My ACL woes?

[George51]

Since FreeNAS had its face lift, I've decided to move all my shares onto the ACLs as I share via SMB to windows computers.

I have one problem, and would like a sanity check on the rest please.

I have two users, Alice & Bob, a Family Group (of which both Alice and Bob are members), and a Syncer group (which I use on a Ubuntu VM).

Alice has her own data set - data set permissions are Alice:Alice with the ACL rules being:
group@ Allow, Basic, Full Control, Basic, Inherit.
group Syncer Allow, Basic, Full Control, Basic, Inherit.

Bob has his own data set - data set permissions are Bob:Bob with the ACL rules being:
group@ Allow, Basic, Full Control, Basic, Inherit.
group Syncer Allow, Basic, Full Control, Basic, Inherit.

We have a media data set - data set permissions are nobody:Family with the ACL rules being:
group@ Allow, Basic, Full Control, Basic, Inherit.
group Syncer Allow, Basic, Full Control, Basic, Inherit.

So far so good. On our windows computers, I can see Bob and Media, and Alice can see Alice and Media.
On the Ubunutu VM, it can see Bob, Alice and Media and it utilises Syncthing to sync with offsite locations.

However if one of those offsite locations modifies a file, for example in the media share. Alice and bob can't see the file from the windows computer. On the VM, it is there, and when I ls -l from the shell it is there.

For example

A file that is viewable from Bob and Alices windows computers, and the VM.

Code:

SSH@freenas:~ % sudo ls -l /mnt/Tank/Media/Movies/Aladdin\ \(2019\)
total 20628748
----rwx---+ 1 nobody  Family  10563359688 Jan 16 13:14 Aladdin (2019) - [BLURAY-1080P][DTS 5.1][X264].mkv

But here is an example of a file that has been modified via syncthing. It is browser able on the VM, but the folder is empty on the windows machines. And I can not understand why, the permissions are exactly the same.

Code:

SSH@freenas:~ % sudo ls -l /mnt/Tank/Media/Movies/Alien\ \(1979\)
total 3978656
----rwx---+ 1 nobody  Family  2038312572 Jan  4 03:19 Alien (1979) - [BLURAY-1080P][AAC 5.1][X264].mp4

Any ideas where I have gone wrong?
Is this the 'best' way to have ACLs set up?

Cheers

 

[Basil Hendroff]

You have a permissions issue. Can you screenshot the Windows ACL for both files from a Windows PC from an account that has full privileges on FreeNAS (Right-click the file > Properties > Security > Advanced > Permissions).

 

[George51]

You have a permissions issue. Can you screenshot the Windows ACL for both files from a Windows PC from an account that has full privileges on FreeNAS (Right-click the file > Properties > Security > Advanced > Permissions).

Thanks for the quick reply. Here is the screen shot of Aladdin

I am struggling to get windows to forget my Bob Credentials and sign in with root, once I figure that out I will post the Alien screenshot

For full clarity uvmconfig = Syncer from my explanation above. dl = a second Ubuntu VM access.

 

[George51]

Okay so when I use the root credentials (confirmed because I can now see Alices share) I still can't see the Alien file on windows!?

 

[Basil Hendroff]

Just for s&g, give Everyone access to the Alien file via the Unix mode bits What do you now see?

 

[George51]

Just for s&g, give Everyone access to the Alien file via the Unix mode bits What do you now see?

Sorry to be dense, I was about to edit the ACL to do this, however applying that recursively, would that potentially undo whatever the issue is? If not I will do this now

 

[Basil Hendroff]

I'm thinking just change it on that file through the shell using chmod 775.

 

[George51]

Make sense... done

Code:

SSH@freenas:~ % sudo ls -l /mnt/Tank/Media/Movies/Alien\ \(1979\)                                                            total 3978656
-rwxrwxr-x+ 1 nobody  Family  2038312572 Jan  4 03:19 Alien (1979) - [BLURAY-1080P][AAC 5.1][X264].mp4

Appears like it worked.... however Bob still can't see it from windows share

 

[Basil Hendroff]

On the Ubunutu VM, it can see Bob, Alice and Media and it utilises Syncthing to sync with offsite locations.

How are files being accessed by the Ubuntu VM and offsite location? Through NFS or SMB?

 

[George51]

How are files being accessed by the Ubuntu VM and offsite location? Through NFS or SMB?

Offsite via syncthing in docker on the VM. The VM is seeing the files through a CIFS share. Mount via fstab using the following command:

Code:

//IP/tank /media cifs username=uvmconfig,password=**,uid=1000,gid=1000    0    0

 

[Basil Hendroff]

From the Shell, compare the output of getfacl for a viewable file and a file syncthing modifies.

 

[George51]

The alien file - I can't access

Code:

# file: /mnt/Tank/Media/Movies/Alien (1979)/Alien (1979) - [BLURAY-1080P][AAC 5.1][X264].mp4
# owner: nobody
# group: Family
      group:Family:rwxpDdaARWcCos:------I:allow
          group:dl:rwxpDdaARWcCos:------I:allow
   group:uvmconfig:rwxpDdaARWcCos:------I:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

The Aladdain file I can:

Code:

# file: /mnt/Tank/Media/Movies/Aladdin (2019)/Aladdin (2019) - [BLURAY-1080P][DTS 5.1][X264].mkv
# owner: nobody
# group: Family
      group:Family:rwxpDdaARWcCos:------I:allow
          group:dl:rwxpDdaARWcCos:------I:allow
   group:uvmconfig:rwxpDdaARWcCos:------I:allow
         everyone@:--------------:------I:allow

So that output has gone beyond my knowledge (shock) but I can tell there are some differences!

 

[Basil Hendroff]

I'm at the limits of my knowledge as well. Calling @anodos

 

[anodos]

What are permissions on /mnt/Tank/Media/Movies/Aladdin (2019) and /mnt/Tank/Media/Movies/Alien (1979)?

 

[George51]

What are permissions on /mnt/Tank/Media/Movies/Aladdin (2019) and /mnt/Tank/Media/Movies/Alien (1979)?

The result of getfacl on the folders:

Th one I can't see:

Code:

sudo getfacl /mnt/Tank/Media/Movies/Alien\ \(1979\)
# file: /mnt/Tank/Media/Movies/Alien (1979)
# owner: nobody
# group: Family
      group:Family:rwxpDdaARWcCos:fd----I:allow
          group:dl:rwxpDdaARWcCos:fd----I:allow
   group:uvmconfig:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow

The one I can see:

Code:

sudo getfacl /mnt/Tank/Media/Movies/Aladdin\ \(2019\)
# file: /mnt/Tank/Media/Movies/Aladdin (2019)
# owner: nobody
# group: Family
      group:Family:rwxpDdaARWcCos:fd----I:allow
          group:dl:rwxpDdaARWcCos:fd----I:allow
   group:uvmconfig:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow

 

[George51]

Any one else have any ideas? I am still suffering the same issue