Hi everyone,
I need some advice on setting up folder-based permissions in TrueNAS. I have several folders, each located in different datasets, and I want to share them via SMB while controlling access independently for each folder for specific users.
Any step-by-step guidance, best practices, or examples would be greatly appreciated!
Thanks in advance!
If you're using local users and groups on TrueNAS then this should be fairly straightforward.
I’d create a group per dataset giving them the same or similar name to the datasets and then assign those groups access to the relevant datasets. I like to use the presets so would personally recommend ‘restricted’ and then leave the defaults and just add your group to the ACL with modify access if that’s appropriate.
After that it’s just a simple case of creating your users and assigning them to the relevant groups. Then share out each dataset via SMB leaving the defaults.
I’ve already set up local users and groups as suggested, but I’m a bit confused about managing folder-based permissions across different datasets. For example, let’s take a user named TEST. I want him to have access only to the Music folder in Dataset1 and the Movies folder in Dataset2, but not the rest of the content in those datasets. How can I achieve this?
Ah good question. I do this in Active Directory by nesting groups and then joining TrueNAS to AD but don’t believe groups can be members of other groups in TrueNAS so not sure if it’s possible. Goes without saying but you could have a dataset per level of access required like Music etc.
Linux and FreeBSD don’t allow you to nest groups. Users can, however, be in more than one group - so in your example you can create a Music group and a Movies group and put user TEST into both groups. You could wind up with a lot of groups, but the granularity would let you have say user TEST2 have access to just Music but not Movies.
Ok I got it. So here goes.
Create a dataset called (for example) Share1 and change dataset preset to SMB and let it auto create the share.
Now edit the dataset permission making sure the group ‘builtin_users’ has Read with No Inherit. This allows users to access the Share1 dataset but not its contents.
Now create your ‘Music’ group and assign all users that need access.
Now you need to make sure at least one of your TrueNAS users is in the ‘builtin_administrators’ group (which you can do within credentials, users) as this by default has Full Control of the dataset.
Now hop onto your Windows machine and map the drive as that admin user. Create the ‘Music’ folder then right click it ‘Properties’, ‘Security’ and add your ‘Music’ group granting Modify access.
This should allow all users to map to Share1 but only access the ‘Music’ folder. For other folders just rinse and repeat.
PS: you don’t have to use the ‘builtin_users’ group and could create your own if you wish to be more granular about who can access the folder but it’s there by default.
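Added example (not from any poster in this thread): a small Python model of the layout described above, useful for checking who ends up with access to which folder before you build it. It is a simplified allow-only model of ACL inheritance, not TrueNAS code; the user name admin and the root_inherit switch are assumptions made for illustration.

```python
# Simplified model of ACL inheritance for the Share1 layout (allow ACEs only).
# All users, groups and folders below are constructed sample data.
from dataclasses import dataclass, field

RANK = {"NONE": 0, "READ": 1, "MODIFY": 2, "FULL_CONTROL": 3}

@dataclass
class Ace:
    group: str
    perm: str       # READ, MODIFY or FULL_CONTROL
    inherit: bool   # False models the "No Inherit" flag

@dataclass
class Node:
    name: str
    aces: list = field(default_factory=list)
    parent: "Node" = None

    def effective_aces(self):
        """Own ACEs plus every ancestor ACE that carries the inherit flag."""
        found, node = list(self.aces), self.parent
        while node is not None:
            found += [a for a in node.aces if a.inherit]
            node = node.parent
        return found

def access(node, groups):
    """Highest permission any of the user's groups is granted on this node."""
    perms = [a.perm for a in node.effective_aces() if a.group in groups]
    return max(perms, key=RANK.get, default="NONE")

USERS = {  # "admin" is a hypothetical member of builtin_administrators
    "TEST": {"builtin_users", "Music", "Movies"},
    "TEST2": {"builtin_users", "Music"},
    "admin": {"builtin_users", "builtin_administrators"},
}

def access_matrix(root_inherit=False):
    """root_inherit=True models forgetting No Inherit on builtin_users."""
    share = Node("Share1", [Ace("builtin_users", "READ", root_inherit),
                            Ace("builtin_administrators", "FULL_CONTROL", True)])
    folders = [share,
               Node("Music", [Ace("Music", "MODIFY", True)], share),
               Node("Movies", [Ace("Movies", "MODIFY", True)], share)]
    return {u: {f.name: access(f, g) for f in folders} for u, g in USERS.items()}

if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user, row)
```

Calling access_matrix(root_inherit=True) shows what changes if the Read entry for builtin_users is left inheriting: every user gains read access to every folder in the share.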