Can´t get group permissions to work on NFS share with NFSv4 ACL

chrolish · June 14, 2025, 6:23pm

My System: ElectricEel-24.10.2.1

In my plans to transition from SMB to NFS shares due to problems with hardlink detection in SMB, I created a test dataset with the following params:

Path: /mnt/nas/test
Dataset Preset: Generic (this is how my working dataset has been created)
ACL Type: SMB/NFSv4
ACL Mode: Restricted

I have several credentials that have been using the smb share so far:

Users: chrolish (3000), share (3001)
Groups: share (3001)
both users are members of the group share

To set up my test environment, I created several directories inside the dataset using the root shell, here is the relevant output of ls -l:

drwxrwx--- 2 chrolish share 2 Jun 14 18:14 from_truenas_chrolish
drwxrwx--- 2 root     share 2 Jun 14 18:14 from_truenas_root
drwxrwx--- 2 share    share 2 Jun 14 18:14 from_truenas_share

I successfully tested access locally with all 3 different users.

I set up an ACL list on the dataset, allowing full control access to owner@ - share, group@ - share as well as the group share specifically, using the GUI. I applied the ACL recursively, leaving Apply Owner/Group unchecked, as I wanted to leave them as above.

This resulted in the ACL looking like this for all 3 directories, except for the owner id, obviously:

root@truenas[/mnt/nas/test]# nfs4xdr_getfacl from_truenas_share -v
# File: from_truenas_share
# owner: 3001
# group: 3001
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
       group:share:read_data/write_data/execute/append_data/delete_child/delete/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit/inherited:allow
            owner@:read_data/write_data/execute/append_data/delete_child/delete/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit/inherited:allow
            group@:read_data/write_data/execute/append_data/delete_child/delete/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit/inherited:allow

So I assume the ACL has been applied correctly.

The path was exported using NFSv4 only. I don´t plan on syncing all user and group ids on all my systems, nor am I considering setting up a directory service right now. With that in mind, I opted to squash all clients to the local user share (3001) and the group share (3001), which I figured would allow me to access everything at least owned by the group share as I observed testing locally.

The resulting export looked like this:

"/mnt/nas/test"\
        *(sec=sys,rw,anonuid=3001,anongid=3001,all_squash,no_subtree_check)

On the client-side, the share was mounted successfully using the defaults. I was able to cd into the mountpoint and even create a directory from_client. It was correctly created as owned by 3001:3001, as intended.

root@client:/mnt/test# ls -l
total 3
drwxrwx--- 2 3001 3001 2 Jun 14 16:31 from_client
drwxrwx--- 2 3000 3001 2 Jun 14 16:14 from_truenas_chrolish
drwxrwx--- 2 root 3001 2 Jun 14 16:14 from_truenas_root
drwxrwx--- 2 3001 3001 2 Jun 14 16:14 from_truenas_share

But once I try to access or read the acl of the directories owned by different users than 3001, I am getting permission denied errors:

root@client:/mnt/test# ls -l *
from_client:
total 0

ls: cannot open directory 'from_truenas_chrolish': Permission denied
ls: cannot open directory 'from_truenas_root': Permission denied

from_truenas_share:
total 0

From where I am allowed to read the ACL on the client, it looks like this:

root@client:/mnt/test# nfs4_getfacl from_truenas_share/
A:fdgO:3001:rwaDdxtTnNcCoy
A:fdO:OWNER@:rwaDdxtTnNcCoy
A:fdgO:GROUP@:rwaDdxtTnNcCoy

So that is basically it: I am unable to access data owned by the same group although I actually should (afaik).

What forces could be at play here? I even tried setting up user-group-relations as they are on the server, but to no avail!

I am at my wits end here and really sank a lot of hours into this. Any help or pointer in the right direction would be appreciated

Johnny_Fartpants · June 14, 2025, 6:28pm

Hi and welcome to the forums.

Have you tried removing the owner@ and group@ from the ACL in the UI just leaving your group permission entry and leaving default owner and group to root/wheel and see if that changes things?

chrolish · June 14, 2025, 6:41pm

Thank you, and thank you for having me!

I tried that just now. Leaving just the group, without any owner@ or group@, I wasn´t even able to access the mountpoint from the client.

When I tried adding owner@root and group@wheel via the GUI, it jumped straight back to owner@share and group@share after applying it, leaving me with the exact same state as before. I didn´t tick Apply Owner/Group though, because that would overwrite ownership of the data afaik, which I wouldn´t like to do to my working set, tbh

Johnny_Fartpants · June 14, 2025, 6:54pm

I’d be temped to create a new dataset and have a play first. Try leaving default ownership and losing the owner@ and group@ groups and just add your group entry and see how that looks with a new dataset.

chrolish · June 15, 2025, 10:03am

Creating a new dataset, stripping the @ special ACLs and then recreating the test directory structure leads to the dataset still being owned by root:root, which makes it inaccessible for the mapped user share:share.

I additionally had to apply ownership to user and group share for the dataset to be accessible by the nfs client.

Doing that, when trying to access the files, I noticed that absolutely no user permission had been applied to anything.

root@truenas[/mnt/nas/test2/tn_share]# ls -l
total 2
d---rwx--- 2 admin    share 2 Jun 15 11:54 admin
d---rwx--- 2 chrolish share 2 Jun 15 11:54 chrolish
d---rwx--- 2 root     share 2 Jun 15 11:54 root
d---rwx--- 2 share    share 2 Jun 15 11:54 share

This resulted in the directorynot being accessible either. So I reintegrated only owner@ - share into the ACL, applied it recursively without resetting ownership of the directories and files. After that, I was able to access the shared dataset again, but the rest of the behavior was like in my initial problem description:

root@client:/mnt/test# ls -l
total 1
drwxrwx--- 2 root 3001 2 Jun 15 09:53 tn_default
drwxrwx--- 6 3001 3001 6 Jun 15 09:54 tn_share
root@client:/mnt/test# ls -l *
ls: cannot open directory 'tn_default': Permission denied
tn_share:
total 2
drwxrwx--- 2 3000 3001 2 Jun 15 09:54 chrolish
drwxrwx--- 2 root 3001 2 Jun 15 09:54 root
drwxrwx--- 2 3001 3001 2 Jun 15 09:54 share
root@client:/mnt/test# cd tn_share/
root@client:/mnt/test/tn_share# ls -l *
ls: cannot open directory 'chrolish': Permission denied
ls: cannot open directory 'root': Permission denied
share:
total 0

So either I misunderstood you or that just didn´t change anything

Johnny_Fartpants · June 15, 2025, 10:30am

Ah ok I was clutching at straws a bit tbh so not shocked, soz.

My NFS knowledge is somewhat limited and I generally just create ‘Generic’ dataset type when creating NFS shares leaving default perms and set ‘Maproot User’ to root and ‘Maproot Group’. to wheel. Assign the relevant IP/s access and trust the admin of the client server to manage the rest.

chrolish · June 17, 2025, 7:59am

Thank you anyway for trying

I have bit the bitter apple (german saying, hope this translates :D) and applied the ownership on all the data on the working set. As everyone uses share:share anyway, this shouldn´t matter much. I just have to take care to not modify data on the root shell of TN.

I still believe my problem should be solvable somehow.