SMB ACL not respecting new files/folders

Hey there!

I’m running SCALE 24.10.0.2 and I’m having issues with my SMB permissions. When I apply my ACL, access is correct for myself and my partner, but if either of us creates a new file/folder, the other can’t access it and the group permission that should apply to new files/folders doesn’t seem to get applied.

I’ve spent some time reading various topics/checkin videos but I’ve not managed to find any fix or if I’m just doing something dumb.

We have a user each, both part of the exact same groups.

The ACL is set up as follows:

Owner: (my personal user)
Owner Group: Family

ACL:

User Obj - (my personal user) - R/W/E
Group Obj - Family - R/W/E
Other - R/W
User Obj - default - (my personal user) - R/W/E
Group Obj - default - Family - R/W/E
Other - default - None

I did have another version previously which also had the same issues but included my partner’s user in the ACL table, but it didn’t seem to make a difference if it was there or not.

When I apply this, recursively, all files currently in the share are accessible by both of us, as we expect - but any new files are only getting the user perm and not group perm (when I check inside Windows security) - they SHOULD get the family group assigned to them.

Any help would be great, thanks!

Something else I’ve noticed: when a file has incorrect group permission and I check within Windows, it tries to resolve the group name, I believe, and fails? It goes from a string of letters + numbers and then resolves to a group called “None”.

Sounds like an inheritance issue. How did you set the ACL? Using the FreeNAS web UI or the Windows security dialog?

New files and/or folders only copy access control entries from the parent directory that have the corresponding inheritance flag set. In the FreeNAS web UI that is done by setting “Flags” to “Inherit”. In Windows it is done by setting “Applies to” to something like “This folder, subfolders and files”.

Generally, if you need Windows-style ACLs, you should select the NFSv4 acltype in ZFS or create datasets with the SMB preset. The UX with POSIX ACLs will always be somewhat underwhelming.

The ACL is set in the SCALE web ui, yeah.

I’ve tried a few ways to make it inherit but I’ve not found a working solution, can you expand on this?

Sorry, I didn’t realize you’re using POSIX ACLs. POSIX ACLs don’t have inheritance flags, they have default entries. I never used them in combination with TrueNAS. I don’t recommend using them in combination with SMB.

You should follow the advice that @awalkerix posted. The ACL Type SMB/NFSv4 works much better with SMB.

When I try to update the acltype and set it to SMB/NFSv4, anything I try and set the aclmode to just defaults to discard and then fails to save - no matter what option, I just get the output of:

[EINVAL] pool_dataset_update.aclmode: DISCARD aclmode may not be set for NFSv4 acl type

Ah, eventually it worked and let me set it to restricted after some attempts - I think it just needed me to refresh and try it again.

Thanks for the help @bacon and @awalkerix - This is now resolved and permissions seem to be being respected as I expected!
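
To illustrate the POSIX "default entries" mentioned in the replies, here is an added example (not code from any poster or from TrueNAS) that follows the object-creation rules in the Linux acl(5) manual page: the new object's access ACL is a copy of the parent's default ACL, limited by the mode the creating program requests. The getfacl-style sample is constructed from the default entries listed in the first post, and the function names are hypothetical; it shows the mechanism only and is not a diagnosis of the issue in this thread.

```python
# Added illustration: how a POSIX default ACL becomes a new object's access ACL (acl(5)).
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def to_text(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_default_acl(getfacl_text):
    """Return {(tag, qualifier): bits} for the 'default:' lines of getfacl output."""
    acl = {}
    for line in getfacl_text.splitlines():
        line = line.split("#")[0].strip()      # drop '# file:' and '#effective:' comments
        if not line.startswith("default:"):
            continue                           # access entries are not inherited
        _, tag, qualifier, perms = line.split(":")
        acl[(tag, qualifier)] = to_bits(perms)
    return acl

def acl_for_new_object(default_acl, create_mode):
    """Copy the default ACL, then AND the mode-linked entries with create_mode."""
    acl = dict(default_acl)
    # The group class maps to the mask entry if one exists, else to the owning group.
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    for key, shift in ((("user", ""), 6), (group_class, 3), (("other", ""), 0)):
        acl[key] &= (create_mode >> shift) & 7
    return acl

def effective(acl, key):
    """Owning group, named users and named groups are further limited by the mask."""
    bits = acl[key]
    if key not in (("user", ""), ("other", ""), ("mask", "")) and ("mask", "") in acl:
        bits &= acl[("mask", "")]
    return to_text(bits)

# Constructed sample: the default entries from the first post, plus one access entry.
SAMPLE = """\
group::rwx
default:user::rwx
default:group::rwx
default:other::---
"""

if __name__ == "__main__":
    defaults = parse_default_acl(SAMPLE)
    for mode in (0o664, 0o644, 0o600):         # modes a creating program might request
        new = acl_for_new_object(defaults, mode)
        print(oct(mode), "owning group gets", effective(new, ("group", "")))
```

With a default ACL present, the process umask is not applied; the requested create mode alone decides how much of each default entry survives on the new object.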