ACL & Dataset Setup

ECC

Explorer
Joined
Nov 8, 2020
Messages
65
Hi,
I watched many tutorials on this, but I'm still struggling with my setup. My situation:

1 pool called "storage". 2 users: user_a and user_b. All users use Win machines / SMB Share.

I want to create a folder structure inside storage that contains: folder_1, folder_2 and folder_3

user_a should have full access to folder_1, folder_2 and folder_3
user_b should only have access to folder_2 and folder_3

Now, if everything is set up properly, all users should see the 3 folders inside of storage, but access to folder_1 is restricted to user_a.


Please help me
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Option 1: One SMB share,
1) create 3 users user_a, user_b, admin
2) make "admin" a member of "builtin_administrators" group
3) create an SMB dataset "storage/share" and have it owned by builtin_administrators
4) add ACL entry to storage/share granting group "builtin_users" READ access with NO_INHERIT flags set.
5) create SMB share pointing to /mnt/storage/share and authenticate to share as Admin and create folders 1, 2, 3
6) use ACL editor in windows to add "full control" for user_a to folder_1 through folder_3,
7) use ACL editor in windows to add "modify" for user_b to folder_2 and folder_3

Option 2: Three SMB shares:
1) create users / groups as above
2) create datasets storage/ds1, storage/ds2, storage/ds3
3) add ACL entry granting FULL_CONTROL for user_a to all three datasets, add ACL entry granting MODIFY for user_b to ds2, ds3
4) create separate SMB shares pointing to each of the datasets.

Note:
Despite multiple how-tos stating to "chmod 770 /mnt/storage"... do not under any circumstances do this. It will prevent users from being able to access shares.
 

ECC

Explorer
Joined
Nov 8, 2020
Messages
65
Thank you, but unfortunately it didn't work.
5) create SMB share pointing to /mnt/storage/share and authenticate to share as Admin and create folders 1, 2, 3
I couldn't do that, there was no option in the sharing menu to share as admin. How should I create the folders? In TrueNAS GUI or in Windows SMB Share?
6) use ACL editor in windows to add "full control" for user_a to folder_1 through folder_3,
I don't understand: ACL Editor is supposed to be in TrueNAS GUI, so how can I open the ACL Editor in Windows?

Just my opinion: The setup for ACL & Permissions is an absolute nightmare in TrueNAS... I did it once in QNAP and had no problems whatsoever. I don't understand why it has to be that inconvenient...
 
Last edited:

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Thank you, but unfortunately it didn't work.

I couldn't do that, there was no option in the sharing menu to share as admin. How should I create the folders? In TrueNAS GUI or in Windows SMB Share?
Step 1 I specified creating an "admin" user. Use this user account to authenticate to the share.

I don't understand: ACL Editor is supposed to be in TrueNAS GUI, so how can I open the ACL Editor in Windows?
Windows File Explorer has an ACL editor that can be used for editing the ACL on any file in the SMB share. Right click on the file, click on the "Security" tab. Normal Windows administration stuff. Create directories in the share with an SMB client, then alter their permissions. The steps are basically the same as what you would do on a Windows server.

Just my opinion: The setup for ACL & Permissions is an absolute nightmare in TrueNAS... I did it once in QNAP and had no problems whatsoever. I don't understand why it has to be that inconvenient...
I'm sorry that you're having problems. In general, you create users, create groups, and set permissions for the groups.

Perhaps I wasn't clear, I proposed two separate solutions depending on how you wanted to achieve a pretty vague objective.

Another option would have been to do the following in the GUI

1) create datasets
storage/share
storage/share/ds1
storage/share/ds2
storage/share/ds3

2) set permissions
grant builtin_users group READ access (non-inheriting) to storage/share.
grant user_a FULL_CONTROL to storage/share/ds1, storage/share/ds2, storage/share/ds3
grant user_b FULL_CONTROL to storage/share/ds2, storage/share/ds3

3) create share for path /mnt/storage/share
 
Last edited:
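To make the inheritance point in the last option concrete, here is a small model (added here, not TrueNAS code or anodos's) of how the proposed ACL layout evaluates: a non-inheriting READ entry on storage/share lets every member of builtin_users traverse into the share, while only the per-dataset FULL_CONTROL entries decide who can open ds1, ds2 and ds3. Permission values, the group membership table and the `Ace` class are simplified constructions for illustration.

```python
"""Model of the share-root / per-dataset ACL layout from the thread.

Constructed example: NFSv4-style entries are reduced to a principal,
a permission bitmask and an inherit flag. Group membership is a plain
dict standing in for builtin_users (all local SMB users)."""
from dataclasses import dataclass

READ, MODIFY, FULL_CONTROL = 1, 3, 7  # FULL includes MODIFY includes READ


@dataclass
class Ace:
    principal: str          # "user:<name>" or "group:<name>"
    perms: int
    inherit: bool = True    # False models the NO_INHERIT flag


# Constructed dataset tree following the layout proposed above.
ACLS = {
    "storage/share": [Ace("group:builtin_users", READ, inherit=False)],
    "storage/share/ds1": [Ace("user:user_a", FULL_CONTROL)],
    "storage/share/ds2": [Ace("user:user_a", FULL_CONTROL), Ace("user:user_b", FULL_CONTROL)],
    "storage/share/ds3": [Ace("user:user_a", FULL_CONTROL), Ace("user:user_b", FULL_CONTROL)],
}
GROUPS = {"builtin_users": {"user_a", "user_b"}}  # every local SMB user


def effective_acl(path):
    """Entries set on the path itself plus inheritable entries of its ancestors."""
    parts = path.split("/")
    acl = []
    for i in range(1, len(parts)):
        acl += [a for a in ACLS.get("/".join(parts[:i]), []) if a.inherit]
    return acl + ACLS.get(path, [])


def granted(user, path):
    """Union of the permission bits the user collects on a single directory."""
    perms = 0
    for ace in effective_acl(path):
        kind, name = ace.principal.split(":")
        if (kind == "user" and name == user) or (kind == "group" and user in GROUPS.get(name, ())):
            perms |= ace.perms
    return perms


def can_access(user, path):
    """True only if the user holds at least READ on every directory down to the path."""
    parts = path.split("/")
    return all(granted(user, "/".join(parts[:i])) & READ for i in range(2, len(parts) + 1))
```

Running `can_access("user_b", "storage/share/ds1")` returns False because the root entry does not inherit into ds1 and ds1 names only user_a; flipping that root entry to `inherit=True` would leak READ on ds1 to every SMB user, which is exactly what the non-inheriting flag prevents.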

ECC

Explorer
Joined
Nov 8, 2020
Messages
65
Step 1 I specified creating an "admin" user. Use this user account to authenticate to the share. The steps are basically the same as what you would do on a Windows server.
I forgot one error: During the creation of the admin user, I got this error:

Code:
[EFAULT] Failed to set NT password for admin: Username not found!

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 137, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/service.py", line 463, in update
    rv = await self.middleware._call(
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 973, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/account.py", line 506, in do_update
    await self.__set_smbpasswd(user['username'])
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/account.py", line 857, in __set_smbpasswd
    await self.middleware.call('smb.update_passdb_user', username)
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1238, in call
    return await self._call(
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/smb_/passdb.py", line 112, in update_passdb_user
    raise CallError(f'Failed to set NT password for {username}: {setntpass.stderr.decode()}')
middlewared.service_exception.CallError: [EFAULT] Failed to set NT password for admin: Username not found!


So I managed somehow to create an admin user, but I cannot access the share with the admin credentials.
 
Last edited:

ECC

Explorer
Joined
Nov 8, 2020
Messages
65
1) create 3 users user_a, user_b, admin
Can you please tell me which groups should be assigned to these users?
And what does builtin_users group mean?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I forgot one error: During the creation of the admin user, I got this error:

Code:
[EFAULT] Failed to set NT password for admin: Username not found!
So I managed somehow to create an admin user, but I cannot access the share with the admin credentials.
That error indicates that there was an issue with creating the user (it did not exist at the time that we tried to add it to the SMB user database). Probably a bug. Please PM me a debug. System->Advanced->Save Debug.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you please tell me which groups should be assigned to these users?
And what does builtin_users group mean?
builtin_users is a group that contains all local SMB users on the server. It's a builtin group that is the same as BUILTIN\Users (S-1-5-32-545) in Windows. When the TrueNAS is joined to an Active Directory domain, all AD members are also members of this group.
 

ECC

Explorer
Joined
Nov 8, 2020
Messages
65
I did the following:

1) created the users user_a, user_b with group (builtin_groups)
2) did this
1) create datasets
storage/share
storage/share/ds1
storage/share/ds2
storage/share/ds3

2) set permissions
grant builtin_users group READ access (non-inheriting) to storage/share.
grant user_a FULL_CONTROL to storage/share/ds1, storage/share/ds2, storage/share/ds3
grant user_b FULL_CONTROL to storage/share/ds2, storage/share/ds3

3) create share for path /mnt/storage/share
Then I tried to access it. user_a was able to see & edit all 3 folders, but user_b was not able to log in at all... Checked the credentials and ACL, but nothing worked...

Another frustrating day with TrueNAS, oh boy, what have I chosen...
 

tessierp

Dabbler
Joined
Nov 23, 2021
Messages
16
Another frustrating day with TrueNAS, oh boy, what have I chosen...
Just started to use TrueNAS coming from UNRAID where I faced weird bugs. I wanted to get away from QNAP and other products like Synology, but especially QNAP after a unit of theirs I owned crapped out due to a bad design.

I'm also struggling with the shares, it is really not straightforward and there are some weird bugs. The home directory functionality should be something easy to use and configure, but nothing works for me so far.
 