Edit Shared ACL experience

pasha-19

Dabbler
Joined
Feb 15, 2021
Messages
19
In creating ACLs for Samba shares I went through the following learning curve. This is both a question to determine if my final solution does what I think it does and a suggestion for updating the documentation. Semi-related: where I want to use builtin_users and builtin_administrators below for the Shared ACL, I use them in the Access ACL too.

Changing a SID using a group name

First, one needs to blank out the existing SID to have the Domain and Name look up a SID. Second, Name alone is not enough. The SAMBA (Windows) domain WORKGROUP does not appear to work. The server's HOSTNAME does appear to work in some cases, including user-defined groups and the system-defined group builtin_users, and it does not work for the system-defined group builtin_administrators (generates an error when saving the Edit Shared ACL page). After searching the web I found a list of well-known SIDs (unrelated to TrueNAS documentation) for builtin_users (S-1-5-32-545) and builtin_administrators (S-1-5-32-544). Entering those as the desired SID generated a Domain of BUILTIN and, respectively, a Name of Users and Administrators. I believe I blanked out the SID and used Domain BUILTIN and Name Users/Administrators, and they worked to look up the SID.

My question (and assumption) at this point is that BUILTIN/Users is equivalent to {HOSTNAME}/builtin_users, meaning BUILTIN/Administrators would be the equivalent of {HOSTNAME}/builtin_administrators, if the latter worked, which as noted before it appears not to. If that is not true, what is the difference between BUILTIN/Users and {HOSTNAME}/builtin_users, as the SIDs are different? {HOSTNAME}/builtin_users seems to be a machine-specific SID while BUILTIN/Users seems to be machine "agnostic", or a generic machine SID. To me this indicates their meanings could be different in subtle ways. In my current case the names of the members of the groups match between the client and server machines.

Should the TrueNAS documentation for Edit Shared ACL reflect, even with a web reference, the available system Domain/Name combinations for potential users?
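An added example (not from this thread, TrueNAS or Samba) that parses SID strings like the two quoted above: it shows from the SID format alone why S-1-5-32-545 (BUILTIN/Users) carries no machine identifier while a local group's S-1-5-21-... SID does. The S-1-5-21 values used in the comments are constructed, and the function names are mine.

```python
# Added example (not from the thread, TrueNAS or Samba): parse Windows SIDs like those
# entered on the Edit Shared ACL page.  S-1-5-32-<rid> is the BUILTIN domain and has no
# machine identifier, so S-1-5-32-545 is the same principal on every machine, while
# S-1-5-21-<a>-<b>-<c>-<rid> embeds a per-machine (or per-domain) identifier.
import re
from dataclasses import dataclass

SID_RE = re.compile(r"S-(\d+)-(\d+)((?:-\d+)+)")
# RIDs under the BUILTIN domain, from Microsoft's well-known SID list.
BUILTIN_NAMES = {544: "Administrators", 545: "Users", 546: "Guests"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    def is_builtin(self) -> bool:
        return self.authority == 5 and self.subauthorities[:1] == (32,)

    def machine_id(self):
        """The three machine/domain subauthorities, or None if the SID has none."""
        if self.authority == 5 and self.subauthorities[:1] == (21,) and len(self.subauthorities) == 5:
            return self.subauthorities[1:4]
        return None

def parse_sid(text: str) -> Sid:
    m = SID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    rev, auth, rest = m.groups()
    return Sid(int(rev), int(auth), tuple(int(x) for x in rest.split("-")[1:]))

def describe(text: str):
    """(domain, name) as the ACL editor shows a BUILTIN SID; for a machine-local
    SID only the machine identifier and RID, which is all the SID itself carries."""
    sid = parse_sid(text)
    if sid.is_builtin():
        return "BUILTIN", BUILTIN_NAMES.get(sid.rid, f"RID {sid.rid}")
    mid = sid.machine_id()
    if mid is not None:  # e.g. constructed S-1-5-21-1111-2222-3333-1001
        return "S-1-5-21-" + "-".join(map(str, mid)), f"RID {sid.rid}"
    return "WELL-KNOWN", text.strip()

def portable_across_hosts(text: str) -> bool:
    """True when the SID names the same principal on any machine (no machine id)."""
    return parse_sid(text).machine_id() is None
```

Two hosts that each define a group with the same name still produce two different S-1-5-21 SIDs, which is why a name match between machines does not by itself make their ACL entries interchangeable.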
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
TrueNAS is developed and maintained as an Enterprise product, paid for by iXsystems sale of hardware and support to Enterprises.

TrueNAS CORE is made available to the general public for free in order to both give back to the OpenSource community and to allow for some "field hardening" of the product before changes are rolled into Enterprise.

The SMB sharing and Windows domain functionality is therefore built with the understanding that you're dealing with an Active Directory Domain, not a Windows Workgroup. (I think that's also an assumption of sorts in the underlying SAMBA product too).

You have discovered already that BUILTIN and {HOSTNAME} versions of things are not the same by seeing that their SIDs are different.

If there's no Active Directory Domain connected, you'll be seeing a mix of locally configured users in TrueNAS and users you have defined in Windows.

I don't think there's an expectation of consistency there, but you may find it necessary to match Windows users with an equivalent account in TrueNAS to get the desired outcome in some cases... but it will never be perfectly consistent without an Active Directory.
 

pasha-19

Dabbler
Joined
Feb 15, 2021
Messages
19
... but you may find it necessary to match Windows users with an equivalent account in TrueNAS to get the desired outcome in some cases... but it will never be perfectly consistent without an Active Directory.

I have cloned one server setup three times. The pool sizes vary. All servers have the same 4 users, where there are 2 admin IDs and 4 user IDs. One server is at my home and will support my daughter's family when she is there (same logons and network setup as her home, for everything except data backup). I will experience a similar situation when visiting her home. The third server will clone the contents of both of our servers as a second server backup. I am also 70+ and have dealt with servers before AD, including using Windows shares from a desktop OS (Windows, Linux and even Apple) to back up data. In this environment the cost of a Windows AD DS server does not appear to be justified.

I will muddle through and not bother you in the future.

Yes; I determined last night clearly that {HOSTNAME}/builtin_users does what I want and BUILTIN/Users does not. Still need to check if BUILTIN/Administrators does what I want, since {HOSTNAME}/builtin_users returns an error when assigning a Share ACL.

Thanks for responding and good luck.