Dataset Unix Permissions vs ACL: Can Someone Explain?

Paul5

Contributor
Joined
Jun 17, 2013
Messages
117
I upgraded from 9.3 to 11.3 and was faced with ACLs for a dataset. From a Unix media player I could not modify anything: rename, delete.
I tried everything I could change with the ACL settings and still nothing.
I stripped the ACLs, which gives me back Unix dataset permissions: Owner - Group - Other.
I set it to 770 and I have control back again.
I have read a lot but still have no idea:
Is the ACL supposed to be edited from a Windows client, and is that why it had no effect from a Unix media player, even though the ACL was set to everyone and Full Control?
In 11.3, where can I check to see what the dataset was set to (Unix / Windows)? I don't know why the upgrade applied the ACLs.

I've lost many many hours on this and read a lot but still have no clue on how to use ACLs or even if I need to use ACLs.
 
Joined
Jan 4, 2014
Messages
1,644

Paul5

There is a good explanation of Unix permission groups and basic permissions, and Windows/ZFS ACLs and advanced permissions in Methods For Fine-Tuning Samba Permissions.

Note: below I actually somewhat make reference to issues I have :)

Thanks, but that's one of the many things I read. You need prerequisite degrees in Unix and Windows sharing before you can comprehend, let alone want to progress. Even following line by line doesn't necessarily work.

Extract from your link:
Dataset User and Group Permissions
Dataset user and group permissions are controlled through the FreeNAS webgui by expanding "Storage" in the left pane of the webgui, clicking on the "View Volumes" button, selecting the dataset corresponding to your samba share in the right panel, then clicking on the "Change Permissions" icon in the lower-left side of the aforementioned panel. Permissions type should be set to "Windows". [This is not true on an 11.3 upgrade: you cannot view or change with an ACL-controlled dataset; it pushes you to edit the ACLs regardless of client type.] By default "full control" of your samba share is granted to the owner(user) and owner(group), and "read-only" access to all other authenticated users. [Sounds like my issue: default 'read-only' to all users, but ACL won't affect changes.] Additional fine-tuning should be managed through modifying filesystem ACLs. [Spent over 6 hours on reading and trying to get one user's permissions, trying every which way.] This procedure is more fully explained in the freenas handbook at the following site: http://doc.freenas.org/11/storage.html#change-permissions

The only thing that actually worked was stripping the ACLs and using 770 for the dataset. I had no idea what damage removing the ACLs would do since every other thing I click on comes with some cryptic end of the world warning.

In conclusion:
I have no knowledge, understanding or comprehension of ACLs but do know that all software has bugs. So user error? Highly likely. Software bug? Highly likely. I'm inclined towards software bug. After all, why hijack a working dataset by applying an ACL that has crippled the shares, and whilst it saves visual changes nothing actually changes, unless it's not capable of working with SMB1, which makes the hijack even worse.
 

Paul5

I believe it to be bugs. I added below what I wrote on one of my other help requests, as I would say my lack of understanding/confusion is due to bugs and nothing working as it should, or at least how it should work in my head :) Oh, just in case: the default ACL used is 'Restricted'.

UPDATE:
I removed the ACLs and got back Owner - Group - Other, set the dataset to 770 and all is good.
Today I recreated the ACL for 'System' and the first thing I noticed was that it changed from 'root' to 'tes' for the owner.
Tested 'tes' out and it all seems to work. I had previously tried it as it is now created, but it didn't work.
Upgrade bug?
Created user called Jo
Added ACL and entered Jo as a user > full control > Failed
Added 'System' group to Jo's aux and Jo has full control.
Removed all permissions from Jo's ACL other than read > Failed, still full control (ACL group override?)
Removed Jo's ACL and still full control
Removed the 'group@' ACL > Jo has no access.
In this case 'group@' determines what users and/or users' ACLs can do.

Adding a user ACL for 'Fine Tuning' doesn't work. It's governed by 'group'.

One issue/bug resolved by removing and recreating the ACL, but now no fine tuning. Jo has to belong to the 'system' group and have the default ACL 'group@' for access and permissions to work, from which he inherits all its policies as per the ACL, but to fine tune Jo's ACL to say 'read-only' doesn't work.

This is my first encounter with ACLs, jumping from 9.3 to 11.3, but it seems to be experimental and buggy to be production. Yes :) I did download 'Stable'.

Definitely bugs: I just tried creating some clones on FreeNAS and Clonezilla's response was: Clonezilla unknown partition table format on disk /dev/sda
Removed the ACL for pools under test that failed, then recreated ACL Restricted with no changes, and clones worked.

Well that's a day I'll never get back.
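
The test sequence in the update above (a read-only user entry for Jo next to a full-control group@ entry) can be modelled with standard NFSv4-style ACL ordering, the ACL type ZFS uses. This is an added example, not part of the original post and not FreeNAS code: a simplified Python model in which the reduced permission set, the owner `root`, and the names `access_allowed`, `jo_can_write` and the sample ACLs are all constructed for illustration.

```python
# Simplified model of NFSv4-style ACL evaluation (assumption: FreeNAS 11.3
# ZFS ACLs follow this ordering). Entries are checked in order and only
# entries matching the requester count. ALLOW entries accumulate permission
# bits; a DENY on a still-undecided requested bit refuses the request.

READ, WRITE, DELETE = "read", "write", "delete"
FULL = {READ, WRITE, DELETE}  # reduced stand-in for "Full Control"


def matches(ace, user, groups, owner, owning_group):
    who = ace["who"]
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return owning_group in groups
    kind, _, name = who.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)


def access_allowed(acl, requested, user, groups, owner="root", owning_group="system"):
    pending = set(requested)
    for ace in acl:
        if not matches(ace, user, groups, owner, owning_group):
            continue
        hit = pending & ace["perms"]
        if ace["type"] == "deny" and hit:
            return False
        if ace["type"] == "allow":
            pending -= hit
        if not pending:
            return True
    return False  # bits that no entry granted are refused


# Constructed ACLs mirroring the thread's test: user Jo, owning group "system".
read_only_user_ace = [
    {"type": "allow", "who": "user:Jo", "perms": {READ}},
    {"type": "allow", "who": "group@", "perms": FULL},
]
with_deny = [{"type": "deny", "who": "user:Jo", "perms": {WRITE, DELETE}}] + read_only_user_ace
no_group_ace = [{"type": "allow", "who": "user:Jo", "perms": {READ}}]


def jo_can_write(acl, groups=("system",)):
    return access_allowed(acl, {WRITE}, "Jo", set(groups))
```

In this model an allow entry only adds rights, so narrowing one member of the owning group takes a deny entry placed ahead of group@, or removing that user from the group.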
 