Problem with ACLs in Personal datasets

Hello,

First of all I am on TrueNAS SCALE 25.04.01 and this is a home user setup. I have connected TrueNAS to my Samba domain that has 4 users (home family setup) and the Active Directory integration was quite painless: users show up in the Credentials → Users screen as “HOME\username”.

I followed the instructions in Creating the Share and Dataset starting from the “Shares” screen and now I have a “private” dataset and a share by the same name (I used “Private SMB Dataset and Share” purpose when creating the dataset during the share creation process).

Now, the ONLY deviations were that: (1) I enabled the “Use as Home Share” because I want to be able to SSH into the NAS so I need the user to have a home directory, and (2) I enabled “Time Machine” because my wife has a Mac and I want her to simply back up to the share which will be simpler for her.

After restarting the service I am now stuck in the Setting Dataset ACL Permissions section. The instructions basically ask you to do 3 things:

  1. “Set the permission for the private dataset to allow additional users or a group if others are permitted to access the private directory share.”

I am not sure what this use case would be so I did nothing. For starters, I am happy for each family member to only access their own share.

  2. Click the Owner dropdown, select the administration user with full control, then repeat for Group. You can set the owning group to your Active Directory domain admins. Click Apply Owner and Apply Group to apply the changes.

The web admin user I created is called “nasadmin” so I set the following:

The problem is I am not sure about the preset: As you can see I have NFS4_HOME and NFS4_DOMAIN_HOME options. I am not sure if mine is a POSIX ACL so I set it to NFS4_HOME as per the instructions default.

  3. Next, click Add Entry to add entries for each user that needs access to the dataset. To assign required permissions, select User in Who and locate the user name on the User dropdown list. Select the required permissions. Repeat for each user that needs access. Alternatively, if you added users to a group, select, set Who to Group and locate the group on the dropdown list.

Here I actually clicked on “Add Item” and set the Group to “HOME\Domain Users” and gave them read-only access. I did not want to add each of the 4 users individually and I suppose the owner will have modify permission by default?

Anyway, after all this was said and done, here is the main problem:

I visited smb://truenas/myusername and created a folder called “test” and this is what I found in the actual filesystem running ls as root:

root@NAS[~]# ls -al /mnt/family-tank/private/HOME/myuser
total 35
drwxrwx--- 4 root         root 5 Jun  7 18:35 .
drwxrwx--- 6 root         root 6 Jun  7 18:35 ..
-rwxrwx--- 1 root         root 0 Jun  7 18:35 .profile
drwxrwx--- 3 HOME\myuser root 3 Jun  7 18:35 .recycle
drwxrwx--- 2 HOME\myuser root 2 Jun  7 18:35 test

As you can see:

  1. The folder is actually owned by root
  2. There is a .profile file owned by root
  3. The directories I created luckily have the proper user/owner but the group is still set to root
  4. The recycle bin (created automatically) is the same as (3)

Have I done something wrong? Should I start over? What step should I change to make the group be “HOME\domain users”?

Maybe this is a requirement if you use an AD, but as someone who doesn’t use AD I can say that I did not need to enable “Use as Home Share” to be able to use SSH. I made a home directory when I made my admin user (in the Credentials->User screen) and have had no issues SSHing in from the very get-go.

Thank you @neofusion but I am trying to configure this properly for “any AD user” rather than create datasets/shares one-by-one.

I made a breakthrough:

  • I created a new dataset with ACL type set to “POSIX” which I called family-tank/posix.
  • I then created family-tank/posix/private, again with POSIX for ACL type and
  • I then created a share “private”, picking that existing dataset by the same name, and set the role to “Private SMB datasets and shares”
  • Finally, I set the ACLs as per the screenshot below:

EDIT: forgot the screenshot, added below

This finally has things working! As soon as I started the SMB service with this setup, it started creating proper folders with correct permissions!

EDIT 2: even logging in with SSH as a domain user is fine now

$ pwd
/mnt/family-tank/posix/private/HOME/myuser
$ ls -al
total 39
drwxr-xr-x+ 3 HOME\myuser HOME\domain users    6 Jun  7 20:45 .
drwxr-x--x+ 6 root        root                 6 Jun  7 20:44 ..
-rw-r--r--  1 HOME\myuser HOME\domain users  220 Jun  7 20:44 .bash_logout
-rw-r--r--  1 HOME\myuser HOME\domain users 3526 Jun  7 20:44 .bashrc
-rw-r--r--  1 HOME\myuser HOME\domain users  807 Jun  7 20:44 .profile
drwxrwx--x+ 3 HOME\myuser HOME\domain users    3 Jun  7 20:44 .recycle

The preset used was POSIX_HOME instead of NFS4_HOME.

I am not sure why this is. It seems a bit counter-intuitive, but I guess the instructions need some fixing?

Can anyone knowledgeable comment? For now this seems to have solved my issue (everyone has a private folder share on the windows network, which is also their home directory if they log in via SSH).
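As an added example (not from the thread or from TrueNAS), a small Python audit that parses the two `ls -al` listings posted above and flags every entry whose owner or group is not the expected domain user and group; the parser anchors on the right-hand columns so the space in `HOME\domain users` is handled. The expected user and group names are taken from the listings and are assumptions for this example.

```python
import re

# Expected owner and group of a per-user home under the share root (assumed from the thread).
EXPECTED_USER = r"HOME\myuser"
EXPECTED_GROUP = r"HOME\domain users"

# Constructed inputs: the two `ls -al` listings from the thread (NFS4_HOME vs POSIX_HOME).
BROKEN_LISTING = r"""
drwxrwx--- 4 root         root 5 Jun  7 18:35 .
drwxrwx--- 6 root         root 6 Jun  7 18:35 ..
-rwxrwx--- 1 root         root 0 Jun  7 18:35 .profile
drwxrwx--- 3 HOME\myuser root 3 Jun  7 18:35 .recycle
drwxrwx--- 2 HOME\myuser root 2 Jun  7 18:35 test
"""
FIXED_LISTING = r"""
drwxr-xr-x+ 3 HOME\myuser HOME\domain users    6 Jun  7 20:45 .
drwxr-x--x+ 6 root        root                 6 Jun  7 20:44 ..
-rw-r--r--  1 HOME\myuser HOME\domain users  220 Jun  7 20:44 .bash_logout
-rw-r--r--  1 HOME\myuser HOME\domain users 3526 Jun  7 20:44 .bashrc
-rw-r--r--  1 HOME\myuser HOME\domain users  807 Jun  7 20:44 .profile
drwxrwx--x+ 3 HOME\myuser HOME\domain users    3 Jun  7 20:44 .recycle
"""

# Match size, month, day, time and name from the right so a group name with a space
# (e.g. "HOME\domain users") is captured whole instead of being split into two columns.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxstST-]{9}[+@.]?)\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>.+?)\s+(?P<size>\d+)\s+(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}|\d{4})\s+(?P<name>.+)$"
)

def parse_ls(listing):
    """Yield (name, mode, owner, group) per entry; the 'total' line and '..' are skipped."""
    for line in listing.strip().splitlines():
        m = LS_LINE.match(line)
        if m and m["name"] != "..":
            yield m["name"], m["mode"], m["owner"], m["group"]

def audit_home(listing, user=EXPECTED_USER, group=EXPECTED_GROUP):
    """Return one finding per entry whose owner or group differs from the expected values."""
    findings = []
    for name, _mode, owner, grp in parse_ls(listing):
        if owner != user:
            findings.append(f"{name}: owner is {owner}, expected {user}")
        if grp != group:
            findings.append(f"{name}: group is {grp}, expected {group}")
    return findings

if __name__ == "__main__":
    for label, listing in (("NFS4_HOME", BROKEN_LISTING), ("POSIX_HOME", FIXED_LISTING)):
        print(f"{label}: {len(audit_home(listing))} finding(s)")
        for finding in audit_home(listing):
            print("  " + finding)
```

Run against the first listing it reports the root-owned home directory and `.profile` plus the `root` group on every entry; against the second it reports nothing.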