SMB + NFSv4 does not allow access for User entries (non-@)

Description

I've been having issues with SMB access for accounts that are allowed permission to access a share whilst authenticated as a 'User' of the dataset (not an @owner or @group).
I've read quite a few forum posts along similar lines, but not sure any of them are quite what I'm experiencing.

This issue was not present when I had Core installed, but immediately presented upon migrating to Scale.

Context: I migrated from Core to Scale about 12 months ago. I actually did a clean install of Scale and just imported the drives/datasets.

I am trying to access a particular share from one of my network devices. When I authenticate as the @owner for the dataset via SMB, everything works and access is granted as expected. However when I authenticate as a User, access is denied. The root SMB share can be mounted for the User, but any of the containing folders cannot be accessed.

Both accounts have SMB access enabled.

Share ACL Type:

ACLs for the dataset I am trying to access:

SMB Settings:

It is not likely to be the difference between 'Modify' and 'Read' permissions, as this issue also occurs when accessing a different dataset via my PC where the User is allowed Modify. Given it also occurs on my PC, the issue doesn't appear to be device-specific.

I have tried recursively re-applying all the permissions but there is no change in the behavior.

Problem/Justification

None

Impact

None

Activity

Andrew Walker August 18, 2023 at 11:39 AM

After reviewing server configuration in a TeamViewer session, it was observed that the SMB share contained ZFS datasets with inconsistent ACL settings. This is an unsupported configuration that would normally raise a ValidationError if the SMB share were created after the datasets in question were created with incompatible settings.
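
A check for the condition described in the comment above, as an added example that is not part of the original ticket or of TrueNAS itself: it reads `zfs get` output and lists child datasets whose `acltype` or `aclmode` differs from the dataset at the root of the share. Treating those two properties as the "ACL settings" in question is an assumption, and the dataset names in the sample are constructed.

```shell
#!/bin/sh
# Added example: flag child datasets whose ACL properties differ from the
# dataset at the root of an SMB share.
#
# Expected input (tab-separated name, property, value), as produced by:
#   zfs get -H -r -t filesystem -o name,property,value acltype,aclmode <dataset>
# The first dataset in the listing is taken to be the share root.

find_acl_mismatches() {
    awk -F '\t' '
        NR == 1    { root = $1 }                 # first line names the root
        $1 == root { want[$2] = $3; next }       # remember the root settings
        ($2 in want) && $3 != want[$2] {
            printf "%s: %s=%s (share root has %s)\n", $1, $2, $3, want[$2]
        }
    '
}

# Constructed sample listing (not taken from the ticket): a share rooted at
# "tank" with one POSIX-ACL child and one child using a different aclmode.
sample_zfs_output() {
    printf 'tank\tacltype\tnfsv4\n'
    printf 'tank\taclmode\trestricted\n'
    printf 'tank/docs\tacltype\tnfsv4\n'
    printf 'tank/docs\taclmode\trestricted\n'
    printf 'tank/media\tacltype\tposix\n'
    printf 'tank/media\taclmode\tdiscard\n'
    printf 'tank/media/tv\tacltype\tnfsv4\n'
    printf 'tank/media/tv\taclmode\tpassthrough\n'
}

# Run against the sample so the script works offline.
sample_zfs_output | find_acl_mismatches
```

On a live system, pipe the `zfs get` command from the header comment into `find_acl_mismatches` instead of the sample; no output means every child dataset matches the share root.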

Andrew Walker August 14, 2023 at 1:57 PM

I can’t reproduce your issue. Let’s schedule TeamViewer so that you can show me precisely what you’re seeing. We can coordinate via email: awalker@ixsystems.com

B D August 13, 2023 at 10:06 AM

Any update on this?

Michelle Johnson June 22, 2023 at 10:54 AM

Thank you for your submission!

This issue ticket is now in the queue for review. An Engineering representative will update with further questions or details in the near future.

B D June 22, 2023 at 3:28 AM

Thanks for the insight Andrew 🙂

Permissions are highly suspect since this effectively cuts off access for all users who aren’t a member of gid 1001, uid 1001, or one of the listed users.

This is intended.

Additionally, removing READ_DATA permissions will prevent users from “clicking through” folders and instead rely on knowing exact paths in question.

I have set the permissions there to be “Traverse”. Is this not the correct option to grant a user the ability to navigate through a folder structure? (see screenshot)

I see numerous authentication attempts in your audit log as GUEST (which maps to the nobody user and is of course denied access).

The particular client that I was attempting to log in with is the NVIDIASHIELD user. I was successfully able to mount TrueNAS on my NVIDIA Shield with the following connection string: \\smb;NVIDIASHIELD:<PASSWORD>@10.30.0.2\tank.
Does this look to be the source of ‘GUEST’? I would have expected it to appear as NVIDIASHIELD, right? Perhaps that is just a red herring (in the context of this issue) from some other device on my network?

Aclmode on the dataset in question is passthrough. Recommended configuration is RESTRICTED (especially where users get permissions by virtue of owner@ and group@ entries).

I have adjusted this - no apparent change in behaviour.

I would have expected with my current permissions setup, that an authenticated NVIDIASHIELD user would be able to at least navigate into the Media folder.

As further context, I face the same issue with another part of the folder tree: whenever I am authenticated as user 1001, I am able to navigate to /mnt/Apps/docker-data/terraria (so long as user 1001 is part of the owner@ group for the terraria dataset). However, if I remove 1001 from the owner@ group, 1001 is then denied access to terraria, even though it is listed as a user and has Modify permissions. (I have also tried setting this as RESTRICTED Aclmode, but no change.)

Thank you for helping look into this!

User Configuration Error
Details

Impact: Medium

Time remaining: 0m

Created June 21, 2023 at 5:24 AM
Updated February 27, 2025 at 9:28 PM
Resolved August 18, 2023 at 11:39 AM