SMB not respecting `setgid` flag in POSIX ACLs
Description
Problem/Justification
Impact
Activity
Franz Koch February 3, 2022 at 5:31 PM
And setting the user:group twice is also correct (once via default POSIX ACL and once via extended ACL)?
And forum didn't help so far with my ACL questions..., so..
William Gryzbowski February 3, 2022 at 12:45 PM
This is the expected behavior of Samba vfs_acl_xattr module.
Appropriate POSIX1E ACLs should be set using UI.
For help we suggest you try the forums.
Thank you
Michelle Johnson February 2, 2022 at 2:16 PM
Thank you for your submission, @Franz Koch!
This issue ticket is now in our queue for review. An engineering representative will update with further details or questions in the near future.
Franz Koch February 2, 2022 at 1:34 PM
Hi. I don't see how a Debug would help here, but I can ofc provide one. But it won't really differ from the last 2 ones I attached in other tickets, config-wise.
Michelle Johnson February 2, 2022 at 1:15 PM
Thank you for your report, @Franz Koch!
Would you please attach a debug to the Private Attachments area of this issue ticket?
To generate a debug file on TrueNAS SCALE, log in to the TrueNAS web interface, go to System Settings > Advanced, then click Save Debug and wait for the file to download to your local system.
I have just very basic POSIX ACL requirements in that the datasets and related shares only need permissions for one related group each. My users are all members of the groups that are related to the shares they are allowed to see/use. In order for newly created files on those shares to always be accessible to members of the related group, I have set "chmod g+s" (recursively) on the respective share entrypoints (which match datasets).
When files are now created via CLI, the group is applied correctly to new files. But when files get created via SMB on those shares, they end up with the primary group of the SMB user, which IMHO looks like a bug, but I am no expert in this.
Also, files created by SMB users have their permissions granted twice, once as main owner:group and additionally via extended ACLs (user:[username]:xxx etc).
```
root@brain/mnt/tank/media/recordings# getfacl smb-test.txt
file: smb-test.txt
owner: franz
group: franz
user::rwx
user:franz:rwx
group::r-x
group:franz:r-x
mask::rwx
other::r-x

root@brain/mnt/tank/media/recordings# touch test-cli.txt
root@brain/mnt/tank/media/recordings# getfacl test-cli.txt
file: test-cli.txt
owner: root
group: mediacenter
user::rw-
group::r--
other::r--
```
I am aware that extended/advanced ACL can be configured via the UI, but basic ACL should work correctly regardless.
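
A small audit of the two `getfacl` listings in this report, as an added example that is not part of the original ticket: it flags a file whose owning group differs from the group of its setgid parent directory, and named ACL entries that repeat the owner or the owning group. The function names are hypothetical, and `mediacenter` is assumed to be the share's group, as shown for `test-cli.txt`.

```python
import re

# Sample input transcribed from the two listings in this ticket (header lines
# appear there without getfacl's usual leading "# "; the parser accepts both).
SMB_SAMPLE = """file: smb-test.txt
owner: franz
group: franz
user::rwx
user:franz:rwx
group::r-x
group:franz:r-x
mask::rwx
other::r-x"""
CLI_SAMPLE = """file: test-cli.txt
owner: root
group: mediacenter
user::rw-
group::r--
other::r--"""

def parse_getfacl(text):
    """Parse one file's getfacl output into headers and (tag, name, perms) entries."""
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^#?\s*(file|owner|group):\s+(.+)$", line)
        if header:  # headers have a space after the colon, ACL entries never do
            acl[header.group(1)] = header.group(2)
            continue
        entry = re.match(r"^(user|group|mask|other):([^:]*):([rwx-]{3})$", line)
        if entry:
            acl["entries"].append(entry.groups())
    return acl

def audit(text, expected_group):
    """List findings for a file that lives under a setgid directory owned by expected_group."""
    acl = parse_getfacl(text)
    findings = []
    if acl["group"] != expected_group:
        findings.append(f"{acl['file']}: owning group {acl['group']!r}, "
                        f"setgid parent expects {expected_group!r}")
    for tag, name, perms in acl["entries"]:
        owning = acl["owner"] if tag == "user" else acl["group"]
        if tag in ("user", "group") and name and name == owning:
            findings.append(f"{acl['file']}: named entry {tag}:{name}:{perms} "
                            f"duplicates the owning {tag}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_SAMPLE, "mediacenter") + audit(CLI_SAMPLE, "mediacenter")))
```
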