Changed ACL on root pool dataset, now problems

eb7224a3

Cadet
Joined
Feb 8, 2020
Messages
4
I changed chown of my root pool to be root and wheel group. I also removed advanced ACLs from the root pool, because I thought this was a mistake. I used setfacl -bn /mnt/poolname/

I'm on the latest 11.3 STABLE and everything was working fine prior to my nonsense with setfacl.

Since then, none of my SMB shares are working, despite going around and recreating permissions, etc. I'm completely locked out of my data due to this mistake.

Does the root pool dataset have advanced ACLs applied to it by default? Why would changing the root dataset permissions via the CLI affect advanced ACLs downstream?
 
Joined
Jan 4, 2014
Messages
1,644
From the UI, you can't actually edit the ACLs on the root pool, with good reason I suspect.

 

eb7224a3

Cadet
Joined
Feb 8, 2020
Messages
4
From the UI, you can't actually edit the ACLs on the root pool, with good reason I suspect.


Looks so! Now I'm wondering if reinstalling FreeNAS would remedy the situation or do I need to go through the pain in the ass process of breaking the pool and rebuilding it? I've tried exporting it and reimporting it to no avail.
 
Joined
Jan 4, 2014
Messages
1,644
Looks so! Now I'm wondering if reinstalling FreeNAS would remedy the situation or do I need to go through the pain in the ass process of breaking the pool and rebuilding it? I've tried exporting it and reimporting it to no avail.
I would sound out @anodos before you do anything else as he may have some ideas.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Does the root pool dataset have advanced ACLs applied to it by default? Why would changing the root dataset permissions via the CLI affect advanced ACLs downstream?

By default, the root-level dataset has root/wheel as owner/group and no advanced ACL applied. What does getfacl /mnt/poolname return?
It's possible you have simply changed the ACL on /mnt/poolname in a way that prevents traversal to the next level down. But any changes you made to the ACLs of shared datasets probably need reviewing.

Don't reinstall and hold tight until perms/ACLs on your pool are sorted.
 

eb7224a3

Cadet
Joined
Feb 8, 2020
Messages
4
By default, the root-level dataset has root/wheel as owner/group and no advanced ACL applied. What does getfacl /mnt/poolname return?

Copy pasta:
Code:
getfacl /mnt/nas01-pool01
# file: /mnt/nas01-pool01
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow


It's possible you have simply changed the ACL on /mnt/poolname in a way that prevents traversal to the next level down. But any changes you made to the ACLs of shared datasets probably need reviewing.

Here's a getfacl on a child dataset:
Code:
# file: /mnt/nas01-pool01/test
# owner: [username]
# group: [groupname]
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow
         everyone@:--------------:fd-----:allow


In addition, I've stripped and redone the permissions of shared datasets to no avail.

Don't reinstall and hold tight until perms/ACLs on your pool are sorted.

Definitely would love to sort this out without having to reinstall. I'm making backups of my most important data via an attached external storage (USB) drive just in case.
 

sbence

Cadet
Joined
Feb 27, 2020
Messages
7
chmod 755 /mnt/nas01-pool01

Hey!
I have the same problem, but for me I get an error message (with or without sudo): Operation not permitted



Is there a solution for this?
Thanks for the answer!
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
@sbence You don't need the "sudo" when you are already root, but that command will not fix your problem. It looks like you chose to share your entire pool rather than create separate datasets within the pool and share one or more datasets. IIRC the last upgrade disallows changing the permissions and/or ACL on the top level of the pool via the WEBUI, in your case mounted at /mnt/DATA. The chmod will not work at the CLI because by treating your entire pool as a "windows type" share, the acltype property has been set to restricted.

Start a new thread and ask @anodos for the correct commands to sort this out. For future reference, this starter guide is still useful: https://www.truenas.com/community/threads/how-to-set-up-windows-smb-shares-on-freenas.83376/
 

sbence

Cadet
Joined
Feb 27, 2020
Messages
7
@sbence You don't need the "sudo" when you are already root, but that command will not fix your problem. It looks like you chose to share your entire pool rather than create separate datasets within the pool and share one or more datasets. IIRC the last upgrade disallows changing the permissions and/or ACL on the top level of the pool via the WEBUI, in your case mounted at /mnt/DATA. The chmod will not work at the CLI because by treating your entire pool as a "windows type" share, the acltype property has been set to restricted.

Start a new thread and ask @anodos for the correct commands to sort this out. For future reference, this starter guide is still useful: https://www.truenas.com/community/threads/how-to-set-up-windows-smb-shares-on-freenas.83376/

Hi, thanks for the answer!
Actually I do not share the root dataset, I have datasets inside it, but SMB still does not work because (if I understand right) the root dataset "DATA" is not shared for Other or All, only for Owner and Group. So no matter what permission I set in the child datasets it won't work with the username "bence". I solved it by putting the user "bence" into the "wheel" group, so now I am able to connect to the "Data" dataset with SMB.
But still the main goal would be to set all of my pools' root dataset permissions the same, because now all three are different.

 

sbence

Cadet
Joined
Feb 27, 2020
Messages
7

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Hey, that worked, great thanks!!
No problem. There is unfortunately a prevalence of how-tos online that advise basically setting 770 on zpool mountpoints, which is generally a terrible idea because it prevents users from accessing their files unless they're a member of the owning group.
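
Added example, not part of any post in this thread: a small Python check of the traversal point raised above, run over the two getfacl listings posted earlier (copied inline as sample input). It assumes FreeBSD NFSv4 ACL text output and a simplified model in which the first matching, non-inherit-only entry that mentions `x` decides; the function names and the tag sets are hypothetical.

```python
"""Check directory traversal rights from FreeBSD getfacl (NFSv4 ACL) text output."""

# Sample input copied from the two getfacl listings posted in this thread.
POOL_ROOT = """\
# file: /mnt/nas01-pool01
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
"""
CHILD = """\
# file: /mnt/nas01-pool01/test
# owner: [username]
# group: [groupname]
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:rwxp--a-R-c--s:-------:allow
         everyone@:--------------:fd-----:allow
"""

def parse_acl(text):
    """Return (tag, perms, flags, type) tuples in evaluation order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        # The last three fields are always perms, flags, type; the rest is the
        # tag ("everyone@", or "user:name" / "group:name" for named entries).
        entries.append((":".join(parts[:-3]), *parts[-3:]))
    return entries

def can_traverse(acl_text, matching_tags):
    """True if the first applicable entry that mentions 'x' is an allow."""
    for tag, perms, flags, ace_type in parse_acl(acl_text):
        if "i" in flags:      # inherit-only: affects new children, not this directory
            continue
        if tag in matching_tags and "x" in perms:
            return ace_type == "allow"
    return False              # no entry grants execute, so traversal is refused

def can_reach(path):
    """path: list of (acl_text, matching_tags), one per directory from the pool root down."""
    return all(can_traverse(acl, tags) for acl, tags in path)

# An unrelated user matches only everyone@; a wheel member also matches group@ on the root.
OTHER_USER = [(POOL_ROOT, {"everyone@"}), (CHILD, {"everyone@"})]
WHEEL_MEMBER = [(POOL_ROOT, {"group@", "everyone@"}), (CHILD, {"everyone@"})]
```

The child dataset grants `everyone@` full `rwxp`, yet `can_reach(OTHER_USER)` is false because the pool root gives `everyone@` no `x`; only a member of the owning group gets through.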
 