SOLVED NFSv4 ACL inheritance differences in SMB vs. Unix

bcat

Explorer
Joined
Oct 20, 2022
Messages
84
Hello all! I've been trying out TrueNAS SCALE for a little while now and am currently running 22.02.4. SMB clients are various Windows 10 machines (with latest updates). Overall, I'm really happy with how NFSv4 ACLs work and how they're presented over SMB, but there's one weird thing I can't figure out. I've searched around the forums, but haven't found anything specific about this, so I figured I'd ask here.

To repro, first create a new dataset with "Share Type" set to "SMB" (all other options default).

[attached screenshot: 1666304684455.png]

Scale sets a default NFSv4 ACL with four inherited entries.

[attached screenshot: 1666304786050.png]

Then create a new SMB share with "Default share parameters".

[attached screenshot: 1666304888758.png]

Now create two files in the share, one from the command line (e.g., via touch over SSH) and one from a Windows client via SMB, then look at their ACLs through Windows Explorer. The file created directly from Unix has inheritance enabled, but the file created over SMB from Windows does not.

[attached screenshot: 1666305228106.png]

[attached screenshot: 1666305373752.png]

It seems that even though ACL entries in the root of the share have inheritance enabled, files (and folders) created over SMB end up with non-inherited ACL entries. Here are the differences in the file ACLs as viewed from the TrueNAS side:

Code:
$ nfs4xdr_getfacl /mnt/data-pool/files/test/unix-file.txt
# File: /mnt/data-pool/files/test/unix-file.txt
# owner: 1000
# group: 0
# mode: 0o100770
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWc--s:------I:allow
group:builtin_users:rwxpDdaARWc--s:------I:allow
group:builtin_administrators:rwxpDdaARWcCos:------I:allow

$ nfs4xdr_getfacl /mnt/data-pool/files/test/smb-file.txt
# File: /mnt/data-pool/files/test/smb-file.txt
# owner: 1000
# group: 0
# mode: 0o100700
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:-------:allow
group:builtin_users:rwxpDdaARWc--s:-------:allow
group:builtin_administrators:rwxpDdaARWcCos:-------:allow


This isn't a big deal for me in practice because my ACL setups are quite simple, and recursively updating ACLs from the dataset root whenever I need to change them is realistically fine, but this behavior doesn't match my (admittedly naive) understanding of how NFSv4 ACLs "should work", and so I'd like to understand the mismatch, if only for my own education. :)
 
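As an added example (not code from the thread or from TrueNAS), here is a small Python checker that parses nfs4xdr_getfacl output and compares a file's ACL with what NFSv4 inheritance from the parent directory should have produced: every parent ACE carrying file_inherit is expected to reappear on a new file with only the "inherited" flag set. The parent ACL below is constructed to match the four default inheritable entries described above; the two file ACLs are the ones posted. The check covers files only (directory inheritance has extra rules) and the finding strings are my own wording.

```python
from dataclasses import dataclass

# Flag columns in nfs4xdr_getfacl output, left to right: f d i n S F I
FLAG_NAMES = {
    "f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
    "n": "no_propagate", "S": "successful_access", "F": "failed_access",
    "I": "inherited",
}


@dataclass(frozen=True)
class Ace:
    who: str          # "owner@", "group@", "group:builtin_users", ...
    perms: str        # permission letters exactly as printed
    flags: frozenset  # subset of FLAG_NAMES.values()
    kind: str         # "allow" or "deny"


def parse_getfacl(text):
    """Return (header dict, [Ace, ...]) from nfs4xdr_getfacl output."""
    header, aces = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        # The principal can itself contain ':' (group:builtin_users), so split
        # from the right: the last three fields are always perms, flags, type.
        parts = line.rsplit(":", 3)
        if len(parts) != 4:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        who, perms, flags, kind = parts
        flagset = frozenset(FLAG_NAMES[c] for c in flags if c != "-")
        aces.append(Ace(who, perms, flagset, kind))
    return header, aces


def expected_file_aces(parent_aces):
    """ACEs a new *file* should receive from its parent: each parent ACE with
    file_inherit is copied with inherit flags cleared and 'inherited' set."""
    return [Ace(a.who, a.perms, frozenset({"inherited"}), a.kind)
            for a in parent_aces if "file_inherit" in a.flags]


def inheritance_findings(parent_aces, child_aces):
    """List deviations of a file's ACL from the inherited ACL it should have.
    An empty list means the child is consistent with the parent."""
    findings, by_who = [], {}
    for a in child_aces:
        by_who.setdefault(a.who, []).append(a)
    expected = expected_file_aces(parent_aces)
    for exp in expected:
        matches = by_who.get(exp.who, [])
        if not matches:
            findings.append(f"{exp.who}: expected inherited ACE is missing")
            continue
        if not any("inherited" in m.flags for m in matches):
            findings.append(f"{exp.who}: ACE present but not marked inherited")
        if not any(m.perms == exp.perms and m.kind == exp.kind for m in matches):
            findings.append(f"{exp.who}: perms/type differ from parent ACE")
        if len(matches) > 1:
            findings.append(f"{exp.who}: duplicate ACEs ({len(matches)})")
    expected_whos = {e.who for e in expected}
    for a in child_aces:
        if a.who not in expected_whos:
            findings.append(f"{a.who}: extra ACE not derived from parent")
    return findings


# Constructed sample: the dataset root with the four default inheritable ACEs.
PARENT_ACL = """\
# File: /mnt/data-pool/files/test
# owner: 1000
# group: 0
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
group:builtin_administrators:rwxpDdaARWcCos:fd-----:allow
"""

# File created with touch over SSH (ACL as posted in the thread).
UNIX_FILE_ACL = """\
# File: /mnt/data-pool/files/test/unix-file.txt
# mode: 0o100770
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWc--s:------I:allow
group:builtin_users:rwxpDdaARWc--s:------I:allow
group:builtin_administrators:rwxpDdaARWcCos:------I:allow
"""

# File created from Windows over SMB (ACL as posted in the thread).
SMB_FILE_ACL = """\
# File: /mnt/data-pool/files/test/smb-file.txt
# mode: 0o100700
            owner@:rwxpDdaARWcCos:-------:allow
group:builtin_users:rwxpDdaARWc--s:-------:allow
group:builtin_administrators:rwxpDdaARWcCos:-------:allow
"""


def findings_for(parent_text, child_text):
    return inheritance_findings(parse_getfacl(parent_text)[1],
                                parse_getfacl(child_text)[1])


if __name__ == "__main__":
    for label, acl in (("unix-file.txt", UNIX_FILE_ACL),
                       ("smb-file.txt", SMB_FILE_ACL)):
        print(label, findings_for(PARENT_ACL, acl) or ["consistent with parent"])
```

Run against the posted output, the SSH-created file comes back clean, while the SMB-created file produces four findings: three ACEs present but not marked inherited, and the group@ ACE missing entirely. Feeding it the output of `nfs4xdr_getfacl` for the share root and a fresh file is a quick way to confirm the same discrepancy on another system.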

bcat

Explorer
Joined
Oct 20, 2022
Messages
84
(Sorry for the extra post; I don't think I can edit posts yet.) Also, it's odd that files created over SMB are missing the group@ ACE. It's almost like something is applying a mask that strips out group permissions and removes the "inherited" flag from the other ACEs. But I've no idea what (in Samba? in Windows?) would cause that behavior.
 

Tugdwal

Cadet
Joined
Oct 6, 2022
Messages
1
I have encountered the same issue myself, and I was in fact writing a new thread about it until I found yours.

Have you also noted that new folders created over SMB have 2 identical (apart from inheritance) owner@ ACEs ?
 

bcat

Explorer
Joined
Oct 20, 2022
Messages
84
Have you also noted that new folders created over SMB have 2 identical (apart from inheritance) owner@ ACEs ?
Indeed, I observe the same behavior:

Code:
$ nfs4xdr_getfacl /mnt/data-pool/files/test/SMB\ Test
# File: /mnt/data-pool/files/test/SMB Test
# owner: 1000
# group: 0
# mode: 0o40700
# trivial_acl: false
# ACL flags: none
            owner@:rwxpDdaARWcCos:-------:allow
            owner@:rwxpDdaARWcCos:fdi----:allow
            group@:rwxpDdaARWc--s:fdi----:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
group:builtin_administrators:rwxpDdaARWcCos:fd-----:allow


I guess it's time to file a bug in Jira. Feel free to do so if you beat me to it. :) (Otherwise, I'll try to when I have some free cycles.)
 

bcat

Explorer
Joined
Oct 20, 2022
Messages
84
@bcat @Tugdwal I have the same issue, see File and Directory ACL Permissions difference when created from Linux vs Windows. Please share the link if you have submitted a bug report. I'll update it with my observations. If you've not created any, let me know and I'll create one.
Work + life have been busy lately, so I haven't had time to create a Jira account or file a bug yet. So... go for it!

Otherwise, I can probably file one this weekend, but if you have time first, do not wait for me. All I know (which is not much) is on this thread anyway. :)
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
Looks like I am not crazy. I had created some shares for SMB and NFS, I copied contents over from a Windows system into the share via SMB, but then anything over NFS could not see any of the new directories I had copied over...

Figured I must have been doing something wrong!
 

bcat

Explorer
Joined
Oct 20, 2022
Messages
84
It seems the linked issue was closed, but I still don't understand how the particular behavior (in particular, the inconsistent behavior over SMB vs. not) reported here is actually WAI. But the fact that the unexpected behavior is SMB specific seems like a hint.... I suppose the next step to understand this inconsistency is to dig into Samba's handling of NFSv4 ACLs.

I'm not sure if TrueNAS SCALE uses vanilla Samba or a fork. (Though I vaguely recall at least some of the NFSv4 support on SCALE wasn't fully upstreamed yet, that may not be accurate.) I'll see what I can find, and code pointers are welcome if anyone has any. :)

Edit: It seems there is indeed a Samba fork, so that's probably a good next area to investigate. Code in and around this neighborhood seems like it might be relevant, but I've not yet verified whether that runs on SCALE, on Core, or on both/neither.
 

bcat

Explorer
Joined
Oct 20, 2022
Messages
84
Per the bug, it looks like this may be fixed in Bluefin.
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
Per the bug, it looks like this may be fixed in Bluefin.
Appreciate you digging into this for sure, I am using CORE so hopefully it also finds its way into CORE, or I am just doing something wrong! :D
 

mattheja

Dabbler
Joined
Nov 21, 2017
Messages
13
Per the bug, it looks like this may be fixed in Bluefin.
I was having some trouble squaring Linux/Windows and SMB/NFSv4 permissions/ACLs in my head last time I reviewed all of this prior to configuring some apps and PCs that needed network storage with restricted permissions. I was going to add a new app with different users, and I remember my previous conundrums... then I found this thread. The back and forth in the Jira ticket was useful, in addition to re-reading the updated documentation since the Bluefin release. All is well for me.

Also, I really like your server names in your signature based on the Dresden books. :)
 

bcat

Explorer
Joined
Oct 20, 2022
Messages
84
Also, I really like your server names in your signature based on the Dresden books. :)
Glad it was useful to you, and I'm happy somebody noticed that. All my PCs are named after characters from books I like, and I've been reading Dresden Files recently, so it just made sense.
 