Which User/Group Should Own a Dataset Used for SMB Home Directory Shares?

Reference Tutorial: Setting Up SMB Home Shares | TrueNAS Documentation Hub

I’m planning to set up a dataset for shared home folders (using SMB) for certain users, but the tutorial isn’t clear on which user/group should own the dataset itself.

I’ve found about 4 different answers to this question on various tutorials that all do something different, so I’m curious what y’all are doing with your actual setups. :slight_smile:

I don’t think it matters at all which user owns the enclosing dataset as long as the target user owns the home directory that’s being shared. So if you have a dataset mounted at /mnt/data/homes, it can be owned by root, but you want /mnt/data/homes/SinisterPisces to be owned by the SinisterPisces user (which it should automatically using samba’s home shares feature).

For general shares, I usually leave the default owner/group settings and use the permissions dialogue to set additional users and groups because SMB shares on TrueNAS use the underlying setfacl command for more complex access control lists.

Thanks. :slight_smile:

On TrueNAS SCALE, the default owner of a dataset is root (group root). Having root own anything but the actual pool unsettles me a bit because I don’t yet fully understand the implicit privilege escalation involved. But from what you said, at least with SMB ACLs that might not be as big a deal?

I was considering creating a Share Admin and letting them and their group own datasets that I otherwise don’t need to set specific owners for.

That’s probably a fine idea. The ramification of root:root owning the dataset mountpoint is that a user can’t easily escape their home folder. So in that example I gave earlier, your user would have full access to your own home directory, but if someone found a way to access TrueNAS via a bug in Samba (for example), they couldn’t get to the outer directory. I’d think you could mimic this effect with a shareadmin:shareadmin ownership, like you implied; just make sure none of the users with home shares are members of the group shareadmin. A common membership to that group could enable one user to browse the home share of another.

1 Like

Thanks! That explains a lot, and makes me feel more confident about what I’m trying to do.

It’d be cool if there was a tool to get a report (text or visual) of what every known SMB user is actually able to see and mount (those aren’t always the same, for an added layer of complication, though I try to keep them the same with ABSE).