I’ve been pulling my hair out trying to get permissions working properly on my SMB share. This is my first time setting up a NAS and SMB shares with ACL permissions and will admit to knowing next to nothing about ACLs / unix permissions. I’ve scoured many other forum threads and can’t figure out where I’m going wrong in trying to allow all users in a group to access and modify all files.
My setup:
TrueNAS:
- Version: TrueNAS-13.0-U6.1 running in a VM on Proxmox
- Users: mark, syncthing_user
- Groups: syncthing_lxc (both users added to the group)
Dataset:
- Child dataset dsSyncthing under the Personal-Media root dataset.
- Dataset path: truenas/Personal-Media/dsSyncthing
- Dataset ACLs:
  - Owner: mark
  - Group: syncthing_lxc
  - owner@, group@: Full Control
  - Group syncthing_lxc: Full Control
- I have set ACLs recursively and ticked the “apply owner” and “apply group” boxes
SMB share:
- Share created for child dataset dsSyncthing with share name Syncthing
- Mounted on the Proxmox host. Extract from /etc/fstab:
//192.168.1.101/Syncthing/ /mnt/lxc_shares/syncthing cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=syncthing_user,pass=pw 0 0
- Bind mounted to the Syncthing LXC client. Extract from the LXC .conf file:
mp0: /mnt/lxc_shares/syncthing/,mp=/mnt/syncthing,mountoptions=nosuid
- In case it makes a difference, this is the guide I used to get the share mounted on the unprivileged LXC:
[TUTORIAL] - Tutorial: Unprivileged LXCs - Mount CIFS shares | Proxmox Support Forum
Clients:
- Windows 10 client
  - Accessing SMB share under user: mark
- Syncthing LXC running Debian on Proxmox
  - Accessing SMB share under user: syncthing_user (via the Proxmox host)
My intent:
- Run Syncthing on the LXC client with files stored on the SMB share. Full access for the Windows user and any other users in the syncthing_lxc group to see and modify each other’s files.
- No access for other users not in the syncthing_lxc group.
The problem:
- I can access the share from both clients with their respective users.
- New files created on Windows by user mark are accessible and can be modified from both clients.
- New files created on the Syncthing LXC (or Proxmox host) by user syncthing_user are accessible only by syncthing_user and cannot be seen on the Windows client / user mark, despite mark being part of the syncthing_lxc group.
As a test, I created a few text files in the root of the share to check for access:
- mark.txt created by mark on Windows
- syncthing_user.txt created by syncthing_user on the Syncthing LXC
- truenas.txt created as root from the TrueNAS shell
Output of getfacl on the root directory and the first two files:
➜ ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing
# file: /mnt/truenas/Personal-Media/dsSyncthing
# owner: mark
# group: syncthing_lxc
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
group:syncthing_lxc:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow
➜ ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing/mark.txt
# file: /mnt/truenas/Personal-Media/dsSyncthing/mark.txt
# owner: mark
# group: syncthing_lxc
owner@:rwxpDdaARWcCos:------I:allow
group@:rwxpDdaARWcCos:------I:allow
group:syncthing_lxc:rwxpDdaARWcCos:------I:allow
everyone@:--------------:------I:allow
➜ ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing/syncthing_user.txt
# file: /mnt/truenas/Personal-Media/dsSyncthing/syncthing_user.txt
# owner: syncthing_user
# group: syncthing_lxc
owner@:rwxpDdaARWcCos:------I:allow
group@:rwxpDdaARWcCos:------I:allow
group:syncthing_lxc:rwxpDdaARWcCos:------I:allow
everyone@:--------------:------I:allow
Output of ls -la on the root directory:
➜ ~ ls -la /mnt/truenas/Personal-Media/dsSyncthing
total 50
drwxrwx---+ 4 mark syncthing_lxc 7 May 1 18:03 .
drwx--x---+ 7 mark NAS 7 Apr 30 20:34 ..
drwxrwx---+ 18 mark syncthing_lxc 19 Apr 30 18:29 Caroline
drwxrwx---+ 13 mark syncthing_lxc 14 Apr 30 18:29 Mark
-rwxrwx---+ 1 mark syncthing_lxc 32 May 1 17:56 mark.txt
-rwxrwx---+ 1 syncthing_user syncthing_lxc 0 May 1 16:45 syncthing_user.txt
-rwxrwx---+ 1 root syncthing_lxc 0 May 1 18:03 truenas.txt
Here’s a screenshot of the dataset ACL settings for good measure:
I’ve tried stripping ACLs and reapplying many times, creating new groups and testing those etc. to no avail.
The only way I was able to get it to work as I want was by adding another ACL entry for the user mark with full control. But while this works, surely I shouldn’t have to do this if mark is already part of group syncthing_lxc, which already has its own ACL entry? And then what happens if I need to add more users - a new ACL for each one? That would make the group pointless. So it would be great if I could get this working properly as intended.
I’m hoping there’s a glaring mistake I’ve made somewhere that’s easy to correct. Would anyone be kind enough to take a look over the above? Thanks!
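Added example, not part of the post and not TrueNAS code: a small Python script that parses getfacl output in the NFSv4 form shown above and checks whether a given user, with a given set of group memberships, is granted a requested set of permission bits. It assumes a simplified evaluation (ACEs walked in order, the first matching ACE decides each bit, inheritance flags ignored); the function names are my own.

```python
# Added example, not from the post: evaluate NFSv4-style ACLs as printed by getfacl on TrueNAS.
# Assumption (simplification): ACEs are walked in order and the first matching ACE that mentions
# a permission bit decides that bit; the inheritance-flags column (e.g. fd-----) is ignored.

def parse_getfacl(text):
    """Return (owner, group, aces); each ace is (tag, set_of_perm_bits, 'allow'|'deny')."""
    meta, aces = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:") or line.startswith("# group:"):
            key, val = line[2:].split(":", 1)
            meta[key] = val.strip()
        elif line and not line.startswith("#"):  # skip '# file:' header and blank lines
            # owner@:PERMS:FLAGS:TYPE (4 fields) or user:NAME:PERMS:FLAGS:TYPE (5 fields)
            parts = line.split(":")
            aces.append((":".join(parts[:-3]), set(parts[-3]) - {"-"}, parts[-1]))
    return meta.get("owner"), meta.get("group"), aces

def ace_matches(tag, owner, group, user, user_groups):
    """Does the ACE principal `tag` apply to `user`, who belongs to `user_groups`?"""
    if tag == "everyone@":
        return True
    if tag == "owner@":
        return user == owner
    if tag == "group@":
        return group in user_groups
    kind, _, name = tag.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in user_groups)

def has_access(text, user, user_groups, wanted):
    """True if every bit in `wanted` (e.g. "rw") is allowed to `user` by the ACL in `text`."""
    owner, group, aces = parse_getfacl(text)
    decided = {}
    for tag, perms, kind in aces:
        if ace_matches(tag, owner, group, user, user_groups):
            for bit in perms:
                decided.setdefault(bit, kind == "allow")  # first matching ACE wins per bit
    return all(decided.get(bit, False) for bit in wanted)

# Sample input: the syncthing_user.txt listing from the post above.
SAMPLE = """\
# file: /mnt/truenas/Personal-Media/dsSyncthing/syncthing_user.txt
# owner: syncthing_user
# group: syncthing_lxc
owner@:rwxpDdaARWcCos:------I:allow
group@:rwxpDdaARWcCos:------I:allow
group:syncthing_lxc:rwxpDdaARWcCos:------I:allow
everyone@:--------------:------I:allow
"""
```

Calling has_access(SAMPLE, "mark", {"syncthing_lxc"}, "rw") returns True for this listing, so if the Windows user still cannot see the file, the ACL text itself is not where the denial comes from.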