TrueNas Scale Ovpn Client and Server + Samba

Does anyone succeed to install by clicking on this damn web?
I kill 6 hours trying, and totally disappointed did it “the old way” via ssh.
takes about 5 min.
Who invented this damn thing?

Next “faut pas” was with Samba. Presumably I have to click-directly-to-happiness my ACLs but after an hour of clicking I’ve lost my will and switched to whiskey.
This ACLs is not clearest thing in the world, but with this…
BTW Even if it was set once, it shifts by it’s own will, and I don’t know what to do, except to cook a script which will set it right.
@LTS_Tom if it’s not so much troubles, make a video about ACLs for laughfull numbers (about several hundreds) users about a dozen subfolders with custom rights on each. And one condition: No AD allowed.

SY

1 Like

If you have a lot of varied permissions then Active Directory is the easiest way to manage it.

My mistake was during creation I choose “General” instead of “Samba”, it’s easy mistake (?) to made, if consider a SAMBA domain.
But things is not too bad, if

  • chmod -R 775 ./ # default is 600
  • setfacl -R -k ./ #get rid of default::
    after that all “miracles” (such as 6 “New Folder(1-6)” w/o access as a responce to create folder command") vanishes.
    It’s useful to save your acl-s to file
    getfacl -R ./ > acl-01.txt

But Openvpn via web is an absolute nightmare.
I’ve done thousands clients sets-up. But this…
If for Scale it’s possible to configure all I need via ssh shell, the Core is whole other story.
What a stupid messages “Root CA must have CRL Sign set for KeyUsage extension.”
WTF?? Guys from iX System, you kinda overengeneere this. Maybe you had a stomach flu, because I can’t imagine that reasonable man will do it intentionally.
My root CA (cooked in my kitchen) must Not! OKay?
I almost start to become desperate, as manually configured OVPN causes system reboot, but thereafter I discover a dirty little secret in TN Core. It has fully functional wireguard module, and it works!
After a minute I had my tunnel for management. So it’s about all.

So my task is done.
Some basic things deserves to take into account.
There is two interfered types of permissions. Filesystem perms and SAMBA perms.
In common case we set root:wheel on our SAMBA share, run smbd which can thereafter set it’s own set of permissions, due to impersonate “samba-user”

Let say we have /mnt/pool1/smb folder (with subfolders)

1 strip all FS perms down.
chown -R root:wheel /mnt/pool1/smb

OK nice start. Now strip all SMB perms by
cd /mnt/pool1
find smb | setfacl -b

Now a “short” description of FreeBSD ACLs:

  • ACLs are made up of one or more ACE’s (Access Control Entries)
  • ACLs are evaluated on server
  • Order matters
  • ACLs are processed until access is allowed

ACE’s are made up of 4 or 5 colon delimited fields

  • Principal
  • Access Permissions
  • Inheritance flags
  • Type

*Principal (are made of tag or qualifier)

  • ACL Tag

    • owner@ *Access permissions apply to the owner
    • group@ *Access permissions apply to the goup owner (!!!)
    • everyone@ *AP apply to everyone (inc owner and group)
    • u or user *AP apply to user specified in qualifier
    • g or group *AP app. to the group spec in qualifier
  • ACL qualifier

  • Username *AP apply to this user
  • Groupname *AP apply to this group

ACCESS PERMISSIONS

  • r - read data * R - read_xattr
  • w - write data * W - write_xattr
  • p - append_data * c - read_acl
  • D - delete_child * C - write_acl
  • d - delete * o - write_owner
  • a - read_attributes * s - synchronize
  • A - write_attributses

** addedd Access permission !!! p-flag !!!

  • p – append_data (it’s a flag ignored for files and MUST be set in order to create subdirs)
  • D – delete child (ability to Delete subdirs)

Inheritance

  • f – file_inherit (Files inherit ACE setfacl -m owner@full_set:f:allow,group@full_set:f:allow,everyone@full_set:f:allow)
  • d – dir_inherit (same shit)
  • i – inherit_only ( Used with f,d - Only files/dirs BENEATH directory will inherit the ACE)
  • n – no_propagate (only the first dir beneath propagate, others will)
  • I – inherited (shows)

Compare to Linux perms:

Octal number Access permissions given

  0          rwx   read, write and execute
  1          rw-   read and write
  2          r-x   read and execute
  3          r--   read only
  4          -wx   write and execute
  5          -w-   write only
  6          --x   execute only
  7          ---   no permissions

After that we may at least set our samba(nfs4) permissions on our will for a folder FOLD
for users “user1” “user2” and group “Company-adms”

setfacl -R -m everyone@:------a-R-c–s::allow
setfacl -R -m user:user1:rwxp–aARWcCos::allow FOLD
setfacl -R -m user:user2:rwxp–aARWcCos::allow FOLD
setfacl -R -m g:Company-adms:rwxp–aARWcCos::allow FOLD

it’s about it. Now we can script it in any way.
But it worth to remember that TrueNas fails to concatenate ACE so each command must be on it’s own row.

NFS troubles. Again.
I had a humle intention to connect my vShpere to NFS share out of TrueNas but stuck. All I’ve got is read only share.
All this is consequences of root permissions, than root haven’t on this share.
I it takes to go under Advanced → map user (root) → map group (wheel)
and only after that I had normal (from ESXi perspective) NFS share.
One questions stays - this thing makes the NFS share in SYNC mode, but I prefer ASYNC (due to my humble capaicities)
A solution still is not found but even in current mode is … acceptable because all I do is transfer VMDK-s to qcow2 for my PVE.
TN-Scale gives me a various range of surprises.