TrueNAS Core 12 User and Group ACL Permissions and SMB Sharing

Captions
Tom here from Lawrence Systems, and since 12.0 TrueNAS Core has been released, there have been some changes to the way the permission system works. I want to cover those changes, and this is also going to fix, if you are someone who had the problem of do the in-place upgrade and broke some of the permissions, we're going to show you how to fix that by simply stripping off the old permissions and putting on new ones. And of course we'll start with how to set up a brand new share and the proper way to get those permissions set up for a single user, and for a group of users, and for a shared group.

Before we get started with that, let's first, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

Now the device you're going to be testing this on is a TrueNAS Mini 3.0 X+, and big shout out to iXsystems for providing me with this for doing some testing and review. And yes, I have a longer term review that is coming on this particular device, but it doesn't really matter if you're using an iXsystems-based device or built this yourself; the way the permissions work is the same either way. This is TrueNAS 12.0 release. Now this is the fully released version of TrueNAS, not the beta anymore, and as
of November 2020, the most current version.

Now one thing we're going to go over is a couple prerequisites here. Let's go to Accounts and Users. We're going to start with the one user I have created in here, Tom, and we're going to build our first dataset with permissions on there. This is pretty much a clean system, because I keep reloading it and testing it in different configurations, so there's really not much on here; it's pretty default. And we're going to go over here to Storage, Pools, and let's create a new dataset. Go ahead and hit Add Dataset, and we'll call it YouTube permissions, YouTube permissions demo. Pretty straightforward on how we do this, nothing special, and we're going to go ahead and just hit Submit. So we didn't do anything other than a default create on here.

Now this is where there's definitely some changes that have occurred compared to the previous versions. We go over here, and it did have options to add permissions or edit ACLs; now it's just set of permissions. These are the default Linux-style permissions, and we want to actually change this over to ACL, so we're going to go over here and hit Use ACL Manager. We can create a custom access control list or select from their presets. We'll actually go with the restricted one. Now Open, kind of like it implies, it's going to create an open control. As a matter of fact, we'll say Continue real quick here and you'll see what it creates: we have an everyone that can go in here, the group, whoever the group owner is, and whoever the owner is. So we have an owner, a group owner, and then an everyone option on here. If we select a different one such as Restricted, hit OK, and now it's only the, whoever the owner is, whoever the group is. And then we can select another one here again and look at the Home options, and once again we have everyone, but some other permission nuances have been changed in between to reflect setting up like a home drive. So as I said, we'll start with Restricted. So we'll go here; we want to restrict this only to
Tom. By default it has root and it has wheel. We do not want root and wheel. This is something that in TrueNAS 12 you're going to have problems with, because you should be assigning it to a user and not letting root own everything, but this is how, I believe, in the older versions of FreeNAS didn't have any problem with this. It is more of a challenge, so we're not going to use root and wheel for these. We're going to actually go ahead and use the groups we have, which, whenever you create a new user, it also creates a group, so that group we have is tom. So we'll grab tom here, apply; we'll grab tom again here. Whenever there's a user created, there's an accompanying group. Apply User, Apply Group. We select the permissions; we'll leave these right here, pretty basic, just like that. If there's existing data, Apply Recursively; that means grab and apply these ACLs to everything underneath. And hit Save, and that's all you need to do to create it and now have Tom own it.

So let's go back in here and take a look at it. We're going to go to Edit Permissions; hey look, Tom owns it. Now if we were to switch that, and we'll say wheel for example, Apply Group, Save, let me go back and edit again, you can see now it has wheel. But we want Tom to own it for purposes of this demo where we're at right now. Apply Group, Apply Recursively; you know, there's no data in there, so we didn't put anything in there yet, but we'll go ahead and hit Save. All right, so now we have YouTube permissions; we've created a dataset and we've, uh, established that Tom owns it, the tom group. And one more time we'll go back in here and make sure Tom has full permissions for everything, but we see Full Control here, and we can even change this from basic permission modifying; we just want to say Full Control. I want to make sure Tom owns and has control of everything in here, because that's the user we're going to start testing with, and then we'll create the other users next. So we go ahead and hit Save.

Now one thing I will note: if you have screwed
this up and you've already gotten to the point where you've applied a bunch of permissions, you're not sure what's going on, and everything's kind of a mess, pretty easy to fix. And what you do in that particular circumstance is go back over to Edit Permissions and you can just hit Strip ACLs: remove all ACL permissions from the child datasets and current dataset. Strip ACLs, and it basically lets you start over. And this is sometimes the best place to start if you've been playing with this for a while and you're kind of stuck and you're like, I'm not sure what I did, I'm not sure what ACLs I have applied, I just need to wipe all these access controls off, which doesn't affect the data; this just affects the permissions assigned to each object and folder underneath, and you can just strip them off. That's kind of what happens when you have done some in-place upgrades that maybe you don't know, or maybe some mistakes were made along the way because you didn't document all the changes you made. Either way, Strip ACLs is pretty straightforward to strip all the access control lists, but we're not going to do that because we just set them right and we created this new.

Next we're going to create a share. Now when you're creating a share, Windows share, we're going to Add, go to mount, the pool, and the nice thing is it tells you ACL is present in this path, so it already understands which one does. We do have this other folder; this is a video sync test I'm doing, uh, unrelated to this video, but you notice how it doesn't have an ACL, neither does iocage. This does. So we go here; that's the folder we want to share. What's the name we want to use? We'll call it YouTube, YouTube permissions. Now of note, and I've done videos before in snapshots and I'll be doing some updated ones for TrueNAS 12, but they essentially work the same: by default it does have Enable Shadow Copies enabled, and this is only if you have snapshots also turned on for the dataset. Out of scope of this particular video, but pretty easy if you turn
the snapshots on. Once you turn them on, start and stop the SMB service to make sure it understands that this option's enabled, and that'll enable shadow copies. But you don't really need to change anything from the advanced; the basic options are fine. But I wanted to note these are currently the defaults when you create a new share in the new version of TrueNAS. These defaults, though, may not be the options you have if you did an in-place upgrade. So if you did an in-place upgrade, it will not change options; for example, like shadow copy was not, I believe, part of the default several versions ago, and because it is now, you may want to change and check those things. You can redo the existing, but in this case we're creating new, so these are going to be the defaults.

All right, we're going to hit Submit and then we're going to go and do a test. Now I'm going to do the test in Windows, because the assumption is a lot of people are using Windows, but this will work just as well in Linux. Click over here, over to my Windows machine. We're just going to do this by IP address. There's our YouTube permissions. Create a new folder, test folder. All right, um, maybe I have some documents in here, let me see, do I have some random stuff; we'll go ahead and paste that in there as well. There we go, a couple random documents we threw in here. Now if we go here, right click and go to Properties, we can see Tom, CREATOR OWNER, each one of the permission sets, and then the group tom that's in here as well. So all of this is configured properly, sets up, that's easy enough to understand for how Tom can get there.

But if you work in larger organizations, but not big enough to have Active Directory, and I bring that up because if you were doing this in Active Directory it works slightly different, because you'll have Active Directory handling all the permissions and you'll have it connecting to the server. Out of scope of this particular talk; this is all going to be based on users and permissions based inside of the TrueNAS system
itself. So now we know how to create a user, the permissions, and everything else. We'll create a user, we're going to get to next, but pretty easy to create users in here. We're going to create one more, because who else works with Tom? So we need to add another user. We're going to go over here: Accounts, Users, Add. And Marcus works with Tom, so we have to create a Marcus user. Username marcus, password, and go ahead and hit Submit. Not worried about home drives, out of scope again of this. So we want to have two different users. Now we're gonna go and create a group, because both of these people work at Lawrence Systems, and we'll just create a group ID called LTS. So there's our group ID and we'll hit Submit. Then we're going to go over here into the LTS group; we're going to edit the members, and the two members are currently Marcus and Tom. Save. Now we have two separate users; we've created a group, put these users inside of that group.

Now we've got to go back over here. I'm going to go to our Storage, Pools, YouTube permissions here, and we're going to go ahead and edit. We want to edit the permissions, and all you have to do is, we're going to go here and we're going to change the group to LTS. Apply Group, and because group has full control, so does the owner, so whoever creates it has full control, people that are members of this group have full control. We have some things that we've already created; I want to make sure those have the right permission, so we want to apply it recursively. We hit Save, and now that group object has been created.

Now let's go ahead and, we're going to actually going to log in via Linux and Marcus and create some files. Right, Marcus is logged in and can see some of this. Let's dump a couple random things in there. All right, we threw a few folders in here. Let's go over in Windows and take a look, and now Windows can see the other files created. We're going to go ahead and do a Properties on them, look at the Security, and we see that Marcus is the creator of these. But do we have read
write access to it? Should be able to create a new folder here, oops, test folder, and yes we can. Now the test folder right here, Properties, Security, and the creator was Tom on this as opposed to Marcus. So I'm able to create folders I own underneath, and these are the ones that the Marcus user was able to create. And we go back over here, drag in; now you can see this is from the Linux side of the house, I was able to do this as well. And there's a test folder, and if I wanted to create even more folders, you kind of get the idea, we can keep creating more and more folders. There's the xxx one I just created, and Windows can see it as well. So it's pretty straightforward getting the permissions set up on here.

Now one less, one more thing that I'll cover in terms of how this works: I've SSH'd into the system just so you can see what it looks like from the command line as well, so you can see which owners have which, and they can be changed here if you ever needed them; they can be done from the command line as well. Also related to that is the getfacl command. You can also script and modify these, and if you just want to look at some of the permissions, and if you want to have an understanding of how it works in command line, you can look up the different commands of how you do these, and it will break down who owns what. So owner is tom, group lts, and let's go inside, run the same command again. So cd YouTube permissions, and let's look at something like that obs folder. So we'll do the same command again, but this time we're going to look at the obs folder, and you can see who the owner and group is for that, so on and so forth. So you can kind of get an idea; there's a handful command line options that work as well, but it's pretty straightforward to manage it through the interface.

So let's switch back over to Linux, or sorry, the TrueNAS web interface, and go over here, Edit Permissions, and if we needed to apply different groups different permissions, you can see we'd be able to do it here. Also of note,
when you're adding ACL items, we did the group@ and owner@, as in these people right here who are the owner. You can also specify a specific user, and you only have the user tom, but whichever user you have created, if you need to specify a specific permission as well and set the allow types, basic, inherit, modify, or you can say like Full Control. This is a way you can specify a user who's not maybe part of the group but also implicitly you want to have on there. And then you can keep, so on and so forth, maybe another group that you want to add, maybe another ACL item, and yes, you can just keep going with this. And this is sometimes why Strip ACLs is so important, because you've built out so many complexities with this. And then we go back over to Strip ACLs if we need to; that'll remove all of them and we can start back over again. Go back and Edit Permissions. When you strip ACL, it brings us back to the generic Linux-style permissions; go back to ACL Manager and the process starts over.

So hopefully it's helpful; hopefully this clarified some of the problems you're having. And like I said, if you did some in-place upgrades, or you've been playing with this a while, you don't remember all the changes you may have made or whether or not you did things recursively, you can always start with Strip ACLs, remove them all, start over, start with all the templates, and sometimes, you know, it's just easier to do it that way.

All right, and thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video,
other videos, or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
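
Added example, not part of the video or the channel's material: a small Python audit of `getfacl` output for the conditions the transcript calls out (root/wheel ownership, an `everyone@` entry that grants access, and named entries that accumulate over time). It assumes the FreeBSD NFSv4 text format of `getfacl`; the sample output, the path and the function names are constructed for illustration.

```python
# Constructed sample of FreeBSD `getfacl` output for an NFSv4 ACL
# (illustrative; the path and entries are not taken from the video).
SAMPLE = """\
# file: /mnt/tank/demo
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
          user:tom:rwxpDdaARWcCos:fd-----:allow
"""


def parse_getfacl(text):
    """Return (header dict, list of ACE dicts) parsed from getfacl text."""
    header, aces = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):                 # "# owner: tom" style header
            key, _, value = line.lstrip("# ").partition(":")
            header[key.strip()] = value.strip()
            continue
        parts = line.split(":")
        if parts[0] in ("user", "group"):        # named: tag:name:perms:flags:type
            who, rest = parts[0] + ":" + parts[1], parts[2:]
        else:                                    # owner@ / group@ / everyone@
            who, rest = parts[0], parts[1:]
        if len(rest) < 3:
            raise ValueError("unrecognised ACL line: %r" % line)
        aces.append({"who": who, "perms": rest[0],
                     "flags": rest[1], "type": rest[2]})
    return header, aces


def audit(text):
    """List findings worth reviewing before the dataset is shared over SMB."""
    header, aces = parse_getfacl(text)
    findings = []
    if header.get("owner") == "root":
        findings.append("owner-is-root")
    if header.get("group") == "wheel":
        findings.append("group-is-wheel")
    for ace in aces:
        granted = ace["perms"].replace("-", "")  # permission letters actually set
        if ace["who"] == "everyone@" and ace["type"] == "allow" and granted:
            findings.append("everyone-allowed:" + granted)
        if ace["who"].startswith(("user:", "group:")):
            findings.append("named-entry:" + ace["who"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
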
Info
Channel: Lawrence Systems
Views: 62,748
Keywords: lawrencesystems, network attached storage, truenas core 12, truenas core, freenas setup, freenas (software), truenas acl, freenas acl permissions, freenas acl, truenas acl manager, nas, freenas, truenas
Id: R-5jbDTCsOE
Length: 16min 32sec (992 seconds)
Published: Tue Nov 17 2020