SOLVED Cannot add second group to ACL for SMB share

abishur

Dabbler
Joined
Jun 28, 2022
Messages
26
I am using TrueNAS Scale v22.02.2.1

I have created a dataset for a samba share

For ACL type I left it as the default NFSv4

For ACL mode I likewise left it as the default restricted

I've set up two groups I want to be able to access it, Family and Family_Kids

User group Family has full control over the files, Family_Kids will only have read access

On the dataset permissions I have left the owner as root and set the owner group to Family.

Owner@ has full control

group@ has full control

I can add individual users that are not in the family group, but when I try to add a second Group I get this error message:


I have tried to change the owner from root to another user account (one I created) but I still get the same error.

Any ideas on what I'm doing wrong?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I think that error message is pretty explicit. We're preventing the ACL from being set because the permissions on /mnt/LWM-64TB-Z3 would prevent them from being effective. Did you perhaps chmod 770 that path from the shell? What are the permissions there?
 

abishur

Dabbler
Joined
Jun 28, 2022
Messages
26
Wow, yeah, I never would have thought about that (clearly) from the error message. I had not done a chmod 770 from the shell, but that is exactly what the permissions are.

I made that storage pool a couple of days ago; it has ten 10 TB hard drives using RAID-Z3 and an NVMe drive I set up as a cache.

I made a vdev for the pool (that's my /mnt/LWM-64TB-Z3), but I didn't mess about with permissions; I just left things as the defaults. But yes, looking at the storage pool's permissions, it is owned by root with rwx, the group is builtin_users with rwx, and other is set to none.

Then today I added a dataset to LWM-64TB-Z3 to be a Samba share, and that's where I hit the problem. The users I added worked since those users were part of builtin_users, which is the group that owns /mnt/LWM-64TB-Z3, but obviously I couldn't add other groups. Okay, that checks out.

So my question is, is there a recommended permission setting to put it at, or is this just a "whatever you need for your situation" kind of thing? Since I'm using ACLs to control access to this share, is the recommendation to make the permissions 777 and then use the ACLs to limit things as I deem fit?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Running chmod 755 on the path from the shell should fix the problem. This is a new validation check added in recent SCALE versions.
 

abishur

Dabbler
Joined
Jun 28, 2022
Messages
26
755 is fine
Thanks! Just to make sure I understand how file permissions work in conjunction with ACLs: if I were to set 755, then I could give full permission to the owner, but the group owner and additional individuals/groups could only get read/execute privileges, correct?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Well, generally we don't encourage sharing the root dataset. If you are doing that and the dataset is NFSv4, then you'll need to add an `everyone@:xaRc:allow` entry.
 

abishur

Dabbler
Joined
Jun 28, 2022
Messages
26
Am I sharing the root dataset? I have the root of /mnt/LWM-64TB-Z3, but I created a dataset 'Family Shares' under that, and that's what I'm sharing. Is that still considered the root?

Interestingly, I just looked at my permissions, and the Family Shares dataset is still set to 770, but it's let me add users and groups freely after I set the root to 755 per your suggestion.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
No. The root dataset in this case is LWM-64TB-Z3; you're sharing LWM-64TB-Z3/Family Shares. This is fine. The issue is that if a user lacks execute for a path component leading to your share, he will be unable to access it (traverse is denied).

This is a fairly common misconfiguration (not helped in the least by some influencers who tell people to chmod 770 the root dataset thus breaking access to server data), and so I added strict validation when setting permissions.
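Added illustration, not part of any post in this thread and not TrueNAS's own validation code: a small Python check that walks every directory component above a share path and reports the ones on which a given principal lacks the execute (search) bit, which is exactly what denies traversal regardless of how generous the ACL on the share itself is. It models plain POSIX mode bits only (owner class, then group class, then other), so it does not evaluate the NFSv4 ACL on the share dataset itself; that is why it stops at the share's parent. The uid/gid numbers, the temp directory layout and the `base` parameter (standing in for /mnt, assumed traversable) are assumptions made for the example; the directory names mirror the thread.

```python
import os
import stat
import tempfile
from pathlib import Path


def _has_execute(st, uid, gids):
    """POSIX mode-bit check: does principal (uid, gids) get execute/search on st?

    The owner class is used whenever uid matches the owner, even if the
    group bits would be more permissive; otherwise the group class applies
    if the file's gid is among the principal's groups; otherwise 'other'.
    """
    if uid == 0:
        return True  # root bypasses discretionary mode bits
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def traverse_blockers(share_path, uid, gids, base):
    """Return the ancestor directories of share_path (strictly below base, up to
    and including the share's parent) on which the principal lacks execute.

    Any non-empty result means the principal cannot reach share_path at all,
    no matter what the ACL on share_path grants.  base (e.g. /mnt) is assumed
    to be traversable and is not checked.
    """
    share = Path(share_path).resolve()
    base = Path(base).resolve()
    rel = share.relative_to(base)  # raises ValueError if share is not under base
    gids = set(gids)
    blockers = []
    current = base
    for part in rel.parts[:-1]:  # every component above the share itself
        current = current / part
        if not _has_execute(os.stat(current), uid, gids):
            blockers.append(str(current))
    return blockers


def demo():
    """Reproduce the thread's layout in a temp dir (constructed sample data):
    a 770 'root dataset' and a 770 share dataset beneath it, both owned by
    whoever runs this script.  Returns the blockers before and after the
    chmod 755 fix."""
    tmp = tempfile.mkdtemp()
    root_ds = Path(tmp) / "LWM-64TB-Z3"
    share = root_ds / "Family Shares"
    share.mkdir(parents=True)
    os.chmod(root_ds, 0o770)
    os.chmod(share, 0o770)
    # Hypothetical Family_Kids member: not the owner and not in the
    # group that owns the root dataset, so only the 'other' bits apply.
    kid_uid, kid_gids = 60001, {60002}
    before = traverse_blockers(share, kid_uid, kid_gids, base=tmp)
    os.chmod(root_ds, 0o755)  # the fix suggested in the thread
    after = traverse_blockers(share, kid_uid, kid_gids, base=tmp)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("blocked at (root dataset 770):", before)
    print("blocked at (root dataset 755):", after)
```

With the root dataset at 770 the function reports that directory as the blocker for the hypothetical Family_Kids member; after chmod 755 the list is empty even though the share directory itself still shows 770, matching what abishur observed once the root was fixed. The same walk is what you would run by hand with `stat` on each component of the path when an SMB client gets access denied despite a correct-looking ACL.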
 