SOLVED Managing permissions from Windows

PabloUserT38

Dabbler
Joined
Apr 7, 2021
Messages
12
I find the permissions manager for SMB shares in TrueNAS very confusing.

Can I just manage permissions on Windows by using the folder properties security tab on the mounted share?
 

PabloUserT38

Dabbler
Joined
Apr 7, 2021
Messages
12
Thank you very much. It has saved my life. For some reason, TrueNAS wasn't understanding my ACLs to give full control to a group of users. I had to give full control from Windows and now it works.

EDIT: Very interesting the link on your signature.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
> Thank you very much. It has saved my life. For some reason, TrueNAS wasn't understanding my ACLs to give full control to a group of users. I had to give full control from Windows and now it works.
>
> EDIT: Very interesting the link on your signature.
There shouldn't be any difference between the GUI and doing it through Windows (both eventually translate into the same OS system calls). There will be some effort to improve UI ACL manager in future.
 

PabloUserT38

Dabbler
Joined
Apr 7, 2021
Messages
12
My joy didn't last much. While this worked for a few minutes, it stopped working. I'm back to square one.

Here's the situation:

I have two datasets A and B. B is a child of A. Both are shared with the exact same respective names for the SMB shares.

I have two Windows domain groups: Advanced and Basic. (Advanced is for a higher rank group of employees, while Basic corresponds to a lower ranked group.)

Both datasets A and B have user:group as root:wheel, which is fine to deal with SSH access.

Now I select a restricted ACL preset, then add Full Control permission to group Advanced and check both "Apply permissions recursively" and "Apply permissions to child datasets". Now I check on a Windows workstation and everything is working as expected.

Next, I go with share B. Open its Filesystem ACL, where I find the previously given permissions for group Advanced, then add full control to group Basic too.

This should provide full control to the whole of A, (including share B, since it's a child of A) to Advanced users, but also access to B for Basic users.

But it doesn't.

First, when checking permissions of A on Windows, I can see the Basic group has not been given Full Control permission, but all the rest are checked. I check Full Control and apply. Go back to TrueNAS GUI and nothing seems to have changed there. At first, B got access from this operation (that's when I thanked you for your help), but a few minutes later, it had no more access.

I don't know if there's a bug in TrueNAS or I'm doing something wrong.

Since Advanced seems to have full access to the A share and it worked from the beginning just fine, I'm tempted to simply move B outside A and reshare, but I'm not sure how that would change things, since B will still need to have permissions for two different groups (Advanced and Basic), unless I make the whole group Advanced a member of group Basic (which I haven't tried, honestly).

Sorry for the winding explanation. I hope I made myself clear, but if not, please don't hesitate to ask.

Thanks in advance.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
So you have
/mnt/tank/a
/mnt/tank/a/b

"Advanced" needs access to a/b, and "Basic" needs access to only "b".
You need to grant "Basic", the "TRAVERSE" permissions set on "/mnt/tank/a" with the "INHERIT" flag set to "NOINHERIT". This basically allows him to go through "a" to "b".
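
The fix described in the post above, as an added example that is not part of the original thread and is not TrueNAS or Samba code. It is a simplified model: the TRAVERSE permission set is reduced to a single "execute" right, and the sibling directory "c" is a constructed name used to show what NOINHERIT prevents.

```python
# Simplified ACL model (assumption for illustration only): each directory
# holds ACEs of the form (group, permissions, inheritable).
TRAVERSE = {"execute"}                 # stands in for the TRAVERSE set
FULL = {"execute", "read", "write"}    # stands in for Full Control


class Dir:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.aces = name, parent, []
        if parent is not None:
            # A new child copies only the parent's inheritable ACEs.
            self.aces = [ace for ace in parent.aces if ace[2]]

    def grant(self, group, perms, inherit=True):
        self.aces.append((group, set(perms), inherit))

    def allows(self, group, perm):
        return any(g == group and perm in p for g, p, _ in self.aces)


def can_access(target, group, perm):
    """Unix-style check: every ancestor must grant execute (traverse)."""
    node = target.parent
    while node is not None:
        if not node.allows(group, "execute"):
            return False
        node = node.parent
    return target.allows(group, perm)


def build(traverse_on_a):
    """Recreate the thread's layout: a (Advanced), a/b (Advanced + Basic)."""
    a = Dir("a")
    a.grant("Advanced", FULL)
    if traverse_on_a:
        a.grant("Basic", TRAVERSE, inherit=False)   # NOINHERIT
    b = Dir("b", parent=a)
    b.grant("Basic", FULL)
    c = Dir("c", parent=a)   # constructed sibling, created after the grant
    return a, b, c


if __name__ == "__main__":
    for fixed in (False, True):
        a, b, c = build(fixed)
        print("traverse on a:", fixed,
              "| Basic reads b:", can_access(b, "Basic", "read"),
              "| Basic reads a:", can_access(a, "Basic", "read"),
              "| Basic reads c:", can_access(c, "Basic", "read"))
```

Without the traverse entry, Basic's Full Control on "b" is never reached because the check fails at "a"; with it, Basic reaches "b" but still cannot list "a" or enter its other children.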
 

PabloUserT38

Dabbler
Joined
Apr 7, 2021
Messages
12
That seems to have made it. Didn't know about the "traverse" concept, but makes sense (shouldn't it be applied automatically when a group is given permissions to read a dataset that's inside another?).

Thank you so much. I must buy you a coffee, man. :smile:

EDIT: I'm new to these forums. Should I edit the title to "mark this thread as SOLVED"?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
> That seems to have made it. Didn't know about the "traverse" concept, but makes sense

Windows has a similar concept with the "Bypass traverse checking" security option. You can think of Unix as having this permanently disabled.

> (shouldn't it be applied automatically when a group is given permissions to read a dataset that's inside another?).
I'd rather avoid automated permissions changes because a bug in that area can be catastrophically bad for users.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
> EDIT: I'm new to these forums. Should I edit the title to "mark this thread as SOLVED"?
As the OP it's yours to do - see the top right corner of the thread above post #1
 

zerowalker

Cadet
Joined
May 19, 2019
Messages
9
Oh, gotta try this, couldn't figure out how to make the permissions work.
Does this require that the TrueNAS is joined to the domain?
Because I can't seem to make that work; I can make LDAP work, I think (at least it doesn't fail).
 