Can't add user to dataset ACL

Ashamed2228 · Mar 17, 2023

Every time I try to add this user I created using the WebUI I get a python error:


Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 426, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 463, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *([self] + args))
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1252, in run_in_thread
    return await self.run_in_executor(self.thread_pool_executor, method, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1249, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/lib/python3.9/concurrent/futures/thread.py", line 52, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1322, in nf
    return func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 676, in setacl
    return self.setacl_nfs4(job, data)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 470, in setacl_nfs4
    self.setacl_nfs4_internal(path, data['dacl'], do_canon, verrors)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 423, in setacl_nfs4_internal
    raise CallError(setacl.stderr.decode())
middlewared.service_exception.CallError: [EFAULT]

Even without changing anything and just saving the ACL that error shows up. I'm tring to change ACL because I can't access the SAMBA share with the user I just created, I keep getting access denied errors

Ashamed2228 · Mar 17, 2023

I also got this in the notifications:

mail.send

Error: [EFAULT] you must provide an outgoing mailserver and mail server port when sending mail

I didn't even know we could set up email notifications in TrueNAS, why is trying to send mails if they aren't setup?

Samuel Tai · Mar 17, 2023

Ashamed2228 said:
Every time I try to add this user I created using the WebUI I get a python error:

Error: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/middlewared/job.py", line 426, in run await self.future File "/usr/lib/python3/dist-packages/middlewared/job.py", line 463, in __run_body rv = await self.middleware.run_in_thread(self.method, *([self] + args)) File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1252, in run_in_thread return await self.run_in_executor(self.thread_pool_executor, method, *args, **kwargs) File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1249, in run_in_executor return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs)) File "/usr/lib/python3.9/concurrent/futures/thread.py", line 52, in run result = self.fn(*self.args, **self.kwargs) File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1322, in nf return func(*args, **kwargs) File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 676, in setacl return self.setacl_nfs4(job, data) File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 470, in setacl_nfs4 self.setacl_nfs4_internal(path, data['dacl'], do_canon, verrors) File "/usr/lib/python3/dist-packages/middlewared/plugins/filesystem_/acl_linux.py", line 423, in setacl_nfs4_internal raise CallError(setacl.stderr.decode()) middlewared.service_exception.CallError: [EFAULT]

Even without changing anything and just saving the ACL that error shows up. I'm tring to change ACL because I can't access the SAMBA share with the user I just created, I keep getting access denied errors

Does the username have spaces in it?

Ashamed2228 · Mar 17, 2023

hi, no spaces, only letters

Ashamed2228 · Mar 17, 2023

I can't edit my messages.

The name does has spaces btw, and not only spaces, this character too: Á.

Samuel Tai · Mar 17, 2023

OK, you've run into a little bit of Unix backwards compatibility. The username can only use letters and numbers, no spaces, no special characters.

Ashamed2228 · Mar 17, 2023

I meant that the "Full name" has spaces and an accent, the username has only letters

Samuel Tai · Mar 17, 2023

Please attach some screenshots of what you're trying to do. There's not enough info here to help troubleshoot.

Ashamed2228 · Mar 17, 2023

I think I know what is happening, for some reason the webUI or the system (IDK) needs me to enter the whole username, I can enter for example the first 3 letters, and then select the name from the list, otherwise I get the error, if I manually enter the entire username I get no errors, at least from what I'm testing.

One question about this, I have a dataset named just "parent", I went and edited the permissions of that dataset and added my user "ashamed" and applied, but that created a child dataset named after my username, why? Is this normal? I don't want that I only want to add my user to the ACL so I can access the share through SAMBA.

Because otherwise I keep getting access denied in Windows when I enter my user credentials (the user has no home directory btw, if that matters)

Samuel Tai · Mar 17, 2023

Did you configure parent as a home share? Autocreation of child datasets is the default for home shares.

Ashamed2228 · Mar 17, 2023

You mean in the SAMBA share config? No, "Use as home share" is unticked

Ashamed2228 · Mar 17, 2023

I've been able to delete the dataset and now I can access the share through Windows, maybe it was because I was using the preset "Private SMB Datasets and Shares"?

Ashamed2228 · Mar 17, 2023

Another question, and sorry to be asking so much and borrowing so much of your time. I'm a little confused about the ACL and permissions on the shares and the datasets/files themselves.

There are permissions on the datasets so if I don't have permissions to read a dataset I wouldn't be able to browse the share, so I need to be added to the ACL of the Dataset.

