I have a parent dataset called Ocean and a child dataset called 01-Media. Both are set to SMB with ACL.
I try to apply the child dataset with a group called grp_media__t for a non-inherent traverse permission, but I am getting an error stating that the parent dataset Ocean needs to have the group with execute permission.
[EPERM] Filesystem permissions on path /mnt/HDD/Ocean prevent access for group "grp_media__t" to the path /mnt/HDD/Ocean/01-Media. This may be fixed by granting the aforementioned group execute permissions on the path: /mnt/HDD/Ocean.
Why?
If I use a Windows computer and connect to the share with SMB, I CAN add the traverse permission to the child dataset without the parent having the execute.
But when I try to make any change and save the ACL on the child dataset, I am getting the same error. Even if the change is not related to that group.
Not very fluent with SMB, but in Unix "execute" permission means "traverse", i.e. look up directory content. And obviously you need that for all parents up to the root to get at any particular dataset or directory.
Still makes no sense. Permissions are just attributes of that file/folder. Why does it care if something above it has permission or not?
It's totally logical to have 2 folder levels each have their own non-inherent permission group for traverse. And it's a common setup in business too.
If you are using pure SMB/NFSv4 ACLs you have to set traverse on any parent if you want permissions in sub datasets for that group to work.
For Unix permissions since you can't execute a directory the bit used for file execute is repurposed to mean "permission to list/traverse". Iirc Unix permissions can work in theory for a user in an isolated directory even if he doesn't have permission to list the parent directory, but doing SMB/NFS ACLs nested below Unix permissions with execute not set could be the issue here.
Basically:
SMB might have to traverse the parent directories and be denied before ever getting to the folders where it has access.
Like I mentioned above, the parent dataset has a different group that can give the user traverse access only at that level. Even if a user doesn't have enough permission to access at parent level thus unable to access the child is an acceptable behavior at the user end.
My issue here is I can't even set a non-inherent group permission to a child dataset as root/admin without the parent dataset having this group permission with execute in the GUI.
If I shared the child dataset directly, this dependency of the parent dataset is still there.
Hiya,
I think I understand what you are talking about but could you perhaps share some screenshots of your dataset layouts and permissions so we can better understand the exact issue here?
Thanks
Thanks so Ocean is an SMB share as is 01-Media right?
And the issue is 01-Media can't access the 01-Media share?
There is no access involved yet. I am just simply trying to add a permission group to 01-media only. No inherent.
This is what I am trying to save.
Ah ok gotcha.
So is the Ocean dataset shared out over SMB?
Edit: Sorry not root dataset.
Yes. But really SMB share or not should be irrelevant when changing the ACL on a dataset. We are dealing with the dataset attribute itself.
Sure.
So essentially you're wanting multiple shares some with nested datasets?
Is there any reason why 01-Media needs to be its own dataset instead of a directory within Ocean? If the answer is yes then is there any reason why 01-Media couldn't be a child dataset of HDD?
Yes. It's easier to manage that way. A dataset can be easily replicated somewhere else compared to a folder.
Ocean is the root of all shares. HDD, as the root of the dataset/pool, should not be used for shares. This is the recommended setup by iXsystems.
Interesting. I generally create one or two "stub" datasets at the top level for snapshot schedules and replication and tend not to share those out. They act like control points and the sharing datasets sit within them.
PS: appreciate this doesn't help in this situation but worth noting in future.
Just tested the setup in Core where my production is at. There is no restriction nor dependency there.
I feel like this is some kind of bug, but need some admin/dev to confirm that.
There has defo been a change no doubt, however I don't think it's a bug but instead I think it's the devs trying to stop us doing things they think are not ideal.
Feel free to create a bug report by clicking the above link but I have a feeling there are reasons.
But when you replicate the child dataset, it breaks the dependency anyway. Why does an ACL have a dependency on parents anyway?
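
The parent-traverse dependency discussed in this thread can be checked by hand. The following is an added example, not part of the original thread and not TrueNAS code: it walks from a base directory down to the parent of a target and lists every level where a group lacks execute (search). It assumes plain Unix mode bits only; NFSv4/SMB ACL entries for the group are not evaluated, and the function names are hypothetical.

```python
import os
import stat
import sys
from pathlib import Path


def grants_search(path, gid):
    """True if the mode bits on `path` give group `gid` execute (search).

    Assumption: only mode bits are read; ACL entries are ignored.
    """
    st = os.stat(path)
    # Group class applies when gid owns the directory, otherwise "other".
    bit = stat.S_IXGRP if st.st_gid == gid else stat.S_IXOTH
    return bool(st.st_mode & bit)


def traverse_blockers(target, gid, base):
    """List directories from `base` down to the parent of `target` that
    deny search to `gid`. Any entry makes `target` unreachable for that
    group, whatever permissions `target` itself carries."""
    target = Path(target).resolve()
    base = Path(base).resolve()
    if base not in target.parents:
        raise ValueError(f"{base} is not an ancestor of {target}")
    # Path.parents runs nearest-first; reverse it to walk top-down.
    chain = [p for p in reversed(list(target.parents))
             if p == base or base in p.parents]
    return [str(p) for p in chain if not grants_search(p, gid)]


if __name__ == "__main__":
    # Usage: script.py <target> <gid> <base>, e.g. with the thread's paths:
    # /mnt/HDD/Ocean/01-Media <gid of grp_media__t> /mnt/HDD/Ocean
    target, gid, base = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for blocker in traverse_blockers(target, gid, base):
        print(f"gid {gid} lacks execute on {blocker}")
```

An empty result means every level between the base and the target lets the group through by mode bits; on an ACL-backed dataset the ACL itself still has to be inspected.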