Problems with user access and permissions

Hello everyone,

As of late I’ve been having a whole host of issues with permissions or user access on my Core server. As far as I can tell from reading previous posts, following guides, and reading the documentation, I’m doing things correctly, but regardless I’m having difficulty accessing my data. I think the issue is probably related to years of improper use from when I didn’t know any better, but the problem is now I don’t know how to fix things!

I have a dataset “dead” and then some child datasets under it, “Music”, “Documents”, and “Photos”, among others. I’ve been using an SMB share to access the root dataset (which seems to be a poor choice, from what I’ve found online). I’ve been using a user “Jon” to access the share. However, I can only access the share if the user is a member of the wheel group. This is how the user has been for a while now (I don’t know why) and no matter what I do with ACL permissions, it seems to remain a requirement. Right now, all of my child datasets have the same permissions/ACL, but I can’t delete or modify files in one of them.

I’ve tried stripping ACLs and reapplying them with the owner/group as “Jon”, I’ve tried mounting just the child datasets, I’ve tried stripping all ACLs from all datasets and reapplying, I’ve even tried different ACL permissions. I’ve also tried new SMB shares, in case there was a problem there. I’ve had the pool and datasets I’m trying to access for almost 10 years now and migrated them over from FreeNAS, and they’ve been through a number of versions of TrueNAS as well. I’ve had this server for a long time and learned a lot with it, but I’m sure I’ve made mistakes at some point. I think there may have been a point where I modified permissions in shell, but I can’t recall for sure.

I’ve spent close to 8 hours trying to fix this on my own and I’m good and stuck now. I’d just like to get this to a point where I can have one or two users accessing the data, with correct permissions and ownership for those datasets. I’m happy to share more information and screenshots of my ACLs or user setups, I just don’t know what would be best to include so I wanted to wait and see what would be needed before going nuts with it. I’m losing my mind over this and I’d appreciate any help!

This would most likely be because you’ve removed execute permissions from some parent path. SSH into the server, then su Jon to switch to the Jon user. Then use cd to walk up to the path to the share.

cd /mnt
cd /mnt/tank
cd /mnt/tank/share
cd /mnt/tank/share/jon
(substitute correct paths)

The step where it fails is where you have broken traverse by removing the “other” execute bit.


Thanks for the help! I used the main user, Jon, to ssh in. I’m able to go through all the directories just fine with this user, but it’s still part of the wheel group. I switched to a different user that should be the same, except not being part of the wheel group. With that user, permission is denied at the top level dataset. So I guess that means I’ve somehow removed the “other” execute bit? I’m not sure what that means, to be honest. Where should I start looking to try and fix the permissions?

What is the output of getfacl /mnt/<pool name> ?

Here’s the output!

truenas% getfacl /mnt/dead
# file: /mnt/dead
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

Okay. You manually ran chmod 770 on /mnt/dead and broke access for all users that aren’t a member of wheel. Why did you do this? Some how-to guide? Run the command chmod 755 /mnt/dead.
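
The directory-by-directory cd test suggested in this thread can be scripted. The following is an added example, not code from any poster; the function name `first_blocked` and the demo tree are made up for illustration, and it reads only the mode bits shown by `ls -ld`, not ACL entries for named users or groups.

```shell
#!/bin/sh
# Added example: walk a path one directory at a time, like the manual
# cd test, and report the first directory "other" users cannot traverse.
# Only classic mode bits are read; named-user/group ACL entries are ignored.

# first_blocked BASE RELPATH
# Prints the first directory under BASE along RELPATH that lacks the
# "other" execute bit and returns 1. Returns 0 if every level has it,
# 2 if a level is missing or unreadable. BASE itself is not checked.
first_blocked() {
    cur=${1%/}
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while splitting on "/"
    set -- $2
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -d "$cur" ] || { echo "missing or unreadable: $cur" >&2; return 2; }
        # Character 10 of the mode string is the "other" execute slot:
        # x or t allows traverse, - or T does not.
        mode=$(ls -ld "$cur")
        other_x=$(printf '%.10s' "$mode" | cut -c10)
        case $other_x in
            x|t) ;;
            *) echo "$cur"; return 1 ;;
        esac
    done
    return 0
}

# Constructed demo tree standing in for /mnt/dead/Music (not the real pool).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/dead/Music"
chmod 755 "$demo_root/dead/Music"
chmod 770 "$demo_root/dead"         # the mode diagnosed in this thread
echo "blocked at: $(first_blocked "$demo_root" dead/Music)"
chmod 755 "$demo_root/dead"         # the fix given in this thread
first_blocked "$demo_root" dead/Music && echo "all levels traversable"
rm -rf "$demo_root"
```

On the server itself the equivalent call would be `first_blocked / mnt/dead/Music`, substituting the real dataset path.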

Ah ha, this seems to have fixed the issue! I’ve got some clean up to do with the ACLs it seems, but after setting them users now have the access I would expect. Thank you so much! As to why I had run chmod 770, I seem to recall following along with a blog post, not so much a guide. There are many loose ends with this server I’m slowly trying to close up after 10 years of “if it works, don’t ask questions” :sweat_smile:. Permissions aside, moving forward with permissions and sharing the datasets, from what I can tell it’s best practice not to share the top level dataset, correct? In my case that’s dead, with child datasets such as Music, Photos, Documents, etc. I should apply ACLs and create SMB or other shares for the Music, Photos, Docs, and not for dead. Sorry if this would be best in a new thread or a general. Figured I’d try and sneak one more question in here if I could. Thank you so much again!