Scale error by setting ALCs

saveNAT · December 13, 2024, 7:45am

I replicated in dataset from TrueNAS Core to Scale.
Now I’m having problems setting the ALC rights. The following error message appears.

[EPERM] Filesystem permissions on path /mnt/storage_pool prevent access for group "tester" to the path /mnt/storage_pool/NEW-Rreplication-Test. This may be fixed by granting the aforementioned group execute permissions on the path: /mnt/storage_pool.

How do I reset all ALC permissions from the entire pool to zero?
Or is there another way to slove the problem?

Unfortunately I can no longer find the Strip ALC function in the GUI.

awalkerix · December 13, 2024, 12:28pm

What is output of stat /mnt/storage_pool? This typically means that you removed the other execute bit from that path manually via shell.

saveNAT · December 13, 2024, 1:28pm

This is the output.

admin@truenas[~]$ stat /mnt/storage_pool
  File: /mnt/storage_pool
  Size: 3               Blocks: 1          IO Block: 512    directory
Device: 0,64    Inode: 34          Links: 3
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-07-05 02:07:50.407334100 -0700
Modify: 2024-12-13 04:43:52.287503936 -0800
Change: 2024-12-13 04:43:52.287503936 -0800
 Birth: 2022-03-25 08:57:42.304115236 -0700

storage_pool on the new TrueNAS Scale system ist a brand new created pool. I’m sure, that I don’t change here anything over the shell.
I only did a repliation (pull) to that new pool.

awalkerix · December 13, 2024, 1:29pm

What is the output of midclt call filesystem.getacl /mnt/storage_pool?

awalkerix · December 13, 2024, 1:31pm

What is also output of midclt call filesystem.stat /mnt/storage_pool?

saveNAT · December 13, 2024, 1:36pm

admin@truenas[~]$ midclt call filesystem.getacl /mnt/storage_pool 
{"acl": [{"tag": "owner@", "id": -1, "perms": {"READ_DATA": true, "WRITE_DATA": true, "EXECUTE": true, "APPEND_DATA": true, "DELETE_CHILD": false, "DELETE": false, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": true, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": true, "READ_ACL": true, "WRITE_ACL": true, "WRITE_OWNER": true, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "type": "ALLOW"}, {"tag": "group@", "id": -1, "perms": {"READ_DATA": true, "WRITE_DATA": false, "EXECUTE": true, "APPEND_DATA": false, "DELETE_CHILD": false, "DELETE": false, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": false, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": false, "READ_ACL": true, "WRITE_ACL": false, "WRITE_OWNER": false, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "type": "ALLOW"}, {"tag": "everyone@", "id": -1, "perms": {"READ_DATA": true, "WRITE_DATA": false, "EXECUTE": true, "APPEND_DATA": false, "DELETE_CHILD": false, "DELETE": false, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": false, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": false, "READ_ACL": true, "WRITE_ACL": false, "WRITE_OWNER": false, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "type": "ALLOW"}], "trivial": true, "uid": 0, "gid": 0, "path": "/mnt/storage_pool", "nfs41_flags": {"protected": false, "defaulted": false, "autoinherit": true}, "acltype": "NFS4"}

admin@truenas[~]$ midclt call filesystem.stat /mnt/storage_pool
{"realpath": "/mnt/storage_pool", "type": "DIRECTORY", "size": 3, "allocation_size": 512, "mode": 16877, "uid": 0, "gid": 0, "atime": 1720170470.0, "mtime": 1734093832.0, "ctime": 1734093832.0, "btime": 1648223862.0, "mount_id": 142, "dev": 64, "inode": 34, "nlink": 3, "is_mountpoint": true, "is_ctldir": false, "attributes": ["MOUNT_ROOT"], "user": "root", "group": "root", "acl": false}

awalkerix · December 13, 2024, 1:38pm

What is output of midclt call filesystem.stat /mnt/storage_pool/NEW-Rreplication-Test?

saveNAT · December 13, 2024, 1:43pm

I made a new test from a snapshot. So the command line is changed.

admin@truenas[~]$ midclt call filesystem.stat /mnt/storage_pool/VMware               
{"realpath": "/mnt/storage_pool/VMware", "type": "DIRECTORY", "size": 8, "allocation_size": 11264, "mode": 16384, "uid": 1000, "gid": 1000, "atime": 1720170471.0, "mtime": 1734096169.0, "ctime": 1734096169.0, "btime": 1648223908.0, "mount_id": 400, "dev": 65, "inode": 34, "nlink": 8, "is_mountpoint": true, "is_ctldir": false, "attributes": ["MOUNT_ROOT"], "user": null, "group": null, "acl": false}

awalkerix · December 13, 2024, 1:46pm

If you create a user who is a member of the group tester, can it chdir into /mnt/storage_pool/VMWare via shell?

saveNAT · December 13, 2024, 1:51pm

You mean, that I should log in with that new user to the truenas gui instead of admin?

awalkerix · December 13, 2024, 1:52pm

I mean SSH into TrueNAS as admin, su to the user and try to literally cd /mnt/storage_pool/VMWare.

The validation error is raised when the middlewared sets euid to a fake credential that only has the group in question and tries to chdir to the path and on error walks it back until it can succeed.

awalkerix · December 13, 2024, 1:54pm

One other item to consider, what is the output of midclt call filesystem.stat /mnt?

saveNAT · December 13, 2024, 2:10pm

admin@truenas[~]$ midclt call filesystem.stat /mnt
{"realpath": "/mnt", "type": "DIRECTORY", "size": 3, "allocation_size": 512, "mode": 16877, "uid": 0, "gid": 0, "atime": 1731103543.0, "mtime": 1734093831.0, "ctime": 1734093831.0, "btime": 1733229435.0, "mount_id": 34, "dev": 31, "inode": 34, "nlink": 3, "is_mountpoint": true, "is_ctldir": false, "attributes": ["MOUNT_ROOT"], "user": "root", "group": "root", "acl": false}
admin@truenas[~]$