to different pools.
Ah crap I did not know the behavior changed as this was working prior to 11.3. I actually have 2 drives of the same size per pool, using a mirror configuration. I guess I set it up wrong? I just created a new dataset and the menus are now available. Will test and report back big thanks mate!
 

yeeahnick

Cadet
Joined
Feb 2, 2020
Messages
8
Ok so I can access the permissions and acl for my pool dataset now but still cant access acl for smb shares. Also what do I need to do to set pool share type to unix like it was before?

1580679125184.png
 

Waffelen

Cadet
Joined
Dec 30, 2017
Messages
8
It's not broke, that's the new behaviour in 11.3. You can't, and shoudn't, change the root dataset default perms/acl. @yeeahnick You need to create at least one dataset below the root in each of your pools. I'm guessing from your screen caps you have one phyiscal disk per pool, or least a bunch of disks of different sizes which you allocated to different pools.

@KrisBee I just transfered to 11.3 at the start of the week (wish I had set my permissions first now) if I roll back to 11.2 set permissions on root dataset then come back to 11.3 would that keep my permissions intact or because its now not allowed would they be overwritten? In my use case I need the file structure to be as is cus there are many hundreds and maybe thousands of preexisting shortcuts that need to follow the same paths and not possible to go changing them all but still need to be able to assign users/groups to the root dataset so outside what I said above is there away change the acl in ssh cli? I accept that probably shouldn't be changing acl's on root dataset but there is areas where it is necessary and everything else (that i've seen so far anyway) is completely customiseable in freenas, even if its to your own detriment :-D
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
8,337
@KrisBee I just transfered to 11.3 at the start of the week (wish I had set my permissions first now) if I roll back to 11.2 set permissions on root dataset then come back to 11.3 would that keep my permissions intact or because its now not allowed would they be overwritten? In my use case I need the file structure to be as is cus there are many hundreds and maybe thousands of preexisting shortcuts that need to follow the same paths and not possible to go changing them all but still need to be able to assign users/groups to the root dataset so outside what I said above is there away change the acl in ssh cli? I accept that probably shouldn't be changing acl's on root dataset but there is areas where it is necessary and everything else (that i've seen so far anyway) is completely customiseable in freenas, even if its to your own detriment :-D
No permissions are changed during upgrade. ACLs can be managed through the CLI with "setfacl", "getfacl", and "winacl". winacl is primarily for recursively applying the ACL.
 

webx

Cadet
Joined
Apr 3, 2020
Messages
2
Hey not sure this was fully answered, BUT i have the same problem. I just upgraded from 9.10 to 11.3U1 and my existing pools for videos are under one big root pool dataset "movie". If you see in my screenshot I have 2 pools with this issue and they are larger drives that are both almost full.

This was not an issue with 9.10 as i could set permissions and it didn't matter that it was a root pool. I am not sure how to move the "movies" to a child dataset so that i can set permissions. I use SMB shares for my windows PC's and actually i was only able to get READ only access to the root pool shares.

can someone please help me, what can i do at this point?

1585946672634.png
 

mortman123

Cadet
Joined
Apr 8, 2020
Messages
1
Hey everyone, I've been using my pools in the same way for years. It's a huge pain that they've removed the ability for us to change root dataset permissions. Even if this isn't recommended anymore they should give us an advanced option that can at least allow us to modify the root dataset like before. I created a bug report here


Hopefully they get back to us soon and give us an advanced option to edit the root permissions.
 

aindriu

Dabbler
Joined
Sep 6, 2019
Messages
16
Permissions can still be managed through command line utilities (chmod, chown, setfacl, and winacl). They can also be set over SMB using a Windows client. Perhaps you can explain the use case that requires frequent changing / resetting of permissions on the root level dataset.
Permissions management in 11.2 for datasets was extremely rudimentary. For "windows" datasets it literally just ran "winacl -a reset -r -p <path>", and was only ever really intended to provide a basis for modifying ACLs from a Windows client. In 11.2-U6 and later doing this on the root dataset would more often than not knock servers out of production due to changes in security for default ACLs set by winacl.
The decision to expose permissions at this level has led to enterprise users inadvertently removing access to their entire data pool on quite a few occasions. Home users also have accidentally used this same feature on numerous occasions to accidentally reset permissions across jails and plugins. So there are compelling reasons to place guards to prevent users from doing this.

I have the same problem, i don't have any child datasets on the pool. On a home system there doesn't seem much point setting up a sub permission. There isn't much in the manual about permissions or the commands chmod, chown, setfacl, and winacl. Not very user friendly.
 

acquacow

Explorer
Joined
Sep 7, 2018
Messages
51
I have the same problem, i don't have any child datasets on the pool. On a home system there doesn't seem much point setting up a sub permission. There isn't much in the manual about permissions or the commands chmod, chown, setfacl, and winacl. Not very user friendly.
The man pages have all of the info on these commands.

winacl --help will give you the info for using winacl.

I'd do a lot of reading on ACLs before you touch anything though.

-- Dave
 

wraith

Explorer
Joined
Dec 21, 2015
Messages
95
Hi,

Also recently come across this "problem."

I've double checked my permissions on the root folder and they seem ok ... drwxrwxr-x+. Owner is "me" and owner group is my family group. However, I still can no longer access my root dataset and all my subfolders, including movies, from Windows 10. Windows gives me a "\\FREENAS is not accessible. You might not have permission.."

I've double check and reset passwords within FreeNAS to no avail.

Any thoughts?
 

bachewie

Cadet
Joined
Dec 23, 2021
Messages
3
This is still a problem. Tried with AD connection, and with creating users locally. Cannot manage the ACL of the dataset, so SMB doesn't allow anything to be written.
And the developer is telling us to use the CLI to manage this?
How did this pass any QA?! I'll try fumbling around a little more, then I'll abandon this unfinished product.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
8,337
This is still a problem. Tried with AD connection, and with creating users locally. Cannot manage the ACL of the dataset, so SMB doesn't allow anything to be written.
And the developer is telling us to use the CLI to manage this?
How did this pass any QA?! I'll try fumbling around a little more, then I'll abandon this unfinished product.
If you create a dataset (e.g. tank/SMB) you should be able to edit permissions for it. There is no need to use CLI in general.
 

mscombs87

Cadet
Joined
Mar 8, 2022
Messages
2
I have a child dataset created on an existing pool (tank/SMB) trying to mount it with cifs
Code:
[2022/03/08 10:02:29.132953,  0] ../../source3/smbd/service.c:169(chdir_current_service)
  chdir_current_service: vfs_ChDir(/mnt/tank/SMB) failed: Permission denied. Current token: uid=65534, gid=65534, 5 groups: 546 65534 90000004 90000005 90000003


getfacl returns this on tank
Code:
root@truenas[/mnt]# getfacl tank
# file: tank
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow


getfacl also returns this for SMB which with the gui has full access for everyone@
Code:
root@truenas[/mnt/tank]# getfacl SMB
# file: SMB
# owner: nasuser
# group: builtin_users
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow


This was a pool that was upgraded from FreeNAS to TrueNAS
I do feel in there are issues with preventing the root ACLs to be modified as due to this unless I figure out how to fix this via CLI my SMB shares no longer work. It may work with a brand new pool but many users will upgrade their pools.
 

mscombs87

Cadet
Joined
Mar 8, 2022
Messages
2
Correct that is how it was in the legacy pool. Upgrading the pool over time that no longer worked then removing the ability to change root permissions from the GUI forced me to use the CLI to fix the issue. In a home environment that may be a common thing on older pools.
 
Top