Syncthing Can't Write to SMB Share

[arretx]

This is the first time I've installed Syncthing outside of Ubuntu and inside this Truenas system, so it's a bit new to me.

I've created a share in Truenas. The pool is "Marvel". Below that is a dataset called "Superheroes". Below that is another dataset called "Ironman"

/Marvel/Superheroes/Ironman

I installed Syncthing which was placed in a Jail. The default sync folder for syncthing is /Sync inside of the jail.

I stopped the Jail and added a mount point that connected the Jail to my share:

SMB Share = /Marvel/Superheroes/Ironman/familyMedia

My goal is to send my MacBook Pro /Users/<user>/Pictures folder to this SMB share. If I leave Syncthing alone completely, I can sync from my macbook to the /Sync folder. However, with the Mount Point defined in the Jail, Syncthing is unable to write to the SMB share.

Normally I run Syncthing on Ubuntu as syncthing@syncthing.service and then I "setfacl" on all folders that need to sync with that service so syncthing has access.

In this case, I don't know how to make the connection between the Jail and the SMB share to give the Jail's syncthing user full access to the SMB share for the sync'd files.

How do I:

a) determine which user account syncthing is running under inside of the Jail.
b) setfacl on the SMB share such that this Jail user can have access to the SMB share?

Thanks!

 

[stanamas]

Same here. Any solution so far?

 

[arretx]

Nope. Not sure how to apply acl permissions correctly...so...nothing.

 

[pumapanzer]

Hopefully this will help as I have a similar issue.

Here's what my setup looks like:

1. Installed Syncthing in a Jail on TrueNAS Core (This instance of Syncthing is what all my devices connect to to sync to the NAS, so I call it "syncthing-master")
2. Mounted datasets in Jail to give Syncthing access for Folder syncing
3. Added ACL permissions to datasets, and use "Restricted" ACL Mode since these same datasets are used for SMB shares, too
4. The UID and GID in the Syncthing Jail match the same UID and GID used in the dataset's ACLs (I manually installed Syncthing in the Jail, so I chose my UID and GID--this is not possible when using the Syncthing Jail Plugin AFAIK)

Issue:
Any changes synced to the Syncthing Jail (e.g. connected device creates a new file) result in "Out of Sync" for the Syncthing Folder with a permissions error. SMB shares work as expected when accessed from an SMB client on Windows/Linux/macOS.

I believe this issue exists because (see links below) Syncthing will only use 'chmod' for changes to filesystem permissions. So, if the Syncthing Jail's mounted dataset uses ACLs, and the dataset is using "Restricted" ACL Mode (which is optimal for SMB sharing), when the Syncthing process ID, that has full control permission, attempts to change the permissions, it fails because the 'chmod' operation can only express a "trivial" ACL, which is a violation of the "Restricted" ACL Mode.

Please see these Syncthing Issue links for exactly what I am experiencing:

• https://forum.syncthing.net/t/freenas-syncthing-plugin-permissions-strangeness/12622
• https://forum.syncthing.net/t/many-out-of-sync-items-after-inital-sync/7199/5

Workaround:
In the second link above, the last comment gave me a clue for a workaround. Basically, for each Syncthing Folder there is an option on the Advanced tab to "Ignore Permissions". I checked that box so my "syncthing-master" instance ignores permissions. So far, with all my testing, Syncthing is now working as expected, and the SMB share is still working as expected. The permissions on the "end" devices seem to be expressed correctly whether the file/folder changes are made via SMB share or via a Syncthing device.


@anados - perhaps you can confirm my understanding of this issue? I know you have a bunch of experience working with SMB shares and ACLs. Thanks in advance!

 

[anodos]

Not all application developers go through the trouble of understanding OS they "support". If it truly only attempts chmod, then it shows a fundamental misunderstanding of ways that permissions may be configured in FreeBSD and Linux.

 

[pumapanzer]

I

Not all application developers go through the trouble of understanding OS they "support". If it truly only attempts chmod, then it shows a fundamental misunderstanding of ways that permissions may be configured in FreeBSD and Linux.

I think you are likely correct.

I was thinking that if I were an open source developer for something like Syncthing (would love to find out how to get training/mentorship to become a developer), and I were researching ACLs on FreeBSD/Unix/Linux, when compared to ACLs on Windows, it's likely no small undertaking to understand.

On Windows NTFS permissions/ACLs are, I assume, fairly similar from Windows 7 on. Especially compared to open source OSs where basic "Unix file permissions" are more ubiquitous, at least in my experience. I had never heard of ACLs on FreeBSD/Unix/Linux until learning about TrueNAS CORE and in-turn ZFS.

Maybe the Syncthing devs thought, "'chmod' will be on most open source OS, but ACL support can vary, so, if 'chmod' is everywhere, and they need ACL support, let the users just click "Ignore Permissions" so we don't have to program for every permutation of ACL implementation."

I could be way off the mark here. This is just what my "gut" is telling me.

At any rate, thanks for your response. Take care!

 

[anodos]

I

I think you are likely correct.

I was thinking that if I were an open source developer for something like Syncthing (would love to find out how to get training/mentorship to become a developer), and I were researching ACLs on FreeBSD/Unix/Linux, when compared to ACLs on Windows, it's likely no small undertaking to understand.

On Windows NTFS permissions/ACLs are, I assume, fairly similar from Windows 7 on. Especially compared to open source OSs where basic "Unix file permissions" are more ubiquitous, at least in my experience. I had never heard of ACLs on FreeBSD/Unix/Linux until learning about TrueNAS CORE and in-turn ZFS.

Maybe the Syncthing devs thought, "'chmod' will be on most open source OS, but ACL support can vary, so, if 'chmod' is everywhere, and they need ACL support, let the users just click "Ignore Permissions" so we don't have to program for every permutation of ACL implementation."

I could be way off the mark here. This is just what my "gut" is telling me.

At any rate, thanks for your response. Take care!

Well, there are a fairly limited way that permissions are implemented in OSes. Ideally, their application would either (1) check permissions types supported on both ends and only try to sync if they are identical pathconf/fpathconf on FreeBSD can be used for this, or (2) translate from the one type to the other.