Unable to browse share with "read only" user

[spett]

Running TrueNAS 13.0 U1 with one dataset and two shares. This is my private NAS solution and I am trying to set it up with two users. One with full access and one with read only access.
All access is from Win10/11 and rsync from another NAS.

Full access works fine for both users, but if I try to set read or traverse for the user and/or group I want to restrict to read only access I get a message like (somewhat translated from Norwegian) "You dont have permission to access this share, please contact your system administrator". The share mounts, but I cant browse/access it.

 

[winnielinnie]

Running TrueNAS 13.0 U1 with one dataset and two shares.

One dataset besides the top-level root dataset?

 

[spett]

One dataset besides the top-level root dataset?

Not sure I know what you mean there... But here is a screenshot of my pool

 

[winnielinnie]

So I take it you configured two SMB shares, one that points to CNC and the other to Data?

but if I try to set read or traverse for the user and/or group I want to restrict to read only access I get a message like (somewhat translated from Norwegian) "You dont have permission to access this share, please contact your system administrator". The share mounts, but I cant browse/access it.

You're doing this from Windows?

Sounds like an issue with ACL permissions. But that's one down @anodos's alley. I was trying to rule out if you configured a share to point to the top-level root dataset, in this case "DataPool".

 

[spett]

So I take it you configured two SMB shares, one that points to CNC and the other to Data?



You're doing this from Windows?

Sounds like an issue with ACL permissions. But that's one down @anodos's alley. I was trying to rule out if you configured a share to point to the top-level root dataset, in this case "DataPool".

That is correct, I have two share that points to CNC and Data.

Yes, I am using Windows 10 and 11 to connecto to the shares.

Thank you for your help and pointing my post to anodos!

 

[Samuel Tai]

Make sure your shares aren't configured with 770 permissions, but with 755. See https://www.truenas.com/community/threads/cannot-add-second-group-to-acl-for-smb-share.102731/.

770: rwxrwx----
755: rwxr-xr-x-

 

[spett]

Make sure your shares aren't configured with 770 permissions, but with 755. See https://www.truenas.com/community/threads/cannot-add-second-group-to-acl-for-smb-share.102731/.

770: rwxrwx----
755: rwxr-xr-x-

thank you for your suggestion. I see that my shares are configured with 775, would that also cause trouble?

 

[Samuel Tai]

No, 775 will also work.

 

[anodos]

What about permissions on the pool? There are unfortunately some tutorials out there that say to chmod 770 /mnt/DataPool (which obviously breaks access).

 

[Davvo]

Can you post your ACL settings for the dataset you are having issues with?

 

[spett]

What about permissions on the pool? There are unfortunately some tutorials out there that say to chmod 770 /mnt/DataPool (which obviously breaks access).

Both /mnt and /mnt/DataPool have 755 permissions set.

Can you post your ACL settings for the dataset you are having issues with?

I have attached the ACL setting for the CNC dataset. "ruser" is supposed to be the read only user. I noticed now the everyone@ is listed twice when runnning getfacl. Tried removing everyone@ from within dataset permissions but that did only remove the one with read and execute permissions.
Is there a reason for why there is a everyone@ without any permissions listed?

 

[Davvo]

In order to exclude ACL misconfig try stripping ACL and then selecting home preset, then changing the everyone group/user that has read only with the ruser group/user.
Also make sure you check apply user, apply group and if you have data in the dataset apply recursively.
Btw, if you don't want to set different permissions for the ruser user and the ruser group, you don't have to config both.

edit: I suggest you to change ruser group name to rgroup for consistency and clarity, so that you have a ruser in a rgroup but that's your call.
Edit2: spelling corrections

 

[anodos]

Before stripping ACL (I don't think that's relevant in this case), can I see the SMB server configuration ("testparm -s").

 

[spett]

In order to exclude ACL misconfig try stripping ACL and then selecting home preset, then changing the everyone group/user that has read only with the ruser group/user.
Also make sure you check apply user, apply group and if you have data in the dataset apply recursively.
Btw, if you don't want to set different permissions for the ruser user and the ruser group, you don't have to config both.

edit: I suggest you to change ruser group name to rgroup for consistency and clarity, so that you have a ruser in a rgroup but that's your call.
Edit2: spelling corrections

Actually I have tried stripping ACL several times. Does not change anything in the end. Althoug I have not tried home preset..

Before stripping ACL (I don't think that's relevant in this case), can I see the SMB server configuration ("testparm -s").

Here is the ouput from "testparm -s":

# Global parameters
[global]
aio max threads = 2
bind interfaces only = Yes
disable spoolss = Yes
dns proxy = No
enable web service discovery = Yes
kernel change notify = No
load printers = No
logging = file
max log size = 5120
nsupdate command = /usr/local/bin/samba-nsupdate -g
registry shares = Yes
restrict anonymous = 2
server multi channel support = No
server role = standalone server
server string = TrueNAS Server
unix extensions = No
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb
directory name cache size = 0
dos filemode = Yes


[cnc]
ea support = No
kernel share modes = No
path = /mnt/DataPool/CNC
posix locking = No
read only = No
smbd max xattr size = 2097152
vfs objects = streams_xattr shadow_copy_zfs ixnas zfs_core aio_fbsd
nfs4:chown = true


[Data]
ea support = No
kernel share modes = No
path = /mnt/DataPool/Data
posix locking = No
read only = No
smbd max xattr size = 2097152
vfs objects = streams_xattr shadow_copy_zfs ixnas zfs_core aio_fbsd
nfs4:chown = true

 

[anodos]

Did you install the 13.0-U1.1 update? (This has some ACL fixes) If so please PM me a debug.

 

[spett]

Did you install the 13.0-U1.1 update? (This has some ACL fixes) If so please PM me a debug.

No. I'm on TrueNAS-13.0-U1.

 

[spett]

Did you install the 13.0-U1.1 update? (This has some ACL fixes) If so please PM me a debug.

Heeey! Just updated to 13.0-U1.1 and now it seems to work as it should. Thanks!!