Home shares ACL nightmare

karypid (Cadet, joined Apr 5, 2022, 4 messages)
Hello all,

I'm running TrueNAS-SCALE-22.12.3. I have set up an active directory with Samba on Debian and I want to use TrueNAS as a home share. I have managed to get TrueNAS to auto-create a home directory when a user accesses the special home share. Unfortunately I can't seem to get it to have the default permissions I need. TrueNAS seems to force the "group" to have modification privileges no matter what I do.

Context:


Here is how I set up the home share (a slightly adapted version of the linked "Setting Up SMB Home Shares" documentation, as the linked posts indicate the documentation is incorrect):
  1. I stop the SMB service before making any changes
  2. Add a dataset called "personal"
    1. Set the "Share Type" to SMB
    2. Enable advanced options while adding
    3. Make sure the "ACL Type" is set to "SMB/NFSv4" (my default is "Inherit" and I guess people may have different types in the parent dataset). This is because the ACL Primer guide indicates it is more compatible with Windows clients.
    4. This is important: Set the "ACL Mode" to "Discard". Even though the documentation reads "Setting the ACL Mode to Restricted is typically used to optimize a dataset for SMB sharing" I found that this value causes the directory to be created with owner "root" and the actual domain user that was accessing it would not be able to do so (imagine the username is "UserX", when accessing the home share TrueNAS would create a folder "/mnt/tank/personal/MYDOMAIN/UserX", but the owner would be set to "root" leaving "UserX" locked out of that folder).
  3. Edit the new dataset's permissions
    1. Press the "Use Preset" button and select "NFS4_HOME"
    2. Set the "Owner Group" at the top to be "MYDOMAIN\domain users" because an ixSystems member replied that "Looks like the guide is wrong. Dataset should be created with Domain Users (not domain admins) as owning group" in one of the linked posts. (I make sure to tick the "Apply Group" checkbox).
    3. I set the Permissions for "owner@ - root" to "No Inherit" because otherwise I have the same problem as (2.4) above, meaning that for newly connecting user the owner remains user "root" instead of the actual connecting user.
    4. I set the Permissions to "Traverse" and "Inherit" because I want by default all files/directories created by the user to not be readable, but the directories to still be traversable. I do this for:
      1. "group@ - MYDOMAIN\domain users"
      2. "everyone@"
      3. "Group - builtin users"
      4. "Group - MYDOMAIN\domain users" (not sure how this is different from 1 above)
  4. In Shares section I would add a new SMB share with:
    1. Path "/mnt/tank/personal"
    2. Purpose "No Presets"
    3. In Advanced options:
      1. Tick "Use as Home Share"
      2. Untick "Browseable to Network Clients"
  5. I start the SMB service
Now, with all this, when I browse "\\mynas.mydomain.local" I see the special share with the name matching the user name of the logged in user (e.g. when I am logged in as "myuser" I see "\\mynas.mydomain.local\myuser") and I can create files in it. The permissions are:

Code:
root@NAS[~]# ls -ld /mnt/family-tank/personal/HOME/myuser
drwxr-xr-x 2 HOME\myuser HOME\domain users 5 Jun 19 23:52 /mnt/family-tank/personal/HOME/myuser

root@NAS[~]# nfs4xdr_getfacl /mnt/family-tank/personal/HOME/myuser
# File: /mnt/family-tank/personal/HOME/myuser
# owner: 100001104
# group: 100000514
# mode: 0o40755
# trivial_acl: true
# ACL flags: none
            owner@:rwxpD-aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow


Now, this ACL seems correct to me. The owner is the correct user and the group is the correct group. The owner has full control which is also expected.

It seems wrong though that the "domain users" group as well as "everyone" else have read-only access (I was going for "traverse only").

Furthermore, if I use a Windows 11 client to access "\\nas.home.local\myuser" and create a folder "testfolder" with Windows Explorer, it gets the following permissions:

Code:
root@NAS[~]# ls -ld /mnt/family-tank/personal/HOME/myuser/testfolder
drwxrwxr-x 2 HOME\myuser HOME\domain users 2 Jun 19 23:56 /mnt/family-tank/personal/HOME/myuser/testfolder

root@NAS[~]# nfs4xdr_getfacl /mnt/family-tank/personal/HOME/myuser/testfolder
# File: /mnt/family-tank/personal/HOME/myuser/testfolder
# owner: 100001104
# group: 100000514
# mode: 0o40775
# trivial_acl: true
# ACL flags: auto-inherit:
            owner@:rwxpD-aARWcCos:-------:allow
            group@:rwxpD-a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow


Suddenly the group has write access as well, even though I was trying to get "traverse only" to be the inheritable default...

What am I doing wrong? Is this an SMB issue or an ACL issue?
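As an added check (not from the original post, and not TrueNAS's own tooling), a small script that parses nfs4xdr_getfacl output like the listings above and flags the two symptoms this thread describes: a home directory owned by root, and group@/everyone@ allow entries that grant more than traverse. The sample input is constructed to match the "testfolder" listing; the TRAVERSE_OK set assumes the TrueNAS "Traverse" preset means execute, read_attributes, read_acl and synchronize.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of nfs4xdr_getfacl output on TrueNAS SCALE
# (values mirror the "testfolder" listing in the post above).
SAMPLE_ACL = """\
# File: /mnt/family-tank/personal/HOME/myuser/testfolder
# owner: 100001104
# group: 100000514
# mode: 0o40775
# trivial_acl: true
# ACL flags: auto-inherit:
            owner@:rwxpD-aARWcCos:-------:allow
            group@:rwxpD-a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
"""

# nfs4xdr_getfacl prints the 14-character mask in the fixed order rwxpDdaARWcCos.
# Assumption: a traverse-only entry needs only execute, read_attributes,
# read_acl and synchronize; anything else is more than "Traverse".
TRAVERSE_OK = set("xacs")
WRITE_BITS = set("wpDdAWCo")  # bits that change data, metadata or ownership
ENTRY_RE = re.compile(r"^\s*(.+?):([rwxpDdaARWcCos-]{14}):([A-Za-z-]{7}):(allow|deny)\s*$")

def parse_acl(text: str) -> Tuple[int, List[Tuple[str, str, str, str]]]:
    """Return (owner uid, [(principal, mask, flags, allow|deny), ...])."""
    owner, entries = -1, []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = int(line.split(":", 1)[1])
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groups())
    return owner, entries

def audit_home_acl(text: str) -> List[str]:
    """Flag a root-owned home dir and group@/everyone@ entries beyond traverse."""
    owner, entries = parse_acl(text)
    findings = []
    if owner == 0:
        findings.append("owner is root (uid 0): the connecting user will be locked out")
    for principal, mask, _flags, kind in entries:
        if kind != "allow" or principal not in ("group@", "everyone@"):
            continue
        extra = {c for c in mask if c != "-"} - TRAVERSE_OK
        if extra & WRITE_BITS:
            findings.append(f"{principal} can write ({''.join(sorted(extra & WRITE_BITS))})")
        elif extra:
            findings.append(f"{principal} can read ({''.join(sorted(extra))})")
    return findings
```

Run it against `nfs4xdr_getfacl <path>` output for a freshly created home directory and for a folder a user created inside it; the second listing is where the unexpected group@ write bits show up.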

karypid (Cadet, joined Apr 5, 2022, 4 messages)
After reviewing the documentation again, and adding:

It seems to me that I need non-trivial ACLs for inheritance to work properly? Anyway, I changed step 1.4 to use "Restricted" instead of "Discard" and my problem now is different:
  1. The bad: when the folder for the user is created, it belongs to user "root" instead of the actual user.
  2. The good: if I fix the owner with "chown 'MYDOMAIN\myuser'" after it is created, everything works as intended (newly created folders by the user inherit permissions properly and the group does not suddenly get write access).
Does anyone know how to get both to work (i.e. auto-created folder has correct owner, but "Restricted" mode is used)?

karypid (Cadet, joined Apr 5, 2022, 4 messages)
Hmm, I think this is a bug and if I have understood correctly it must be the same as what is discussed here:
I use Samba as my AD, not Windows Server but the description seems to match what I experience when using "Restricted" mode...

So I guess I should follow this bug report then:
https://ixsystems.atlassian.net/browse/NAS-115631

It looks like I mistook a completely unrelated issue for the same thing I am experiencing.

Can anyone help me get TrueNAS to create home folders for newly connecting AD users with the proper owner (i.e. the user the folder was created for, not the user root)?

I am using "ACL Mode" Restricted as it seems to be the only one that gets inheritance etc to work properly with SMB and Windows...

nutrient2314 (Cadet, joined Jan 26, 2024, 6 messages)
I tried using your approach but was stuck on step 4 as TrueNAS-SCALE-23.10.2 would not allow Discard with SMB/NFSv4. However, I tried using Restricted, which still had the dreaded permission denied. In fact folders were being created for each user.

I've tried using the following approach, however, the local and domain users are denied access even though ownership is set correctly. Domain administrators is the only group that works perfectly fine.

Create a new dataset named "personal" and leave the share type as Generic.

Add the following to the new dataset's permissions
  1. Mask Read | Write | Execute
  2. Group – builtin_users Read | Write | Execute
  3. Group – domain users Read | Write | Execute

I haven't changed anything else inside.

Add a SMB Share
  1. Purpose: No Presets
  2. Browsable to Network Clients: Uncheck
  3. Use as Home Service: Check

Code:
root@nas[/mnt/tank/homes]# ls -ld
drwxrwxr-x+ 4 root root 4 Mar 10 18:38 .


Code:
root@nas[/mnt/tank/homes/CORP]# ls -ls
total 9
9 drwxr-xr-x 2 administrator domain users 5 Mar 10 18:39 administrator


CORP.example.net is the active directory domain

Code:
root@nas[/mnt/tank/homes/CORP]# ls -ld administrator
drwxr-xr-x 2 administrator domain users 5 Mar 10 18:39 administrator


Notice the owner user is administrator and not CORP/administrator
Accessing administrator's home folder works.


Code:
root@nas[/mnt/tank/homes/CORP]# ls -ld domain.user1
drwxr-xr-x 2 domain.user1 domain users 5 Mar 10 19:21 domain.user1


Notice the owner user is domain.user1 and not CORP/domain.user1
Unable to access domain.user1's home folder. Permission denied.


Code:
root@nas[/mnt/tank/homes]# ls -ld localuser1
drwxrwx--- 2 localuser1 localuser1 5 Mar 10 19:03 localuser1


Accessing user1's home folder yields network path not found.

Any help is highly appreciated!

P.S. regarding your question under 3.4.4: "group@ - MYDOMAIN\domain users", this format is typically used to represent a group from an Active Directory or LDAP directory service. So I think it will not make a difference even if you add "Group - MYDOMAIN\domain users".