New to TN. Need better understanding and help with setting up a share folders with access to Windows, OSX, and Linux.

aah57

Cadet
Hello all,

I am positive that this subject has been discussed before, and I know re-asking answered questions is frowned upon. However, I haven't been successful in finding the applicable solution to my situation.
I have a QNAP NAS that I intend to sell and bring all my data within my server machine. Therefore, I need to have a NAS VM replacement, so I turned to giving TN a go. To keep it short, I want to set up a number of datasets that are "easily" accessible from my Windows machines, Macbook laptop, and a couple of Linux VMs. For instance, I want one dataset for my Plex/Media content that is accessible across all devices (computers [OS-agnostic], Apple and Android phones and tablets, as well as my TV and Nvidia Shield box). I also need to have two groups to have access to this dataset. One with Full permission (i.e. me), and one with just read and execute permissions (i.e. home residents). Now this part seems to be pretty straightforward with ACLs, although I don't quite grasp the concept of "@" at the end of Who* definitions (because I can define either group@ or group). By easily at the beginning of this paragraph I meant without having to go into each machine and manually mounting the share with or without CLI. Is it possible to just put in the UN/Pass and be done with it?
Now, I don't need to be spoon-fed. But, if you could kindly please steer me in the right direction or lay out a clear roadmap, I'd be more than grateful. In QNAP, this setup was extremely quick and easy. With TN it appears to be somewhat of a learning curve - and quite a steep one at that for a newcomer. Thank you again.
TrueNAS-13.0-U3.1 installed on VMWare ESXi 8.0
All Windows are 10 or 11 Pros.
macOS 13
Linux distros: MX and Ubuntu
 

aah57

Cadet
Well, forum rules dictate to wait 48 hours before bumping a thread. I have no intention to bump the OP; however, I do intend to share a couple of points, which in the past couple of days I have come to realize:
A) 80+ views and zero replies for a pretty basic two liner response just goes to show how supportive this community is. What a shame.
B) The granularity of TN Core makes it a fantastic piece of software for micromanagement of a NAS OS. But the buck stops just there. Why? The documentation is horrendous: Generic, simple, and borderline cursory. All the fine details that explain what's what have been left out.
C) Searching through the forum doesn't help much either. Even the most basic questions, i.e. "what is a dataset?" end up confusing the person searching for answers even further - consider it a partition; no it's not analogous to a partition; think of it as a master folder; it can't really be explained; huh?!
D) For an absolute newcomer both to TN and somewhat to the Linux world, understanding how TN works, specifically when it comes down to ACL, POSIX and Windows sharing permissions, the tediousness of creating cross-platform shared folders and everything else surrounding it, there are evident shortcomings in the support system for getting said individual through and over the learning curve. For instance, what is the difference between group and group@? No "clear" and easy-to-locate documentation exists. Why are there two sets of permissions for Filesystem ACL and share ACL for a shared folder? And what is the significance of each? What is the difference between Default Share parameters and other presets? The list goes on and on. For many of you these are very mundane questions. Remember I am referring to newcomers.
E) Frankly, as a "newcomer" I'm hugely disappointed. If it weren't for my personal craving to learn new things, I would have dropped the truenas project on day one, and be on my way to other venues. Just to be clear here, I am not bashing the program, I am simply criticizing the guide and reference structure supporting it.
And finally F) For all those that are new to TN, who want a cross-platform shared folder, such as the likes you establish on QNAP and Synology NAS OS's: Wrong or right, this method so far has worked for me. First, create your users and groups. If you want to have a user that only has read access, remove the aux group "built-in users" from his/her account by re-selecting their own group again. Create a Dataset with SMB share type. Then edit ACL permissions for the intended Dataset. Delete Everyone@. Leave Owner@ and Group@ and Group (built-in users) as is. Replace user "root" and group "wheel" with your newly created user and group that carries full permission. Next, go to the Sharing tab, click create a folder under Windows Shares (SMB), and save it with Default Share Parameters.

Good luck.
 

jgreco

Resident Grinch
A) 80+ views and zero replies for a pretty basic two liner response just goes to show how supportive this community is. What a shame.

Forum statistics

Threads: 89,376
Messages: 710,234

Doing the math, that seems to show an average of about 7 messages responding per thread. I'd say that's pretty supportive.

B) The granularity of TN Core makes it a fantastic piece of software for micromanagement of a NAS OS. But the buck stops just there. Why? The documentation is horrendous: Generic, simple, and borderline cursory. All the fine details that explain what's what have been left out.

If you say so. The product is intended to make NAS more accessible to end users, so "simple and borderline cursory" would seem to make a certain amount of sense.


C) Searching through the forum doesn't help much either. Even the most basic questions, i.e. "what is a dataset?" end up confusing the person searching for answers even further - consider it a partition; no it's not analogous to a partition; think of it as a master folder; it can't really be explained; huh?!

Did you read the Introduction to ZFS that is available in the Resources section?


Datasets
A dataset is a ZFS filesystem. It can be viewed as a construct that combines the advantages of a traditional directory (datasets form a tree, share space from the underlying pool, etc.) with the advantages of a disk partition (datasets can be treated separately and can be used to partition storage) and adds unique management capabilities. Every ZFS pool has a top-level dataset, named after the pool. From there, an arbitrary number of datasets can be created as children of an existing dataset. Datasets are typically the unit of management – in other words, ZFS properties apply to datasets. These include features such as compression, checksums, quotas and reservations. Snapshots and ZFS replication, explained below, also operate on entire datasets. The rule of thumb is to use datasets instead of plain directories for data that is treated differently: Different owner, different snapshot schedule, different compression, different quota, etc. When in doubt, it is typically better to use more datasets rather than fewer.

Seems reasonably clear to me.

D) For an absolute newcomer both to TN and somewhat to the Linux world, understanding how TN works, specifically when it comes down to ACL, POSIX and Windows sharing permissions, the tediousness of creating cross-platform shared folders and everything else surrounding it, there are evident shortcomings in the support system for getting said individual through and over the learning curve. For instance, what is the difference between group and group@? No "clear" and easy-to-locate documentation exists. Why are there two sets of permissions for Filesystem ACL and share ACL for a shared folder? And what is the significance of each? What is the difference between Default Share parameters and other presets? The list goes on and on. For many of you these are very mundane questions. Remember I am referring to newcomers.

This seems like a general compsci question. Permissions and ACL's are not something that TrueNAS invented, but nevertheless has to support. Their interactions can be annoying and complicated, but you would be better off complaining at their inventors, such as Microsoft. There are lots of resources available on the 'net to help you with these "basics" for Samba, etc. This community is powered by members of the community, so if anyone wants to actually write a primer for Samba and ACL's, I'll be happy to help get it into the Forum Resources section. But someone actually has to write it.

E) Frankly, as a "newcomer" I'm hugely disappointed. If it weren't for my personal craving to learn new things, I would have dropped the truenas project on day one, and be on my way to other venues. Just to be clear here, I am not bashing the program, I am simply criticizing the guide and reference structure supporting it.

This isn't a beginner-level product. You are expected to invest time and effort into it, to learn about ZFS and how to protect your data. If you have never driven anything but a basic automatic transmission car, and you sit down in a race car with manual transmission, it will be daunting and you might not even be able to figure it out. TrueNAS isn't for everyone. We're fine if you go do QNAP or unRAID instead. Each alternative has strengths and weaknesses.
 

Davvo

MVP
Please read the Forum Rules:

TrueNAS-13.0-U3.1 installed on VMWare ESXi 8.0
Please read the following resource:

TrueNAS isn't supposed to be run on all kinds of hardware, please read the following resources:

If you also read the Introduction to ZFS you have now a somewhat comprehensive understanding of ZFS and TN.

About your questions:
owner@ and group@ refer respectively to the user and the group you set on the left of the ACL (Filesystem/Dataset) panel, while group allows you to choose which group to apply the permissions from the existing groups; user does the same for the users.

The user duccio is the owner@ and the group regaz is the group@


I suggest you watch the following video, it should be helpful:

Do note that SMB standard behaviour is to use sync writes when it talks to macOS.

For more resources please look in my signature or directly in the resources section of the forum.
Do note that the attitude you showed in your second post won't get you far here.
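As an added illustration of the owner@/group@ versus group:NAME distinction explained above and of the OP's "Delete Everyone@, keep Owner@, Group@ and Group (built-in users)" recipe (example code, not from the thread or from TrueNAS), here is a simplified NFSv4 ACL evaluator. All user, group and ACL values are constructed; it models only the r/w/x bits and the ordered first-match walk, not the full NFSv4 permission set.

```python
# Added example (not from the thread or TrueNAS): a simplified NFSv4 ACL evaluator
# showing how the "who" field resolves. owner@/group@/everyone@ are special
# principals that follow the file's current owner and group; user:NAME and
# group:NAME are fixed. Only r/w/x bits are modelled; all names are constructed.
# An ACE is (who, perms, kind); a principal is (user, set_of_groups).

def ace_matches(who, user, groups, file_owner, file_group):
    """Does an ACE with this 'who' apply to user/groups for a file owned by file_owner:file_group?"""
    if who == "owner@":
        return user == file_owner          # follows chown
    if who == "group@":
        return file_group in groups        # follows chgrp
    if who == "everyone@":
        return True
    kind, _, name = who.partition(":")
    if kind == "user":
        return user == name                # fixed principal, whoever owns the file
    if kind == "group":
        return name in groups              # fixed principal
    raise ValueError(f"unknown who: {who!r}")


def check_access(acl, user, groups, file_owner, file_group, wanted):
    """NFSv4 rule: walk ACEs in order; each wanted bit is settled by the first
    matching ACE that mentions it. A deny on an unsettled bit fails the request;
    bits that no ACE grants are denied."""
    pending = set(wanted)
    for who, perms, kind in acl:
        if not ace_matches(who, user, groups, file_owner, file_group):
            continue
        hit = pending & set(perms)
        if kind == "deny" and hit:
            return False
        pending -= hit
        if not pending:
            return True
    return False


# Constructed ACL following the recipe in the thread: owner@ and group@ get
# full control, a named group is read-only, and the everyone@ entry is removed.
MEDIA_ACL = [
    ("owner@", "rwx", "allow"),
    ("group@", "rwx", "allow"),
    ("group:builtin_users", "rx", "allow"),
]
```

The practical consequence: changing the dataset's owning group silently changes who group@ grants full control to, while group:builtin_users keeps pointing at the same group.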
 

Redcoat

MVP
The content of this post https://www.truenas.com/community/threads/who-is-group.106782/#post-736334 might be a useful addition to your knowledge base - particularly the info found in the four links in @anodos post at the end of the string.
 

anodos

Sambassador
iXsystems
If there is a problem with existing official documentation, I think best course is to fix it (official docs). TrueNAS / FreeNAS has a long heritage of outdated / abandoned documentation and how-tos (that often end up tripping up new users) :)

ACLs are pretty well documented in general and as jgreco mentioned are not something we made up. That said, there seem to be an increasing number of people administering servers in professional / business environments who lack requisite knowledge. :/
 

jgreco

Resident Grinch
administering servers in professional / business environments who lack requisite knowledge.

That would be me, which is why I totally avoid Microsoft style ACL's to the maximum extent possible. :smile: I know that will sound funny to some forum members who may regard me as a fountain of knowledge, but it is quite possible that I know less about Windows ACL's than you do. Just a matter of knowing your limits.
 

anodos

Sambassador
iXsystems
That would be me, which is why I totally avoid Microsoft style ACL's to the maximum extent possible. :smile: I know that will sound funny to some forum members who may regard me as a fountain of knowledge, but it is quite possible that I know less about Windows ACL's than you do. Just a matter of knowing your limits.
Right. It's also common for people who use NFS professionally to not use it with v4 + kerberos (which is the case where more complex permissions setups get used in pure Unix environments).

That said, the most common permissions issue I see is users running chmod 0770 /mnt/tank with said path being owned by root:wheel, which most sysadmins should realize is not a terribly great idea on a multi-user system :)
 

jgreco

Resident Grinch
That said, the most common permissions issue I see is users running chmod 0770 /mnt/tank with said path being owned by root:wheel, which most sysadmins should realize is not a terribly great idea on a multi-user system :)

Okay, you just broke my brain. WTF is the point of *that*? I could maybe see 0771 as that would at least allow tank to be traversed.
 
Joined
Oct 22, 2019
Messages
3,641
Okay, you just broke my brain. WTF is the point of *that*? I could maybe see 0771 as that would at least allow tank to be traversed.
Why would you want anything below /mnt/tank to be traversable? That's how the hackers will win. Do you want the hackers to win?
 

anodos

Sambassador
iXsystems
Why would you want anything below /mnt/tank to be traversable? That's how the hackers will win.

I more blame the youtuber who promoted this idea in a fairly commonly-viewed TrueNAS / FreeNAS video. It's pretty clear he didn't know how unix permissions work at all, which is okay, but one should probably do proper research before making how-to videos. Especially ones advising doing things through shell because our webui prevents it.
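To make the chmod 0770 problem discussed above concrete, here is an added example (not the thread's own code) that evaluates plain POSIX mode bits along a constructed /mnt/tank path. It ignores NFSv4 ACLs and treats uid 0 as bypassing every check, which is exactly why the lock-out is invisible when you test as root.

```python
# Added example (not from the thread or TrueNAS): why "chmod 0770 /mnt/tank" with
# root:wheel ownership locks every other user out of everything below it. Models
# the POSIX rule that reaching a file needs the search (execute) bit on each
# directory above it, chosen from the owner/group/other triplet that applies
# to the caller. Paths, uids and gids are constructed for illustration.

ROOT_UID, WHEEL_GID, USERS_GID = 0, 0, 100


def class_bits(mode, owner, group, uid, gids):
    """Return the 3-bit rwx triplet that applies to uid (root bypasses mode checks)."""
    if uid == 0:
        return 7
    if uid == owner:
        return (mode >> 6) & 7     # owner triplet wins even if uid is also in group
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def first_blocked(chain, uid, gids):
    """chain: list of (mode, owner_uid, gid) for each directory from the top down.
    Returns the index of the first directory uid cannot search, or None."""
    for i, (mode, owner, group) in enumerate(chain):
        if not class_bits(mode, owner, group, uid, gids) & 1:
            return i
    return None


def media_file_readable(tank_mode, uid=1001, gids=frozenset({USERS_GID})):
    """Constructed layout: /mnt (0755 root:wheel) -> tank (tank_mode root:wheel)
    -> media (0775 root:users) -> movie.mkv (0664 root:users)."""
    dirs = [(0o755, ROOT_UID, WHEEL_GID),
            (tank_mode, ROOT_UID, WHEEL_GID),
            (0o775, ROOT_UID, USERS_GID)]
    if first_blocked(dirs, uid, gids) is not None:
        return False
    return bool(class_bits(0o664, ROOT_UID, USERS_GID, uid, gids) & 4)
```

With 0770 on tank, a non-wheel user is stopped at index 1 regardless of how permissive media/ is; 0771 restores traversal while still hiding the listing of tank itself.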
 

anodos

Sambassador
iXsystems
Why there are two sets of permissions for Filesystem ACL and share ACL for shared folder?

These exist on all SMB servers (whether Windows or Samba-based). The reason why goes back to the days before NTFS (when Windows didn't have filesystem ACLs at all). And they are still used by Windows admins to this day :) So the question is whether we choose to hide away share ACLs from the administrator in the webui so that there's a layer of permissions they may not be aware of (and may still be modified by an RPC client) or make them visible and configurable.
 

anodos

Sambassador
iXsystems
Hmm... looks like documentation on ACLs may have been refactored away. I filed a ticket to add docs for `who` field.
 

danb35

Hall of Famer
It's pretty clear he didn't know how unix permissions work at all, which is okay, but one should probably do proper research before making how-to videos.
I think Linus' (from LTT) ears are burning.
 