I had the same issues, and finally just figured out how to solve it.
what my issue was, and appears your issue is, the mix of ACL and non-ACL permissions. I didn’t realize some datasets took ACL’s on my servers, so I executed chmod and things got messed up.
I don’t know if this is the best, right, or even a good method, as I had to piece together information from all over the place. Nonetheless it got me out of the nightmare.
note: you’ll have to do some manual busywork, as it appears setting ACL’s recursively via command line, is not possible. Adding the -R argument, resulted in invalid argument.While the UI allows for it in the edit ACL tab, I found this did not work every time, for whatever reason it may be.
since the permissions were obviously broken for me, my approach was to do what I could to get a completely fresh start, using ACL’s.
First, I executed a recursive chown on the root dataset, ie /mnt/tank. Proceed at your own risk on this. For me, root and wheel owned it. This was causing issues for me. I changed owner to my username and left group as wheel (which is my main group).
chown -R username /mnt/tank
From there, I executed a wide-open ACL for /mnt/tank, again proceed with caution.
I executed:
setfacl -m owner@:rwxpDdaARWcCos::allow /mnt/Tank
setfacl -m group@:rwxpDdaARWcCos::allow /mnt/Tank
setfacl -m everyone@:rwxpDdaARWcCos::allow /mnt/Tank
That sets wide-open ACL’s for the entire root dataset, thus why caution is needed. I found this to be the only way to solve the trickle down effect. once you finish with the rest, you can go back and set permission as needed.
I then executed the same 3 setfacl commands for each main dataset.
this allowed me to then set recursive ACL permissions from the UI, for each dataset. You can keep the advanced permissions, or return them to basic once you’re back in the UI. For each parent data set, set the check box to recursive and apply to all child datasets.
then, make sure under the dataset options tab, you set it to ACL passthrough, this was another important step for me.
I then spun up a windows 10 vm. Accessed the shares from windows, and noticed in security settings, windows wasn’t picking up all the permissions from FreeNAS. I don’t know why this was. I restarted FreeNAS then restarted client machines, and the VM. An increased amount of shares were fixed, but some still had wonky permissions. But from windows, I was then able to go through each share that hadn’t yet updated permissions, and I could set them from windows, and it worked to set them recursively. You can do this from the CLI, which I didn’t, so I can’t post the commands. I just edited from the windows properties tab for each directory. Properties —> security —> edit permissions. I added what was missing, edited or removed the wrong items, then assigned the correct permissions.
I then went back to FreeNAS and changed ACL’s , as needed via UI and/or CLI. Back to the CLI to edit root dataset ACL. I left the root dataset as me as the owner, do what is proper for you.
just be careful doing the recursive ACL from CLi, my understanding is it can mess up permissions in iocage dataset. I don’t use jails, so I didn’t have to worry.
Like I said, there may be other or better ways to do it. If so, I couldn’t find detailed instruction set. I had to execute all steps, otherwise it didn’t work when i fixed my other four server’s permissions.
note: sorry I couldn’t figure out how to put the commands in a box, so they could be cut and paste. If it doesn’t work when you cut and paste, just type the commands manually, it isn’t too much to transcribe.
