I think I have a working solution. The gist is, you can set different ACLs for files and directories, as well as control inherit policies (i.e. how new files/directories are treated).
I'm assuming the answer to my first question above is "yes". That is, I believe it's not possible to have Samba sharing to a Win11 PC work without ACLs. So I'm focusing on the second question, trying to make ACLs work for NFSv4 as I want.
This post on superuser was particularly helpful: "How do I set default (not inherit) acl permissions on file creation?". Here's the first paragraph of the answer, emphasis mine:
There is no "default ACL" in NFSv4 ACLs. However, you have a precise control over what is inherited and by what. In particular,
you can add ACEs to be inherited by files, and another set that can be inherited by directories. Like this - the first three will apply to directories, the following three - to files. Note that directories will inherit both, but the "file" entries will have the "i" (inherit_only) flag set, so they won't apply to the directory itself - they are there only to be inherited by files in the directories. So, this is the ACL on the parent directory:
Code:
owner@:rwxp----------:-di----:allow
group@:r-x-----------:-di----:allow
everyone@:r-x-----------:-di----:allow
owner@:rw-p----------:f-i----:allow
group@:r-------------:f-i----:allow
everyone@:r-------------:f-i----:allow
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
Here's what I did. First, I set the acltype at the dataset config level:
- Select Datasets from the left-hand navigation pane
- Select the target dataset
- Select Edit in the Details pane
- In the Edit Dataset pane, select Advanced Options
- Set ACL Type to SMB/NFSv4
- Set ACL Mode to Discard. Note: I'm not 100% sure about this. It appears to be working, but I semi-guessed on this one
- Save
Now we should be back at the main Datasets screen. Now we can actually edit the ACL per the suggestion above. First step is to set an NFS4 preset:
- Select Edit from the Permissions pane
- Check the Apply permissions recursively box
- Click on Use Presets
- Use NFS4_HOME or NFS4_DOMAIN_HOME. Notes: I'm not sure what the difference between these two presets is. I tried with both, and I couldn't see any obvious difference. Other presets may be more suitable for your use-case. But for me, it is a network-shared home directory.
- Click Save Access Control List
This puts me back in the main Datasets screen. Now we need to go in and actually tweak the preset ACL:
- Click on Edit in the Permissions pane
- I first modified the owner@ - root ACE: I changed the Flags Type to Advanced, then checked the Directory Inherit and Inherit Only boxes. See screenshot below.
- Then I created a new ACE - it is nearly the same as the one we just modified, except: Flags Type is Advanced, with File Inherit and Inherit Only selected; Permissions Type is also Advanced and all permissions except Execute are selected. See screenshot below.
- Click Save Access Control List
Lastly, you can verify the ACL from the commandline:
Code:
root@fileserver[~]# nfs4xdr_getfacl /mnt/ssdpool/ssdhome
# File: /mnt/ssdpool/ssdhome
# owner: 0
# group: 0
# mode: 0o40111
# trivial_acl: false
# ACL flags: none
owner@:rwxpDdaARWcCos:-di----:allow
group@:rwxpDdaARWc--s:-din---:allow
everyone@:--x---a-R-c---:-------:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
group:builtin_administrators:rwxpDdaARWcCos:fd-----:allow
owner@:rw-pDdaARWcCos:f-i----:allow
Side note: this post, "ACL - NFSv4 - NFSv4xdr", seems to suggest all the above can be done from the commandline using nfs4xdr_setfacl and nfs4xdr_winacl, but I didn't try that.
Here's the screen of the default ACE being modified:
And here's the screen of the new ACE:
Note that the TrueNAS GUI is flagging it as an error (triangle with the exclamation point). But my GUI also exhibits the same behavior discussed here: "Is ACL editor bugged in 22.12.2?". So I'm not sure if this is truly an error, or a display issue. If it is indeed truly an error, I'm hoping someone can give me a hint as to what is wrong!
Anyway, I hope this is helpful. Note that I'm not 100% sure it's truly the right way to do what I want, but it seems to be working correctly. I'll update this thread if I find any issues.
If this is correct, I might suggest that the NFS4_HOME and/or NFS4_DOMAIN_HOME preset ACLs be tweaked to be similar to what I've done. I can't imagine anyone using NFS for their home directory wants all new files defaulting to having the execute permission bit set.
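As an added example (not from the post above or from TrueNAS), the following script parses the nfs4xdr_getfacl output shown earlier and works out which ACEs a newly created file and a newly created subdirectory would receive from the f/d/i/n inheritance flags, so the "do new files get execute?" question can be checked without creating test files. It assumes a simplified NFSv4 passthrough inheritance model (aclinherit=passthrough, no mode or umask trimming) and an allow-only ACL.

```python
from collections import namedtuple

# Constructed sample: the parent-directory ACL from the nfs4xdr_getfacl output above.
PARENT_ACL = """\
owner@:rwxpDdaARWcCos:-di----:allow
group@:rwxpDdaARWc--s:-din---:allow
everyone@:--x---a-R-c---:-------:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
group:builtin_administrators:rwxpDdaARWcCos:fd-----:allow
owner@:rw-pDdaARWcCos:f-i----:allow
"""
# who: owner@/group@/everyone@/user:NAME/group:NAME; perms: 14 chars in the order rwxpDdaARWcCos;
# flags: 7 chars f(file_inherit) d(dir_inherit) i(inherit_only) n(no_propagate) S F g
Ace = namedtuple("Ace", "who perms flags kind")

def parse_acl(text):
    """Parse nfs4xdr_getfacl-style ACE lines; '#' header lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # the principal may itself contain a colon (group:builtin_users): split from the right
        who, perms, flags, kind = line.rsplit(":", 3)
        if len(perms) != 14 or len(flags) != 7:
            raise ValueError(f"malformed ACE: {line}")
        aces.append(Ace(who, perms, flags, kind))
    return aces

def inherit(parent, new_is_dir):
    """ACEs a new child receives (simplified NFSv4 passthrough model, no mode trimming)."""
    child = []
    for ace in parent:
        file_inh, dir_inh, _, no_prop = (c != "-" for c in ace.flags[:4])
        tail = ace.flags[4:]                  # audit flags S/F/g carry over unchanged
        if not new_is_dir:
            if not file_inh:
                continue
            flags = "----" + tail             # files never carry inheritance flags
        elif not (file_inh or dir_inh):
            continue
        elif no_prop:
            flags = "----" + tail             # inherited once, then stops propagating
        elif dir_inh:
            flags = ace.flags[:2] + "--" + tail   # keep f/d, clear inherit_only
        else:
            flags = "f-i-" + tail             # file-only ACE rides along as inherit_only
        child.append(Ace(ace.who, ace.perms, flags, ace.kind))
    return child

def grants_execute(aces, who):
    """True if an allow ACE for `who` carries x (this ACL has no deny entries to order)."""
    return any(a.who == who and a.kind == "allow" and a.perms[2] == "x" for a in aces)
```

Running inherit(parse_acl(PARENT_ACL), False) shows that owner@ on a new file gets rw-p without x, while the builtin_users and builtin_administrators entries still carry x onto new files because they have both f and d set.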