FileServer Migration from Windows Server to Truenas Core

[djb]

Hello everyone, i'm in the middle of migrating Windows Fileserver to Truenas, but i'm facing some issues with permissions.

With windows server anyone can apply permissions on a: SMB Share\subfolder1 \ subfolder2 \ subfolder3 , even if the subfolder is created by the users. (So the subfolders inherit permissions from parent, and the final subfolder I break inheritance and edit the permissions)

Truenas needs to have it as dataset in order to set ACL permissions. So if I provide an SMB share the users /mnt/z1pool/Data , and the users create subfolder1\subfolder2\subfolder3 , we can’t control permissions on the third subfolder like windows server.

Is it any workaround to make this happent ? Any suggestions ?

 

[sretalla]

Truenas needs to have it as dataset in order to set ACL permissions.

setfacl ...

Or use Windows security controls from a windows machine to set them.

 

[djb]

setfacl ...

Or use Windows security controls from a windows machine to set them.

Can i setfacl on the subfolder3, if there is the following: /mnt/z1pool/Data
Dataset = Data. SMB Share is on /mnt/z1pool/Data

Then the users create Data\subfolder1\subfolder2\subfolder3.
We need to set ACL permissions on subfolder 3, what would be the setfacl method ?

 

[sretalla]

Maybe you're looking for something like this?

Default permissions with setfacl

Just started using setfacl to assign permissions for a specific group to /var/www/html (CentOS 5). Files in this directory are 640, root:apache. However, I've noticed that after doing something l...

superuser.com

setfacl can work on any directory/subdirectory you tell it to.

be careful once set not to mess with anything on the dataset level and use the "apply permissions recursively" option.

 

[djb]

Maybe you're looking for something like this?

Default permissions with setfacl

Just started using setfacl to assign permissions for a specific group to /var/www/html (CentOS 5). Files in this directory are 640, root:apache. However, I've noticed that after doing something l...

superuser.com

setfacl can work on any directory/subdirectory you tell it to.

be careful once set not to mess with anything on the dataset level and use the "apply permissions recursively" option.

Thanks for your comments.
it seems that using commands will not show in GUI, so this makes it harder to manage.

 

[sretalla]

Depends which GUI you mean... the Windows permissions GUI will show the changes (or you can just make the changes there), just not the dataset GUI in TrueNAS.

If you want a real picture of the ACLs, you need to run getfacl recursively on the path anyway. (the TrueNAS GUI never shows you the actual ACLs applied below the dataset)

so this makes it harder to manage

Maybe, but I don't recall where it says things are easy.

 

[djb]

Depends which GUI you mean... the Windows permissions GUI will show the changes (or you can just make the changes there), just not the dataset GUI in TrueNAS.

If you want a real picture of the ACLs, you need to run getfacl recursively on the path anyway. (the TrueNAS GUI never shows you the actual ACLs applied below the dataset)



Maybe, but I don't recall where it says things are easy.

@sretalla thank you !
to manage permissions using windows , what permissions we need as admin ? full control ACL on the dataset ?, or needs to be also owner ?

 

[sretalla]

You're able to use special permissions to determine it, but I think Owner is inclusive of the required permissions, so that would be it.

You'll need at least these, I think.

 

[sretalla]

Which looks like this in getfacl if I apply it in the Windows dialog: