Share ACL permissions - user in group cannot access files created by other users

I’ve been pulling my hair out trying to get permissions working properly on my SMB share. This is my first time setting up a NAS and SMB shares with ACL permissions and will admit to knowing next to nothing about ACLs / unix permissions. I’ve scoured many other forum threads and can’t figure out where I’m going wrong in trying to allow all users in a group to access and modify all files.

My setup:

TrueNAS:

  • Version: TrueNAS-13.0-U6.1 running in VM on proxmox
  • Users:
    • mark, syncthing_user
  • Groups:
    • syncthing_lxc (both users added to group)

Dataset:

  • Child dataset dsSyncthing under Personal-Media root dataset.
  • Dataset path: truenas/Personal-Media/dsSyncthing
  • Dataset ACLs:
    • Owner: mark
    • Group: syncthing_lxc
    • owner@, group@ - Full Control
    • Group: syncthing_lxc - Full Control
  • I have set ACLs recursively and ticked the “apply owner” and “apply group” boxes

SMB share:

  • Share created for child dataset dsSyncthing with share name Syncthing
  • Mounted on proxmox host. Extract from /etc/fstab:
    //192.168.1.101/Syncthing/ /mnt/lxc_shares/syncthing cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=syncthing_user,pass=pw 0 0
  • Bind mounted to Syncthing LXC client. Extract from LXC .conf file:
    mp0: /mnt/lxc_shares/syncthing/,mp=/mnt/syncthing,mountoptions=nosuid
  • In case it makes a difference, this is the guide I used to get the share mounted on the unprivileged LXC:
    [TUTORIAL] - Tutorial: Unprivileged LXCs - Mount CIFS shares | Proxmox Support Forum

Clients:

  • Windows 10 client
    • Accessing SMB share under user: mark
  • Syncthing LXC running Debian on proxmox
    • Accessing SMB share under user: syncthing_user (via proxmox host)

My Intent:

  • Run Syncthing on LXC client with files stored on SMB share. Full access for Windows user and any other users in syncthing_lxc group to see and modify each other’s files.
  • No access for other users not in the syncthing_lxc group.

The problem:

  • I can access the share from both clients with their respective users.
  • New files created on Windows by user mark are accessible and can be modified from both clients.
  • New files created on the Syncthing LXC (or proxmox host) by user syncthing_user are accessible only by syncthing_user and cannot be seen on the Windows client / user mark, despite mark being part of the syncthing_lxc group.

As a test, I created a few text files in the root of the share to check for access.

  • mark.txt created by mark on Windows
  • syncthing_user.txt created by syncthing_user on Syncthing LXC
  • truenas.txt created as root from TrueNAS shell

Output of getfacl on the root directory and the first two files:

➜  ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing
# file: /mnt/truenas/Personal-Media/dsSyncthing
# owner: mark
# group: syncthing_lxc
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
group:syncthing_lxc:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow

➜  ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing/mark.txt
# file: /mnt/truenas/Personal-Media/dsSyncthing/mark.txt
# owner: mark
# group: syncthing_lxc
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWcCos:------I:allow
group:syncthing_lxc:rwxpDdaARWcCos:------I:allow
         everyone@:--------------:------I:allow

➜  ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing/syncthing_user.txt
# file: /mnt/truenas/Personal-Media/dsSyncthing/syncthing_user.txt
# owner: syncthing_user
# group: syncthing_lxc
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWcCos:------I:allow
group:syncthing_lxc:rwxpDdaARWcCos:------I:allow
         everyone@:--------------:------I:allow

Output of ls -la on the root directory:

➜  ~ ls -la /mnt/truenas/Personal-Media/dsSyncthing
total 50
drwxrwx---+  4 mark            syncthing_lxc   7 May  1 18:03 .
drwx--x---+  7 mark            NAS             7 Apr 30 20:34 ..
drwxrwx---+ 18 mark            syncthing_lxc  19 Apr 30 18:29 Caroline
drwxrwx---+ 13 mark            syncthing_lxc  14 Apr 30 18:29 Mark
-rwxrwx---+  1 mark            syncthing_lxc  32 May  1 17:56 mark.txt
-rwxrwx---+  1 syncthing_user  syncthing_lxc   0 May  1 16:45 syncthing_user.txt
-rwxrwx---+  1 root            syncthing_lxc   0 May  1 18:03 truenas.txt

Here’s a screenshot of the dataset ACL settings for good measure:

I’ve tried stripping ACLs and reapplying many times, creating new groups and testing those etc. to no avail.

The only way I was able to get it to work as I want was by adding another ACL entry for the user mark with full control. But while this works, surely I shouldn’t have to do this if mark is already part of group syncthing_lxc, which already has its own ACL entry? And then what happens if I need to add more users - a new ACL for each one? That would make the group pointless. So it would be great if I could get this working properly as intended.

I’m hoping there’s a glaring mistake I’ve made somewhere that’s easy to correct. Would anyone be kind enough to take a look over the above? Thanks!

Can you double-check output of id mark from shell? Make sure the user is member of syncthing_lxc. Have you tried to su to mark via SSH and cat the syncthing_user.txt file? This will help to isolate whether the issue is SMB-specific.

Did you recently change group membership of mark but not remount the share from Windows? If so, unmount / remount, reboot client, or restart SMB on TrueNAS.


Bingo! That makes me feel very silly indeed. I reconnected the Windows client and now all is working as expected.

I had chopped and changed groups several times in my attempts for a solution, but assumed group memberships would be updated dynamically since changes I made to ACLs in TrueNAS were visible straight away.

Here is the output of id mark, in case you can spot any glaring errors:

➜  ~ id mark
uid=1000(mark) gid=1000(mark) groups=1000(mark),1002(NAS),1003(plex),1004(sonarr),1005(media-centre),1006(phonesync),1007(syncthing),110000(syncthing_lxc)

Note: I set the GID of syncthing_lxc to 110000 to match the GID of the proxmox host and Syncthing LXC group syncthing_lxc. I’ve no idea if this was necessary, and it could be nonsense, but it was just another thing I tried.

EDIT: Here’s a follow up question now that it’s all working:

Is the ACL entry: group:syncthing_lxc:rwxpDdaARWcCos:fd-----:allow still required if the dataset group is already set to syncthing_lxc?

Is the ACL entry: group:syncthing_lxc:rwxpDdaARWcCos:fd-----:allow still required if the dataset group is already set to syncthing_lxc?

I generally prefer to have explicit entries, otherwise effective permissions can unexpectedly change if you chown / chgrp.
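To make both points in this thread concrete (a stale SMB session token that still lists the groups the user had at logon, and why an explicit group:<name> entry survives a chgrp while group@ does not), here is a small model of NFSv4-style ACL evaluation written for this page. It is added example code, not TrueNAS or Samba code. The ACL lines, file owners and groups are taken from the getfacl and ls -la output above; the "before being added to the group" token, syncthing_user's group list and the chgrp-to-NAS scenario are constructed assumptions used only to illustrate the two cases.

```python
# Added example: a teaching model of how an NFSv4-style ACL (as printed by
# `getfacl` on TrueNAS) is evaluated for a requesting user. It is not the
# real TrueNAS/Samba implementation; ACL lines and file ownership below are
# from the thread, the session group lists and the chgrp case are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    who: str    # "owner@", "group@", "everyone@", "user:<name>" or "group:<name>"
    perms: str  # permission letters such as "rwxpDdaARWcCos"; "" when none
    kind: str   # "allow" or "deny"


def parse_ace(line: str) -> Ace:
    """Parse one getfacl line, e.g. 'group:syncthing_lxc:rwxpDdaARWcCos:fd-----:allow'."""
    parts = line.strip().split(":")
    if parts[0].endswith("@"):              # owner@ / group@ / everyone@
        who, perms, _flags, kind = parts
    else:                                   # user:<name> / group:<name>
        who = f"{parts[0]}:{parts[1]}"
        perms, _flags, kind = parts[2:5]
    return Ace(who, perms.replace("-", ""), kind)


def parse_acl(text: str) -> list:
    return [parse_ace(line) for line in text.split()]


def ace_applies(ace: Ace, user: str, groups: set, owner: str, group: str) -> bool:
    """Does this ACE's principal match the requesting user?"""
    if ace.who == "owner@":
        return user == owner
    if ace.who == "group@":
        return group in groups          # group@ means "whatever the file's group is now"
    if ace.who == "everyone@":
        return True
    kind, name = ace.who.split(":", 1)
    return user == name if kind == "user" else name in groups


def check_access(acl: list, user: str, groups: set, owner: str, group: str, wanted: str) -> bool:
    """NFSv4 semantics: walk ACEs in order; the first matching ACE that mentions a
    permission bit decides that bit. Access is granted only if every requested
    bit ends up allowed (an unmentioned bit is denied)."""
    decided = {}
    for ace in acl:
        if not ace_applies(ace, user, groups, owner, group):
            continue
        for p in ace.perms:
            decided.setdefault(p, ace.kind == "allow")
    return all(decided.get(p, False) for p in wanted)


# The share-root ACL from the thread; the test files inherited it unchanged.
SHARE_ACL = parse_acl("""
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
group:syncthing_lxc:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow
""")
# The same ACL without the explicit group entry, for the follow-up question.
IMPLICIT_ONLY_ACL = [a for a in SHARE_ACL if a.who != "group:syncthing_lxc"]


def mark_can_read(session_groups: set) -> bool:
    """Can mark read/write syncthing_user.txt (owner syncthing_user, group
    syncthing_lxc per ls -la), given the group list his SMB session holds?"""
    return check_access(SHARE_ACL, "mark", session_groups, "syncthing_user", "syncthing_lxc", "rw")


def syncthing_user_can_read_mark_txt(acl: list, file_group: str) -> bool:
    """Can syncthing_user (assumed groups: syncthing_user, syncthing_lxc) still
    read/write mark.txt once the file's group has been changed to file_group?"""
    return check_access(acl, "syncthing_user", {"syncthing_user", "syncthing_lxc"},
                        "mark", file_group, "rw")


if __name__ == "__main__":
    # Stale token: captured before mark was added to syncthing_lxc (constructed).
    print("stale SMB token      :", mark_can_read({"mark", "NAS"}))
    # Fresh token after reconnecting: matches the `id mark` output in the thread.
    print("fresh SMB token      :", mark_can_read({"mark", "NAS", "syncthing_lxc"}))
    # Follow-up: mark.txt chgrp'd to NAS (hypothetical); group@ now means NAS.
    print("chgrp, group@ only   :", syncthing_user_can_read_mark_txt(IMPLICIT_ONLY_ACL, "NAS"))
    print("chgrp, explicit entry:", syncthing_user_can_read_mark_txt(SHARE_ACL, "NAS"))
```

The first pair of calls reproduces the symptom in the thread: with a token that predates the group change, neither group@ nor group:syncthing_lxc matches and everyone@ grants no bits, so mark gets nothing until the client reconnects and obtains a token that includes the new group. The second pair shows the reason for keeping the explicit entry: after a chgrp, group@ silently refers to the new group, while group:syncthing_lxc still names the intended group.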