How to configure NFSv4 SMB shares with proper default/inheritable new file/directory permissions?

Xaymar

Cadet | Joined: Jan 3, 2020 | Messages: 7
After migrating from TrueNAS Core (previously FreeNAS) to TrueNAS Scale, all my SMB shares started behaving weird. Newly created files and directories ignore all default and/or inheritable permissions, and they all end up as 0700, which is way too restrictive. The expected restrictions were 0666 for files and 0777 for directories, but this does not appear to apply to NFSv4 ACL anymore. How can I fix this odd behavior that appeared with TrueNAS Scale?

Looking through the forums, I found very similar instances, for which I've tried the solutions, but found that none of them fix the issue I am encountering. Here's my current configuration, in case it helps: SMB Service, Dataset #1, Dataset #2, SMB Share, Dataset ACL. I am aware I can switch to an ACL Type of POSIX, but this would make certain ACL structures completely impossible, so at the moment I have not switched over yet.

[Screenshot: 1651355494_firefox_GleefulCoordinatedXiphosuran.png]
 

anodos

Sambassador | iXsystems | Joined: Mar 6, 2014 | Messages: 9,554
You're using the wrong tool. Use nfs4xdr_getfacl for the paths in question. Do note that owner@, group@ and everyone@ entries can be impacted by the umask of the process creating them (and by chmod() operations by applications or user intervention).
 

Xaymar

While I don't believe that changing which tool reads the ACL changes what ACL is assigned on create/copy, here is nfs4xdr_getfacl anyway:
[Screenshot: 1651402376_firefox_CultivatedGrayToucan.png]

Exact same result with effective permissions of 0700, which is not 0666 and also not any of the inherited permissions.
 

anodos

> While I don't believe that changing which tool reads the ACL changes what ACL is assigned on create/copy, here is nfs4xdr_getfacl anyway:
> [Screenshot: 1651402376_firefox_CultivatedGrayToucan.png]
>
> Exact same result with effective permissions of 0700, which is not 0666 and also not any of the inherited permissions.

What is the ACL for the parent directory? The ACL should be calculated based on it. nfs4xdr_getfacl /mnt/nas/documents.
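
As an added illustration (not code from this thread, TrueNAS or Samba), the following Python model shows how a new child's ACL is calculated from the parent's inheritable entries and which mode bits the owner@, group@ and everyone@ entries then imply, so an observed mode such as 0700 can be compared against it. It assumes a permission set reduced to r/w/x and ignores dataset ACL properties and the mode requested by the creating process; `Ace`, `inherit`, `mode_from_acl`, `inheritance_mismatch` and the sample `PARENT` ACL are hypothetical names and constructed data.

```python
# Added example: simplified model of NFSv4 ACL inheritance; names are hypothetical.
from dataclasses import dataclass, replace

BIT = {"r": 4, "w": 2, "x": 1}
CLASSES = ((6, "owner@"), (3, "group@"), (0, "everyone@"))

@dataclass(frozen=True)
class Ace:
    who: str    # "owner@", "group@", "everyone@" or a named entry such as "group:100"
    perms: str  # subset of "rwx" (the full NFSv4 permission set is reduced to these)
    flags: str  # f=file_inherit, d=dir_inherit, i=inherit_only, n=no_propagate
    kind: str   # "allow" or "deny"

def inherit(parent_acl, is_dir):
    """ACL a new child gets from the parent's inheritable entries."""
    child = []
    for ace in parent_acl:
        f, d, n = ("f" in ace.flags), ("d" in ace.flags), ("n" in ace.flags)
        if not is_dir:
            if f:  # files keep the entry but drop every inheritance flag
                child.append(replace(ace, flags=""))
        elif d:    # applies to the new directory itself, so inherit_only is cleared
            child.append(replace(ace, flags="" if n else ace.flags.replace("i", "")))
        elif f and not n:  # file-only entry: carried along, not applied to the dir
            child.append(replace(ace, flags="".join(sorted(set(ace.flags) | {"i"}))))
    return child

def mode_from_acl(acl):
    """Mode bits implied by owner@/group@/everyone@ entries, first match wins."""
    mode = 0
    for shift, cls in CLASSES:
        decided, granted = set(), 0
        for ace in acl:
            if "i" in ace.flags or ace.who not in (cls, "everyone@"):
                continue  # inherit-only and named entries do not shape the mode
            for p in ace.perms:
                if p not in decided:
                    decided.add(p)
                    granted |= BIT[p] if ace.kind == "allow" else 0
        mode |= granted << shift
    return mode

def inheritance_mismatch(parent_acl, observed_mode, is_dir=False):
    """True when a new child's mode differs from what the parent ACL implies."""
    return (observed_mode & 0o777) != mode_from_acl(inherit(parent_acl, is_dir))

# Constructed parent ACL (not taken from the thread's screenshots).
PARENT = [
    Ace("owner@", "rwx", "fd", "allow"),
    Ace("group@", "rwx", "fd", "allow"),
    Ace("group:100", "rw", "f", "allow"),
    Ace("everyone@", "rx", "d", "allow"),
]
```

With this constructed ACL a new file should come out as 0770 and a new directory as 0775, so a file observed at 0700 is reported as a mismatch.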
 

Xaymar

> What is the ACL for the parent directory? The ACL should be calculated based on it. nfs4xdr_getfacl /mnt/nas/documents.

Identical to the one shown in the first post, and identical to all other datasets:
[Screenshot: 1651443692_firefox_FloralwhiteUntrueWatussi.png]

[Screenshot: 1651443795_firefox_OilyFlippantElkhound.png]
 

anodos

If you touch a file within that directory locally (not via SMB), does the ACL inherit correctly? (This might be a regression in the upstream Samba VFS module that's being used here.)
 

Xaymar

> If you touch a file within that directory locally (not via SMB), does the ACL inherit correctly? (This might be a regression in the upstream Samba VFS module that's being used here.)

It appears so:
[Screenshot: 1651489547_firefox_RapidValidJavalina.png]

[Screenshot: 1651489632_firefox_GranularFrightenedGermanpinscher.png]
 

Xaymar

> Then it might be an issue in generic NFSv4 code in Samba (which we're using for now in SCALE), 12 had custom module. I'll PM you an updated Debian package later today to try (to see if it fixes the issue).

Alright, I'll wait on that. For now I've set up a duplicate share with POSIX permissions for the shared information with family as it works.
 

anodos

> Alright, I'll wait on that. For now I've set up a duplicate share with POSIX permissions for the shared information with family as it works.

Well, you can also check whether assigning explicit permissions to the group, e.g. group:100 rather than group@, gives you what you want. I'm somewhat behind on some other work, but will try to send you something by PM by end of day.
 

Xaymar

> Well, you can also check whether assigning explicit permissions to the group, e.g. group:100 rather than group@, gives you what you want. I'm somewhat behind on some other work, but will try to send you something by PM by end of day.

Sorry for the late reply. I've tried this now and it made no difference for files created via SMB shares. For now I've switched all shares to POSIX and added extra shares for the more private directories.
 

darklink87

Cadet | Joined: Aug 28, 2022 | Messages: 1
Does anyone have any new information on this issue by chance? I'm hitting the exact same behavior of new files and directories being created with 0700 permissions instead of the default values over SMB. Using touch while in a shell creates a file with the expected permissions from the dataset's ACL settings. Manually setting the auxiliary parameters for directory and create masks does nothing, files and folders will still get created with 0700 permissions.
 

Xaymar

Cadet
Joined
Jan 3, 2020
Messages
7
> Does anyone have any new information on this issue by chance?

As far as I know this bug hasn't been fixed so far. I've mostly resolved to just using POSIX shares, as TrueNAS/FreeNAS tends to break more things than it fixes - even more than setting up services, containers and VMs directly.
 