A NTFS ACE is missing in the SMB share with nfs4xdr_getfacl command, but it shows in the webui and windows

Hi Experts,

We encountered a weird issue: an NTFS ACE (Domain Users) is missing when running the nfs4xdr_getfacl command, yet it appears in both the WebUI and Windows Explorer. How can I locate this ACE within TrueNAS? Is there a more powerful command to list and manipulate these permissions?

Environment:

25.10.1 - Goldeye, Domain Joined

Is the ACE associated with the owning group (group@)? In this case it won’t be resolved typically. Do note that these shell tools were mainly written for the benefit of internal iXsystems use and behavior can change without notice. For example, this underlying library nfs4xdr-acl-tools is removed in TrueNAS 26 and replaced with something different. This isn’t noted in the changelog because once again it’s an internal tool.


Thanks for your reply. It is a built-in group in Active Directory, but it is not an owner group for the shared folder.

Here is the background: we added ACEs to the SMB share using the nfs4xdr-acl tool. However, we recently noticed something unusual. After adding permissions to the level 2 shared folder via Windows, the ACLs of the shared folder, its subfolders, and files all contain an additional ACE for Domain Users. It appears to be inherited from a higher-level folder.

We are unable to remove this ACE without disabling inheritance on each folder in Windows. Therefore, we would like to remove it recursively using the nfs4xdr tool. However, this ACE does not appear in the output of nfs4xdr_getfacl.

Thanks for your reply. It is a built-in group in Active Directory, but it is not an owner group for the shared folder.

That’s not what I was referring to. I was referring to the group@ entry in the ACL.


root@testRVODJEHA53[~]# truenas_getfacl /mnt/dozer/foo
# file: /mnt/dozer/foo
# owner: daemon
# group: root
# fhandle: 2147486465:0c000000010000000a00220000000000f9220000
# ACL flags: auto-inherit,acl-is-trivial,acl-is-dir
owner@:rwpRWxD-aAcCos:-------:allow
group@:r--R-x--a-c--s:-------:allow
everyone@:r--R-x--a-c--s:-------:allow

group@ here refers to the group owning the specified file / directory.

Yes, the ACE is associated with the owning group (group@); the GID is Domain Users.

Well, if you don’t want Domain Users in the ACL ever you should probably chgrp the dataset recursively (but first validate you’re not going to break everything). Samba auto-expands the group@ entry into two ACL entries to match Windows behavior here.
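To make the mapping described above visible, here is a small parser, added as an illustration and not part of this thread or of TrueNAS, that reads the truenas_getfacl / nfs4xdr_getfacl block format quoted above and resolves owner@ and group@ to the names in the header, so a "Domain Users" ACE that only exists as group@ can be found by group name before deciding on a recursive chgrp. The sample output is constructed from the block quoted earlier with the owning group changed to "domain users".

```python
from dataclasses import dataclass

# Constructed sample based on the truenas_getfacl output quoted in this thread,
# with the owning group set to "domain users" to mirror the poster's situation.
SAMPLE = """\
# file: /mnt/dozer/foo
# owner: daemon
# group: domain users
# fhandle: 2147486465:0c000000010000000a00220000000000f9220000
# ACL flags: auto-inherit,acl-is-trivial,acl-is-dir
owner@:rwpRWxD-aAcCos:-------:allow
group@:r--R-x--a-c--s:-------:allow
everyone@:r--R-x--a-c--s:-------:allow
"""

@dataclass
class Ace:
    who: str       # principal as printed: owner@, group@, everyone@, user:NAME, group:NAME
    perms: str     # permission string, e.g. r--R-x--a-c--s
    flags: str     # inheritance flags
    kind: str      # allow or deny
    resolved: str  # principal with owner@/group@ mapped to the names in the header

def parse_getfacl(text: str) -> tuple[dict[str, str], list[Ace]]:
    """Parse one file's getfacl block into its header fields and its ACEs."""
    header: dict[str, str] = {}
    aces: list[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        # Split from the right so 'user:alice:perms:flags:allow' keeps 'user:alice' intact
        who, perms, flags, kind = line.rsplit(":", 3)
        if who == "owner@":
            resolved = "user:" + header.get("owner", "?")
        elif who == "group@":
            resolved = "group:" + header.get("group", "?")
        else:
            resolved = who
        aces.append(Ace(who, perms, flags, kind, resolved))
    return header, aces

def aces_for_group(text: str, group: str) -> list[Ace]:
    """Return every ACE that applies to GROUP, including one hidden behind group@."""
    _, aces = parse_getfacl(text)
    return [a for a in aces if a.resolved.lower() == f"group:{group.lower()}"]

if __name__ == "__main__":
    for ace in parse_getfacl(SAMPLE)[1]:
        print(f"{ace.who:10} -> {ace.resolved:22} {ace.perms} {ace.kind}")
```

Running it over real output from several paths shows which entries a recursive chgrp would change, which is the validation step the reply above asks for.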


You are a lifesaver! 👍