Home directory share - NFS and SMB - How to set ACL correctly?

RandomPrecision

Dabbler
Joined
Apr 17, 2023
Messages
21
I have a dataset on TrueNAS Scale that is my home directory. I want to have this available on my Windows PC and my Linux server. Prior to moving my fileserver to TrueNAS SCALE, it was a generic Linux server. It was acting as both a Samba server (to share my home directory to Windows), and also NFSv4 server (to share my home directory to Linux). So I know what I want to do is technically possible; but I'm having trouble getting the right combination of settings to work as expected.

I have this "working" under TrueNAS scale, but not to my liking. It seems I have one of two choices:
  • Disable ACLs for the dataset entirely. This seems to break the Samba share entirely, as I cannot access it from Windows at all when I do this. But the NFS share works as expected.
  • Enable ACLs for the dataset (ACL Type=SMB/NFSv4, ACL Mode=Discard). With this set, the Samba share works, and the NFS share works, but all new files are created with the execute bit set (it is ignoring my umask).

So I guess the fundamental, high-level questions are:
  1. Is it absolutely necessary for ACLs to be enabled on the dataset for Samba sharing to a Windows 11 PC?
  2. If yes to the above, then how should those ACLs be configured such that mounted NFS shares of the dataset honor umask? Or at least don't default to having execute permission?

Thanks!

RandomPrecision
I think I have a working solution. The gist is, you can set different ACLs for files and directories, as well as control inherit policies (i.e. how new files/directories are treated).

I'm assuming the answer to my first question above is "yes". That is, I believe it's not possible to have Samba sharing to a Win11 PC work without ACLs. So I'm focusing on the second question, trying to make ACLs work for NFSv4 as I want.

This post on superuser was particularly helpful: How do I set default (not inherit) acl permissions on file creation?. Here's the first paragraph of the answer, emphasis mine:
There is no "default ACL" in NFSv4 ACLs. However, you have a precise control over what is inherited and by what. In particular, you can add ACEs to be inherited by files, and another set that can be inherited by directories. Like this - the first three will apply to directories, the following three - to files. Note that directories will inherit both, but the "file" entries will have the "i" (inherit_only) flag set, so they won't apply to the directory itself - they are there only to be inherited by files in the directories. So, this is the ACL on the parent directory:
Code:
        owner@:rwxp----------:-di----:allow
        group@:r-x-----------:-di----:allow
     everyone@:r-x-----------:-di----:allow
        owner@:rw-p----------:f-i----:allow
        group@:r-------------:f-i----:allow
     everyone@:r-------------:f-i----:allow
        owner@:rwxp--aARWcCos:-------:allow
        group@:r-x---a-R-c--s:-------:allow
     everyone@:r-x---a-R-c--s:-------:allow

Here's what I did. First, I set the acltype at the dataset config level:
  1. Select Datasets from the left-hand navigation pane
  2. Select the target dataset
  3. Select Edit in the Details pane
  4. In the Edit Dataset pane, select Advanced Options
  5. Set ACL Type to SMB/NFSv4
  6. Set ACL Mode to Discard. Note: I'm not 100% sure about this. It appears to be working, but I semi-guessed on this one
  7. Save

Now we should be back at the main Datasets screen. Now we can actually edit the ACL per the suggestion above. First step is to set an NFS4 preset:
  1. Select Edit from the Permissions pane
  2. Check the Apply permissions recursively box
  3. Click on Use Presets
  4. Use NFS4_HOME or NFS4_DOMAIN_HOME. Notes: I'm not sure what the difference between these two presets is. I tried with both, and I couldn't see any obvious difference. Other presets may be more suitable for your use-case. But for me, it is a network-shared home directory.
  5. Click Save Access Control List

This puts me back in the main Datasets screen. Now we need to go in and actually tweak the preset ACL:
  1. Click on Edit in the Permissions pane
  2. I first modified the owner@ - root ACE: I changed the Flags Type to Advanced, then checked the Directory Inherit and Inherit Only boxes. See screenshot below.
  3. Then I created a new ACE - it is nearly the same as the one we just modified, except: Flags Type is Advanced, with File Inherit and Inherit Only selected; Permissions Type is also Advanced and all permissions except Execute are selected. See screenshot below.
  4. Click Save Access Control List

Lastly, you can verify the ACL from the commandline:
Code:
root@fileserver[~]# nfs4xdr_getfacl /mnt/ssdpool/ssdhome
# File: /mnt/ssdpool/ssdhome
# owner: 0
# group: 0
# mode: 0o40111
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:-di----:allow
            group@:rwxpDdaARWc--s:-din---:allow
         everyone@:--x---a-R-c---:-------:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
group:builtin_administrators:rwxpDdaARWcCos:fd-----:allow
            owner@:rw-pDdaARWcCos:f-i----:allow


Side note: this post, ACL - NFSv4 - NFSv4xdr, seems to suggest all the above can be done from the commandline using nfs4xdr_setfacl and nfs4xdr_winacl, but I didn't try that.

Here's the screen of the default ACE being modified:

default_ace_mod.png

And here's the screen of the new ACE:

new_ace.png

Note that the TrueNAS GUI is flagging it as an error (triangle with the exclamation point). But my GUI also exhibits the same behavior discussed here, Is ACL editor bugged in 22.12.2?. So I'm not sure if this is truly an error, or a display issue. If it is indeed truly an error, I'm hoping someone can give me a hint as to what is wrong!

Anyway, I hope this is helpful. Note that I'm not 100% sure it's truly the right way to do what I want, but it seems to be working correctly. I'll update this thread if I find any issues.

If this is correct, I might suggest that the NFS4_HOME and/or NFS4_DOMAIN_HOME preset ACLs be tweaked to be similar to what I've done. I can't imagine anyone using NFS for their home directory wants all new files defaulting to having the execute permission bit set.

RandomPrecision
A quick follow-up. I mentioned above that, at the dataset level, I set ACL Mode to Discard. I have since changed that to Passthrough. I found a post while searching these forums for a related issue that suggested Passthrough is the best ACL Mode for Samba shares (sorry, I lost that post so can't link it).

I also further tweaked my ACL, in particular getting rid of the builtin_users and builtin_groups entries. If I understand correctly, these are really only needed if the filesystem is to be used locally (i.e. directly) on the TrueNAS system. Rather than detail the steps to achieve my current ACL, I'll just post the final result here:
Code:
root@fileserver[~]# nfs4xdr_getfacl /mnt/ssdpool/ssdhome
# File: /mnt/ssdpool/ssdhome
# owner: 0
# group: 0
# mode: 0o40171
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:-di----:allow
            group@:rwxpDdaARWc--s:-------:allow
         everyone@:--x---a-R-c---:-------:allow
            owner@:rw-pDdaARWcCos:f-i----:allow


I am using this share for a home directory: NFS to my Linux system, and Samba to my Windows PC. On the Linux system, I run fetchmail + procmail to retrieve and sort email from my provider. I discovered this had stopped working about the time I started messing with ACLs on this system.

Again, I'm just trying to hopefully help others out. I found that there are a lot of ACL-related questions and few answers.
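Added example (editor's code, not RandomPrecision's and not anything shipped with TrueNAS): a small script that parses the nfs4xdr_getfacl output shown in the two posts above and predicts which ACEs a new file and a new directory will inherit, then reports which principals would get the execute bit on new files. It applies the NFSv4 flag semantics the quoted superuser answer describes (f = inherited by files, d = inherited by directories, i = not effective on the object itself, n = one level only); it is a model of those flag rules, not of ZFS's aclmode/aclinherit handling or the creating process's umask, so treat its output as a sanity check on the ACL you typed, not as ground truth. The flags column is assumed to be laid out as f d i n S F I and the permission column as rwxpDdaARWcCos, which is how the dumps in the thread read. Both ACL dumps are copied from the posts above.

```python
"""Predict NFSv4 ACE inheritance from nfs4xdr_getfacl output (added example)."""
from __future__ import annotations
from dataclasses import dataclass, replace

# Assumed nfs4xdr_getfacl flags column layout: f d i n S F I
FLAG_FILE_INHERIT = 0   # f: inherited by files
FLAG_DIR_INHERIT = 1    # d: inherited by directories
FLAG_INHERIT_ONLY = 2   # i: not effective on this object itself
FLAG_NO_PROPAGATE = 3   # n: inherit one level only
INHERIT_COLS = (0, 1, 2, 3)
PERM_EXECUTE = 2        # the x column of rwxpDdaARWcCos


@dataclass(frozen=True)
class Ace:
    who: str
    perms: str   # 14-char permission column
    flags: str   # 7-char flags column
    kind: str    # allow / deny

    def __str__(self) -> str:
        return f"{self.who}:{self.perms}:{self.flags}:{self.kind}"


def parse_acl(text: str) -> list[Ace]:
    """Parse nfs4xdr_getfacl output; '#' header lines are ignored."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The principal may contain ':' (group:builtin_users), so split from the right.
        who, perms, flags, kind = line.rsplit(":", 3)
        if len(perms) != 14 or len(flags) != 7 or kind not in ("allow", "deny"):
            raise ValueError(f"unrecognised ACE: {line}")
        aces.append(Ace(who, perms, flags, kind))
    return aces


def _clear(flags: str, cols) -> str:
    return "".join("-" if i in cols else c for i, c in enumerate(flags))


def inherited_acl(parent: list[Ace], child_is_dir: bool) -> list[Ace]:
    """ACEs a new child object receives from its parent directory's ACL.

    File: every 'f' ACE, with all inherit flags cleared.
    Directory: every 'd' or 'f' ACE. 'n' strips all inherit flags; an
    'f'-only ACE is carried inherit-only; a 'd' ACE becomes effective
    on the new directory ('i' cleared) and keeps propagating.
    """
    out = []
    for ace in parent:
        f = ace.flags[FLAG_FILE_INHERIT] == "f"
        d = ace.flags[FLAG_DIR_INHERIT] == "d"
        n = ace.flags[FLAG_NO_PROPAGATE] == "n"
        if not child_is_dir:
            if f:
                out.append(replace(ace, flags=_clear(ace.flags, INHERIT_COLS)))
            continue
        if not (f or d):
            continue
        if n:
            flags = _clear(ace.flags, INHERIT_COLS)
        elif not d:
            flags = ace.flags[:FLAG_INHERIT_ONLY] + "i" + ace.flags[FLAG_INHERIT_ONLY + 1:]
        else:
            flags = _clear(ace.flags, (FLAG_INHERIT_ONLY,))
        out.append(replace(ace, flags=flags))
    return out


def execute_on_new_files(parent: list[Ace]) -> list[str]:
    """Principals whose allow ACE on a newly created file carries x."""
    return [a.who for a in inherited_acl(parent, child_is_dir=False)
            if a.kind == "allow" and a.perms[PERM_EXECUTE] == "x"]


# Sample input: the two nfs4xdr_getfacl dumps posted in the thread above.
FIRST_ACL = """
# File: /mnt/ssdpool/ssdhome
            owner@:rwxpDdaARWcCos:-di----:allow
            group@:rwxpDdaARWc--s:-din---:allow
         everyone@:--x---a-R-c---:-------:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
group:builtin_administrators:rwxpDdaARWcCos:fd-----:allow
            owner@:rw-pDdaARWcCos:f-i----:allow
"""
FINAL_ACL = """
            owner@:rwxpDdaARWcCos:-di----:allow
            group@:rwxpDdaARWc--s:-------:allow
         everyone@:--x---a-R-c---:-------:allow
            owner@:rw-pDdaARWcCos:f-i----:allow
"""

if __name__ == "__main__":
    for label, text in (("first ACL", FIRST_ACL), ("final ACL", FINAL_ACL)):
        acl = parse_acl(text)
        for kind, is_dir in (("file", False), ("directory", True)):
            print(f"== {label}: new {kind} inherits")
            for ace in inherited_acl(acl, child_is_dir=is_dir):
                print("  ", ace)
        print("   execute on new files for:", execute_on_new_files(acl) or "nobody")
```

Run it with python3 and compare the two dumps: under this model the first ACL still hands the x bit to members of builtin_users and builtin_administrators on every new file through their fd ACEs, while the final ACL inherits only the rw-p owner@ entry onto files and only the owner@ entries onto subdirectories. Paste your own nfs4xdr_getfacl output into a third string to check an ACL before you save it in the GUI.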