Different behavior in datasets with identical ACLs

My third thread in the last week!

Background: I’m in the process of upgrading a 2 drive mirror to a 4 drive RaidZ2. I backed up all the data in the old pool, plugged in the two new drives, disabled all the apps and services that accessed the old 2 drive pool, and built the new 4 drive pool. i gave it the same name as the old one, created the exact same datasets, and then started copying data into it from the backup.

My hope was that, once everything was back in there, i could just turn the apps and services back on, and they’d work as they did before since the data they access in the pool was in the same place. This has not worked out.

Current Issue: i have two datasets that seem like they should behave identically, but don’t. they are both children of the same parent, which is shared via SMB. They both have identical ACLs, do not have any child datasets, but do have data files and folders in them. the only difference i can see is their names, and the exact files and folders they contain.

one of them just contains assorted documents. when i log in to the parent via SMB as a user with full read/write/execute access and open it, things work as expected. i can navigate around, open files and folders, copy and delete, and so on.

the other one is a media library. when i open it, i seem to have read only access. i can see the files and folders in it, but can’t open any of them, can’t create new ones, can’t copy anything down, and so on.

here are their ACLs side by side. the redacted user names are mine and my wife’s accounts, and i’m logging into the parent SMB as one of them.

How we got here: i used to have read/write/execute access to the media library dataset, because i just restored data to it from the backup. i seem to have lost it when i tried to re-activate my Jellyfin server app that had been disabled during the re-build. i use the stock Jellyfin server app from iXsystems repos. the media folder used to also be a SMB share of its own, which was accessed by jellyfin. Jellyfin initially refused to launch, and i had to troubleshoot the permissions for both the SMB share and the dataset to get it to work. I eventually got it to launch, but it couldn’t play anything.

at first, i thought something had gone wrong with copying data from the backup, so i tried opening the media dataset in a file browser with SMB to test if the files in it were readable. and at that point, i ran into the behavior i described above.

at this time, the media library dataset’s settings weren’t identical to the working docs dataset. but since i had that working docs dataset, i figured i could troubleshoot this by walking media dataset’s settings back towards it. i disabled jellyfin, disabled the smb share for the media dataset, and changed its ACL to match the docs ones. but it still isn’t working. so, i’ve reached the limit of what i can troubleshoot, and am hoping the people who actually know how this works can help me.

so, something i did when i was trying to give jellyfin access to the media dataset made it read only. i’ve un-done all of that now, and its ACL and other settings look identical to another dataset that is working as expected, but the media dataset is still read only.

Aside: there are other child datasets to this same parent. most of them are working, but there is another that isn’t. its problems are slightly different, but since it is also accessed by an app, i assume they have a similar cause. but for now i just want to focus on the media library.

hopefully, whatever solution you all help me find for the media library dataset will also help me fix this other misbehaving one on my own. if i can’t though, i’ll post the details.

You probably have a different owner for the files, etc. Try going to the SMB ACL and setting the owner and groups. See the apply user tool tip and apply group. You want it to update all the ownership and group to your newly created accounts.

Snip is from TrueNAS CORE but gives you an idea.

both the working and non-working datasets are owned by the admin account.

and here’s how it looks in scale’s ACL editor

i just tried changing the ownership of the media dataset to the user i’m logging in as with SMB. that gave me write access to the media folder, but not to any of the sub folders in it.

i could create a new folder in there, open it, and delete it. however, i still can not open the previously existing sub folders, which is where all the media is.

so, i guess those sub folders are owned by … some other user?

In the screenshot above, when you added your two users’ access, did you have an option to apply the changes retroactively or to the folders inside? You can try deleting the two users’ permissions and adding them back in. I don’t have a Scale system to check here.

You’re trying to strip all the permissions and apply them to all the downstream folders.

in scale, the “apply permissions recursively” checkbox applies to the entire ACL, not to individual changes. at one point in my testing, i stripped the ACL entirely so there were only UNIX permissions, then rebuilt the ACL from scratch, and checked apply permissions recursively. that didn’t fix the issue. i also often checked it when i was just trying random changes to see if they helped, and it didn’t fix things then either.

all of that was with the admin account as the owner though. setting my user account as the owner alone didn’t fix it, but setting that and checking apply permissions recursively did, at least in a file browser with SMB. i can get into the previously existing sub folders in the media dataset, and have write access.

now that i know how to walk this back to working in the file browser, i’m going to go back to troubleshooting jellyfin, the other problem dataset, and the app that accesses it. i may come back if i run into further issues, but if i don’t i’ll mark this as solved.

thank you,


Update - Jellyfin is working, but i need help with the other one.

Jellyfin likes to mount the media folder with SMB, so i can just have it log in as the same user i log in as with SMB, which is the owner of the dataset. Jellyfin can read and play the stuff in there, and if i need to move files around or whatever, i can do that under the same user with SMB in a file browser.

the other problem dataset is a Downloads dataset used by qbittorrent that i needed help with yesterday in this thread. i have qbittorrent running as a custom docker compose through dockge as its own user. it mounts this dataset directly instead of with SMB. i need qbittorrent to be able to download to and seed from this dataset, and i also need to be able to go in there myself in a file browser to access the files it downloads. i’ve tried a bunch of different permissions permutations, but i can’t find one that works.

  • when i posted this thread, the qbittorrent user owned the dataset, and my user account had read/write/execute access in the ACL. however, i actually only had read access when i opened it up in a file browser - just like i had with the Media dataset in the OP.
  • if i make my user the owner, and give qbittorrent read/write/execute, then i can access existing files in the folder just fine. qbittorrent can see the existing files in /downloads itself, but can’t see any in /downloads/some_folder. it’s also unclear to me if it can actually seed the files it sees in /downloads. it can download new files, but when it does it owns them, so i can’t access them in a file browser.

it seems like i have two options.

  1. change the docker compose for qbittorrent so it runs as my user, instead of its own (preferably without having my password just there in cleartext in the compose).

  2. keep the users separate, but make it so qbittorrent and i have full permissions on files the other owns in this dataset. maybe that’s something i could do with User groups? i don’t know.

never mind, problem solved.

i was hesitant to have qbittorrent run as my main user because i assumed i’d need to enter that user’s password into the docker compose in the clear. it looks like that’s not true though? i told it to use the PUID and PGID of the user i log into smb with, and it just worked without the password.

so, things seem to be working correctly. the same qbittorrent can download to and seed from the downloads dataset, and when i open that dataset in a file browser with SMB, i have full read/write/execute permissions.

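In both the media dataset and the downloads dataset above, the dataset-level ACL looked right while files and sub folders below it belonged to a different owner. The following is an added example, not code from anyone in the thread, that lists ownership under a mount point and resolves the uid/gid values used as PUID/PGID. The function names and the usage path are hypothetical, it assumes GNU find, and it inspects POSIX owner and group only, not ACL entries.

```shell
#!/bin/sh
# Added example: audit POSIX ownership under a dataset mount point.
# Assumes GNU find (-printf), as found on Debian-based systems.
# Checks owner/group only; ACL entries are not inspected.

# One line per distinct owner pair below DIR: "<count> <uid>:<gid>".
# More than one line means ownership is mixed (e.g. after a restore).
owner_summary() {
    find "$1" -printf '%U:%G\n' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Print every entry below DIR that is NOT owned by UID and GID.
owner_mismatches() {
    find "$1" \( ! -uid "$2" -o ! -gid "$3" \) -print
}

# Count those entries; one byte per entry keeps the count correct
# even when file names contain newlines.
mismatch_count() {
    find "$1" \( ! -uid "$2" -o ! -gid "$3" \) -printf '.' |
        wc -c | tr -d ' '
}

# Resolve a user name to the numeric ids a container would be given
# as PUID/PGID, then report how many entries that user does not own.
# Returns 0 when everything matches, 1 otherwise, 2 on unknown user.
audit_dataset() {
    dir=$1
    user=$2
    uid=$(id -u "$user") || return 2
    gid=$(id -g "$user") || return 2
    n=$(mismatch_count "$dir" "$uid" "$gid")
    echo "PUID=$uid PGID=$gid mismatched=$n"
    [ "$n" -eq 0 ]
}

# Usage (hypothetical path and user): ./audit.sh /mnt/tank/media alice
if [ "$#" -eq 2 ]; then
    owner_summary "$1"
    audit_dataset "$1" "$2"
fi
```

A non-zero `mismatched` count after a recursive permission change means some entries were not rewritten; `owner_mismatches` prints which ones.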