I'm new to TrueNAS and I've been scratching my head for some time trying to figure this out; I hope there are some seasoned users out there who can assist.
I've joined my TrueNAS instance to my Windows domain controller (no issues seeing users or groups), created my pool and a dataset for SMB shares and set my permissions, so far so good. The issue is that no matter what options/settings I use, the "Domain Users" group from AD is always added to new files/directories with Modify permissions (when it's not listed in the ACL), which means any user can delete files.
My setup:
TrueNAS-SCALE-22.02-RC.2
Clients:
- Windows 8.1
- Windows Server 2016
Dataset
- ACL mode = Restricted
- ACL Type NFSv4
- Case Sensitivity = Insensitive (default)
Filesystem ACL:
| Object | Permission | Permission Type | Flags |
|---|---|---|---|
| owner@ - root | Full Control (Inherit) | Basic | Basic |
| group@ - root | Modify (Inherit) | Basic | Basic |
| Domain\GroupA | Modify (Inherit) | Basic | Basic |
| Domain\GroupB | Read (Inherit) | Basic | Basic |
| Domain\GroupB | Traverse (Inherit) | Basic | Basic |

Windows SMB Share Permissions:

| Group | Permission | Type |
|---|---|---|
| Everyone | Full | Allowed |

A user in GroupA can create files and directories, and "Domain\Domain Users" is added with Modify permissions. A user in GroupB is not able to create files/directories (as expected) but can delete files/folders created by a user in GroupA. I can't figure out why the "Domain\Domain Users" group is added; I've even tried to explicitly add an entry for that group and grant it only Read access, but that didn't work either. If I go back and re-apply the permissions to the dataset, it does remove the "Domain\Domain Users" group and things work as expected, but again any new files receive the group.
Playing with the ACL for the Windows SMB share gets me close, but according to my interpretation its purpose is Access Based Share Enumeration. If I add an entry for GroupB with only Read access in the SMB share, it does prevent the user from deleting the file, but Domain Users is still listed as having Modify permissions. I don't want to use this as a workaround in the event that what I've read is correct and that it's only used for Access Based Enumeration and one day it starts working as intended.
Source: https://www.truenas.com/docs/core/sharing/smb/smbshare/
Any ideas? And sorry for the long post.
Thank you
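The behaviour described in the post can be reasoned about offline by modelling NFSv4 ACL inheritance. The following is an added example, not code from the original post or from TrueNAS. It parses the text form printed by `nfs4_getfacl`/`nfs4xdr_getfacl`, applies the NFSv4 inheritance rules (RFC 7530 section 6.4.3) plus the ZFS `aclinherit=restricted` rule that strips write_acl and write_owner from inherited entries, and then asks who can delete a file a GroupA user just created. The point it shows is that `group@` is not a fixed group: it is bound per object to that object's owning group, so an inheritable `group@ Modify` entry on the dataset becomes a Modify entry for the creating user's primary group on every new file. The sample ACL, the letter sets used to stand in for the TrueNAS "basic" presets, the domain `DOMAIN`, the users `alice`/`bob` and the assumption that their primary group is `Domain Users` (the AD default) are all constructed for this example. Confirm on the box by running `nfs4xdr_getfacl` on a freshly created file.

```python
"""NFSv4 ACL inheritance model: what a new child gets from its parent's ACL
and who can then delete it.  Input is nfs4_getfacl text ("type:flags:who:perms",
e.g. "A:fd:GROUP@:rwaDdxtTnNcy"; d = delete, D = delete_child, C = write_acl,
o = write_owner).  Added example; not TrueNAS code."""
from dataclasses import dataclass, replace

INHERIT_FLAGS = set("fdip")   # file_inherit, dir_inherit, inherit_only, no_propagate


@dataclass(frozen=True)
class Ace:
    kind: str    # "A" allow or "D" deny
    flags: str
    who: str     # OWNER@, GROUP@, EVERYONE@ or a named principal
    perms: str   # nfs4_getfacl permission letters


def parse_acl(text):
    """Parse nfs4_getfacl-style lines; blanks and # comments are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, flags, who, perms = line.split(":", 3)
            aces.append(Ace(kind, flags, who, perms))
    return aces


def inherit(parent, child_is_dir, aclinherit="restricted"):
    """Return the ACL a newly created child object receives from `parent`."""
    child = []
    for ace in parent:
        fl = set(ace.flags)
        if child_is_dir and "d" in fl:
            new = fl - {"i"}                  # applies to the new directory itself
            if "p" in fl:
                new -= INHERIT_FLAGS          # no_propagate: stops one level down
        elif child_is_dir and "f" in fl and "p" not in fl:
            new = fl | {"i"}                  # file-only: carried down, not applied
        elif not child_is_dir and "f" in fl:
            new = fl - INHERIT_FLAGS          # files carry no inherit flags
        else:
            continue                          # entry is not inherited by this child
        perms = ace.perms
        if aclinherit == "restricted":        # ZFS default: drop write_acl/write_owner
            perms = perms.replace("C", "").replace("o", "")
        child.append(replace(ace, flags="".join(sorted(new)), perms=perms))
    return child


def resolve(acl, owner, owner_group):
    """Bind OWNER@/GROUP@ to the object's concrete owner and owning group.
    For a file created over SMB, GROUP@ is the creating user's primary group."""
    names = {"OWNER@": owner, "GROUP@": owner_group}
    return [replace(a, who=names.get(a.who, a.who)) for a in acl]


def effective_perms(acl, principals):
    """NFSv4 evaluation: for every permission bit the first matching ACE wins."""
    allowed, denied = set(), set()
    for ace in acl:
        if "i" in ace.flags or ace.who not in principals:
            continue
        undecided = set(ace.perms) - allowed - denied
        (allowed if ace.kind == "A" else denied).update(undecided)
    return allowed


def who_can_delete_new_file(parent_text, parent_owner, parent_group,
                            creator, creator_group, subjects):
    """subjects: user -> groups.  Per user, list the routes by which they could
    delete a file `creator` just made: 'd' on the file or 'D' on the parent."""
    raw = parse_acl(parent_text)
    parent = resolve(raw, parent_owner, parent_group)
    new_file = resolve(inherit(raw, child_is_dir=False), creator, creator_group)
    report = {}
    for user, groups in subjects.items():
        who = {user, "EVERYONE@", *groups}
        routes = []
        if "d" in effective_perms(new_file, who):
            routes.append("d on file")
        if "D" in effective_perms(parent, who):
            routes.append("D on parent")
        report[user] = routes
    return report


# Constructed to mirror the dataset ACL in the post (OWNER@ Full Control, GROUP@
# Modify, GroupA Modify, GroupB Read, all inheriting).  Letter sets are an
# assumed rendering of the TrueNAS "basic" presets, not taken from the post.
PARENT_ACL = """
A:fd:OWNER@:rwaDdxtTnNcCoy
A:fd:GROUP@:rwaDdxtTnNcy
A:fd:DOMAIN\\GroupA:rwaDdxtTnNcy
A:fd:DOMAIN\\GroupB:rxtncy
"""
# Same ACL with the owning-group entry reduced to Read, for comparison.
PARENT_ACL_GROUP_READ = PARENT_ACL.replace("GROUP@:rwaDdxtTnNcy", "GROUP@:rxtncy")
# Hypothetical AD users; both carry the AD default primary group.
SUBJECTS = {"DOMAIN\\alice": ["DOMAIN\\Domain Users", "DOMAIN\\GroupA"],
            "DOMAIN\\bob": ["DOMAIN\\Domain Users", "DOMAIN\\GroupB"]}


def demo(parent_text):
    """alice (GroupA) creates a file in a root-owned directory; who can delete it?"""
    return who_can_delete_new_file(parent_text, "root", "root",
                                   "DOMAIN\\alice", "DOMAIN\\Domain Users", SUBJECTS)


if __name__ == "__main__":
    print("GROUP@ Modify:", demo(PARENT_ACL))
    print("GROUP@ Read:  ", demo(PARENT_ACL_GROUP_READ))
```

Run as a script it prints both scenarios: with the inheritable `GROUP@ Modify` entry, bob (GroupB, no write rights of his own) can delete alice's file through the `Domain Users` entry the file inherited; with that entry reduced to Read, he cannot, while alice still can through GroupA. The share-level ACL is not modelled here, only the filesystem ACL.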