Share ACL permissions - user in group cannot access files created by other users

I’ve been pulling my hair out trying to get permissions working properly on my SMB share. This is my first time setting up a NAS and SMB shares with ACL permissions and will admit to knowing next to nothing about ACLs / unix permissions. I’ve scoured many other forum threads and can’t figure out where I’m going wrong in trying to allow all users in a group to access and modify all files.

My setup:


  • Version: TrueNAS-13.0-U6.1 running in VM on proxmox
  • Users:
    • mark, syncthing_user
  • Groups:
    • syncthing_lxc (both users added to group)


  • Child dataset dsSyncthing under Personal-Media root dataset.
  • Dataset path: truenas/Personal-Media/dsSyncthing
  • Dataset ACLs:
    • Owner: mark
    • Group: syncthing_lxc
    • owner@, group@ - Full Control
    • Group: syncthing_lxc - Full Control
  • I have set ACLs recusively and ticked the “apply owner” and “apply group” boxes

SMB share:

  • Share created for child dataset dsSyncthing with share name Syncthing
  • Mounted on proxmox host. Extract from /etc/fstab:
    // /mnt/lxc_shares/syncthing cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=syncthing_user,pass=pw 0 0
  • Bind mounted to Syncthing LXC client. Extract from LXC .conf file:
    mp0: /mnt/lxc_shares/syncthing/,mp=/mnt/syncthing,mountoptions=nosuid
  • In case it makes a difference, this is the guide I used to get the share mounted on the unprivileged LXC:
    [TUTORIAL] - Tutorial: Unprivileged LXCs - Mount CIFS shares | Proxmox Support Forum


  • Windows 10 client`
    • Accessing SMB share under user: mark
  • Syncthing LXC running Debian on proxmox
    • Accessing SMB share under user: syncthing_user (via proxmox host)

My Intent:

  • Run Syncthing on LXC client with files stored on SMB share. Full access for Windows user and any other users in syncthing_lxc group to see and modify each other’s files.
  • No access for other users not in the syncthing_lxc group.

The problem:

  • I can access the share from both clients with their respective users.
  • New files created on Windows by user mark are accessible and can be modified from both clients.
  • New files created on the Syncthing LXC (or proxmox host) by user syncthing_user are accessible only by syncthing_user and cannot be seen on the Windows client / user mark, despite mark being part of the syncthing_lxc group.

As a test, I created a few text files in the root of the share to check for access.

  • mark.txt created by mark on Windows
  • syncthing_user.txt created by syncthing_user on Syncthing LXC
  • truenas.txt created as root from TrueNAS shell

Output of getfacl on the root directory and the first two files:

➜  ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing
# file: /mnt/truenas/Personal-Media/dsSyncthing
# owner: mark
# group: syncthing_lxc

➜  ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing/mark.txt
# file: /mnt/truenas/Personal-Media/dsSyncthing/mark.txt
# owner: mark
# group: syncthing_lxc

➜  ~ getfacl /mnt/truenas/Personal-Media/dsSyncthing/syncthing_user.txt
# file: /mnt/truenas/Personal-Media/dsSyncthing/syncthing_user.txt
# owner: syncthing_user
# group: syncthing_lxc

Output of ls -la on the root directory:

➜  ~ ls -la /mnt/truenas/Personal-Media/dsSyncthing
total 50
drwxrwx---+  4 mark            syncthing_lxc   7 May  1 18:03 .
drwx--x---+  7 mark            NAS             7 Apr 30 20:34 ..
drwxrwx---+ 18 mark            syncthing_lxc  19 Apr 30 18:29 Caroline
drwxrwx---+ 13 mark            syncthing_lxc  14 Apr 30 18:29 Mark
-rwxrwx---+  1 mark            syncthing_lxc  32 May  1 17:56 mark.txt
-rwxrwx---+  1 syncthing_user  syncthing_lxc   0 May  1 16:45 syncthing_user.txt
-rwxrwx---+  1 root            syncthing_lxc   0 May  1 18:03 truenas.txt

Here’s a screenshot of the dataset ACL settings for good measure:

Expand for screenshot

I’ve tried stripping ACLs and reapplying many times, creating new groups and testing those etc. to no avail.

The only way I was able to get it to work as I want was by adding another ACL entry for the user mark with full control. But while this works, surely I shouldn’t have to do this if mark is already part of group syncthing_lxc, which already has its own ACL entry? And then what happens if I need to add more users - a new ACL for each one? That would make the group pointless. So it would be great if I could get this working properly as intended.

I’m hoping there’s a glaring mistake I’ve made somewhere that’s easy to correct. Would anyone be kind enough to take a look over the above? Thanks!

Can you double-check output of id mark from shell? Make sure the user is member of syncthing_lxc. Have you tried to su to mark via SSH and cat the syncthing _user.txt file? This will help to isolate whether the issue is SMB-specific.

Did you recently change group membership of mark but not remount the share from Windows? If so, unmount / remount, reboot client, or restart SMB on TrueNAS.

1 Like

Bingo! That makes me feel very silly indeed. I reconnected the Windows client and now all is working as expected.

I had chopped and changed groups several times in my attempts for a solution, but assumed group memberships would be updated dynamically since changes I made to ACLs in TrueNAS were visible straight away.

Here is the output of id mark, in case you can spot any glaring errors:

➜  ~ id mark
uid=1000(mark) gid=1000(mark) groups=1000(mark),1002(NAS),1003(plex),1004(sonarr),1005(media-centre),1006(phonesync),1007(syncthing),110000(syncthing_lxc)

Note: I set the GID of syncthing_lxc to 110000 to match the GID of the proxmox host and Syncthing LXC group syncthing_lxc. I’ve no idea if this was necessary, and it could be nonsense, but it was just another thing I tried.

EDIT: Here’s a follow up question now that it’s all working:

Is the ACL entry: group:syncthing_lxc:rwxpDdaARWcCos:fd-----:allow still required if the dataset group is already set to syncthing_lxc?

Is the ACL entry: group:syncthing_lxc:rwxpDdaARWcCos:fd-----:allow still required if the dataset group is already set to syncthing_lxc?

I generally prefer to have explicit entries, otherwise effective permissions can unexpectedly change if you chown / chgrp.