ACL Issue – permissions not recursive

C800

Cadet
Joined
Sep 16, 2020
Messages
6
I seem to be having an issue with ACLs in one of my pools. I’m running FreeNAS-11.3-U4.1 (I’m holding off the update to 12 for now…) and I discovered the issue because one of my backups using Duplicati in a jail was failing.

Essentially, I’ve got a number of datasets, which are also SMB shares and Duplicati accesses these using FreeNAS group name "hub-backup" (which includes user name "duplicati" [UID 1001]). This has been working fine.

I recently modified the permissions of one dataset (the one now causing the problem) by “Edit ACL” and applied permissions recursively. I left the main User as “root” and the Group as “wheel”. I also left the “owner@” and “group@” permissions unchanged. All I did was change one of the other User permissions. It seems that this did not work. When I check the permissions of files using Windows File Explorer it seems to have stripped some of the other permissions (which I guess is why Duplicati now has an issue). It shows the new User that I added, but not for example the “Unix Group\wheel” that exists for other un-amended shares.

Is there an issue with recursively changing ACLs?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I seem to be having an issue with ACLs in one of my pools. I’m running FreeNAS-11.3-U4.1 (I’m holding off the update to 12 for now…) and I discovered the issue because one of my backups using Duplicati in a jail was failing.
>
> Essentially, I’ve got a number of datasets, which are also SMB shares and Duplicati accesses these using FreeNAS group name "hub-backup" (which includes user name "duplicati" [UID 1001]). This has been working fine.
>
> I recently modified the permissions of one dataset (the one now causing the problem) by “Edit ACL” and applied permissions recursively. I left the main User as “root” and the Group as “wheel”. I also left the “owner@” and “group@” permissions unchanged. All I did was change one of the other User permissions. It seems that this did not work. When I check the permissions of files using Windows File Explorer it seems to have stripped some of the other permissions (which I guess is why Duplicati now has an issue). It shows the new User that I added, but not for example the “Unix Group\wheel” that exists for other un-amended shares.
>
> Is there an issue with recursively changing ACLs?

If you have not restarted middleware since the issue happened, can you run the command `midclt call core.get_jobs | jq` and scroll back through the log for the actual set command?
 

C800

Thanks for the reply. Unfortunately the system has been rebooted since as it was a couple of weeks ago, so I can't see the actual set command.
I actually just restarted again & re-ran the ACL permissions recursively. Strangely, this time the root & wheel permissions are now showing on each file in the dataset, as is the "hub-backup" group used by Duplicati. I've double-checked that Duplicati is still in that group, but for some reason it still can't access the files. It works for all of the other backups/datasets.
Within the Duplicati jail, using SSH I can navigate to the folders in the problem dataset, so the Mount Point mapping is working fine. For some reason the Duplicati 'user' is unable to access the folders / files though (the UID in the jail & for FreeNAS are both definitely correct though [1001]).
 

Titou43

Cadet
Joined
Nov 7, 2020
Messages
2
Hi
Could you explain to me how to put duplicati in the users for access to my folders?
 

C800

> Hi
> Could you explain to me how to put duplicati in the users for access to my folders?

Duplicati runs with UID 1001 inside the jail, so you just need to make a new User within FreeNAS / TrueNAS called "duplicati" and assign it a UID of 1001. If you allow the User "duplicati" access to your shares (using ACLs) and also set the Mount Points within the jail so that the share is available to the jail then it should work fine!
(e.g. /mnt/yourPoolName/yourSharedDirectoryName mapped to /mnt/yourJailPool/iocage/jails/yourDuplicatiInstanceName/root/mnt/yourPoolName/yourSharedDirectoryName).
I hope that makes sense! I worked it out after following the advice in other posts.
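
One way to check the setup discussed in this thread from inside the jail, as an added example that is not part of any post and not FreeNAS or Duplicati code: run it as the backup account (not root) against the mounted dataset and it lists every directory or file that account is denied. The function names are hypothetical and the default path is the placeholder from the post above.

```python
#!/usr/bin/env python3
"""List what the current user is denied under a mounted dataset.

Run inside the jail as the backup account: root bypasses the checks.
os.access() asks the kernel (real UID/GIDs), so ACL entries are honoured.
"""
import os
import sys


def blocked_ancestor(path):
    """Return the first parent directory of `path` that cannot be traversed."""
    current = os.sep
    for part in os.path.abspath(path).split(os.sep)[1:]:
        if not os.access(current, os.X_OK):
            return current
        current = os.path.join(current, part)
    return None


def audit(root):
    """Return sorted (path, problem) pairs for entries the user is denied."""
    stop = blocked_ancestor(root)
    if stop:
        return [(stop, "cannot traverse parent directory")]
    if not os.access(root, os.R_OK | os.X_OK):
        return [(root, "cannot list directory")]
    denied = []
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk silently skips unreadable directories, so test them here.
        for name in list(dirnames):
            full = os.path.join(dirpath, name)
            if not os.access(full, os.R_OK | os.X_OK):
                denied.append((full, "cannot list directory"))
                dirnames.remove(name)  # nothing below it is reachable
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.access(full, os.R_OK):
                denied.append((full, "cannot read file"))
    return sorted(denied)


if __name__ == "__main__":
    # Placeholder path taken from the post; pass the real mount as argument 1.
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/yourPoolName/yourSharedDirectoryName"
    # Numeric ids the kernel compares against the ACL entries.
    print(f"uid={os.getuid()} gids={sorted(os.getgroups())}")
    for path, problem in audit(target):
        print(f"{problem}: {path}")
```

The printed uid and gids are the numeric ids the process holds inside the jail, so they can be compared with the ids of the user and group entries in the dataset's ACL.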
 