SOLVED ACL with SMB, child datasets can be deleted - help

[ragametal]

I’ve been trying to get my ACLs to work for the last couple of days but I think it is time to ask for help.

I created a parent Dataset and 2 child datasets.
I created a single SMB share for the parent dataset, that way when the clients access the share they could also access the child datasets as they appear as folders.

Pool
|
---Parent
|
---Child 1
|
---Child 2

My intent is not to allow anyone to create, modify or delete the contents of the parent dataset but i do want people to have full control inside the child datasets.

The ownership is as follows

• Parent – root:wheel
• Child1 – root:child1
• Child2 – root:child2

My ACLs looks as follows

Everything works as expected inside the child datasets and people are not allow to create or modify the existing contents in the parent dataset.

However, when people are in the parent dataset, they can delete a child dataset from there. The dataset is not really deleted as it will reappear when they “refresh” their window but the contents inside the child dataset would be gone by then.

In parent dataset, no one has the permissions to “delete children” or “delete”. In the child datasets, the groups do have “delete” permissions as i want people to be able to delete the files they created inside the child dataset.

I can prevent people from deleting the child dataset if I remove the “delete” permissions for that child dataset. But this would also prevents users from deleting or renaming the contents inside the child dataset.

What am i doing wrong? How can i prevent clients from deleting the dataset via SMB?

ps. I'm using Truenas 12.0-U6

 

[JohnDigital]

So it sounds like you are stopping the kids from deleting each others files, you can look around about a "sticky bit" then this will allow only the owner to delete the folder(s) root can always delete too.. It was always how you stop folks deleting stuff in the upload folder or the upload folder itself hah, im sure its still used.

 

[ragametal]

@John Digital , you just hit the nail on the head. My “admin” kids doesn’t like when my other “employee” kids mess up with their finance files and folders. Why can’t they just get along?

Jokes aside thanks for the suggestion. I never heard about the “Sticky bit” before but it sounds like it does exactly what I want to achieve. But i do have some questions about it.

1. The sticky bit seems to be part of the unix type permissions. I’m using ACLs, do you know if the sticky bit is compatible with ACL permissions?
2. Do you know hot to set up a sticky bit via the web GUI? It looks like i need to “chmod +t” the dataset in order to implement the sticky bit and, while i’m more comfortable than i should using the CLI, the general consensus here is that i should interact with truenas via the web GUI in order to avoid problems doing updates.

BTW, your suggestion made me think about adding an explicit ACE denying the “Delete” permission for the “builtin_users” on the Parent dataset, but this didn’t work either.

I’m really at lost here.

 

[ragametal]

Update.
These are the things that i have tried but the outcome is the same (users can delete the child dataset folder presented inside the parent dataset via SMB):

1. I changed the permissions from ACLs to unix type permissions. Then Set the sticky bit on the parent folder with chmod ug+t Parent but that didn't work.
2. Set the sticky bit on the Child dataset folder and that didn't work.
3. Changed the permissions back from Unix type to ACL type and un-selected the "Delete" permissions for the "Child1" and "Child2" groups. This worked but it also prevented users from renaming or deleting files/folders inside the child datasets.
4. I added explicit "Deny" ACE for the group "builtin-users" and selected the "Delete" permission but this had the same outcome as #3.

I'm all ears if If anybody has additional suggestions.

I updated my permissions table to make it simpler and easier to nail down where is my problem.

 

[ragametal]

I finally figured it out.
In case someone else run into this, the solution was to add an ACE to each of the child datasets to Deny the “Delete” permission for the group “builtin_users”.

The catch was that i had to do this from windows. For some reason this method didn’t work when i tried to add this ACE directly from truenas.

So, in windows, i opened the SMB share and right-click the folder for the first child dataset. Went to properties, security, advanced and added the following permission entry

Now nobody (besides root of course) can do anything on the Parent share and the users can do anything they want inside their assigned child datasets. There is order in the world again.

 

[JohnDigital]

Yes sounds like youve nailed it. Sticky bit is generally used in a server environment.

