SOLVED Probably permission issues?

vzbptbcs

Dabbler
Joined
Oct 11, 2020
Messages
13
Hello,
I've TrueNAS installed as a VM in Proxmox. (Disks attached directly via HBA PCIe passthrough)
Then I've set up a SMB share and mounted that via Proxmox GUI.
Now I want Proxmox to backup all the VMs (except TrueNAS VM itself) to this SMB share.
But I can't. The process freezes after some time. (For more information see here)

Permissions with TrueNAS and especially with SMB / ACLs are a bit overwhelming to me and I wanted to take a deeper look into it after my basic setup is running so I can do stuff now and optimize later.

Could you just tell me if I did this right and if my backup problem could be a permission issue?
Here's what I did:

/mnt/TANK/Backup
Options: Sync: Always, Exec: Off, Atime Off, ACL Passthrough
ACL: (owned by root:wheel) Group "folder_backup" allow traverse inherit

/mnt/TANK/Backup/Proxmox
Options: Inherit
ACL: (owned by root:wheel) Group "proxmox" allow modify inherit

The user accessing these shares is "proxmox" with primary group "proxmox".
He is also in "folder_backup" group.

I can mount that share on Proxmox and if I go to that share in the terminal I can do rw actions.

However permissions look a bit weird to me:
Code:
root@proxmox:/mnt/pve/backup/test# ls -al
total 18
drwxr-xr-x 2 root root     0 Nov  7 09:54 .
drwxr-xr-x 2 root root     0 Nov  7 09:53 ..
-rwxr-xr-x 1 root root 10240 Nov  7 09:54 test2.html
-rwxr-xr-x 1 root root 20480 Nov  7 09:54 test.tar
-rwxr-xr-x 1 root root     6 Nov  7 09:53 test.txt


Why does group not have write permissions but everyone can execute??
 
Joined
Jan 7, 2015
Messages
1,155
Do the users and groups, specifically the UID/GIDs, match on both/all systems? I would first look into this.
 

vzbptbcs

Dabbler
Joined
Oct 11, 2020
Messages
13
Do the user/group need to be the same on the client and server?
Why is that? I know that from NFS but I thought I don't need to care about this with SMB since I authenticate with username/password anyway.

On the server:
Code:
root@truenas[~]# id proxmox
uid=1004(proxmox) gid=1008(proxmox) groups=1008(proxmox),545(builtin_users),1009(folder_backup)


On the client there is no user "proxmox". (I guess) root is accessing the share here.
 
Joined
Jan 7, 2015
Messages
1,155
I've never used proxmox so not exactly sure. However proxmox is mounting the share as root:root, not root:wheel. TN has no idea what the group root is. I feel like on the proxmox host you should also have a matching proxmox user/group. Whatever user/group you are using to mount these shares likely should all match--name, password, UID/GID. This goes for Windows/Linux/Mac machines as well. Once this is complete I'd allow the user proxmox to just own the backup datasets in question on the TN VM. Also make sure proxmox owns the mount folder /mnt/pve on the Proxmox machine.

I digress because I'm out of my element. But my gut is saying that the proxmox host has no idea who TrueNAS user proxmox is, or the groups you are trying to use. Let alone the other VMs you are likely running. Try to stick to common user/groups as much as possible to avoid these issues.
 

vzbptbcs

Dabbler
Joined
Oct 11, 2020
Messages
13
But if that is so wrong, why can I successfully mount the share and then read/write to the share?
Shouldn't I get a permission error much earlier then?

Also I've mounted several other shares on Debian VMs and clients through fstab with similar methods.
There UID/GIDs don't match either and it just works fine.

Also on my Synology NAS it worked with different usernames/groups on client/server for years.

Maybe you have misunderstood this? I'm talking about SMB/CIFS, not NFS.
Could someone else clarify this, please? Now I'm more confused than before.
 
Joined
Jan 7, 2015
Messages
1,155
I still think you should have proxmox user/group on the proxmox machine and when you run the backup run it as the user proxmox with identical UID/GID to TN.

I guess maybe I am confused, but it looks like it's getting ready to write the backup but it can't. This also points to permissions as it can read, but not write, which you showed.
 

vzbptbcs

Dabbler
Joined
Oct 11, 2020
Messages
13
Actually I am super stupid.

The proxmox user had only the group "folder_backup" assigned.
The primary group "proxmox" was removed for some unknown reason...
But I made the ACL so that the group "proxmox" does have access to the child dataset.

Didn't notice that several times.

It works now.

@John Digital So I was right, user/group doesn't have to be the same on client and host.
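
Added example (not part of the thread and not TrueNAS code): a simplified model of the check that resolved this, comparing the groups reported by `id proxmox` on the server against the group ACL entries listed in the first post. The `ACL_GRANTS` table, the `IMPLIES` mapping and the function names are assumptions made for illustration; real NFSv4 ACL evaluation has more entry types and flags.

```python
import re

# Group grants per dataset, as listed in the first post.
ACL_GRANTS = {
    "/mnt/TANK/Backup": [("folder_backup", "traverse")],
    "/mnt/TANK/Backup/Proxmox": [("proxmox", "modify")],
}
# Assumed simplification of the basic permission sets.
IMPLIES = {"traverse": {"traverse"}, "modify": {"traverse", "read", "write"}}

# `id proxmox` output from the thread (server side, working state).
ID_OUTPUT = ("uid=1004(proxmox) gid=1008(proxmox) "
             "groups=1008(proxmox),545(builtin_users),1009(folder_backup)")

def groups_from_id(id_output):
    """Return primary and supplementary group names from `id` output."""
    names = set(re.findall(r"gid=\d+\(([^)]+)\)", id_output))
    m = re.search(r"groups=(.*)", id_output)
    if m:
        names.update(re.findall(r"\(([^)]+)\)", m.group(1)))
    return names

def rights(path, groups):
    """Union of rights the user's groups receive on one dataset."""
    granted = set()
    for group, perm in ACL_GRANTS.get(path, []):
        if group in groups:
            granted |= IMPLIES[perm]
    return granted

def check_write(target, groups, root="/mnt/TANK"):
    """Traverse is needed on every level below root, write on the target."""
    path, r = root, set()
    for part in target[len(root):].strip("/").split("/"):
        path = f"{path}/{part}"
        r = rights(path, groups)
        if "traverse" not in r:
            return False, f"no traverse on {path}"
    if "write" not in r:
        return False, f"no write on {target}"
    return True, "ok"

if __name__ == "__main__":
    target = "/mnt/TANK/Backup/Proxmox"
    fixed = groups_from_id(ID_OUTPUT)
    broken = fixed - {"proxmox"}  # constructed: state before the fix
    print("fixed :", check_write(target, fixed))
    print("broken:", check_write(target, broken))
```
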
 