Help understanding ACLs

Hello everyone!

Long time lurker (about 2 years or so) but first time poster. Mainly due to being able to figure things out on my own, however I’m hoping someone can help me out with my issue…

I am running TrueNAS Core on my server as a VM. I am reconfiguring a few things and have noticed some changes in how filesystem ACLs are handled so maybe someone can give me insight or guidance.

I have (2) pools…
Pool1 has (3) 6TB drives in RAIDZ1 configuration.
Pool2 has (3) 4TB drives in RAIDZ1 configuration.

Pool1 was created a couple years ago when I first started TrueNAS (FreeNAS at that time). I added Pool2 a couple months ago. I want to move some of the data from Pool1 to Pool2 but I am having issues with the ACLs working properly. Seems like things have changed during the updates. Below is how I would like to have the file structure on Pool2:

Users: User1, User2

Basic structure:
>Pool2
    >Dataset01
        >Folder01
        >Folder02
  • User1 is the admin and should have access to all folders (Dataset01) and is assigned to a group I need “admin”.
  • User2 should only have access to Folder02.

When I create the filesystem ACL for Dataset01 and assign User1, I can connect fine. However when I assign User2 to Folder2, I get an error when trying to connect stating that the user doesn’t have permissions (this is on a Mac, but needs to work for Windows as well). I’ve also tried assigning a group to the share instead of the user and same error.

Can anyone help me out with this? I feel like I’ve exhausted everything but I’m sure it’s something stupid I’m missing. Let me know if you need any info and I will gladly provide it. TIA

Folder01 and Folder02 are datasets too, right?

Can you show us the permissions config please to sanity check them?

@newuser080624 yes both folders are datasets. Folder structure is:

>Pool2
  >dataset03
    >Folder01
    >Folder02

@Johnny_Fartpants I assume you want the permissions as seen from the shell, so here you go:

root@NAS[~]# getfacl /mnt/pool2/dataset03
# file: /mnt/pool2/dataset03
# owner: root
# group: wheel
 group:User1:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow
root@NAS[~]# getfacl /mnt/pool2/dataset03/Folder02
# file: /mnt/pool2/dataset03/Folder02
# owner: root
# group: wheel
 group:User2:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow

Did you set permissions from the CLI or UI? Can we see UI permissions?

For User2 you have to set at least (filesystem ACL) “traverse” permission for Dataset01. Otherwise navigation to Folder02 will not be possible.
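An added example, not part of the thread: a small Python check that parses getfacl output and reports the first parent dataset a user cannot traverse, which is the condition described in the reply above. The function names, the sample text and the assumption that user User2 belongs to a group named User2 are illustrative.

```python
def parse_getfacl(text):
    """Parse NFSv4-style getfacl output into {path: {owner, group, aces}}."""
    acls, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            cur = acls[path] = {"owner": None, "group": None, "aces": []}
        elif cur is not None and line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            cur[key] = value.strip()
        elif cur is not None and not line.startswith("#") and line.count(":") >= 3:
            parts = line.split(":")  # [tag, (qualifier,) perms, flags, type]
            cur["aces"].append((":".join(parts[:-3]), *parts[-3:]))
    return acls

def can_traverse(acl, user, groups):
    """Evaluate the x bit in ACE order: the first matching ACE naming x decides."""
    names = {"everyone@", f"user:{user}"} | {f"group:{g}" for g in groups}
    if acl["owner"] == user:
        names.add("owner@")
    if acl["group"] in groups:
        names.add("group@")
    for who, perms, flags, kind in acl["aces"]:
        if who in names and "x" in perms and "i" not in flags:  # skip inherit-only
            return kind == "allow"
    return False  # nothing granted x: implicit deny

def first_blocked(acls, target, user, groups):
    """Return the first listed ancestor of target the user cannot traverse, else None."""
    for path in sorted(acls, key=len):
        if target.startswith(path.rstrip("/") + "/") and not can_traverse(acls[path], user, groups):
            return path
    return None

# Constructed sample modelled on the getfacl output posted in the thread.
SAMPLE = """\
# file: /mnt/pool2/dataset03
# owner: root
# group: wheel
 group:User1:rwxpDdaARWcCos:fd-----:allow
 everyone@:--------------:fd-----:allow
# file: /mnt/pool2/dataset03/Folder02
# owner: root
# group: wheel
 group:User2:rwxpDdaARWcCos:fd-----:allow
 everyone@:--------------:fd-----:allow
"""
# Same ACLs plus a traverse-only entry for User2's group on the parent, no inherit flags.
FIXED = SAMPLE.replace(" everyone@", " group:User2:--x-----------:-------:allow\n everyone@", 1)
```

Because the added entry carries no inheritance flags, it applies to dataset03 itself and is not copied onto anything created beneath it.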

@newuser080624 Looks like that did it! Strange that I don’t have that set anywhere in Pool1, yet I can connect to shares in that pool. I figured it was something stupid 0_o thanks for the help on that. Going to go thru and reset permissions on everything now.