TrueNAS-SCALE-21.09-MASTER-20210908-160307

[NugentS]

Much much better than the 21.08-Beta.1 Things just seem to work (that I have tested so far)
The one thing that confuses me is the permission / ACL
I set up a share called scale-files and I want my domain users to have access - but I end up with this what looks like a mess

This is not what I would describe as intuitive although it does work

1. I assume allows root access
2. I assume allows root access
3. No idea
4. Seems like a duplicate of 1 - needless to say deleting it does not go well
5. Seems like a duplicate of 2 - needless to say deleting it does not go well
6. Hooray - my user group from the domain has access
7. Not a clue
8. No idea

I would have expected 1,2 & 6 should be all that is required. Can anyone shed any light on what these mean / do. I am going to trawl through documentation in the meanwhile - but I haven't found anything substantial yet

 

[anodos]

default means it applies to newly created files and dirs, non-default means it applies to _this_ file. MASK entry specifies the maximum permissions granted to extra users/groups. OTHER is any user that isn't explicitly listed in the ACL (default or access) or isn't a member of one of the groups listed in the ACL.

This is bog-standard POSIX1E ACL behavior that's been in Linux for ages. If you want a more Windows-like experience, you can try NFSv4 ACL type.

 

[vampyren]

This is exactly what i'm wondering about too (made another thread even)
I dont have all the ones you list but the MASK is bothering me....

What does mask group do? why do i need it?

Hi, I cant figure out from documentation why i must have this mask group when adding access for my new group!? When i Add Item the Mask is added automatically. Then i added my group "spawn" in the picture. What is this Mask and why must i have it? Also unless i give write access to mask it...

www.truenas.com

So what i understand is that we just have to live with it. But why not hide it? I mean i use QNAP and they show just what makes sense. It should be user friendly. People wanting more options can always get into command line and do what they do.
Just my opinion. And how does one use the NFSv4 ACL ?

 

[NugentS]

I have started to figure things out - but its neither easy or intuitive. I know that TrueNAS is designed for corporate, and they probably have IX experts to whom this is second nature but complexity breeds mistakes and this is one area (and here I shall speaketh heresy) that Windows got it much much better (not perfect obviously).

Of course its all based on a standard, that isn't a standard as it was never confirmed / signed off (probably because even then they realised that this was overly complex - a conclusion I have absolutely no evidence for).

 

[vampyren]

I have started to figure things out - but its neither easy or intuitive. I know that TrueNAS is designed for corporate, and they probably have IX experts to whom this is second nature but complexity breeds mistakes and this is one area (and here I shall speaketh heresy) that Windows got it much much better (not perfect obviously).

Of course its all based on a standard, that isn't a standard as it was never confirmed / signed off (probably because even then they realised that this was overly complex - a conclusion I have absolutely no evidence for).

Agree. The easier you can make it the better. Plus it wont hurt to expand the user base. I actually build a really powerful PC for this just to move away from qnap so i dont have to keep upgrading my hardware once every 4 year as they drop support so i really hope i can make this work in a way i can feel i have control and understand. The UI is nice but i think they should have some group of tester people who are not linux gurus and just want to setup a nas + vm + plex and stuff like that to test the system and see where they get stuck and stuff like that.
Its a great product and allot of potential so i hope they dont limit it to a small number group of people.

 

[emsicz]

MASK entry specifies the maximum permissions granted to extra users/groups.

This makes absolutely zero sense.

EDIT: OK so I've read this and this, both documents are recommended by members of this forum and while it honestly makes zero sense, it really is how it literally works. You must create mask (and default mask) when making ACLs that serve as a limit of what the ACLs allow. ACLs live on top of the archaic User/Group/Others permission table, so the MASK record limits permissions regardless of what you set for other users. If Andrew gets RWX permissions in ACL, but MASK has a RW-- permission, Andrew's effective permissions will be RW--.

I sort of hoped TrueNAS is the abstraction layer between users and this nonsense, but in this case they just carried it over. It's so convoluted and hence prone to human error it serves no purpose to home users. There is no safety mechanism to validate the permissions are set correctly and there are no presets or abstractions to guide the user through most common scenarios. This way, a user can easily end up with something that they think works but really doesn't.

 

[NugentS]

No you don't (have to that is)
On the dataset Options (advanced options) choese NFSv4 for ACL Type and make sure ACL Mode is restricted.

At that point you can ignore the gibberish that is mask, and ancient, archaic, out of date and frankly garbage (its my opinion - and I am sticking to it) that is the way you are doing it and it becomes much more useable. When that was pointed out to me it turned TN Scale from unuseable rubbish to useable non-rubbish

I also thinks that nfsv4 should have been the default - but there are probably reasons why that isn't the case.

 

[emsicz]

No you don't (have to that is)
On the dataset Options (advanced options) choese NFSv4 for ACL Type and make sure ACL Mode is restricted.

At that point you can ignore the gibberish that is mask, and ancient, archaic, out of date and frankly garbage (its my opinion - and I am sticking to it) that is the way you are doing it and it becomes much more useable. When that was pointed out to me it turned TN Scale from unuseable rubbish to useable non-rubbish

I also thinks that nfsv4 should have been the default - but there are probably reasons why that isn't the case.

Did that, works. Thanks.

 

[crk1918]

default means it applies to newly created files and dirs, non-default means it applies to _this_ file. MASK entry specifies the maximum permissions granted to extra users/groups. OTHER is any user that isn't explicitly listed in the ACL (default or access) or isn't a member of one of the groups listed in the ACL.

This is bog-standard POSIX1E ACL behavior that's been in Linux for ages. If you want a more Windows-like experience, you can try NFSv4 ACL type.

Thanks for the further explanation, this helps me understand a little. because the official website does not describe these relationships, we should update the official documents if anyone knows more about them. I found this and did not even talk about mask and mask - default.

I found this comment by@haydenstith from the YouTube platform: "Mask sets the maximum permissions available to everyone. If the mask is set to just read then everyone with read permissions will be able to read as intended but at the same time everyone with writes or execute privileges will only be able to read the file as well."

I want to set up POSIX ACL with two or more users who can have permission(W/R) to that dataset. How can I do it?


Edit: I seem to have found the answer for POSIX ACLs: YouTube Video by Sauber-Lab UK, I guess the most important thing is to understand the "mask".