SOLVED SMB and ACL out of sync ?

[stmcknig]

Version:
TrueNAS-12.0-U8.1

I have a pool /mnt/BigDisk which has sub folders shared as SMB to Windows and Mac clients. Some of the folders are accessible, others are not yet the GUI looks the same as far as I can tell. I dropped into the CLI and ran a couple of getfacl with this output

root@freenas[~]# getfacl /mnt/BigDisk

# file: /mnt/BigDisk

# owner: root

# group: guest

owner@:rwxp--aARWcCos:-------:allow

group@:rwxp--a-R-c--s:-------:allow

everyone@:r-x---a-R-c--s:-------:allow

root@freenas[~]# getfacl /mnt/BigDisk/Applications

# file: /mnt/BigDisk/Applications

# owner: root

# group: guest

owner@:rwxp--aARWcCos:-------:allow

group@:rwxp--a-R-c--s:-------:allow

everyone@:rwxp--a-R-c--s:-------:allow

"Applications" is accessible and clearly the everyone is different but I'm not clear after reading many posts and the docs on where this could be corrected or how it got out of whack. Should this be fixed with setfacl or chmod ? Or both. Or neither.

It all used to work but not sure what changed along the way apart from an update to TrueNas core - not an upgrade from FreeNas by the way.

Is setfacl -R -b /mnt/BigDisk my "turn it off andback on again" fix ?

 

[Nick2253]

I'm confused as to exactly what's going wrong.

Usually, you don't want to share the main dataset (BigDisk, in your case). You want to share the sub-datasets, like Applications. What behavior are you getting when you access Applications that you are not expecting?

There's no requirement that the ACLs match between two datasets, so having mis-matching datasets does not mean that anything is "out of sync".

 

[stmcknig]

I'm confused as to exactly what's going wrong.

Usually, you don't want to share the main dataset (BigDisk, in your case). You want to share the sub-datasets, like Applications. What behavior are you getting when you access Applications that you are not expecting?

There's no requirement that the ACLs match between two datasets, so having mis-matching datasets does not mean that anything is "out of sync".

I'm sorry for passing along my confusion!

What I am looking for (and had been doing previously) was sharing all the folders in BigDisk. It's my understanding that creating a dataset of something like Applications would not actually show anything already inside it ? And I can't see anything in my BigDisk dataset that would allow me to make all the folders under/in it accessible. I don't want to delete the BigDisk dataset as I understand that would delete all the files within ?

I don't need authentication on anything, guests can read/write/delete/create folders as it's just my internal network. I'm not sure if somewhere I painted myself into a corner hence my "just start over" but without losing the files already on the system question. The documentation on setting up a SMB share is very simple and I don't see anything amiss with that but there are ACL entries lurking somewhere it seems that I can't find to change. Hence my dumb confused question.

And Windows machine is giving a variation of the Mac folder with a no entry symbol -

 

[stmcknig]

At one point I did have the Plex plugin installed and that may have been responsible for the "plexmedia" dataset. I no longer have the plugin installed as I moved over to a separate VM instance running Plex server calling the plexmedia folder as a mapped drive and that works.

Maybe the "sync" in my question was irrelevant but I couldn't think of a better term...

 

[Nick2253]

I see what you're doing. You have just one dataset (BigDisk), and everything else is just files inside of BigDisk.

If you don't really care about permissions, then the easiest thing to do would be to just reset all the permissions for all the files in BigDisk. I don't remember the exact interfaces off the top of my head, but there should be a "Recursive" option to apply the permissions all the way down.

 

[stmcknig]

I see what you're doing. You have just one dataset (BigDisk), and everything else is just files inside of BigDisk.

If you don't really care about permissions, then the easiest thing to do would be to just reset all the permissions for all the files in BigDisk. I don't remember the exact interfaces off the top of my head, but there should be a "Recursive" option to apply the permissions all the way down.

Yes that’s exactly it.

is permission here a dataset thing, smb or other, that’s my problem…

 

[stmcknig]

the edit permissions is greyed out because “root dataset permission cannot be edited “

so I guess that’s a cli/shell fix then. If I want everything for anybody, what should I use for chmod or setfacl?

 

[Samuel Tai]

The root dataset is protected, and can't have permissions nor ACLs applied via CLI or UI. Move your data into a daughter dataset for sharing.

 

[stmcknig]

The root dataset is protected, and can't have permissions nor ACLs applied via CLI or UI. Move your data into a daughter dataset for sharing.

I guess that explains where the change came in - this was something added in 12.x ?

But thanks for the work around - I created a sub dataset then moved the required folders and then was able to apply the recursive change via the GUI.

 

[anodos]

I guess that explains where the change came in - this was something added in 12.x ?

But thanks for the work around - I created a sub dataset then moved the required folders and then was able to apply the recursive change via the GUI.

I believe the change was made in 11.3 days (maybe 11.2). It was a while ago.

 

[Samuel Tai]

It was 11.3, coincident with the new ACL manager.

 

[anodos]

It was 11.3, coincident with the new ACL manager.

Ah yes, it was probably that early in testing permissions editing users were recursively setting permissions on their pools breaking plugins / jails. Generally sharing out the entire pool is bad practice (as anyone who has had to take over managing a NAS array where someone has done this in an enterprise environment has probably experienced). It really limits the admin's options regarding creating new shares.

 

[Nick2253]

The root dataset is protected

Ahh, I should have remembered this. But it's such engrained best practice to always use sub-datasets, that I suppose I haven't had the opportunity to run into that feature in a while

I'm glad you got your issue resolved @stmcknig!