How to configure consistent dataset permissions for multiple users

I’m sure this question has been asked and answered before, but I can’t seem to find it. Probably partly because I’m not searching for the right thing. My subject could be misinterpreted for what I’m looking to do.

I am trying to figure out how to handle permissions on datasets when there might be multiple users accessing / writing files etc.

For example, if I have 2 users and put them both in the group “shareusers”, when they write files to a dataset that gives the group shareusers full control, the file will be owned by them and have a group of shareusers. But what if I want to just make files always owned by root and group shareusers?

I’m trying to make sure permissions for files / folders stay consistent on shared datasets and not run into issues where one user might write a file and somehow another user can’t modify it / delete it / etc. This problem has been exacerbated recently by me setting up a container to run some scripts (had to do it in a container because TrueNAS lacks some useful file handling / transfer apps, lftp for one example). Today, after a bunch of trial and error, I was finally able to get consistent permissions to even read and write by the container (ended up having to use NFSv4 ACLs because no matter what I did the default POSIX ACLs would have permission problems). But now, when I write a file as the root user on that container, sometimes it will be owned by the 2147000001 ID and have a group of shareusers, but sometimes it will be owned by and have the group of 2147000001. The second seems to happen more if I’m modifying an existing file rather than creating a file. But this is a rather annoying problem: sometimes I’ll go in and a file that was modified in the container can’t be accessed by other users of the dataset, and the only way for me to fix it is to go in as root and chown the file.

I’ve tried various configurations of mapping my shareusers group to various gids in the container. Created the shareusers group in the container and tried mapping to it. But no mappings seem to work.

So, I’m wondering if there is simply a way to force files in a dataset to always be owned by root and have a group of shareusers, regardless of who / where it gets edited or created?
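As an added example (not from the thread or from TrueNAS itself), a small audit script for the ownership drift described above: it walks a dataset path, reports every file or directory whose owner/group is not the expected root:shareusers pair, flags the unmapped container ID 2147000001 from the post specifically, and prints the chown commands needed to repair them without running anything. The group name and the dataset path are assumptions; adjust them to the host.

```python
import grp
import os
import pwd
import shlex
import sys
from collections import namedtuple

# Ownership the post wants every file on the shared dataset to have (assumed names).
EXPECTED_USER = "root"
EXPECTED_GROUP = "shareusers"
# Unmapped container UID/GID that shows up on files edited inside the container (from the post).
CONTAINER_ID = 2147000001

Entry = namedtuple("Entry", "path uid gid")


def walk_dataset(root):
    """Yield an Entry for root, every directory and every file below it (symlinks not followed)."""
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            yield Entry(path, st.st_uid, st.st_gid)


def find_mismatches(entries, expected_uid, expected_gid):
    """Return (entry, reason) for each entry whose owner or group drifted from the expected pair."""
    bad = []
    for e in entries:
        reasons = []
        if e.uid != expected_uid:
            reasons.append(("container uid " if e.uid == CONTAINER_ID else "uid ") + str(e.uid))
        if e.gid != expected_gid:
            reasons.append(("container gid " if e.gid == CONTAINER_ID else "gid ") + str(e.gid))
        if reasons:
            bad.append((e, ", ".join(reasons)))
    return bad


def fix_commands(mismatches, expected_uid, expected_gid):
    """Shell commands that would restore the expected owner:group; returned for review, never executed."""
    return [f"chown -h {expected_uid}:{expected_gid} {shlex.quote(e.path)}" for e, _ in mismatches]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # e.g. the mounted dataset path
    uid = pwd.getpwnam(EXPECTED_USER).pw_uid
    gid = grp.getgrnam(EXPECTED_GROUP).gr_gid  # KeyError if the group does not exist on this host
    drifted = find_mismatches(walk_dataset(root), uid, gid)
    for e, why in drifted:
        print(f"{e.path}: {why}")
    print("\n".join(fix_commands(drifted, uid, gid)))
```

Run it as root on the host (not inside the container) so the UIDs it reports are the host-side ones; review the printed chown lines before applying them.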

I find it best for SMB shares to leave the owner and group fields alone and focus on the ACL to provide access. I use the restricted preset but then remove the owner@ and group@ entries. I simply add the group/groups that require access and give them the relevant permissions and you’re good to go. I’ve used this model for years across hundreds of datasets with thousands of users and it works great.

This isn’t just for SMB shares though. The container doesn’t access the storage through an SMB share. It just maps the drives directly.

So, I’m a little confused how your permissions work. Let's say, for example, you have one dataset that has two groups requiring access to it.

GroupA and GroupB

If a user from GroupA creates a file, it’s going to be owned by that user and have a group of GroupA (assuming GroupA is the user's primary group).

If a user from GroupB, who is not also in GroupA, tries to access that file, are they not going to get permission denied, unless you make the file other read / write by default, which I definitely don’t want to do?

In my old NAS system I was only using SMB shares and got around this problem using SMB config properties like create mask. But I don’t see any way in TrueNAS to configure these options. And even if I could, again I also have to consider the non-SMB access from the containers, since TrueNAS is missing tools that I require and I can’t simply install them on TrueNAS like in other NAS systems I’ve used.

I’m sure there is some fundamental simple thing I’m missing here because I can’t imagine there not being a solution to this, especially for enterprise customers that might have hundreds of users in many groups.

I think you’re coming from POSIX to NFSv4 ACLs and they are fundamentally different. Forget about ownership and grant access via the ACL.

In my opinion force user and force group is the only sane way to go. Unfortunately that was removed from TrueNAS.

You authenticate successfully for the “foo” share -> all files you write should belong to user and group “foo”. No hassle, everything looks the same. You can tar, sync, backup, restore … I never needed more than POSIX groups.