Issue with access rights through SSH (ACLs and LDAP)

beharim

Cadet
Joined
Aug 8, 2023
Messages
8
Greetings all :)

I've got a little issue using TrueNAS Core (13.0-U5) that gives me a headache...
I've created a whole tree structure of datasets, with specific ACLs according to users and groups defined in a Samba domain controller. Then, using SMB, everything is shared on the network and it's working fine, from the user's point of view at least.

Yet, I have noticed some inconsistencies when the user is connected through SSH, when I try to go back to the parent dataset. Despite the exact same ACLs, some datasets throw a Permission denied error, some others work fine. I guess I have made a mistake somewhere but I can't find out where...

Here is a screenshot to show the problem (I'm forced to use the absolute path if I want to go back to the DonneesAcquisition dataset):
[screenshot: 1692597455506.png]


Another screenshot to show the ACLs on both datasets:
[screenshot: 1692597510105.png]



It isn't a major issue, I could live with it... but I'm kinda bothered not to be able to understand why it does not work the way I expect it to, which means either I'm wrong somewhere in my understanding of TrueNAS and its configuration, or there is a problem on my server ^^
If you have any ideas on how to investigate further, I'm interested!

Thanks in advance,
Regards,
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
SSH is a direct connection to the server, not a sharing protocol.

Permissions from shares will not apply in any way at all to file browsing done on the host over SSH, which applies only UNIX permissions (the ones you see with ls -l), not ACLs (which you see with getfacl).
 

beharim

Cadet
Joined
Aug 8, 2023
Messages
8
Thanks for your reply.

I'm sorry, I guess it was not very clear in my post, but the ACLs are set on datasets, not on shares. Maybe I understood it wrong, but I thought they corresponded to extended UNIX permissions. At least, it works that way: when I connect to my TrueNAS server through SSH, the user only has the rights I set up through the dataset's ACL menu.

If I do an ls it only shows this:
[screenshot: 1692605254681.png]
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
when I connect to my TrueNAS server through SSH, the user only has the rights I set up through the dataset's ACL menu
Maybe have a look at ls -la (which should also show the . and .. entries).
 

beharim

Cadet
Joined
Aug 8, 2023
Messages
8
So here is the result of ls -al on the different datasets:
[screenshot: 1692610801859.png]


Despite the fact that Atmosphere and Geochimie have been created the same way, I get a permission denied on Geochimie...
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
It looks like that ".." entry has permissions issues... maybe try to set it (maybe need sudo) to what matches the rest.
 

beharim

Cadet
Joined
Aug 8, 2023
Messages
8
Parent dir:
[screenshot: 1692613859289.png]


Subdir with the problem:
[screenshot: 1692613895653.png]


Subdir without the problem:
[screenshot: 1692613920649.png]


I just don't see where the problem could come from ^^
 

beharim

Cadet
Joined
Aug 8, 2023
Messages
8
Here:
[screenshot: 1692622185286.png]


On other sub-datasets of OVPF-NAS, I have no problem with rights. This is really weird to me, as I thought I had mastered TrueNAS ACLs; I was able to set up very specific rights for several groups, and all is working perfectly. But on this dataset, which is supposed to be simpler, I can't get it right and it really bothers me... ^^
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
A few suggestions since I don't see anything immediately obvious.
1. Use `getfacl -n` to display numeric IDs on the ACLs rather than names (and repeat the above). Since you mention LDAP, it's possible you have a user that exists both locally and on the LDAP server. If you have a local user 3000 that is `sysop` and an LDAP user 5000 that is also `sysop`, then getpwuid will return sysop for both, but access will appear erratic because authorization depends on UID / GID rather than names.

2. During your SSH session, run the command `id` to see the user/group/group list for the currently-authenticated user.
 

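To make the name-versus-ID point in the post above concrete, here is an added example (my own, not from the thread or from TrueNAS). It works entirely on constructed sample data: two passwd-style sources (a "local" one and a "directory" one) where the name `sysop` maps to UID 3000 locally and 5000 in LDAP, a hypothetical `getfacl -n` listing for the problem directory in which the ACE was resolved to the local UID 3000, and a hypothetical `id` line for the SSH session, which authenticated as the LDAP user 5000. It then evaluates the NFSv4 ACL numerically for the traverse (execute) bit, which is what `cd` needs on a directory. The sample data, the directory name and the UIDs are all assumptions chosen to illustrate the collision; only the `getfacl -n` and `id` commands are from the post.

```python
"""Added example: detect local/LDAP name collisions and evaluate an NFSv4 ACL by numeric ID."""
import re

# --- Constructed sample data (hypothetical; not taken from the thread) ---
LOCAL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
sysop:*:3000:3000:Local sysop:/home/sysop:/bin/sh
"""
LDAP_PASSWD = """\
sysop:*:5000:5000:LDAP sysop:/home/sysop:/bin/sh
alice:*:5001:5001:Alice:/home/alice:/bin/sh
"""
# What `getfacl -n` could print for a problem directory: the ACE was set by the
# name "sysop", which resolved to the *local* UID 3000 when the ACL was written.
ACL_GEOCHIMIE = """\
# file: Geochimie
# owner: 0
# group: 0
            owner@:rwxp--aARWcCos:fd-----:allow
         user:3000:rwxp--a-R-c--s:fd-----:allow
         everyone@:------a-R-c--s:fd-----:allow
"""
# What `id` could print in the SSH session: authenticated as the LDAP sysop (UID 5000).
ID_OUTPUT = "uid=5000(sysop) gid=5000(sysop) groups=5000(sysop),5002(science)"


def parse_passwd(text):
    """Map user name -> (uid, gid) from passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def find_name_collisions(local, directory):
    """Names present in both sources that resolve to different UIDs."""
    return {name: (local[name][0], directory[name][0])
            for name in local
            if name in directory and local[name][0] != directory[name][0]}


def parse_id(line):
    """Parse `id` output into numeric uid, gid and the full group set."""
    uid = int(re.search(r"uid=(\d+)", line).group(1))
    gid = int(re.search(r"gid=(\d+)", line).group(1))
    groups = {int(g) for g in re.findall(r"(\d+)\(", line.split("groups=")[1])}
    return {"uid": uid, "gid": gid, "groups": groups | {gid}}


def parse_nfsv4_acl(text):
    """Parse `getfacl -n` output into (owner_uid, owner_gid, [(who, perms, flags, kind)])."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = int(line.split(":")[1])
        elif line.startswith("# group:"):
            group = int(line.split(":")[1])
        elif line and not line.startswith("#"):
            # owner@/group@/everyone@ entries have 4 fields; user:N / group:N have 5.
            *who, perms, flags, kind = line.split(":")
            entries.append((":".join(who), perms, flags, kind))
    return owner, group, entries


def _matches(who, owner, group, ident):
    """Does this ACE principal apply to the numeric identity?"""
    if who == "owner@":
        return ident["uid"] == owner
    if who == "group@":
        return group in ident["groups"]
    if who == "everyone@":
        return True
    kind, _, num = who.partition(":")
    if kind == "user":
        return ident["uid"] == int(num)
    if kind == "group":
        return int(num) in ident["groups"]
    return False


def can_traverse(acl_text, ident):
    """Decide the 'x' (traverse) bit the NFSv4 way: the first matching ACE that
    mentions x wins; inherit-only ACEs ('i' flag) do not apply to the directory itself."""
    owner, group, entries = parse_nfsv4_acl(acl_text)
    for who, perms, flags, kind in entries:
        if "i" in flags or "x" not in perms:
            continue
        if _matches(who, owner, group, ident):
            return kind == "allow"
    return False  # nothing grants traverse: `cd` into it reports "Permission denied"


if __name__ == "__main__":
    local, ldap = parse_passwd(LOCAL_PASSWD), parse_passwd(LDAP_PASSWD)
    print("name collisions:", find_name_collisions(local, ldap))
    session = parse_id(ID_OUTPUT)
    print("SSH session identity:", session)
    print("can traverse Geochimie as this session:", can_traverse(ACL_GEOCHIMIE, session))
```

With these inputs the collision check reports `sysop` as 3000 locally and 5000 in the directory, and the traverse check is False for the SSH session (UID 5000) even though `getfacl` without `-n` would show a friendly-looking `user:sysop` ACE; the same ACL evaluated for UID 3000 returns True. That is the erratic behaviour the post describes, and comparing `getfacl -n` against `id` on the real system is the direct way to confirm or rule it out.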
beharim

Cadet
Joined
Aug 8, 2023
Messages
8
Thanks for your help, here is the screenshot:
[screenshot: 1692940714034.png]


The result is the same as root. I don't have a local user sysop, this is really weird...
 