I’m planning to set up a dataset for shared home folders (using SMB) for certain users, but the tutorial isn’t clear on which user/group should own the dataset itself.
I’ve found about 4 different answers to this question on various tutorials that all do something different, so I’m curious what y’all are doing with your actual setups.
I don’t think it matters at all which user owns the enclosing dataset as long as the target user owns the home directory that’s being shared. So if you have a dataset mounted at /mnt/data/homes, it can be owned by root, but you want /mnt/data/homes/SinisterPisces to be owned by the SinisterPisces user (which it should be automatically, using Samba’s home shares feature).
For general shares, I usually leave the default owner/group settings and use the permissions dialogue to set additional users and groups because SMB shares on TrueNAS use the underlying setfacl command for more complex access control lists.
On TrueNAS SCALE, the default owner of a dataset is root (group root). Having root own anything but the actual pool unsettles me a bit because I don’t yet fully understand the implicit privilege escalation involved. But from what you said, at least with SMB ACLs that might not be as big a deal?
I was considering creating a Share Admin and letting them and their group own datasets that I otherwise don’t need to set specific owners for.
That’s probably a fine idea. The ramification of root:root owning the dataset mountpoint is that a user can’t easily escape their home folder. So in that example I gave earlier, your user would have full access to your own home directory, but if someone found a way to access TrueNAS via a bug in Samba (for example), they couldn’t get to the outer directory. I’d think you could mimic this effect with a shareadmin:shareadmin ownership, like you implied; just make sure none of the users with home shares are members of the group shareadmin. A common membership to that group could enable one user to browse the home share of another.
Thanks! That explains a lot, and makes me feel more confident about what I’m trying to do.
It’d be cool if there was a tool to get a report (text or visual) of what every known SMB user is actually able to see and mount (those aren’t always the same, for an added layer of complication, though I try to keep them the same with ABSE).
I’m a little late to this conversation but I’ll just summarize what I understand about permissions.
Yeah, so all of that is good. Root owns most everything when it comes to Unix permissions. When TrueNAS creates an SMB share, the Unix permissions of the could be root:wheel or user:user depending on what Dataset or Directory you share; the ACL permissions are given per user you create in TrueNAS.
You can log in to the Shell, go to the /mnt/Disk$/ directory and run ls -alh to see these permissions.
The below directory ISO-Files is not shared via Samba, and the Unix permissions of drwxr-xr-x mean that the owner root has read, write and execute permissions (rwx); users belonging to group wheel have read and execute permissions, and so do all other Unix users on TrueNAS.
The Media directory is controlled by ACLs because an SMB share is enabled on it.
This is on TrueNAS Core, which is FreeBSD based. Unix permissions could be different on the Linux-based TrueNAS Scale. On this one, when you create a Dataset from the UI, since you’re logged in as root, the Dataset created belongs to root; everything is basically done using the root user. They might have changed that later, but there’s no security issue so long as no one gets to be root on your machine.
drwxr-xr-x 2 root wheel 6 Mar 28 16:05 ISO-Files
d---------+ 12 root wheel 14 Mar 23 15:51 Media
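Added example, not part of the thread and not TrueNAS code: a small Python audit that applies the owner/group/other mode bits described above to a set of home directories and reports which users can browse a home that is not theirs, which is the shared-group situation warned about earlier. The directory entries, user names and group memberships are constructed; only mode bits are evaluated, parent-directory traversal is not modelled, and entries whose mode ends in "+" are listed for ACL review instead.

```python
# Added example: constructed data, mode bits only (ACL entries are not evaluated).
from dataclasses import dataclass

@dataclass
class Entry:
    path: str
    owner: str
    group: str
    mode: str  # as printed by `ls -l`, e.g. "drwxr-x---" or "d---------+"

def class_bits(entry, user, groups):
    """Pick the rwx triplet that applies: owner first, then group, then other."""
    perms = entry.mode[1:10]
    if user == entry.owner:
        return perms[0:3]
    if entry.group in groups:
        return perms[3:6]
    return perms[6:9]

def can_browse(entry, user, groups):
    """Listing a directory needs r (read names) and x (traverse)."""
    if user == "root":
        return True
    bits = class_bits(entry, user, groups)
    return bits[0] == "r" and bits[2] == "x"

def audit(homes, members):
    """Return (cross-user findings, paths that need an ACL review)."""
    findings, acl_review = [], []
    for e in homes:
        if e.mode.endswith("+"):  # ACL present: mode bits are not authoritative
            acl_review.append(e.path)
            continue
        for user, groups in members.items():
            if user != e.owner and can_browse(e, user, groups):
                findings.append((user, e.path))
    return findings, acl_review

# Constructed sample: two homes group-owned by a shared "shareadmin" group.
HOMES = [
    Entry("/mnt/data/homes/alice", "alice", "shareadmin", "drwxr-x---"),
    Entry("/mnt/data/homes/bob", "bob", "shareadmin", "drwxr-x---"),
    Entry("/mnt/data/homes/carol", "carol", "carol", "drwx------"),
    Entry("/mnt/data/homes/Media", "root", "wheel", "d---------+"),
]
MEMBERS = {"alice": {"alice", "shareadmin"}, "bob": {"bob"}, "carol": {"carol"}}

if __name__ == "__main__":
    found, review = audit(HOMES, MEMBERS)
    for user, path in found:
        print(f"{user} can browse {path}")
    for path in review:
        print(f"{path}: ACL set, inspect the ACL (e.g. getfacl)")
```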