 

[Sparky23]

I'm trying to achieve something similar by having a dataset for Plex media to be nested within an SMB share dataset, effectively making the Plex dataset look like just another file in the share folder, however like you have already mentioned deleting the dataset results in the data within the 'folder' to be lost, I've followed your instructions as exactly as I can and I have been completely unsuccessful, im still able to delete the dataset and lose data.

 

[ragametal]

@Sparky23 i will try to explain what i did in more detail. Maybe I omitted0 something last time.

Based on what you said, plex is a child set inside the main data set. If that is the case then what you need to do is (in WINDOWS) right click the folder for the child set "PLEX" and click on properties.

Then go to the "Security" tab and click on the Advanced button.

A new window will open. In there locate the user "builtin_users" and click on the Edit button. Note, if this user is not listed you need to click on the Add button to add it manually and then click on the Edit button.

Lastly, change the permissions to match what i posted before.

One last thing that i discovered after i did my last post. You need to restart SAMBA every time you make a change. I honestly don't know if windows changes the permissions of the SAMBA share or the ZFS child set but to be sure just restart SAMBA. I honestly restarted the entire NAS just to be sure.

 

[Sparky23]

You need to restart SAMBA every time you make a change.

I'm running Core 13.0-U1 and when I make changes through the dashboard, they do seem to update and show up on the windows side of things immediately although I'll make restarts to see if the changes commit any harder, ha.

I'm hoping to have the Plex dataset 'folder' be undeletable by anyone to protect against any accidental button presses rather than malus, but still enable anyone to read and write data within the dataset itself. Originally I wanted to go for this to avoid having multiple network drives mapped on the windows side to make it more friendly for the less technical of the family.

I'm trying to follow the most recent set of permissions you posted but I don't think following them perfectly will yield the results im after. (Delete permission is enabled for child dataset?)
Here's what I've got set up through the TrueNAS dashboard, not 100% sure on Delete Children permission but if I can at least get this to work we can adjust that later.

and here's what this selection looks like on the windows side of things:

Everything seems to match up okay? So now I proceed to make a rule to deny the delete permission matching up how you have also done it.

I click okay and sure enough the rule shows up in the list, this is where everything falls apart for me. When I click apply the new rule I've created simply disappears.

HOLD THE PHONE. As I'm attempting this again as I do this writeup the situation has changed and I'm lost as to how
This error is new, but that must mean it now, somehow, works perfectly!?
Sure enough I can modify the contents of both datasets, unable to delete the plex dataset, and I don't have the disappearing files problem anymore.

This seems to be a bit of a hollow victory, I'm ecstatic it works but left completely puzzled as to what went wrong on my other attempts. Oh well. Hopefully this additional information will help anyone else looking to achieve the same thing. Thanks anyway for the prompt response Ragametal!

What a day...

 

[Sparky23]

As a bit of a revision to my earlier message;
Upon further inspection the permission that is actually effective in preventing any unwanted deletion of the Plex dataset folder is the 'Delete Children' / 'Delete Subfolders and Files' permission that is applied to the PARENT dataset 'shared' not the child dataset. This wasn't quite what I was going for but seems to have the desired effect?
The only side-effect I've found so far is that any file or folder created by user A cannot be deleted by user B and vise-versa. This is my second day on this issue now so this will have to do.

 

[ragametal]

Well, i didn't experience that particular error but i was running TrueNAS 12 when i wrote this post so, maybe your error is related to TrueNAS 13?

In any event, I'm glad you got it working. This was the most frustrating part of setting up TrueNAS for me. I read a lot of tutorials, manuals, post and saw multitude of youtube videos in an effort to understand how ACLs works and still couldn't make it work the way i wanted to from the TrueNAS GUI.

One observation that i have for you, i never set explicit permissions for the group "built_in users" from the TrueNAS GUI. I only did it from windows and it was only deny rules for the child set. Look into that, maybe the error is just contradictory permissions betweeen what TrueNAS set and what you are trying to do in Windows.