andrea.fait
Greetings, I'm currently going slightly mad on ACL permissions handling from the Nextcloud plugin installed on a TrueNAS Core (which is a VM in Proxmox because I like it complicated...) ... I was wondering if you could hint at what I'm doing wrong.
Specifically:
- on Proxmox 7.4-3 I installed a VM hosting TrueNAS Core version 13.0-U5.3 (the idea behind it is that since Proxmox runs a cluster of 3 servers, I'd be able to live migrate the VM in a HA scenario);
- on said VM I set up a dataset (called rootlevel) into a Pool (myPool), creating a number of subdatasets as required;
- I also set up a number of user groups to cover the following ACL setup, and a couple of users to test it;
- I also set up a SMB share on said dataset with a strict group policy (at least, it was strict at the very beginning), because I have a scenario as follows:
- rootlevel (every group and their mother can traverse it)
-- folder 1 (only group A can write in it, group B can read its content, group C cannot access it)
-- folder 2 (group A and C can read it, group B can write in it)
--- folder 2.1 (only group C can access it and has full control of it)
... and so on, it's not terrible but at its base it is that different groups may have different permissions
getting directly to the SMB share thru Explorer works like a charm (as expected), with every policy applied nicely;
- following the dozens of guides/tutorials I found on the subject, I also added "www" in the ACL both as a user and as a group with Full Control on every dataset (which I find mostly irritating, but if that is required for it to work...);
- on TrueNAS I installed the Nextcloud plugin. The TrueNAS UI does not provide a version for the plugin, it states N/A; the plugin itself once installed states in the same UI "13.1-RELEASE-p9"; more on this, once installed I checked thru the shell of the jail related to the plugin and it states version 27.1.3.2;
- I mounted my dataset on the jail created during the plugin installation, setting "/mnt/myPool/rootlevel" as source and "/mnt/myPool/iocage/jails/SysDesignJail/root/mnt/rootlevel" as destination, with its IP set thru DHCP to keep it simple (I can always complicate it more later);
- I also set up the trusted domain thru the jail shell and went thru the required steps to limit some nuances (update PHP version, correct X-Robots-Tag); I still have to address HTTPS but as it was not blocking I thought I'll do it later (silly me, I know...);
- on Chrome I logged in on the Nextcloud Web UI (it grumbles on the lack of SSL but it lets me log in), enabled the external storage addon and created the same users I set up on the SMB share;
- I then added the SMB share as external storage in NextCloud Web UI: rootlevel as the folder name, /mnt/rootlevel as configuration, applied to the user I created (I later tried also with "every user", but found no difference);
- logging in as any user I actually see the dataset and all its subfolders... which is kind of wrong since as a user I also see folders I'm not supposed to, or have write permissions where I'm supposed to have a read-only access;
- client side I'm able to connect thru Nextcloud app and it syncs without issues (the more the shame that it does not sync as it should...);
- I was kind of expecting such a behaviour since the jail relates to www:www as the owner:group owner of the service providing the web connection, but it is not what I read on all guides/tutorials I saw (mind, none of those was considering a folder/permission scenario as complex as the one I set up though);
- as a "negative plus", there's no synchronization between the starting dataset and the one handled as destination by the jail (I had to add some further subdatasets, plus what I added from the web UI does not reflect in the starting dataset);