NFSv4 ACL and groups member of groups

JumpingMarc

Cadet
Joined
Mar 17, 2023
Messages
3
Hi,

Some info on my setup.
  • TrueNAS-SCALE-22.12.1
  • NFSv4 ACL
  • Directory Services using Active Directory
I am trying to understand the way NFSv4 ACL works regarding groups in groups.

A visual representation of my directory tree.

Code:
|->01_Folder    [SMB Share, Everyone, full access]
    |           [NFSv4 permissions DOMAIN\DomainLocalGroupOfAllGroups, Basic-Full Control]
    |-> 02_Folder
                [NFSv4 permissions DOMAIN\DomainLocalGroup(member of DOMAIN\DomainLocalGroupOfAllGroups), Basic-Read]


I have a Dataset shared with SMB and permissions set by NFSv4 ACL. The ACL contains a Domain Local group which has as members multiple other Domain Local groups. On one child Dataset, the ACL contains a Domain Local group that is a member of the aforementioned Domain Local group. When editing the ACL, after hitting "Save Access Control List" I get the following error:
[EPERM] Filesystem permissions on path /mnt/zfs_pool_1/data/01_Folder prevent access for group DOMAIN\DomainLocalGroupOfAllGroups to the path /mnt/zfs_pool_1/data/01_Folder/02_Folder. This may be fixed by granting the aforementioned group execute permissions on the path: /mnt/zfs_pool_1/data/01_Folder.

My question: Is there a way to allow the ACL to take into account the fact that "DOMAIN\DomainLocalGroup" is a member of "DOMAIN\DomainLocalGroupOfAllGroups" and therefore should have execute permissions on the path /mnt/zfs_pool_1/data/01_Folder?
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
Can you show the ACLs for the 01_Folder and 02_Folder? A screenshot will work, but I'd prefer text output in code blocks of the following commands:

nfs4xdr_getfacl /mnt/zfs_pool_1/data/01_Folder

nfs4xdr_getfacl /mnt/zfs_pool_1/data/01_Folder/02_Folder
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The check there performs setresuid based on NSS results for uid and getgroups. The latter will give incomplete results because nesting groups is disabled in the NSS plugin for reasons that can be looked up in various places. In principle, SMB access would be unaffected due to how the unix token is being built out, but using nested groups for local FS access outside SMB will be unreliable. Generally speaking, you can view the group memberships of a given user as seen by local processes via `id <username>`.

This isn't an ACL issue, it's an NSS issue (how the user token is generated). ACLs are quite simple: they are just a list of numeric IDs, tags (user or group), and permissions. If the user token doesn't have an ID matching a rule granting it access, then access will be denied.
 
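To make the mechanism concrete, here is an added model of the situation anodos describes; it is example code written for this page, not TrueNAS middleware or Samba code. It parses the nfs4xdr_getfacl output for 01_Folder as posted in the thread, evaluates a request for the execute bit with NFSv4 first-match semantics against a Unix token, and compares two tokens for the same hypothetical user "alice": one built from direct memberships only (what `id <username>` shows when the NSS plugin does not expand nested groups) and one with nested memberships expanded (the way an SMB session token would be). The membership map, the user name and the numeric uid/gid are constructed for the example.

```python
"""Model of NFSv4 ACL evaluation against a Unix token, showing why the
parent-traversal check fails when nested AD groups are not expanded.
Added example for this thread; not TrueNAS or Samba code. GROUP_MEMBERS,
the user "alice" and uid/gid 1001 are constructed for the illustration."""
from dataclasses import dataclass

# nfs4xdr_getfacl output for 01_Folder, as posted in the thread.
PARENT_ACL_TEXT = """\
# File: /mnt/zfs_pool_1/data/01_Folder
# owner: 0
# group: 0
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:-------:allow
            group@:rwxpDdaARWcCos:-------:allow
group:DOMAIN\\DomainLocalGroupOfAllGroups:rwxpDdaARWcCos:-------:allow
"""


@dataclass
class Ace:
    who: str    # "owner@", "group@", "everyone@", "user:NAME" or "group:NAME"
    perms: set  # NFSv4 permission letters present in the mask, e.g. {"r","w","x"}
    flags: str  # inheritance flags column, e.g. "fd-----"
    kind: str   # "allow" or "deny"


@dataclass
class Acl:
    owner: int
    group: int
    aces: list


@dataclass
class Token:
    uid: int
    gid: int
    user: str
    groups: set  # group names the kernel would see in the process token


def parse_nfs4xdr_getfacl(text: str) -> Acl:
    """Parse the text format nfs4xdr_getfacl prints (header comments + ACEs)."""
    owner = group = None
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = int(line.split(":", 1)[1])
            elif line.startswith("# group:"):
                group = int(line.split(":", 1)[1])
            continue
        # Split from the right so a "group:DOMAIN\NAME" principal stays intact.
        who, perms, flags, kind = line.rsplit(":", 3)
        aces.append(Ace(who, set(perms.replace("-", "")), flags, kind))
    return Acl(owner, group, aces)


def ace_applies(ace: Ace, acl: Acl, tok: Token) -> bool:
    """Does this ACE match the token? Inherit-only ACEs never apply to the object itself."""
    if "i" in ace.flags:
        return False
    if ace.who == "owner@":
        return tok.uid == acl.owner
    if ace.who == "group@":
        return tok.gid == acl.group
    if ace.who == "everyone@":
        return True
    kind, _, name = ace.who.partition(":")
    if kind == "user":
        return tok.user == name
    if kind == "group":
        return name in tok.groups
    return False


def has_access(acl: Acl, tok: Token, wanted: str) -> bool:
    """NFSv4 semantics: ACEs are walked in order and the first matching ACE that
    mentions a requested bit decides that bit; bits no ACE mentions are denied."""
    remaining = set(wanted)
    for ace in acl.aces:
        if not ace_applies(ace, acl, tok):
            continue
        hit = remaining & ace.perms
        if ace.kind == "deny" and hit:
            return False
        if ace.kind == "allow":
            remaining -= hit
            if not remaining:
                return True
    return not remaining


# Constructed AD membership: group -> members (users or nested groups).
GROUP_MEMBERS = {
    "DOMAIN\\DomainLocalGroupOfAllGroups": {"DOMAIN\\DomainLocalGroup"},
    "DOMAIN\\DomainLocalGroup": {"alice"},
}


def flat_groups(user: str) -> set:
    """Direct memberships only, like `id <user>` when NSS does not nest groups."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def nested_groups(user: str) -> set:
    """Transitive closure over GROUP_MEMBERS, as an SMB session token would carry."""
    result, todo = set(), set(flat_groups(user))
    while todo:
        g = todo.pop()
        if g in result:
            continue
        result.add(g)
        todo |= {p for p, members in GROUP_MEMBERS.items() if g in members}
    return result


def can_traverse(user: str, expand_nested: bool) -> bool:
    """Can this user's token get 'x' (traverse) on 01_Folder?"""
    acl = parse_nfs4xdr_getfacl(PARENT_ACL_TEXT)
    groups = nested_groups(user) if expand_nested else flat_groups(user)
    tok = Token(uid=1001, gid=1001, user=user, groups=groups)  # constructed ids
    return has_access(acl, tok, "x")


if __name__ == "__main__":
    print("flat token  :", sorted(flat_groups("alice")), "->", can_traverse("alice", False))
    print("nested token:", sorted(nested_groups("alice")), "->", can_traverse("alice", True))
```

The flat token carries only DOMAIN\DomainLocalGroup, which no ACE on 01_Folder names, so the execute bit is left unmentioned and denied; that is the EPERM the middleware reports. The expanded token also carries DOMAIN\DomainLocalGroupOfAllGroups, so the same ACL grants traversal. On a live system the `id <username>` output is the thing to inspect: if the parent group does not appear there, no ACL edit on the child will make the local check pass.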

JumpingMarc

Cadet
Joined
Mar 17, 2023
Messages
3
Here is for 01_Folder:
Code:
root@tns1[/]# nfs4xdr_getfacl /mnt/zfs_pool_1/data/01_Folder
# File: /mnt/zfs_pool_1/data/01_Folder
# owner: 0
# group: 0
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:-------:allow
            group@:rwxpDdaARWcCos:-------:allow
group:DOMAIN\DomainLocalGroupOfAllGroups:rwxpDdaARWcCos:-------:allow


Here is for 02_Folder:
Code:
root@tns1[/]# nfs4xdr_getfacl /mnt/zfs_pool_1/data/01_Folder/02_Folder
# File: /mnt/zfs_pool_1/data/01_Folder/02_Folder
# owner: 0
# group: 0
# mode: 0o40750
# trivial_acl: false
# ACL flags: none
group:DOMAIN\DomainLocalGroup:rwxpDdaARWc--s:fd-----:allow
            owner@:rwxpD-aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
 

JumpingMarc

Cadet
Joined
Mar 17, 2023
Messages
3
anodos said:
    The check there performs setresuid based on NSS results for uid and getgroups. The latter will give incomplete results because nesting groups is disabled in the NSS plugin for reasons that can be looked up in various places. In principle, SMB access would be unaffected due to how the unix token is being built out, but using nested groups for local FS access outside SMB will be unreliable. Generally speaking, you can view the group memberships of a given user as seen by local processes via `id <username>`.

    This isn't an ACL issue, it's an NSS issue (how the user token is generated). ACLs are quite simple: they are just a list of numeric IDs, tags (user or group), and permissions. If the user token doesn't have an ID matching a rule granting it access, then access will be denied.

Thank you. It is much clearer now.
 