NFS and access permissions to subdatasets

[nival_d]

Hi all,

I am running a fresh node of TrueNAS running TrueNAS-12.0-U4 and having some strange issues with NFS shares and access permissions.

I am trying to set up a share that is exposed with NFS and SMB and has permissions applied.
My layout is the following:

MEDIA - main disk pool, it is also exposed with SMB and NFS.
MEDIA/Inbox - a dataset that contains a number of sub datasets with different access priviledges applied using ACLs in the TrueNAS GUI:

MEDIA/Inbox/Media
MEDIA/Inbox/Scans
MEDIA/Inbox/Transmission jobs

I set up the permissions in the UI allowing access to all of these datasets to the members of family_seniors group and the permissions are working ok in shell when I log in under my user

Code:

truenas% sudo getfacl /mnt/MEDIA/Inbox/*
Password:
# file: /mnt/MEDIA/Inbox/Media
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
group:family_seniors:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow

# file: /mnt/MEDIA/Inbox/Scans
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd----I:allow
            group@:rwxpDdaARWc--s:fd----I:allow
group:family_seniors:rwxpDdaARWcCos:fd----I:allow
         everyone@:--------------:fd----I:allow

# file: /mnt/MEDIA/Inbox/Transmission jobs
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
group:family_seniors:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow

truenas% sudo getfacl /mnt/MEDIA/Inbox
# file: /mnt/MEDIA/Inbox
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
group:family_seniors:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow

truenas% touch /mnt/MEDIA/Inbox/Scans/2
truenas% touch /mnt/MEDIA/Inbox/Media/2
truenas% touch /mnt/MEDIA/Inbox/Transmission\ jobs/2

However when I mount the MEDIA dataset on my local linux machine, I do not have access to anything in the Inbox

Code:

➜  ~ ls data/Inbox     
➜  ~ ls data/Inbox
➜  ~ ls data
'Family data'   Inbox   Media  'old Movies'   transmission
➜  ~ ls data/Inbox
➜  ~

My fstab to mount the location looks like the following:

Code:

192.168.50.131:/mnt/MEDIA                 /home/user/data nfs    async 0 0

Interestingly, inbox is the only location where I want to have ACL based access, all the other places look like that:

Code:

drwxr-xr-x  6 root  wheel     6B Jun 23 21:55 .
drwxr-xr-x  4 root  wheel   192B Jan  1  2000 ..
drwxrwx---  3 root  wheel   213B Jun 23 03:11 Family data
drwxrwx---+ 5 root  wheel     5B Jun 23 21:47 Inbox
drwxr-xr-x  2 root  wheel     2B Jun 22 21:23 Media
drwxr-xr-x  2 root  wheel     2B Jun 23 01:10 old Movies

In the NFS properties I am doing Mapall to root. I have no issues accesssing any of the folders other than Inbox.

I have a feeling I am doing something very wrong, I would appreciate any hints on how I can fix the access priviledges for the Inbox folder using NFS.

Thanks in advance!

 

[nival_d]

Hi all,

I found a solution to my problem.

The root cause of the issue was not around the ACLs and permissions to the directories or NFS permissions, but rather the structure of nested filesystems.
In my case I created 3 separate datasets under the Inbox/ point that was a filesystem itself. I did that to leverage the fantastic GUI of Truenas to create ACLs.
Hoewer with that setup I broke compatibility with NFS. In order to share the filesystems mounted under a particular point, some implementations of NFS implement crossmnt functionality. FreeBSD, however doesn't implement that.
So my gutfeeling about a fundamental mistake was correct - I treated datasets as folders to use the UI, while I should have just gone to the CLI and created them manually and assigned the necessary permissions using setfacl. Which I did in 5 minutes after realizing what the root cause was, and it was even faster than using the GUI.

Hope that helps someone.