How to restrict Access to SMB Shares and Datasets - Share ACL?

cap (Contributor)
I have created a user who should only have read-only access to a certain dataset or directory. I have set up an extra read-only SMB share for this purpose.

In addition, I have adjusted the permissions for a dataset to which the above-mentioned user should not have access.
Dataset => Edit ACL => ACL Type: Deny => Permissions => Read

I would then also have to do this for other datasets to which the user should not have access (read or write).

Is it not possible to restrict the SMB shares themselves?

- The user mentioned above should only be able to use the read-only SMB share.
- The read-only share only has access to the desired dataset or directory.

How do I do this? With "Edit Share ACL" in Sharing?

cap (Contributor)
Take a look at this documentation section, refer to POSIX only. You will need both read and execute, keep write disabled.
That is basically what I did above.

I have only given the user read rights for the (child) datasets that he is allowed to access. For all other datasets as well as the parent datasets I have denied read rights. This works.

I had tried to solve this on another level with Share ACL: https://www.truenas.com/docs/scale/...es/smb/smbsharesscreens/#smb-share-acl-screen

But I could not manage that.

oblivioncth (Explorer)
Overall it sounds like you accomplished what you wanted, but your issue is having to replicate these steps on future datasets and hoping you can manage this user in a simpler way instead.

It might be helpful to share your zpool structure, noting which dataset(s) you're talking about here (in terms of which are shared and which you don't want this user to be able to use) so that exactly what you're trying to accomplish is clearer. Ultimately, you will have to set ACLs appropriately where necessary; there's not much getting around that. The only way to potentially simplify things is to restructure your pool or use multiple shares at a finer granularity, but even there you would still need to mark which datasets a user can't have access to.

If you can structure your pool in a certain way though, it might become as easy as selecting the topmost dataset where you want these restrictions to apply and then applying the ACLs there, being sure to select apply recursively and apply to child datasets.



Of course, you'd have to redo this if you add child datasets later.

Using share ACLs is generally not recommended, and in my opinion overly complicates what can already be accomplished by using dataset ACLs directly. The share ACLs are ultimately limited by dataset ACLs anyway: https://www.truenas.com/community/t...mb-acls-and-filesystem-acls.90046/post-623196

TrueNAS does feature preset ACLs, and what certainly would help is if you could create your own so that you can rapidly apply them wherever you want (even recursively), but at the moment this isn't possible AFAIK. Datasets can't inherit ACLs of parent datasets, so custom presets would be a good alternative.

EDIT:
This change makes it sound like custom templates were added to the backend, and this bug (that was patched) makes it sound like that in the current nightlies it has been made available in the UI. The fix version mentioned is 22.12.1, so perhaps it will be available in the February update. At the very least it seems certain it will be part of Cobia (23.10.0).
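The two points the thread settles on, that a share ACL can only narrow what the dataset ACL already grants and that a recursive apply covers only the child datasets that exist at that moment, can be made concrete with a small model. This is an added example, not code from the thread, from cap or oblivioncth, or from TrueNAS: the pool layout (tank/data with public and private children), the user "reader", the group "staff" and the share names are constructed, and the evaluation rules are a simplified NFSv4-style first-match model rather than Samba's actual implementation.

```python
"""Effective SMB access modelled as the AND of a share ACL and a dataset ACL.

Constructed example for this thread: pool layout, users, groups and ACEs are
made up, and the evaluation is a simplified NFSv4-style first-match model,
not Samba's or TrueNAS's actual implementation."""
from dataclasses import dataclass
from enum import Flag, auto

class Perm(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()

FULL = Perm.READ | Perm.WRITE | Perm.EXECUTE

@dataclass(frozen=True)
class Ace:
    principal: str  # user or group name; "everyone@" matches any principal
    kind: str       # "allow" or "deny"
    perms: Perm

@dataclass(frozen=True)
class Share:
    dataset: str      # dataset the share exports (constructed names)
    read_only: bool   # the share's read-only export toggle
    share_acl: tuple  # share-level ACEs, evaluated with the same rules

def ace_matches(ace, user, groups) -> bool:
    return ace.principal in ("everyone@", user) or ace.principal in groups

def evaluate_acl(acl, user, groups, requested: Perm) -> bool:
    """NFSv4-style: ACEs are walked in order; the first one covering a still
    undecided bit decides it. A matching DENY ends the check, access is granted
    only once every requested bit was ALLOWed, and no match is an implicit deny."""
    remaining = requested
    for ace in acl:
        if not ace_matches(ace, user, groups):
            continue
        overlap = ace.perms & remaining
        if not overlap:
            continue
        if ace.kind == "deny":
            return False
        remaining &= ~overlap
        if not remaining:
            return True
    return False

def effective_access(share, datasets, user, groups, requested: Perm) -> bool:
    """Every layer must agree: share ACL, read-only flag, then dataset ACL.
    The share layer can only subtract rights; it never lifts a dataset deny."""
    if not evaluate_acl(share.share_acl, user, groups, requested):
        return False
    if share.read_only and requested & Perm.WRITE:
        return False
    return evaluate_acl(datasets[share.dataset], user, groups, requested)

def apply_recursively(datasets, top, acl) -> list:
    """Mimic 'apply recursively' + 'apply to child datasets': replace the ACL
    on `top` and on every child dataset that exists at that moment."""
    touched = [d for d in datasets if d == top or d.startswith(top + "/")]
    for d in touched:
        datasets[d] = acl
    return touched

def build_scenario():
    """tank/data has a public child 'reader' may read and a private one he may
    not; members of 'staff' get full access everywhere."""
    deny_reader = (Ace("reader", "deny", FULL), Ace("staff", "allow", FULL))
    datasets = {
        "tank/data": deny_reader,
        "tank/data/public": (Ace("reader", "allow", Perm.READ | Perm.EXECUTE),
                             Ace("staff", "allow", FULL)),
        "tank/data/private": deny_reader,
    }
    open_acl = (Ace("everyone@", "allow", FULL),)
    shares = {"ro-public": Share("tank/data/public", True, open_acl),
              "rw-data": Share("tank/data", False, open_acl)}
    return datasets, shares, deny_reader, open_acl

def demo() -> dict:
    datasets, shares, deny_reader, open_acl = build_scenario()
    reader, nobody, staff = "reader", frozenset(), frozenset({"staff"})
    r = {  # the intended path: a read-only share on the one permitted dataset
        "reader_reads_public": effective_access(shares["ro-public"], datasets, reader, nobody, Perm.READ),
        "reader_writes_public": effective_access(shares["ro-public"], datasets, reader, nobody, Perm.WRITE),
        # a wide-open share ACL on the parent cannot lift the dataset-level deny
        "reader_reads_parent": effective_access(shares["rw-data"], datasets, reader, nobody, Perm.READ),
        "staff_full_on_parent": effective_access(shares["rw-data"], datasets, "alice", staff, FULL),
    }
    # A recursive apply from the top replaces the child ACLs as well, so the
    # allow on tank/data/public must be re-applied afterwards ...
    r["recursive_touched"] = apply_recursively(datasets, "tank/data", deny_reader)
    r["public_after_recursive"] = effective_access(shares["ro-public"], datasets, reader, nobody, Perm.READ)
    # ... and a dataset created later keeps whatever default ACL it gets
    # (here an open one); the earlier recursive apply never saw it.
    datasets["tank/data/archive"] = open_acl
    r["later_child_unprotected"] = effective_access(Share("tank/data/archive", False, open_acl), datasets, reader, nobody, Perm.READ)
    return r
```

Running `demo()` shows "reader" reading through the read-only share but not writing, the wide-open share ACL on tank/data still yielding no read for "reader" because the dataset ACE denies first, and the two caveats from the post above: the recursive apply wipes the allow on the public child, and a child dataset added afterwards is not covered at all. ACE order matters in this model exactly as it does in an NFSv4 ACL, which is why the deny entries are listed ahead of the group allow.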