Apply a mapping to translate windows file permission entries to a different domain name

I’m trying to acheive the following:

  1. Get some proprietary software to store and delete files on the TrueNas.
  2. Critically: Do NOT allow the windows administrator access to zfs snapshots. I therefore do not want active directory or LDAP integration as it’s probably going to cause some sort of backdoor to be created. I want to keep it simple, there’s only one windows user accessing this NAS.
  3. Synchronize, using zfs sync, over an SSH connection. This part still works.

After upgrading to Dragonfish, my setup broke and I have no idea how to get it to work again, as part of it worked out of the box before. I’m not sure what settings file to change, and where. It could also be related to a simultaneous windows upgrade.

Either way, currently, the SMB share connects, and can be mounted. I can see the files inside on Windows, but can’t edit/delete anything, due to windows now deciding that the permissions are based on ‘TRUENAS/[username]’ instead of ‘ACME/[username]’.

I’d like my unix permissions to remain the same, so that the sync target can have the same UID actually mean something, instead of getting a random inaccessible UID (which, due to the birthday paradox and this host accepting syncs from multiple sources will inevitably lead to fun with collisions).

Is there some way to map this back on the NAS’ side? Ideally, a supported way so that updating it doesn’t wipe the config?

Edit: I’ve been experimenting a bit and I’m finding some strange results. It gets weirder and weirder with each experiment, with no rhyme or reason to random ‘permission denied’ errors. As an administrative user from a windows server, I can:

  • Create new files in some existing folder ‘A’
  • Create new folders
  • Move certain files into folders (both new and existing).
  • Remove newly created files

But I can’t

  • Create a file in one existing folder ‘B’
  • Remove a file in that existing folder. ‘B’
  • Rename the file created in folder ‘A’.

(Yes, those folders have the exact same unix ACL of 770 and rwx for user/group/builtin_administrators/builtin_users/mask/default…, just different names, if you wanted to ask).

I’ve also tried some options to override the default configuration, such as ‘force user’ via the cli, with no results.

Then I tried setting the permissions on one such directory to ‘777’, both ACL (posix) and non-ACL (standard unix) based on the linux side. No change.

I’m kind of scratching my head at this point.