[BUG] SCALE-22.02-RC.1-2: SMB share / Dataset permissions broken (ro users have rw access)

TheHellSite

Dabbler
Joined
Mar 12, 2021
Messages
12
I just switched my test system from TrueNAS Core to TrueNAS Scale and found that the SMB / dataset permissions are not working properly.
The below setup was working fine on TrueNAS Core.

The problem I am having is that both of my SMB users have r/w access to the share even though UID=1000 should only have read access.
One thing I noticed during the creation was that the r/w user with UID:1001 wasn't selectable in the user list while configuring ACLs. I just typed the name instead. The access to the share is working for him.

This is how I set things up:

1. Created a TEST_pool, created a NAS_dataset.

2. Created two new users just for SMB access.
Code:
UID: 1000 and 1001
GID: 1000 and 1001
Home directory: /nonexistent
Shell: /usr/sbin/nologin
Email: N/A
Password Disabled: false
Lock User: false
Permit Sudo: false
Microsoft Account: false
Samba Authentication: true


3. Added them to the ACL of the NAS_dataset.
Code:
1000                        1001
====                        ====
ACL Type: Allow             ACL Type: Allow
Permissions Type: Basic     Permissions Type: Basic
Permissions: Read           Permissions: Modify
Flags Type: Basic           Flags Type: Basic
Flags: Inherit              Flags: Inherit


4. Created the SMB share.
Code:
Path: /mnt/TEST_pool/NAS_dataset
Name: nas
Purpose: No presets
Enabled: yes
Enble ACL: yes
Browseable to Network Clients: yes
Enable Shadow Copies: yes
Enable Alternate Data Streams: yes
Enable SMB2/3 Durable Handles: yes
Auxiliary Parameters: server min protocol = SMB3_11
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
Remove auxiliary parameter. What is output of following two commands (enclosed in [ code ] tags):
Code:
midclt call filesystem.getacl /mnt/TEST_pool
midclt call filesysetm.getacl /mnt/TEST_pool/NAS_dataset
 

TheHellSite

Dabbler
Joined
Mar 12, 2021
Messages
12
Thanks for taking the time!

Remove auxiliary parameter.
Tried that already with no success.

Remove auxiliary parameter. What is output of following two commands (enclosed in [ code ] tags):
Code:
midclt call filesystem.getacl /mnt/TEST_pool
midclt call filesysetm.getacl /mnt/TEST_pool/NAS_dataset
Code:
midclt call filesystem.getacl /mnt/TEST_pool
============================================
{"uid": 0, "gid": 0, "acl": [{"default": false, "tag": "USER_OBJ", "id": -1, "perms": {"READ": true, "WRITE": true, "EXECUTE": true}}, {"default": false, "tag": "GROUP_OBJ", "id": -1, "perms": {"READ": true, "WRITE": false, "EXECUTE": true}}, {"default": false, "tag": "OTHER", "id": -1, "perms": {"READ": true, "WRITE": false, "EXECUTE": true}}], "flags": {"setuid": false, "setgid": false, "sticky": false}, "acltype": "POSIX1E", "trivial": true, "path": "/mnt/TEST_pool"}

midclt call filesysetm.getacl /mnt/TEST_pool/NAS_dataset
========================================================
{"acl": [{"tag": "owner@", "id": -1, "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}, "type": "ALLOW"}, {"tag": "group@", "id": -1, "perms": {"BASIC": "MODIFY"}, "flags": {"BASIC": "INHERIT"}, "type": "ALLOW"}, {"tag": "GROUP", "id": 545, "perms": {"BASIC": "MODIFY"}, "flags": {"BASIC": "INHERIT"}, "type": "ALLOW"}, {"tag": "GROUP", "id": 545, "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}, "type": "ALLOW"}, {"tag": "USER", "id": 1000, "perms": {"BASIC": "READ"}, "flags": {"BASIC": "INHERIT"}, "type": "ALLOW"}, {"tag": "USER", "id": 1001, "perms": {"BASIC": "MODIFY"}, "flags": {"BASIC": "INHERIT"}, "type": "ALLOW"}], "trivial": false, "uid": 0, "gid": 0, "path": "/mnt/TEST_pool/NAS_dataset", "nfs41_flags": {"protected": false, "autoinherit": false}, "acltype": "NFS4"}
 

TheHellSite

Dabbler
Joined
Mar 12, 2021
Messages
12
Code:
root@NAS[~]# pdbedit -L
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
my_smb_rw_user:1001:my_smb_rw_user
my_smb_ro_user:1000:my_smb_ro_user
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
Okay. What is output of
Code:
id my_smb_rw_user
id my_smb_ro_user


GID 545 (builtin_users) has write permissions to the path. Your ro user is probably a member of said group.
 
Last edited:

TheHellSite

Dabbler
Joined
Mar 12, 2021
Messages
12
Okay. What is output of
Code:
id my_smb_rw_user
id my_smb_ro_user


GID 545 (builtin_users) has write permissions to the path. Your ro user is probably a member of said group.

You are absolutely right with that!
Is this a bug? Shouldn't manually created users NOT be a member of that group?
Is it okay or even advised to remove them from the builtin_users group?

Code:
root@NAS[~]# id my_smb_ro_user
uid=1000(my_smb_ro_user) gid=1000(my_smb_ro_user) groups=545(builtin_users),1000(my_smb_ro_user)
root@NAS[~]# id my_smb_rw_user
uid=1001(my_smb_rw_user) gid=1001(my_smb_rw_user) groups=545(builtin_users),1001(my_smb_rw_user)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
You are absolutely right with that!
Is this a bug? Shouldn't manually created users NOT be a member of that group?
Is it okay or even advised to remove them from the builtin_users group?

Code:
root@NAS[~]# id my_smb_ro_user
uid=1000(my_smb_ro_user) gid=1000(my_smb_ro_user) groups=545(builtin_users),1000(my_smb_ro_user)
root@NAS[~]# id my_smb_rw_user
uid=1001(my_smb_rw_user) gid=1001(my_smb_rw_user) groups=545(builtin_users),1001(my_smb_rw_user)
Not a bug. If a user is an SMB user, they are automatically added as a member of the builtin_users. You can either modify the ACL on your dataset to remove the default group or make it so that the ro user is not a member of said group.
 

TheHellSite

Dabbler
Joined
Mar 12, 2021
Messages
12
Okay thank you for clearing this up.

I am going to remove my smb users from the group builtin_users so their ACLs work as supposed.
 

bachewie

Cadet
Joined
Dec 23, 2021
Messages
3
Not a bug. If a user is an SMB user, they are automatically added as a member of the builtin_users. You can either modify the ACL on your dataset to remove the default group or make it so that the ro user is not a member of said group.
How are we able to do this if the dataset permissions cannot be edited? - The "Root dataset permissions cannot be edited", the option remains greyed out, but yet the authentic wiki also recommends using this button that no longer functions.
I'm on a clean install, so this is clearly a problem, or an oversight. As I have no control over SMB, nor permissions, other than making local users and folders (after testing AD integration and discovering it had ACL problems too)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
How are we able to do this if the dataset permissions cannot be edited? - The "Root dataset permissions cannot be edited", the option remains greyed out, but yet the authentic wiki also recommends using this button that no longer functions.
I'm on a clean install, so this is clearly a problem, or an oversight. As I have no control over SMB, nor permissions, other than making local users and folders (after testing AD integration and discovering it had ACL problems too)
You create datasets and share them out. ACL editor should work.
 
Top