Can't add user to dataset ACL

Ashamed2228

Dabbler
Joined
Mar 17, 2023
Messages
21
Every time I try to add this user I created using the WebUI I get a python error:

Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 426, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 463, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *([self] + args))
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1252, in run_in_thread
    return await self.run_in_executor(self.thread_pool_executor, method, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1249, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/lib/python3.9/concurrent/futures/thread.py", line 52, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1322, in nf
    return func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 676, in setacl
    return self.setacl_nfs4(job, data)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 470, in setacl_nfs4
    self.setacl_nfs4_internal(path, data['dacl'], do_canon, verrors)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 423, in setacl_nfs4_internal
    raise CallError(setacl.stderr.decode())
middlewared.service_exception.CallError: [EFAULT]

Even without changing anything and just saving the ACL that error shows up. I'm trying to change the ACL because I can't access the SAMBA share with the user I just created; I keep getting access denied errors.
 

Ashamed2228

I also got this in the notifications:

mail.send

Error: [EFAULT] you must provide an outgoing mailserver and mail server port when sending mail


I didn't even know we could set up email notifications in TrueNAS. Why is it trying to send mails if they aren't set up?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Does the username have spaces in it?
 

Ashamed2228

I can't edit my messages.

The name does have spaces btw, and not only spaces, this character too: Á.
 

Samuel Tai

OK, you've run into a little bit of Unix backwards compatibility. The username can only use letters and numbers, no spaces, no special characters.
 

Samuel Tai

Please attach some screenshots of what you're trying to do. There's not enough info here to help troubleshoot.
 

Ashamed2228

I think I know what is happening, for some reason the webUI or the system (IDK) needs me to enter the whole username, I can enter for example the first 3 letters, and then select the name from the list, otherwise I get the error, if I manually enter the entire username I get no errors, at least from what I'm testing.

One question about this, I have a dataset named just "parent", I went and edited the permissions of that dataset and added my user "ashamed" and applied, but that created a child dataset named after my username, why? Is this normal? I don't want that I only want to add my user to the ACL so I can access the share through SAMBA.

Because otherwise I keep getting access denied in Windows when I enter my user credentials (the user has no home directory btw, if that matters)
 

Samuel Tai

Did you configure parent as a home share? Autocreation of child datasets is the default for home shares.
 

Ashamed2228

I've been able to delete the dataset and now I can access the share through Windows, maybe it was because I was using the preset "Private SMB Datasets and Shares"?
 

Ashamed2228

Another question, and sorry to be asking so much and borrowing so much of your time. I'm a little confused about the ACL and permissions on the shares and the datasets/files themselves.

There are permissions on the datasets so if I don't have permissions to read a dataset I wouldn't be able to browse the share, so I need to be added to the ACL of the Dataset.

Then there is the ACL of the Share/SAMBA, those two are independent, right? For example, I can add myself to the dataset's ACL and then I can forbid myself in the share's ACL and I won't be able to browse the share? Is that correct? And if that's correct, then why have two ACLs? It seems a little confusing. I have a share I don't want anyone to access because it has some server files, I have already entered whitelisted IPs, should I also edit the share's ACL or do you think that is unneeded? I'm 100% sure my computer is only accessed by me.

Thank you for all your help!
 

Samuel Tai

> I've been able to delete the dataset and now I can access the share through Windows, maybe it was because I was using the preset "Private SMB Datasets and Shares"?

Yes, that would explain the behavior, due to the %U added under this preset.
 

Samuel Tai

There are 3 different "permissions" settings, which interact in non-obvious and potentially contradictory ways.
  1. Unix permissions, which are accessible via Storage->Pools, and then clicking the 3 dots next to a dataset to Edit Permissions

  2. ACL Manager, which attempts to replicate the Windows Permissions editor. This is reachable by clicking the blue Use ACL Manager button, or by going to Sharing->Windows Shares, and clicking the 3 dots by the share, and selecting Edit Filesystem ACL

    This is implemented via xattrs, and sets facl bits on the dataset:
    # file: <dataset path>
    # owner: <dataset owner>
    # group: <dataset group>
    owner@:rwxp--aARWcCos:-------:allow
    group@:------a-R-c--s:-------:allow
    everyone@:------a-R-c--s:-------:allow
  3. Finally, there's the share ACL, which is defined in the Windows share, selectable from the 3 dots via Edit Share ACL.

    This is used to control parts of the share's visibility to SIDs, if Access Based Share Enumeration is enabled for the share.
For my own sanity, I avoid the ACL manager and share ACLs, and only rely on the Unix permissions bits.
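
The ACL text format shown in item 2 can be parsed and evaluated to see why a newly created user gets "access denied". This is an added example, not code from the post or from TrueNAS; the owner and group "root", the `user:ashamed` entry, and the function names are constructed for illustration, and the evaluation is a simplified NFSv4 ordered allow/deny walk.

```python
# Positional permission letters used in the ACL text above.
PERM_NAMES = dict(zip("rwxpDdaARWcCos", [
    "read_data", "write_data", "execute", "append_data", "delete_child",
    "delete", "read_attributes", "write_attributes", "read_xattr",
    "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize"]))

def parse_acl(text):
    """Return a list of (who, perms, flags, type) from getfacl-style text."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (4, 5):
            raise ValueError(f"unexpected ACE: {line!r}")
        # owner@/group@/everyone@ use 4 fields; user:/group: entries use 5.
        who = ":".join(fields[:-3])
        perms, flags, kind = fields[-3:]
        aces.append((who, set(perms) - {"-"}, set(flags) - {"-"}, kind))
    return aces

def effective(aces, user, groups, owner, owning_group):
    """Walk ACEs in order; the first allow or deny for a bit wins."""
    allowed, denied = set(), set()
    for who, perms, flags, kind in aces:
        if "i" in flags:  # inherit-only entries do not apply to this object
            continue
        if not (who == "everyone@"
                or (who == "owner@" and user == owner)
                or (who == "group@" and owning_group in groups)
                or who == f"user:{user}"
                or (who.startswith("group:") and who[6:] in groups)):
            continue
        if kind == "allow":
            allowed |= perms - denied
        elif kind == "deny":
            denied |= perms - allowed
    return allowed

# Constructed sample: the three entries from the post, owner/group assumed.
BEFORE = """owner@:rwxp--aARWcCos:-------:allow
group@:------a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow"""
AFTER = BEFORE + "\nuser:ashamed:rwxpDdaARWc--s:fd-----:allow"  # constructed

def rights(acl_text, user="ashamed"):
    return effective(parse_acl(acl_text), user, {user}, "root", "root")
```

With the three default entries, `rights(BEFORE)` contains no `r`, `w` or `x`, so the user can read attributes and the ACL but not data; adding a matching `user:` entry is what grants `read_data`.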
 

Ashamed2228

Thank you so much for your help!
It's clear now, thank you.


I have another issue, or maybe I'm doing things wrong or something.
I have one application that is set up to run at certain times. This application is going to output a file, and I need to access this file through a SAMBA share. This is not in a pool; this whole thing is happening in the system drive. I tried setting it up by editing the smb.conf file and restarting the service but it doesn't work. Even so, when I had stuff added in the smb*.conf files the TrueNAS shares weren't working properly after a system restart and I had to unshare them and share them again to get them working, so I deleted everything I did in the smb*.conf files. Is what I'm trying to do possible? Can shares be set up also through CLI/editing the conf files?
 

Ashamed2228

I would have loved to have the options TrueNAS gives us to secure the shares but as I say these files aren't in the pool so it's not possible to share them through the webUI
 

Samuel Tai

> Can shares be set up also through CLI/editing the conf files?

No. TrueNAS will overwrite conf file changes, as all config is stored in a SQLite3 database. If you need your cron output to be accessible in a share, redirect the output to a shared dataset.

> I would also like to know more about this, can you please point me in the right direction or what keywords should I look for?

This is all in the documentation.

 