Samba share and multiple users

wilcomir

Cadet
Joined
Oct 2, 2022
Messages
2
I want to set up a Samba share for my family. To keep things reasonably clean, I'd like one account for each person rather than a shared account or passwordless sharing, but I cannot wrap my mind around the issue I am seeing.

I have set up two accounts, both are part of the family group. In the smb dataset I have root as user owner, family as group owner, both with full access granted.

I can connect to the share with both accounts, but as soon as I create any file, a new dataset is created inside the main one, owned by the account that created the file, therefore file sharing is not possible.

I chose Samba as I will have a mix of client OS, Linux - Mac/i/iPad OS - Windows.

Up to now I tested this out with Apple devices only, so I am not sure if this is related to how Apple manages Samba shares, or it is something I should fix on the TrueNAS side.

I am sure I am missing some details, I will gladly add those as requested.

Thanks for all the help!

Cheers,
V
 

tauronux

Dabbler
Joined
Oct 15, 2022
Messages
19
I have the exact same problem. I've just installed Core version, created DATA set, users, one group and SMB share, have set SMB and share permissions. The connection from Windows machines works, but every time I add a file or create a folder, it creates it in a subfolder with the user's name, so each user has its own and they can't share files. I double-checked to not set it as home folder. I just can't imagine how this simple thing could be this complicated.

Btw. seeing this posted like almost 3 weeks ago without any replies makes me worried about this "great community support".
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Both of these issues sound like you've turned on the option for "Use as Home Share" for the share in question--that's exactly the behavior that will produce.
 

tauronux

Dabbler
Joined
Oct 15, 2022
Messages
19
Both of these issues sound like you've turned on the option for "Use as Home Share" for the share in question--that's exactly the behavior that will produce.
I've double-checked and it was not turned ON. I'm wondering if it has anything to do with not setting a user home folder and leaving it at /nonexistent during user creation?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I've double-checked and it was not turned ON. I'm wondering if it has anything to do with not setting a user home folder and leaving it at /nonexistent during user creation?
Yes. The homes share relies on pam_mkhomedir to create the share path. If path is undefined, then this will fail.
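
An added example, not part of the thread and not TrueNAS code: in stock Samba, a `[homes]` section or a share path containing `%U`, `%u` or `%H` gives each connecting user a separate directory, which matches the per-user subfolder symptom discussed above. The sketch below scans smb.conf-style text (for instance the output of `testparm -s`) for such shares; the sample config, share names and paths are constructed.

```python
import re

# Samba substitutions that differ per connecting user:
# %U session username, %u service username, %H home directory of %u.
PER_USER_VARS = re.compile(r"%[UuH]")

# Constructed sample in smb.conf syntax; share names and paths are made up.
SAMPLE_CONF = """
[homes]
    path = /mnt/tank/smb/%U
    browseable = no

[family]
    path = /mnt/tank/family
    valid users = @family

[scans]
    path = /mnt/tank/scans/%u
"""

def parse_shares(text):
    """Return {section name: {parameter: value}} for smb.conf-style text."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name.
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def per_user_shares(text):
    """Map share name -> reason for shares that resolve to a per-user directory."""
    findings = {}
    for name, params in parse_shares(text).items():
        path = params.get("path", "")
        if name == "homes":
            findings[name] = "[homes] section, path: " + (path or "user's home directory")
        elif name != "global" and PER_USER_VARS.search(path):
            findings[name] = "path expands per user: " + path
    return findings

if __name__ == "__main__":
    for share, reason in per_user_shares(SAMPLE_CONF).items():
        print(f"{share}: {reason}")
```

A share meant to be common to a group should not appear in the output; in the sample only `family` is a single shared directory.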
 

tauronux

Dabbler
Joined
Oct 15, 2022
Messages
19
Yes. The homes share relies on pam_mkhomedir to create the share path. If path is undefined, then this will fail.
I'm not sure what that means as I'm not trying to share user's home directories, but that's probably because I'm new to TrueNAS, FreeBSD or Linux in that regard.

I've started from scratch - all users, groups, shares and datasets were deleted. I've created a new one and set the default ACL permissions (with everyone@ and builtin_users on the list). I've created two new users. I've defined a path to home directory for the first one and left /nonexistent for the second one and created the SMB share with default values.

After that I've connected to the share from Windows 10 PC1 with user1 and created a folder and a text file. I've connected also from Windows PC2 with user2 and I could see both files and created another two.
Now it's time to restrict access.

I've created a security group and added both users to it. I've changed the ACL preset on the dataset to SMB share, which removed everyone@ and builtin_users. Then I changed the owner group to that security group, checked Apply group and saved ACL. Tried the access from both machines and although they could see the dataset as a folder, they couldn't access it.

So I edited both users and noticed that they still had their primary group set to the default one with their usernames, and in the auxiliary ones were added builtin_users and the security group I've created. So I deleted both auxiliary group entries and changed the default one to the security group I've created for the share. Tried connecting to no avail.

So I went again to edit the dataset's ACL list - added the security group explicitly (even though it should get permission based on the group@ ACL item, when set as the owner group, if I understand this correctly?) with Full control permissions. Tried connecting, but the dataset folder is still not accessible.

I'm at the same point as before in terms of settings - but now I don't have access to the shared dataset at all as opposed to the previous state - when I had access, but it created subfolders/datasets for each user.
 

tauronux

Dabbler
Joined
Oct 15, 2022
Messages
19
I went ahead and added user1 explicitly to the ACL items and I still didn't have access. So I logged off of the Windows machine, logged back in and voilà - after putting in the credentials (as I didn't want to save them), I had access to the folder again. Done the same on the second machine and it worked also with the user2. Now I need to trace it back and log off after each change to find the right settings needed to get it working.

My question is - why didn't TrueNAS allow me to access it after I've added the permissions without logging off and on again? When I removed the permissions, it denied access right away, so I'm wondering why do I need to log out from a Windows machine to get a permissions update? Shouldn't this be handled on TrueNAS itself?
 

tauronux

Dabbler
Joined
Oct 15, 2022
Messages
19
Ok, so I remember net_use command, so I don't have to log out every time. Created a 3rd user, to test if the ACL permissions are really working. I didn't create a home folder for him and just selected the builtin_users as his primary group. It didn't allow him to access the folder, so I can safely say that now it's working. I still don't have a clue why it created a subfolder before for each user. More questions have arisen though:

1. I created NAS user with a different name, that I had on my Windows machine, but set the same password. To my surprise I was allowed to get to the shared folder directly without being asked for credentials? How come?

2. When I was deleting user with primary group set to builtin_users as primary group, I was asked if I want to delete that group also. I selected NO. When I was deleting the users with the custom created security group set as their primary, it didn't ask for the group deletion, but it deleted it anyways! I've realised this after creating new user and trying to set the group as his primary. I then had to set a new one and also set it in the ACL permissions list. Why did it delete the group in the first place? Is it a default behavior? If all users of a group are deleted, then it removes the group itself? I saw many things in Windows Server systems, which were ... stupid .. but this one is really close to that

3. Does a user need to be part of builtin_users group? I noticed that after creating the user with a primary group set to something different, it adds builtin_users to the auxiliary pool. Should I let it be like that or am I safe to delete it.

This whole experience makes me wonder if this platform is reliable. The thing is, I've set it up in the exact same way as the first time, yet it didn't work one time, and worked the other time. Worst thing is, I don't know the reason. What if something similar happens later, with live data on it? I mean .. I've expected everything .. but being stuck at creating users and shares for 5-6 hours ... jeez come on ..
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
This whole experience makes me wonder if this platform is reliable.
The platform, TrueNAS, is extremely reliable. However, in my opinion, SMB is a hot mess. It's so complicated and lots of people have trouble with it. AFP has always worked fine for me and is very simple to manage, but it's deprecated so I'm trying to migrate to SMB. It's very complex, mysterious and tricky.
 

tauronux

Dabbler
Joined
Oct 15, 2022
Messages
19
The platform, TrueNAS, is extremely reliable. However, in my opinion, SMB is a hot mess. It's so complicated and lots of people have trouble with it. AFP has always worked fine for me and is very simple to manage, but it's deprecated so I'm trying to migrate to SMB. It's very complex, mysterious and tricky.
I don't believe that Windows is able to manage SMB easily with just a few clicks and other OS needs to be that weird about it. Still .. I'm gonna dive into it tomorrow and see if I've maybe misclicked something the first time I was setting it up. I really doubt it, but who knows .. in the meantime. Is anybody able to answer these please?:

1. I created NAS user with a different name, that I had on my Windows machine, but set the same password. To my surprise I was allowed to get to the shared folder directly without being asked for credentials? How come?

2. When I was deleting user with primary group set to builtin_users as primary group, I was asked if I want to delete that group also. I selected NO. When I was deleting the users with the custom created security group set as their primary, it didn't ask for the group deletion, but it deleted it anyways! I've realised this after creating new user and trying to set the group as his primary. I then had to set a new one and also set it in the ACL permissions list. Why did it delete the group in the first place? Is it a default behavior? If all users of a group are deleted, then it removes the group itself?

3. Does a user need to be part of builtin_users group? I noticed that after creating the user with a primary group set to something different, it adds builtin_users to the auxiliary pool. Should I let it be like that or am I safe to delete it.
 

wilcomir

Cadet
Joined
Oct 2, 2022
Messages
2
For what it's worth, I started from scratch and it worked quite easily at the second try. I believe in my case I had the option for "Use as Home Share" inadvertently turned on. I confirm that my users do not have a home folder set up, it should work fine without.

Best of luck!
 