Then there is the ACL of the Share/SAMBA, those two are independent, right? For example, I can add myself to the dataset's ACL and then I can forbid myself in the share's ACL and I wont be able to browse the share? Is that correct? And if that's correct, then why have two ACL? It seems a little confusing, I have a share I don't want anyone to access because it has some server files, I have already entered whitelisted IPs, should I also edit the share's ACL or do you think that is unneeded? I'm 100% sure my computer is only accessed by me.

Thank you for all your help!

Samuel Tai · Mar 17, 2023

Ashamed2228 said:
I've been able to delete the dataset and now I can access the share through Windows, maybe it was because I was using the preset "Private SMB Datasets and Shares"?

Yes, that would explain the behavior, due to the %U added under this preset.

Samuel Tai · Mar 17, 2023

Ashamed2228 said:
Another question, and sorry to be asking so much and borrowing so much of your time. I'm a little confused about the ACL and permissions on the shares and the datasets/files themselves.

There are permissions on the datasets so if I don't have permissions to read a dataset I wouldn't be able to browse the share, so I need to be added to the ACL of the Dataset.

Then there is the ACL of the Share/SAMBA, those two are independent, right? For example, I can add myself to the dataset's ACL and then I can forbid myself in the share's ACL and I wont be able to browse the share? Is that correct? And if that's correct, then why have two ACL? It seems a little confusing, I have a share I don't want anyone to access because it has some server files, I have already entered whitelisted IPs, should I also edit the share's ACL or do you think that is unneeded? I'm 100% sure my computer is only accessed by me.

Thank you for all your help!

There are 3 different "permissions" settings, which interact in non-obvious and potentially contradictory ways.

Unix permissions, which are accessible via Storage->Pools, and then clicking the 3 dots next to a dataset to Edit Permissions
ACL Manager, which attempts to replicate the Windows Permissions editor. This is reachable by clicking the blue Use ACL Manager button, or by going to Sharing->Windows Shares, and clicking the 3 dots by the share, and selecting Edit Filesystem ACL

This is implemented via xattrs, and sets facl bits on the dataset:
# file: <dataset path>
# owner: <dataset owner>
# group: <dataset group>
owner@:rwxp--aARWcCos:-------:allow
group@:------a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
Finally, there's the share ACL, which is defined in the Windows share, selectable from the 3 dots via Edit Share ACL.

This is used to control parts of the share's visibility to SIDs, if Access Based Share Enumeration is enabled for the share.

For my own sanity, I avoid the ACL manager and share ACLs, and only rely on the Unix permissions bits.

Ashamed2228 · Mar 18, 2023

Thank you so much for your help!
It's clear now, thank you.

I have another issue, or maybe I'm doing things wrong or something.
I have one application that is set up to run at certain times, this application is going to output a file, I need to access this file through a SAMBA share, this is not in a pool, this whole thing is happening in the system drive. I tried setting it up editting the smb.conf file and restarting the service but it doesn't work, even so when I had stuff added in the smb*.conf files the TrueNAS shares weren't working properly after a system restart and I had to unshare them and share them again to get them working so I deleted everything I did in the smb*.conf files. Is what I'm trying to do possible? Can shares be set up also through CLI/editing the conf files?

Ashamed2228 · Mar 18, 2023

I would have loved to have the options TrueNAS gives us to secure the shares but as I say these files aren't in the pool so it's not possible to share them through the webUI

Ashamed2228 · Mar 18, 2023

Samuel Tai said:
Yes, that would explain the behavior, due to the %U added under this preset.

I would also like to know more about this, can you please point me in the right direction or what keywords should I look for?

Samuel Tai · Mar 18, 2023

Ashamed2228 said:
Can shares be set up also through CLI/editing the conf files?

No. TrueNAS will overwrite conf file changes, as all config is stored in a SQLlite3 database. If you need your cron output to be accessible in a share, redirect the output to a shared dataset.

Ashamed2228 said:
I would also like to know more about this, can you please point me in the right direction or what keywords should I look for?

This is all in the documentation.

Sharing

Reference documentation for all screens within the Sharing menu option.

www.truenas.com

Important Announcement for the TrueNAS Community.

Can't add user to dataset ACL

Dabbler

Dabbler

mail.send​

Never underestimate your own stupidity

Dabbler

Dabbler

Never underestimate your own stupidity

Dabbler

Never underestimate your own stupidity

Dabbler

Never underestimate your own stupidity

Dabbler

Dabbler

Dabbler

Never underestimate your own stupidity

Never underestimate your own stupidity

Dabbler

Dabbler

Dabbler

Never underestimate your own stupidity

Important Announcement for the TrueNAS Community.

Related topics on forums.truenas.com for thread: "Can't add user to dataset ACL"

Similar threads

mail.send