Share / Access / ACL Permissions incomprehensibility

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
Background1 - I have been using TN Core for a while now and have generally figured out how to apply permissions to datasets without causing myself too many issues. I am now experimenting / testing with Scale and am having issues.

Background2 - I have Active Directory on my network, log into that domain and Scale is attached to the AD. I wish to use AD to control access to shares/data etc on Scale. I am happy with root being able to see everything on the server - I just want to be able to control the share access

Background3 - I have a windows background

Scale seems to have three sets of permissions - Unix permissions, ACL, and share ACL. This is giving me a headache

Now for the practical example / scenario - I have a dataset called Plex - it contains a couple of movies, some test files & documents and a program installer in different folders. I would like to apply the following permissions to it at the share level and any folders beneath that.

Currently the permissions are:
[attached screenshot]

These work for the plex container that I have managed to get working. The dataset is shared through a windows share

The Share ACL is:
[attached screenshot]

So everyone in the world has access to the share - not that they can use it
  • TN Core users root & apps should have read, write and execute permissions obviously
  • "domain administrators group" should have read, write and execute permissions
  • "domain user group" should have read and execute permissions
  • "domain/accounts group" should have read, write and execute permissions
And that's all I really want as I should be able to extrapolate from there

How - what should the permissions look like as this is really doing my head in. TN Scale keeps insisting on masks, defaults etc and I have no idea what I am doing. Is there a right way of doing this / a wrong way of doing this?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Scale seems to have three sets of permissions - Unix permissions, ACL, and share ACL. This is giving me a headache
There are two dataset ACL types in SCALE. NFSv4 and POSIX1E. The former is the same as we have in Core/Enterprise, the latter is what is used in other Linuxes. You can think of the "unix permissions" as a simplified view of the on-disk ACL, and not as a separate thing.

Having both ACL types is an absolute requirement for compatibility with different environments. For example, if a user decides to rsync data to / from a Synology NAS and wants to preserve ACLs.

Based on your complaints about masks, you have selected POSIX1E acltype for your ZFS datasets. Try using NFSv4 for SMB and SMB/plex.
It's important to note that when using SMB, users _must_ have execute (x) on each component of the path that is being shared.
So execute must be granted on:

/mnt/GoodHDD
/mnt/GoodHDD/SMB

as well as

/mnt/GoodHDD/SMB/Plex

Since you're most familiar with NFSv4 acltype from core/enterprise, I'd probably just:
1. change the acltype on GoodHDD/SMB and GoodHDD/SMB/Plex to NFSv4
2. set the following acl on /mnt/GoodHDD/SMB recursively and with traverse:
Owner@ - FULL_CONTROL - INHERIT (file's owner)
group@ - FULL_CONTROL - INHERIT (file's owning group)
GROUP - Domain Users - MODIFY - INHERIT (your domain users)
GROUP - builtin_users - MODIFY - INHERIT (any local NAS users you created)
GROUP - apps - MODIFY - INHERIT
UID - 1000 - MODIFY - INHERIT (this is UID that plex process runs as in SCALE)
 
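The two practical points in the reply above are that acltype is a per-dataset ZFS property, and that every directory on the path to a share must grant execute (traverse), not just the shared dataset itself. The script below is an added example, not from the thread or from iXsystems: `traverse_check` walks a path from the leaf up to `/` and reports each component whose classic mode bits lack execute for the owning group or for "other" (the class a domain user who is neither owner nor in the owning group falls into). It only reads the POSIX mode string that `ls -ld` prints, so an NFSv4 ACE that grants traverse to a specific principal will not be seen; treat a report from it as a prompt to look at the ACL, not as a verdict. `set_nfsv4_acltype` just wraps `zfs set acltype=nfsv4` for the dataset names from the thread; running `zfs` by hand instead of through the TrueNAS UI is an assumption, and the function is not exercised by the test.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and dataset names
# (/mnt/GoodHDD/SMB, GoodHDD/SMB/Plex) are the ones used in the thread.

# Walk every component of $1 up to / and report the ones whose mode bits
# do not grant execute (x) to group or to other. Returns 0 if all
# components are traversable by both classes, 1 otherwise.
# Only POSIX mode bits are inspected; NFSv4 ACEs are not parsed here.
traverse_check() {
    d=$1
    rc=0
    while [ -n "$d" ] && [ "$d" != "/" ] && [ "$d" != "." ]; do
        # first 10 characters of ls -ld: type + rwx for user, group, other
        mode=$(ls -ld "$d" | cut -c1-10)
        case "$mode" in
            ??????[xs]*) ;;  # char 7: group execute (x, or s for setgid)
            *) printf 'no group traverse (x) on %s [%s]\n' "$d" "$mode"; rc=1 ;;
        esac
        case "$mode" in
            ?????????[xt]) ;;  # char 10: other execute (x, or t for sticky)
            *) printf 'no other traverse (x) on %s [%s]\n' "$d" "$mode"; rc=1 ;;
        esac
        d=$(dirname "$d")
    done
    return $rc
}

# Step 1 from the reply: acltype is a ZFS dataset property, set per dataset.
# Assumption: you are doing this from a root shell rather than the UI.
set_nfsv4_acltype() {
    for ds in "$@"; do
        zfs set acltype=nfsv4 "$ds"
    done
}

# Usage on the box from the thread (not run by the test below):
#   set_nfsv4_acltype GoodHDD/SMB GoodHDD/SMB/Plex
#   traverse_check /mnt/GoodHDD/SMB/Plex
```

Run `traverse_check` as a quick sanity check after editing permissions: if it flags `/mnt/GoodHDD` or `/mnt/GoodHDD/SMB`, an SMB client will be denied before it ever reaches the Plex dataset's ACL, which matches the "execute on each component" rule stated above.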

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
@anodos I was really hoping to grab your attention here - so thank you. I am going to do this slowly as it's clear to me that I am missing something (along with what I believe is a bug - but we can get to that when I get to the right section)

So I leave the share ACL and S-1-1-0 everyone full allowed - so anyone can use the share but limited by the ACLs on the dataset (which is how I use Core)

I click on GoodHDD, view permissions - I cannot change these
[attached screenshot]

SMB looks like - the Other RWX was set off - which I had probably done whilst flailing around
[attached screenshot]

Plex looks like
[attached screenshot]


As far as I can tell, at this point everyone has access to everything - which is great for testing, but not so hot for when trying to set things up properly.

I then click on SMB again, view permissions and SetACL which then asks me to Select a preset ACL which I ignore (cancel). But I think I am going down the wrong rabbit hole here as this seems to be POSIX which you imply I should avoid

Where do I set your "2. set the following acl on /mnt/GoodHDD/SMB recursively and with traverse"?
or a better question would be How do I "1. change the acltype on GoodHDD/SMB and GoodHDD/SMB/Plex to NFSv4" as I cannot see a way of doing that at the moment unless I am missing something
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Well, general rule of thumb is to not use share ACLs (like on a Windows server). I think pretty much everyone just sticks to using NTFS ACLs there.
Regarding acltype, it's a ZFS dataset property. You need to change it on both datasets.
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
Aha - problem number 1. Explains why I couldn't find it (looking in the wrong place) - Thank you
When you say change on both datasets - I assume you mean (in my example) /mnt/GoodHDD/SMB and /mnt/GoodHDD/SMB/Plex (only Plex is shared out via SMB - I use SMB to indicate that this is where the SMB shares live)

And now problem number 2 (and subject of a Jira bug report): https://jira.ixsystems.com/browse/NAS-115817
Attempting to apply a group (domain/etc) - the dropdown does not contain any domain entries and user contains no domain entries either

wbinfo -g or -u does show valid data - but it's not populating to the GUI
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Aha - problem number 1. Explains why I couldn't find it (looking in the wrong place) - Thank you
When you say change on both datasets - I assume you mean (in my example) /mnt/GoodHDD/SMB and /mnt/GoodHDD/SMB/Plex (only Plex is shared out via SMB - I use SMB to indicate that this is where the SMB shares live)

And now problem number 2 (and subject of a Jira bug report): https://jira.ixsystems.com/browse/NAS-115817
Attempting to apply a group (domain/etc) - the dropdown does not contain any domain entries and user contains no domain entries either

wbinfo -g or -u does show valid data - but it's not populating to the GUI
Are groups visible in `getent group` output?
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
Well, general rule of thumb is to not use share ACLs (like on a Windows server). I think pretty much everyone just sticks to using NTFS ACLs there.
Regarding acltype, it's a ZFS dataset property. You need to change it on both datasets.
Yeah - on Windows I use the share ACLs and leave the file permissions wide open - access control at the share level only. But I am happy with control at the dataset level - at least I would be if it worked!!!
Are groups visible in `getent group` output?
Yes - fully present as far as I can tell. NO domain users, just groups
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
@anodos Any further thoughts?
I would love this to be me being stupid
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
For the moment I have just added everyone@ with full control which at least allows me to use the share for testing.
 

William Bravin

Contributor
Joined
Mar 16, 2016
Messages
195
Hello all,

One of my servers died and I had to rebuild it.

I have 4 computers using the data stored on the TrueNAS servers.

This is a home environment so I try to keep all things simple.


All my ACLs, for all my datasets, are identical: same owner and group, same basic and full control access.

I have 4 datasets
documents
music
tv shows
movies

All my Windows credentials are identical and on the Debian machine I log in with my username and password used in my Windows credentials.

3 PCs are Windows (2 of them Win 10 and 1 of them on Win 7) and one is on Debian.

On all PCs except one of the (Win 10) ones I can access all the datasets and all the files.

The strange Win 10 PC can access documents, music and movies (with the Windows credentials). When I go to access the tv shows dataset I get a pop up asking me to enter UID and password. I enter my UID and password and Explorer does not provide me with access to that dataset.

I even tried to use root as a UID and the root password to no avail.

I have been at this all day with nothing to show for it. I even rebuilt the ACL for that dataset (just in case) with no joy.

What am I missing?

Thank you in advance for your help
 