Bizarre Permissions Issue

[HarryStottle]

so I have a shared drive (smb share) with a bunch of folders which my users have full read/write access to and I am the owner. All working perfectly.

But none of us can create new folders. If I try, I'm told I need permission from myself, to create the folder!

However, if I create a folder somewhere on my local workstation, I can copy it across to the drive without issue. And once the folder exists, we can all do whatever we want to inside it EXCEPT create a new sub folder. Which, again, I can get around by creating it elsewhere and copying it across.

What am I missing?

 

[chuck32]

Please share the error message and your ACL configuration.

Did you maybe change permissions afterwards and did not apply them recursively?

 

[HarryStottle]

Capturing the error message is simple enough, but, as a newbie, I don't know how to capture the ACL config and although I can find plenty about how to perform the configuration I can't find any idiot guide to retrieving it for the purposes of the kind of diagnosis you wish to perform.

I'm guessing its a quick job but I haven't guessed what that job is!

Oh, and No, I didn't fail to apply recursively. If anything I fear I may overuse the "Apply Recursively" button because I press it after every change (if its available) just in case.

 

[chuck32]

Capturing the error message is simple enough, but, as a newbie, I don't know how to capture the ACL config

Just share screenshots of the error message and of the screen in the true as GUI where you configured your permissions.

 

[HarryStottle]

the first two images are the error messages. I've included 2 because they imply some kind of contradiction. The owner and creator of all the relevant folders is Mike. in the first image, you see the error when attempting to change the name ("New Folder") to "MY NEW FOLDER" and tells us that we need to get permission from MIke to make the amendment. Yet it is Mike who is logged in and try to change that name. And nothing prevented that actual folder creation. And, if we go into the folder, despite the block on changing its name, we are able to create new files and copy anything we like into it.

In this second image, it's apparently Dan (another legit user has full rights) to whom we need to go for permission, despite the fact that he did NOT create the "New Folder".

Not sure the ACL images are what you requested, so advise if I'm off beam:

For the relevant SMB share, a folder called DATA mapped as Drive Y on the windoze workstartions

The ACLs are for the Owner and the the Group, "Vizbiz". On this share, Everyone has full rights. Everyone needs to be able to Create new folders, files and to delete same; as well as full modification rights.

Hope this provides clues.

 

[chuck32]

The ACLs are for the Owner and the the Group, "Vizbiz". On this share, Everyone has full rights. Everyone needs to be able to Create new folders, files and to delete same; as well as full modification rights.


View attachment 76030

View attachment 76031

Unfortunately you left out the interesting parts ;) Show also what is shown on the left (Owner and Group). And what is below owner@ namely the actual permission for your group vizbiz.
And what permissions did you apply (full list)?
CORE is slightly different from SCALE, but I think if you show some more info we will be able to fix it.

In Windows, right click a folder that gives you trouble and go to proprieties -> security, there you can compare which user / group has which permission if you scroll through it.

If you desire that every member of vizbiz has full control, why not set permissions to "Full Control"?

I'll leave you the link to this youtube video, which may shed some light.

 

[HarryStottle]

ah!

It didn't occur to me that I could do that (why not set permissions to "Full Control"?) using the Windoze permissions. I thought it had to be done within TrueNAS. I should have a chance to try that later today. Will post the results...

 

[chuck32]

didn't occur to me that I could do that (why not set permissions to "Full Control"?) using the Windoze permissions.

Sorry if that was confusing, I meant within truenas GUI, this is the place where I'd centrally manage permissions.

Although you can probably edit permissions within Windows, given your user has write ACL rights.

 

[HarryStottle]

well I tried the windows permissions assignment anyway and got some very confusing results.

I had no problem assigning rights to the "New Folders" and then testing them by successfully renaming them.
I checked the permissions on the most important folder (BUSINESS) on the DATA drive and found that the VIzbiz group has all the rights they should have - which they can only have "inherited" from their rights to the DATA drive because no separate subfolder permissions have been assigned.

But a couple of other folders which already have data in them, including 1 which is happily accepting backups from a Payroll program, isn't showing any users as having rights and when I tried to assign them, got the "access denied" error.

Below is, I hope the image of the groups you referred to. Not sure it reveals anything other than what I've previously described.

As to the full list of permissions I applied, the short answer is that it IS the full list! I don't know how to grab an image of that but every permission that can be applied is ticked for both Owner and Vizbiz group and all were applied recursively.

It looks like I've somehow mangled the rights assignment but everything I look at appears to set as it should be.

 

[chuck32]

Core UI is different from my scale UI, shouldn't the group rights read group@ instead of owner@ ?

 

[HarryStottle]

Dunno about the group@ thing. The name's were applied by TrueNAS, not me.

Nanycase, despite my amateurish bodging, it seems that my tweaking of the windoze rights has fixed the problem. We can now create and rename the folders as expected. So I'll consider this one sorted, even though it's probably not sorted "correctly". I suspect I'll have to revisit it for something similar in the future. Meanwhile, thanks for your interest and advice.

Only one more question: how do we show threads like this as "Resolved" or, at least, closed?

 

[chuck32]

Only one more question: how do we show threads like this as "Resolved" or, at least, closed?

Go to your first post, choose edit and then under title select the prefix.

Dunno about the group@ thing. The name's were applied by TrueNAS, not me.

Scale UI is slightly different but to my understanding and from scrubbing through the linked video, this is where you would change the permissions for the set group.

 

[anodos]

The most typical case where users are able to create but not rename files is when the administrator has removed DELETE / DELETE_CHILD permissions from the parent directory. This situation also occurs in windows under the same circumstances.