Creating a new folder on SMB share creates multiple new folders without permissions

I’m running TrueNAS-SCALE-24.04.2.2 and I have a dataset which contains user home folders. On my main user (haven’t tested others) I suddenly started having a problem today where creating a new folder suddenly creates 4 of them with broken permissions. I have the home folder mounted over SMB to Windows 11 (mapped network drive). I can access some of my existing folders, but creating a new folder anywhere results in folders that are not accessible and can’t be renamed or deleted (over SMB).

Using the shell to access the folder I can see the following:

root@hilla[/mnt/taiga/home/oskari]# ls -al
total 1707776
drwx------ 35 oskari oskari         47 Oct  1 10:59  .
drwxrwx---  4 root   root            4 Mar 30  2024  ..
-rwxrw-r--  1 oskari oskari      10244 Apr 14 20:09  .DS_Store
-rw-r--r--  1 oskari oskari        220 Mar 28  2024  .bash_logout
-rw-r--r--  1 oskari oskari       3526 Mar 28  2024  .bashrc
-rw-r--r--  1 oskari oskari        807 Mar 28  2024  .profile
----------  1 oskari oskari          0 Oct  1 10:59 'New Text Document.txt'
d---------  2 oskari oskari          2 Oct  1 09:51 'New folder'
d---------  2 oskari oskari          2 Oct  1 09:43 'New folder (3)'
d---------  2 oskari oskari          2 Oct  1 09:43 'New folder (4)'
d---------  2 oskari oskari          2 Oct  1 09:43 'New folder (5)'
d---------  2 oskari oskari          2 Oct  1 09:43 'New folder (6)'
d---------  2 oskari oskari          2 Oct  1 09:43 'New folder (7)'
d---------  2 oskari oskari          2 Oct  1 09:43 'New folder (8)'
d---------  2 oskari oskari          2 Oct  1 09:51 'New folder (9)'

And getfacl:

root@hilla[/mnt/taiga/home/oskari]# getfacl 'New folder'
# file: New folder
# owner: oskari
# group: oskari
user::---
group::---
other::---

Trying to set permissions with setfacl or with chmod results in the same error:

root@hilla[/mnt/taiga/home/oskari]# setfacl -m u:oskari:rw 'New folder (3)'
setfacl: New folder (3): Operation not supported

I can use rm -fr to delete them or mv to rename them as root. Creating a new folder with mkdir works but the resulting folder is not accessible over SMB either.

I suspect this is some kind of permission issue, but I haven’t touched them since I installed and configured this about a year ago.

I’ve tried:

  • Rebooting TrueNAS
  • Updating TrueNAS (24.04.2 → 24.04.2.2)
  • Rebooting Windows
  • Disconnecting and remapping the mounted SMB share

I suspect the problem is somewhere in the TrueNAS permissions, any ideas how to fix it?

Yes, this is a permissions issue that can occur if you have removed DELETE and DELETE_CHILD permissions from a directory. Windows servers do the same thing actually.

nfs4xdr_getfacl is the command to read it from the shell.

I don’t believe that I have deliberately changed or removed any permissions regarding this (or anything else, I haven’t really had reason to touch them).

I guess my root/home directory, which is shared, already has the permissions wrong and the created folders inherit them?

Directory with broken permission and the shared home directory:

root@hilla[/mnt/taiga/home/oskari]# nfs4xdr_getfacl 'New folder (10)'      
# File: New folder (10)
# owner: 3001
# group: 3001
# mode: 0o40000
# trivial_acl: false
# ACL flags: none
group:NT Authority\system:rwxp--aARWc--s:fd----I:allow
         everyone@:--------------:fd----I:allow
root@hilla[/mnt/taiga/home/oskari]# nfs4xdr_getfacl .      
# File: .
# owner: 3001
# group: 3001
# mode: 0o40700
# trivial_acl: false
# ACL flags: none
group:NT Authority\system:rwxp--aARWc--s:fd-----:allow
            owner@:rwxpDdaARWcCos:-------:allow
            group@:------a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
         everyone@:--------------:fd-----:allow

Directory which is working:

root@hilla[/mnt/taiga/home/oskari]# nfs4xdr_getfacl ajuirit          
# File: ajuirit
# owner: 3001
# group: 3001
# mode: 0o40775
# trivial_acl: true
# ACL flags: auto-inherit:
            owner@:rwxpD-aARWcCos:-------:allow
            group@:rwxpD-a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

What is my best course of action for rectifying this? Should I just move the home directory, create a new one through the TrueNAS GUI and move my stuff over?

This is broken. You have explicitly configured the ACL so that only NT Authority\system has access to new files and directories. Moreover, you have explicitly removed DELETE and DELETE_CHILD from its permissions set.

You should grant the file owner or a group it’s a member of the MODIFY permissions set, and if you deem NT Authority\system as needing access to the path it should also have MODIFY.

I’m rather sure I have not done this from the command line or the TrueNAS GUI. Could this be done over SMB? I have recently tried making OS backups from my Windows machine, over SMB to the shared directory, which is when I noticed the problem. The other possibility is that something has broken in one of the updates. I’m 100% sure I’ve never changed any permissions in the TrueNAS GUI for NT Authority\system.

I managed to copy the correct ACL from another user home directory with nfs4xdr_getfacl /foo/bar/user2 | nfs4xdr_setfacl -S - /foo/bar/user1. After checking which directories were affected with nfs4xdr_getfacl * in the directory, I noticed that only the ones created today were problematic. Either the problem manifested only now, or Acronis True Image caused the problem somehow.

So, the problem is fixed for now but I’m not sure
a) How it actually happened
b) How I can avoid it in the future
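
The listings posted above can be checked mechanically. The following is an added example, not part of the original thread and not TrueNAS code: it parses nfs4xdr_getfacl text output, flags the conditions discussed in the replies, and shows that the ACL on 'New folder (10)' is exactly what the parent's inheritable entries produce. The function names are hypothetical and the inheritance rule is a simplified model that matches the two listings on this page.

```python
# Added example, not from the thread. PARENT and CHILD are trimmed copies of
# the posted listings; permission letters follow the page: rwxpDdaARWcCos.
PARENT = r"""# File: .
# mode: 0o40700
group:NT Authority\system:rwxp--aARWc--s:fd-----:allow
            owner@:rwxpDdaARWcCos:-------:allow
            group@:------a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
         everyone@:--------------:fd-----:allow"""
CHILD = r"""# File: New folder (10)
# mode: 0o40000
group:NT Authority\system:rwxp--aARWc--s:fd----I:allow
         everyone@:--------------:fd----I:allow"""

def parse_acl(text):
    """Return {'mode': int or None, 'aces': [dict, ...]} for one listing."""
    acl = {"mode": None, "aces": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# mode:"):
            acl["mode"] = int(line.split(":", 1)[1].strip(), 8)
        elif line and not line.startswith("#"):
            # 'who' can contain ':' (group:NT Authority\system): split from the right
            parts = line.rsplit(":", 3)
            if len(parts) == 4:  # skips shell prompts and other noise
                acl["aces"].append(dict(zip(("who", "perms", "flags", "type"), parts)))
    return acl

def findings(acl):
    """List the problems discussed in the thread that this ACL exhibits."""
    out = []
    allows = [a for a in acl["aces"] if a["type"] == "allow"]
    if not any(a["who"] == "owner@" and "w" in a["perms"] for a in allows):
        out.append("no owner@ allow entry with write_data")
    for a in allows:
        if "w" in a["perms"] and not {"D", "d"} & set(a["perms"]):
            out.append(a["who"] + ": write without DELETE or DELETE_CHILD")
    if acl["mode"] is not None and (acl["mode"] & 0o777) == 0:
        out.append("mode bits are all zero")
    return out

def inherited_by_new_dir(parent):
    """Simplified model (assumption): a new subdirectory gets only the parent's
    ACEs flagged f or d, with the last flag column set to I (inherited)."""
    return [{**a, "flags": a["flags"][:-1] + "I"}
            for a in parent["aces"] if set("fd") & set(a["flags"])]

if __name__ == "__main__":
    print(findings(parse_acl(CHILD)))
    print(inherited_by_new_dir(parse_acl(PARENT)) == parse_acl(CHILD)["aces"])
```

Running the same findings() over the parent shows a single problem, the NT Authority\system entry, which is the only inheritable entry that grants anything; that is why every new folder ends up unusable for its owner.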

What is the output of get-acl <path> | format-list for the local path in Windows (via PowerShell)?

PS C:\Users\nahkiss> get-acl z:\ | format-list


Path   : Microsoft.PowerShell.Core\FileSystem::Z:\
Owner  : O:S-1-5-21-765346133-732012693-1929961291-20074
Group  : G:S-1-22-2-3001
Access : Everyone Allow  ReadExtendedAttributes, ReadAttributes, ReadPermissions, Synchronize
         S-1-5-21-765346133-732012693-1929961291-20074 Allow  FullControl
         S-1-22-2-3001 Allow  ReadExtendedAttributes, ReadAttributes, ReadPermissions, Synchronize
Audit  :
Sddl   : O:S-1-5-21-765346133-732012693-1929961291-20074G:S-1-22-2-3001D:P(A;;0x120088;;;WD)(A;;FA;;;S-1-5-21-765346133
         -732012693-1929961291-20074)(A;;0x120088;;;S-1-22-2-3001)

I was asking about the source, not the SMB share.

I had a very similar issue with permissions a number of months ago when trying to use the Windows built-in backup system to save OS backups over to an SMB share on TrueNAS. If I remember, it set some internal Windows 11 system to be the only access, but I don’t remember if it was NT Authority\system. It was caused by Windows 11 through the backup system. The issue was repeatable and came from the OS backup process of Windows 11, not from TrueNAS.

I’m not entirely sure to what you refer as “source” in this context. Is this it?

PS C:\> get-acl . | format-list


Path   : Microsoft.PowerShell.Core\FileSystem::C:\
Owner  : NT SERVICE\TrustedInstaller
Group  : NT SERVICE\TrustedInstaller
Access : NT AUTHORITY\Authenticated Users Allow  AppendData
         NT AUTHORITY\Authenticated Users Allow  -536805376
         NT AUTHORITY\SYSTEM Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         S-1-15-3-65536-1888954469-739942743-1668119174-2468466756-4239452838-1296943325-355587736-700089176 Allow  Rea
         dData, ExecuteFile, ReadAttributes, Synchronize
Audit  :
Sddl   : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-185
         3292631-2271478464D:(A;;LC;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA
         ;;;BA)(A;OICI;0x1200a9;;;BU)(A;;0x1000a1;;;S-1-15-3-65536-1888954469-739942743-1668119174-2468466756-423945283
         8-1296943325-355587736-700089176)

What is your SMB server config testparm -s on TrueNAS?

root@hilla[~]# testparm -s
Load smb config files from /etc/smb4.conf
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

# Global parameters
[global]
        bind interfaces only = Yes
        disable spoolss = Yes
        dns proxy = No
        load printers = No
        logging = file
        max log size = 5120
        netbios aliases = HILLA
        netbios name = TRUENAS
        obey pam restrictions = Yes
        passdb backend = tdbsam:/var/run/samba-cache/private/passdb.tdb
        printcap name = /dev/null
        registry shares = Yes
        restrict anonymous = 2
        server min protocol = NT1
        server multi channel support = No
        server string = TrueNAS Server
        winbind request timeout = 2
        idmap config * : range = 90000001 - 100000000
        fruit:zero_file_id = false
        fruit:nfs_aces = false
        rpc_server:mdssvc = disabled
        rpc_daemon:mdssd = disabled
        idmap config * : backend = tdb
        create mask = 0775
        directory mask = 0775


[homes]
        ea support = No
        path = /mnt/taiga/home/%U
        posix locking = No
        read only = No
        smbd max xattr size = 2097152
        vfs objects = streams_xattr shadow_copy_zfs ixnas zfs_core io_uring
        zfs_core:zfs_auto_create = true
        tn:vuid = 
        fruit:time machine max size = 0
        fruit:time machine = False
        nfs4:chown = True
        tn:home = True
        tn:path_suffix = %U
        tn:purpose = PRIVATE_DATASETS

What are the permissions you set on /mnt/taiga/home? nfs4xdr_getfacl