SMB - Folders and files don't inherit dataset's owner

Hello everyone,

I configured a dataset and newly created folders and files don’t inherit the owner of the dataset. The dataset is shared as SMB and is set to restricted for ACL mode.

Is there any way I can configure the dataset’s ACL so new files or folders are owned by the dataset’s owner?

This is the dataset’s ACL

When the user “Mary” creates a folder in the dataset, the owner is set as Mary.

Mary is part of the builtin_users group:

Thank you to anyone for helping in advance!

Hello!

Just a quick note: builtin_users includes every user with permission to use SMB. So, potentially more users have Allow | Modify access to your data than just bob and the FINANCE group.

Regarding your question:
TrueNAS ACLs are a bit different from Windows permissions, and can be confusing until you get used to them. The “Apps Permissions” section of this video is outdated at this point, as TrueNAS changed, but the introduction to users, groups, and permissions helped me a lot.

(Watch the whole video first. He does an example or two at first that’s just a bare introduction to how the interface works before doing the example where he strips the ACLs and shows you how to do group-based permissions.)

The way I understand it is this: Using an ACL-based permissions structure, permissions are intended to be controlled based on groups. That’s why the root user owns everything by default. Some user has to own the dataset. If you never change root as the owner of a dataset, and set up the groups and group-based permissions as you want, root will never own a file created by one of your users. It just owns the container (dataset).

Notice in Tom’s video he doesn’t change the owner of his practice dataset away from root even when he’s demonstrating how to do group-based permissions. Access should be controlled based on groups, then as long as the right group permission is set, any user in that group has the permissions that group has.

Mary owns the files she created because she created them. They’re hers. She has read/write access to the share to create the files in the first place because she’s in a group with read/write access (builtin_users).

I hope that didn’t come off as trying to sound smart-aleck; it’s late here and that’s certainly not my intention. :slight_smile:

You mentioned that you wanted to control what users owned new files. What result are you going for? If we know what you’re trying to accomplish, there might be another way to do it.

TrueNAS isn’t really set up to let you easily override file owners for newly created files. You could periodically go into your dataset settings and recursively force TrueNAS to chown all the files to the dataset owner, but that’s a manual operation and a potentially dangerous sledgehammer.

Technically you can use an auxiliary parameter for the SMB share, inherit owner = yes, but it has caveats in addition to only working over the SMB protocol (see smb.conf).

Generally on unix systems the person creating a file is the owner of the file. This is a useful feature since it allows you to track who owns the file, and this behavior is generally expected by many applications (so doing otherwise may have unintended side-effects).
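As an added illustration (not code posted by anyone in this thread), here is a read-only audit a share admin could run against a dataset path instead of the recursive chown mentioned a few posts up. It reports two things: entries whose owner is not the dataset owner (the files a chown would silently rewrite, and the ones inherit owner = yes never touches when a write bypasses SMB), and entries their group cannot write to, i.e. folders or files a user has locked to themselves so that other members of the department group can neither modify nor remove them. It uses only POSIX find, so it runs on either CORE or SCALE; the file name audit.sh and the sample tree built by demo() are made up for the example, and the mode bits it checks are only a summary of the NFSv4 ACL, so treat hits as leads to inspect with getfacl rather than as the full picture.

```shell
#!/bin/sh
# Added example, not code from this thread: a read-only ownership and
# group-write audit of a share tree.  Uses only POSIX find/wc/tr, so it
# runs on TrueNAS CORE or SCALE shells.  Mode bits on an NFSv4 ACL dataset
# are a summary of the ACL, so treat hits as leads to inspect with getfacl.

# Print every entry under $1 whose owner is not $2 (the dataset owner).
# This is what a recursive chown would silently "fix", and what
# "inherit owner = yes" never changes for writes that bypass SMB.
list_foreign_owner() {
    find "$1" ! -user "$2" -print
}

# Print every entry under $1 that its group cannot write to: folders and
# files a user restricted to themselves, which other members of the
# department group can then neither modify nor remove.
list_group_locked() {
    find "$1" ! -perm -g=w -print
}

# Counts of the two findings, trimmed so BSD wc padding does not leak in.
count_foreign_owner() {
    list_foreign_owner "$1" "$2" | wc -l | tr -d ' '
}

count_group_locked() {
    list_group_locked "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree in a temp dir (no real dataset is touched).
# Run with:  AUDIT_DEMO=1 sh audit.sh   (file name is hypothetical)
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/finance"
    : > "$tmp/finance/budget.xlsx"
    : > "$tmp/finance/private.docx"
    chmod 775 "$tmp/finance" "$tmp/finance/budget.xlsx"
    chmod 700 "$tmp/finance/private.docx"   # locked to its creator
    echo "not owned by $(id -un): $(count_foreign_owner "$tmp/finance" "$(id -un)")"
    echo "group cannot modify:   $(count_group_locked "$tmp/finance")"
    list_group_locked "$tmp/finance"
    rm -rf "$tmp"
}

if [ "${AUDIT_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run it against the department dataset path on a schedule and review the output rather than acting on it automatically; a folder that the group cannot write to may be intentional, and on an ACL-mode dataset the real answer is in the ACEs that getfacl shows.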

Hello! Thank you so much for taking the time to respond with thorough detail.

Haha, no worries at all. I’m a newbie in IT after all so any correction or clarification is very helpful. If anything, it helped me rethink my approach about what I’m trying to do.

I did watch Lawrence’s video, but I didn’t fully grasp what he was doing until you pointed it out. I understand now - creating a shared drive between two users (Tom and Marcus) from two different groups and managing user permissions via groups.

I was thinking the same, but I think it’s best to clarify my goals and situation so you can understand my thought process.

My goals:

  1. Looking to replace an old, outdated Windows file server that is only used to serve files to Windows clients
  2. Implementing ACLs for file sharing, as the Windows server doesn’t have any ACL or AD setup.

Current situation:
I have 6 different departments sharing the same shared drive from the Windows server. Each department has a folder to themselves. Since there isn’t any ACL, each department can freely access the other departments’ folders. This is good and bad. There are folders/files a department would like to share with others from their folder (good), and there are folders/files that should be exclusive to the department (bad).

My idea with TrueNAS is to create a dataset and a nested dataset for each department. The parent dataset is to be accessed (with read and write) by other departments, and the child dataset is to be accessed only by the department. This is all fine and dandy until I realize a user of a different department can create a folder/file in the parent dataset and restrict it to only themselves. A user of the department, like Bob from FINANCE, wasn’t able to modify/remove the folder/file of the user. To circumvent this, I thought any folders/files created in a department’s folder should be owned by the head of the department. That way, other users can’t restrict any folders/files they create. Perhaps it’s fine that they can and I’m just nitpicking.

Let me know what you think. Thank you for your time and assistance!

Hi there,

Thanks for the reply. I just clarified my situation and goals to @SinisterPisces. Your suggestion seems to accomplish what I want, but I feel like I’m committing a bad practice lol. What would you recommend?

So Mary becoming the owner of a folder she has created is quite normal; you just want to ensure that the users who should have access to that folder gain access. It can actually be quite useful to know who created a file or folder.

I generally recommend keeping the Owner and Owner Group set to the default root. I then remove all other entries including owner@ and group@ and then assign my groups.

I’d suggest you create groups based on your departments, such as Finance, HR, IT, etc. Then create your users and assign them to the relevant groups.

Create a dataset per department assigning the permissions as mentioned above.

Then share out each dataset with the default share settings and permissions.