Allow one user to rwx in SMB:WORM

scorpoin

Dabbler
Joined
Jun 23, 2022
Messages
20
Greetings,

I have created an SMB share with SMBWORM and the following is the output of the ACL.

Code:
getfacl my-share                
# file: my-share
# owner: foobar
# group: foo_2
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow


Now I would like to assign read, write and execute permission for user test. I ran the following command


Code:
setfacl -m user:test:rwx my-share/


But I am getting this error message

Code:
setfacl: my-share/: branding mismatch; existing ACL is NFSv4, entry to be merged is POSIX.1e


Can anyone help me with what I am doing wrong?

Regards
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703

scorpoin

Dabbler
Joined
Jun 23, 2022
Messages
20
Code:
getfacl  my-share/New\ folder
# file: my-share/New folder
# owner: usery
# group: foo_2
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWc--s:fd----I:allow
         everyone@:--------------:fd----I:allow
Thanks for your prompt response, I get it. But now I am facing another issue. The parent directory is set to WORM; once any user from group foo_2 creates a file or directory it becomes read-only after 5 minutes. Now I want userx to be allowed to delete files or directories from the my-share folder or any sub-directory within my-share.

I set permission

Code:
setfacl -R -m u:userx:rwxpDdaARWcCos:fd:allow my-share


Code:
getfacl  my-share/New\ folder
# file: qc-share/New folder
# owner: usery
# group: my-share
         user:userx:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWc--s:fd----I:allow
         everyone@:--------------:fd----I:allow


Yet userx is still unable to delete files or directories within my-share.
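As an added example (not code from anyone in this thread), this small Python helper reads the getfacl output posted above, tells NFSv4 entries apart from POSIX.1e ones (the cause of the "branding mismatch" error in the first post), and checks which principal actually holds the delete bits. The sample ACL text is the one quoted in this post; the function and class names are my own.

```python
"""Check FreeBSD NFSv4 ACL entries from getfacl output: branding and delete rights."""
from dataclasses import dataclass

# Permission letters as printed by FreeBSD getfacl(1) for NFSv4 ACLs.
NFSV4_PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}

@dataclass
class Entry:
    principal: str  # "owner@", "group@", "everyone@", "user:userx", "group:foo"
    perms: set      # letters from NFSV4_PERMS
    flags: str      # inheritance flags, e.g. "fd----I"
    kind: str       # "allow" or "deny"

def acl_brand(entry: str) -> str:
    """'NFSv4' if the entry ends in an NFSv4 type field, otherwise 'POSIX.1e'.
    setfacl refuses to merge an entry whose brand differs from the existing ACL."""
    return "NFSv4" if entry.strip().split(":")[-1] in ("allow", "deny") else "POSIX.1e"

def parse_nfsv4_entry(entry: str) -> Entry:
    if acl_brand(entry) != "NFSv4":
        raise ValueError(f"not an NFSv4 entry: {entry!r}")
    fields = entry.strip().split(":")
    # Named principals (user:/u:/group:/g:) carry a qualifier; owner@ etc. do not.
    if fields[0] in ("user", "u", "group", "g"):
        principal, rest = fields[0].rstrip("ser").rstrip("rou") + ":" + fields[1], fields[2:]
        principal = ("user:" if fields[0] in ("user", "u") else "group:") + fields[1]
    else:
        principal, rest = fields[0], fields[1:]
    flags = rest[1] if len(rest) == 3 else ""      # setfacl input may omit flags
    return Entry(principal, set(rest[0]) - {"-"}, flags, rest[-1])

def parse_getfacl(text: str) -> list:
    """Parse entry lines, skipping '# file:' style header lines and blanks."""
    return [parse_nfsv4_entry(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def granted(entries: list, principal: str, letter: str) -> bool:
    """NFSv4 evaluation is ordered: the first entry for the principal that mentions
    the letter decides. Note this says nothing about the WORM module, which makes
    files read-only after the grace period regardless of what the ACL grants."""
    for e in entries:
        if e.principal == principal and letter in e.perms:
            return e.kind == "allow"
    return False
```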
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I can't directly comment on that other than to say that the WORM share concept isn't something that you can expect to mess with (AFAIK).

I understand it to be some custom task running in the middleware which sets things to read-only at the expected time.
 

scorpoin

Dabbler
Joined
Jun 23, 2022
Messages
20
So is there any workaround for doing it? Can you guide me on which process makes it read-only?

Regards
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Well, I just went and reminded myself that it's actually a SAMBA module:

iX compiles SAMBA with that module enabled.

That's all I know about it.
 
Joined
Jun 15, 2022
Messages
674
Dataset_A : share_1 :: [WORM] (userset_1) => (all users of the share have Write-Once-Read-Many permission)

Add:
Dataset_A : share_2 :: [rwx] (userset_2) => (all users of the share have Read/Write/browse access)
 

scorpoin

Dabbler
Joined
Jun 23, 2022
Messages
20
Dataset_A : share_1 :: [WORM] (userset_1) => (all users of the share have Write-Once-Read-Many permission)

Add:
Dataset_A : share_2 :: [rwx] (userset_2) => (all users of the share have Read/Write/browse access)
@WI_Hedgehog Thanks for your prompt response. Could you explain a bit about this scenario so I can test it?
 
Joined
Jun 15, 2022
Messages
674
@WI_Hedgehog Thanks for your prompt response. Could you explain a bit about this scenario so I can test it?
You work for a company that does diagnostics, and once a diagnostic is run it should be recorded permanently; it should also be immutable so the data cannot be tampered with or erased by mistake. You therefore create a storage volume on the server called DIAG. At this point the volume has some attributes of where the information will be stored (obviously), how the data should be stored (it's highly compressible, so you enabled compression), and things of that nature.

There it sits. Great. But how do employees store diagnostics there? That's why you created a "share" to share the volume. You set the share attributes such as which users can access the volume, what type of access they have (technicians have read/write, assistants have read-only), and you made it a WORM share so the data becomes immutable (after the obligatory five minutes, so if a scan is bad the technician has time to review it and delete it; however, the tech cannot accidentally delete the file next week). All good.

But then the new company president's son Hunter is brought onboard, and he's not the upstanding model citizen your company usually employs. He has a drug habit. And a porn addiction. And he's financially irresponsible. And somehow that &@$%@^) uploaded a bunch of porn to the network's DIAG volume, and you've been made responsible for babysitting him and cleaning up his messes, a task which you'd love to delegate because you have a job to do and "mop guy" isn't it.

You, being actually skilled at your job (unlike Hunter), therefore use the server GUI to create another share. When prompted for where the volume resides you select DIAG, but this time create a normal share with read/write permissions and call it Hmop. Your subordinate Petrice has been kind of a pain in your...anyway, she's a nosy busybody always trying to hold people to every nitpicky company rule, so you add her to the list of users for that share, giving her something productive to do. You also add Holly, who's much more reasonable than Petrice, but because the company mandates you give people vacations you know someone will have to keep an eye on things when Petrice is at home de-fluffing her cats and reading the latest trashy romance novel.

There you go: techs have WORM storage, "mop men" (who are in this case women) have read/write access to that storage area, and you can keep doing what you normally do, which if you're me means sitting back in your leather-covered chair looking out the floor-to-ceiling windows of your office, basking in the sun and passing out while dreaming of your previous night's exploits. (You asked...)
 

Hansi

Cadet
Joined
Dec 22, 2023
Messages
2
Greetings:
Bear with me please, I'm new... I followed through on this thread because I was not able to delete files as the user (creator) of an SMBWORM share.
Other than that, the WORM share works great.
I understood that the workaround above was to create another SMB share to the same dataset and give the user read/write/execute rights (that would be me).
I'm using TrueNAS Core (TrueNAS-13.0-U6), and it would not allow me to submit a second share onto a dataset that already had SMBWORM configured.
I really appreciate your help. I've tried researching so much... reading and reading, but decided to reach out for help.

Just for clarity... all I'm trying to do is set up a simple shared folder where the family can post photos, but not accidentally delete them. If needed they would come to me to delete them.
I hope I'm on the right track.
Thanks again
Hansi
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Forget about a second SMB share and just use an SCP client (filezilla, WinSCP) when needed to modify things.
 

Hansi

Cadet
Joined
Dec 22, 2023
Messages
2
Thanks for the quick reply!
I'll have to read up on those... This is new ground for me.
 