Hello all,
I'm running TrueNAS-SCALE-22.12.3. I have set up an active directory with Samba on Debian and I want to use TrueNAS as a home share. I have managed to get TrueNAS to auto-create a home directory when a user accesses the special home share. Unfortunately I can't seem to get it to have the default permissions I need. TrueNAS seems to force the "group" to have modification privileges no matter what I do.
Context:
- I have found these forum posts to be relevant:
- And these documentation pages:
Here is how I set up the home share (a slightly adapted version of the linked "Setting Up SMB Home Shares" documentation, as the linked posts indicate the documentation is incorrect):
1. I stop the SMB service before making any changes
2. Add a dataset called "personal"
   1. Set the "Share Type" to SMB
   2. Enable advanced options while adding
   3. Make sure the "ACL Type" is set to "SMB/NFSv4" (my default is "Inherit" and I guess people may have different types in the parent dataset). This is because the ACL Primer guide indicates it is more compatible with Windows clients.
   4. This is important: Set the "ACL Mode" to "Discard". Even though the documentation reads "Setting the ACL Mode to Restricted is typically used to optimize a dataset for SMB sharing", I found that this value causes the directory to be created with owner "root" and the actual domain user that was accessing it would not be able to do so (imagine the username is "UserX"; when accessing the home share TrueNAS would create a folder "/mnt/tank/personal/MYDOMAIN/UserX", but the owner would be set to "root", leaving "UserX" locked out of that folder).
3. Edit the new dataset's permissions
   1. Press the "Use Preset" button and select "NFS4_HOME"
   2. Set the "Owner Group" at the top to be "MYDOMAIN\domain users" because an iXsystems member replied that "Looks like the guide is wrong. Dataset should be created with Domain Users (not domain admins) as owning group" in one of the linked posts. (I make sure to tick the "Apply Group" checkbox.)
   3. I set the Permissions for "owner@ - root" to "No Inherit" because otherwise I have the same problem as (2.4) above, meaning that for a newly connecting user the owner remains user "root" instead of the actual connecting user.
   4. I set the Permissions to "Traverse" and "Inherit" because I want by default all files/directories created by the user to not be readable, but the directories to still be traversable. I do this for:
      1. "group@ - MYDOMAIN\domain users"
      2. "everyone@"
      3. "Group - builtin users"
      4. "Group - MYDOMAIN\domain users" (not sure how this is different from 1 above)
4. In the Shares section I would add a new SMB share with:
   1. Path "/mnt/tank/personal"
   2. Purpose "No Presets"
   3. In Advanced options:
      - Tick "Use as Home Share"
      - Untick "Browseable to Network Clients"
5. I start the SMB service
Code:
root@NAS[~]# ls -ld /mnt/family-tank/personal/HOME/myuser
drwxr-xr-x 2 HOME\myuser HOME\domain users 5 Jun 19 23:52 /mnt/family-tank/personal/HOME/myuser
root@NAS[~]# nfs4xdr_getfacl /mnt/family-tank/personal/HOME/myuser
# File: /mnt/family-tank/personal/HOME/myuser
# owner: 100001104
# group: 100000514
# mode: 0o40755
# trivial_acl: true
# ACL flags: none
owner@:rwxpD-aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
Now, this ACL seems correct to me. The owner is the correct user and the group is the correct group. The owner has full control which is also expected.
It seems wrong though that the "domain users" group as well as "everyone" else have read-only access (I was going for "traverse only").
Furthermore, if I use a Windows 11 client to access "\\nas.home.local\myuser" and create a folder "testfolder" with Windows Explorer, it gets the following permissions:
Code:
root@NAS[~]# ls -ld /mnt/family-tank/personal/HOME/myuser/testfolder
drwxrwxr-x 2 HOME\myuser HOME\domain users 2 Jun 19 23:56 /mnt/family-tank/personal/HOME/myuser/testfolder
root@NAS[~]# nfs4xdr_getfacl /mnt/family-tank/personal/HOME/myuser/testfolder
# File: /mnt/family-tank/personal/HOME/myuser/testfolder
# owner: 100001104
# group: 100000514
# mode: 0o40775
# trivial_acl: true
# ACL flags: auto-inherit:
owner@:rwxpD-aARWcCos:-------:allow
group@:rwxpD-a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
Suddenly the group has write access as well, even though I was trying to get "traverse only" to be the inheritable default...
What am I doing wrong? Is this an SMB issue or an ACL issue?
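A small audit helper, added here as an example and not part of the original post or of TrueNAS, that parses nfs4xdr_getfacl listings like the two above and reports every non-owner principal whose allow entry carries write-like bits, which is exactly the "group suddenly has write access" condition the post describes. It assumes the 14-letter rwxpDdaARWcCos permission layout that nfs4xdr_getfacl prints; the two sample ACLs are copied from the listings in the post.

```python
"""Audit nfs4xdr_getfacl output: which non-owner principals can write?"""
import re

# Permission letters in the order nfs4xdr_getfacl prints them (NFSv4 ACE bits):
# r=read w=write x=exec p=append D=delete-child d=delete a/A=read/write attrs
# R/W=read/write named attrs c/C=read/write ACL o=write owner s=synchronize
PERM_LETTERS = "rwxpDdaARWcCos"
# Bits that let a principal change data, metadata, ownership or the ACL.
WRITE_LIKE = set("wpDdAWCo")
# ACE line: principal:perms:flags:type (principal may contain ':' or spaces)
ACE_RE = re.compile(r"^(.+?):([rwxpDdaARWcCos-]{14}):([A-Za-z-]+):(allow|deny)$")

def parse_acl(text):
    """Return (principal, perms, flags, type) tuples; '#' lines are metadata."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        aces.append(m.groups())
    return aces

def non_owner_writers(text):
    """Map each non-owner principal with an allow ACE carrying write-like bits
    to those bits (in nfs4xdr_getfacl order). Empty dict: only the owner writes."""
    found = {}
    for principal, perms, _flags, kind in parse_acl(text):
        if kind != "allow" or principal == "owner@":
            continue
        bits = "".join(c for c in PERM_LETTERS if c in perms and c in WRITE_LIKE)
        if bits:
            found[principal] = bits
    return found

# Constructed samples copied from the two ACLs shown in the post.
HOME_ACL = """\
# mode: 0o40755
owner@:rwxpD-aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
"""
TESTFOLDER_ACL = """\
owner@:rwxpD-aARWcCos:-------:allow
group@:rwxpD-a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    for name, acl in (("home", HOME_ACL), ("testfolder", TESTFOLDER_ACL)):
        print(name, non_owner_writers(acl) or "only the owner can write")
```

Run it periodically over `nfs4xdr_getfacl` output for new home directories to catch inherited ACLs that grant the group or everyone more than traverse.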