Understanding access control lists; managing from command-line

Hi All,

I have been using Unix, Linux, *BSD and other Unices for many years and have always made use of ACLs wherever possible. But I am getting a bit confused with TrueNAS Scale 25.04.2 on my home NAS because I feel limited by the GUI web interface’s options but also can’t get CLI access to operate in any meaningful way. I expect (hope!) there’s something straightforward that I’m missing, so I’ll be grateful if someone can point it out.

Here’s the scenario:

  • I have RAIDZ1 zpool, in which I have a dataset to store all my media for access via the Plex app.
  • I share the dataset via SMB and NFSv4. (I personally use the NFS/SMB shares to do admin and uploads; but the kids use the share and open the .mp4/.mkv files in VLC from Windows File Explorer.)
  • I have created users and groups (12-content, pg-content, 18-content etc.) to control access to PG, 12-, 15- and 18-rated content. I am planning to apply these groups to various sub-directories in the share so that my youngest cannot access inappropriate content.
  • I have content with the different age ratings stored under separated subfolders in that dataset.
  • I can see from the output of /proc/mounts that the zpool and dataset are mounted with nfsv4acl mount option.
  • On the whole, this works fairly well for Windows clients.

Hopefully that’s explained clearly enough.

One problem I have is that using the TrueNAS web access, I can only really change the ACLs at the top level of the dataset. (Okay, I know I can manually edit the URL for the ACL editor to allow me to edit the ACL of any arbitrary folder in my datasets, but it’s not all that practical and sometimes it fails with EPERM because parent folders don’t have compatible groups in their ACLs.) Of course, I could just create datasets for the content in each different rating and then I could edit the ACLs in the web interface.

However, if I use my preferred method (the CLI) with the getfacl, getcifsacl or nfs4_getfacl commands, I get results I just don’t understand, and which differ now from what I remember worked previously, e.g. in TrueNAS core, Ubuntu or Solaris.

  • If I run “getfacl xxxx” then I just get basic user/group/world entries, even though in Windows File Explorer I can see the correct ACL I want for the exact same folder, with entries for 12-content as appropriate. This corresponds to what I set up in the TrueNAS web interface.
  • If I run getcifsacl or nfs4_getfacl on the same folder then it fails with a not supported error.

I’d appreciate any suggestions, thanks.

I may decide to remove NFS access to the dataset as nobody but me uses it, if that helps… But I’d prefer to understand this better.

Thanks in advance,
Aidan