In creating ACLs for Samba shares I went through the following learning curve. This is both a question to determine if my final solution does what I think it does and a suggestion for updating the documentation. Semi-related: where I want to use builtin_users and builtin_administrators below for the Shared ACL, I use them in the Access ACL too.
Changing a SID using a group name
First, one needs to blank out the existing SID to have the Domain and Name look up a SID. Second, Name alone is not enough. The SAMBA (Windows) domain WORKGROUP does not appear to work. The server's HOSTNAME does appear to work in some cases, including user-defined groups and the system-defined group of builtin_users, and it does not work for the system-defined group of builtin_administrators (generates an error when saving the Edit Shared ACL page). After searching the web I found a list of well-known SIDs (unrelated to TrueNAS documentation) for builtin_users (S-1-5-32-545) and builtin_administrators (S-1-5-32-544). Entering those as the desired SID generated a Domain of BUILTIN and, respectively, a name of Users and Administrators. I believe I blanked out the SID and used Domain BUILTIN and name Users/Administrators, and they worked to look up the SID.
My question (and assumption) at this point is that BUILTIN/Users is equivalent to {HOSTNAME}/builtin_users, meaning BUILTIN/Administrators would be the equivalent of {HOSTNAME}/builtin_administrators, if the latter worked, which as noted before it appears not to. If that is not true, what is the difference between BUILTIN/Users and {HOSTNAME}/builtin_users, as the SIDs are different? {HOSTNAME}/builtin_users seems to be a machine-specific SID while BUILTIN/Users seems to be machine "agnostic" or for a generic machine SID. To me this indicates their meanings could be different in subtle ways. In my current case the names of the members of the groups both match between the client and server machines.
Should the TrueNAS documentation for Edit Shared ACL reflect, even with a web reference, the available system Domain/Name combinations for potential users?
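An added example, not part of the original post and not TrueNAS or Samba code: a small Python parser that shows how the two kinds of SID in the question differ structurally. An S-1-5-32-* SID has the same value on every host, while an S-1-5-21-* SID embeds the identifier of the machine or domain that issued it, and because an ACL entry stores the SID rather than the name, the two compare as different principals. The S-1-5-21 value and all function names below are constructed for illustration.

```python
import struct

# BUILTIN-domain aliases (S-1-5-32-<RID>); these two RIDs are the ones quoted in the post.
BUILTIN_ALIASES = {544: "Administrators", 545: "Users"}

def parse_sid(text):
    """Split 'S-<rev>-<authority>-<sub1>-...' into (revision, authority, subauthorities)."""
    parts = text.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority, *subs = (int(p) for p in parts[1:])
    if revision != 1 or len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subs

def sid_to_bytes(text):
    """Binary SID as stored in an ACE: revision, sub-authority count,
    48-bit big-endian authority, then little-endian 32-bit sub-authorities."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def classify(text):
    """Return (kind, description) for a SID string."""
    _, authority, subs = parse_sid(text)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        name = BUILTIN_ALIASES.get(subs[1], f"RID {subs[1]}")
        return "builtin", f"BUILTIN\\{name}"
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        issuer = "-".join(str(s) for s in subs[1:4])
        return "machine-or-domain", f"issuer S-1-5-21-{issuer}, RID {subs[4]}"
    return "other", text

def same_principal(sid_a, sid_b):
    """ACL matching is by SID value, so compare the binary forms, not the names."""
    return sid_to_bytes(sid_a) == sid_to_bytes(sid_b)

if __name__ == "__main__":
    builtin_users = "S-1-5-32-545"  # from the post
    # Constructed sample standing in for a {HOSTNAME}/builtin_users style SID.
    local_group = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    for sid in (builtin_users, "S-1-5-32-544", local_group):
        print(sid, classify(sid), sid_to_bytes(sid).hex())
    print("same principal:", same_principal(builtin_users, local_group))
```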