> _What do I set my ACL permissions to in truenas scale for my SMB dataset that has ACL mode set to restricted, so that when I create a new file via the SMB share on windows that it maintains the correct owner and group as set in the ACL?_

## 🔑 TrueNAS SCALE SMB ACL Permissions Guide (Restricted Mode) 🔑

**Goal:** Maintain correct owner & group for new files created via SMB from Windows in a Restricted ACL mode dataset.

### 🔎 Understanding the Challenge

Windows & TrueNAS handle ownership differently.  Restricted ACL mode _requires_ specific settings to bridge this gap. Without them, new files default to `nobody` ownership.

### ⚙️ Configuration Steps

**1. SMB Share Settings:** 🖥️

- **Access Based Share Keys:** ✅ _Enabled_ (Highly Recommended for Security)

- **ACL Mode:** 🔒 _Restricted_ (You've already set this!)

- **VFS Objects:** 🧩
  - **fruit:** 👍 _Enabled_

  - **streams:** 👍 _Enabled_ (Important for Windows extended attributes)

  - **xattr:** 👍 _Enabled_ (Crucial for ACL persistence!)

  - **posix:** 👍 _Enabled_ (Necessary for owner/group translation)

**2.  **`**posix**`** VFS Object Settings (Advanced):** 🛠️

Within the `posix` VFS object configuration (accessed by clicking the ⚙️ icon next to it):

- **mapall:** 🚫 _Disabled_ (Let's be precise!)

- **maproot:** 👤 Typically `root`, but consider a dedicated SMB user if preferred.

- **mapto:** 👤 The user/group to map to. This is where the magic happens. See “Mapping Strategy” below.

- **noperm:** 🚫 _Disabled_ (We want permissions to be applied!)

- **prefixes:** 📝 Add a comma separated list of windows users to translate. Example: `domain\user1,domain\user2`

- **suffix:** 📝 Add a suffix to usernames. Example: `@domain.com`

**3. Mapping Strategy: 🗺️**

This is the core of the solution. How you map Windows users to TrueNAS users depends on your setup.

- **Option 1: Direct Mapping (Recommended):** 👯
  - Create TrueNAS users that _exactly_ match Windows usernames (case-sensitive!).

  - Within the `posix` settings, add prefixes to map those Windows users to the TrueNAS users. This ensures a 1:1 translation.

- **Option 2: Group Mapping:** 👥
  - Create a TrueNAS group that corresponds to a Windows user/group.

  - Map the Windows user to this TrueNAS group using `posix`. This simplifies management but might be less granular.

**4. ACL Configuration on the Dataset:** 📂

- **Dataset Properties > Permissions > ACL Mode:** ✅ _Restricted_ (Again, verify!)

- **Dataset Properties > Permissions > ACL Type:** ✅ _POSIX ACL_

- **Set ACLs:** Apply POSIX ACLs to the dataset defining default owner and group. For example:
  - `User:domain\username:Owner`

  - `Group:domain\groupname:Group` (Or a specific TrueNAS group)

  - Apply these to the root of your SMB share _and_ consider applying them recursively if desired.

### ⚠️ Important Considerations:

- **Case Sensitivity:** TrueNAS is case-sensitive. Usernames _must_ match.

- **Windows User Mapping:** Ensure the Windows users have corresponding accounts in TrueNAS (or map them to a group).

- **Testing:** Always test with a small number of users before rolling out changes widely. Create a test file via SMB and verify ownership/group.

- **Restart SMB Service:** After making configuration changes, restart the SMB service in TrueNAS SCALE for them to take effect. 🔄

### ℹ️ Troubleshooting:

- **Files Created as **`**nobody**`**:** Double-check your `posix` configuration and ensure users are correctly mapped.

- **Permissions Issues:** Verify ACLs are correctly applied on the dataset and that the mapped user has appropriate permissions.

- **SMB Logs:** Examine the TrueNAS SCALE SMB logs for errors or warnings. 🔍

Linux

Linux Commands

SMB Shares

AI Explained

Arch

Beat Link Trigger

Changing ACL Permissions in TrueNAS Scale

Common Linux distros

Docker MACVLAN’s

GrandMA 2 & 3

How to Check Disk Size of a Directory On Linux

How to create a daemon service

KDE vs GNOME

Life of Dan

Mounting an External Drive Using fstab

Oh-my-zsh - the Fancy terminal

Professional Entertainment Lighting, Sound and Visual Programs

Resolume Arena 7 and Resolume Wire

TrueNAS Scale (Community Edition)

> _What do I set my ACL permissions to in truenas scale for my SMB dataset that has ACL mode set to restricted, so that when I create a new file via the SMB share on windows that it maintains the correct owner and group as set in the ACL?_

<blockquote>
What do I set my ACL permissions to in truenas scale for my SMB dataset that has ACL mode set to restricted, so that when I create a new file via the SMB share on windows that it maintains the correct owner and group as set in the ACL?
</blockquote>

**Goal:** Maintain correct owner & group for new files created via SMB from Windows in a Restricted ACL mode dataset.

Goal: Maintain correct owner &amp; group for new files created via SMB from Windows in a Restricted ACL mode dataset.

🔑 TrueNAS SCALE SMB ACL Permissions Guide (Restricted Mode) 🔑

Windows & TrueNAS handle ownership differently.  Restricted ACL mode _requires_ specific settings to bridge this gap. Without them, new files default to `nobody` ownership.

Windows &amp; TrueNAS handle ownership differently. Restricted ACL mode requires specific settings to bridge this gap. Without them, new files default to <code>nobody</code> ownership.

**1. SMB Share Settings:** 🖥️

- **Access Based Share Keys:** ✅ _Enabled_ (Highly Recommended for Security)

- **ACL Mode:** 🔒 _Restricted_ (You've already set this!)

- **VFS Objects:** 🧩
  - **fruit:** 👍 _Enabled_

  - **streams:** 👍 _Enabled_ (Important for Windows extended attributes)

  - **xattr:** 👍 _Enabled_ (Crucial for ACL persistence!)

  - **posix:** 👍 _Enabled_ (Necessary for owner/group translation)

**2.  **`**posix**`** VFS Object Settings (Advanced):** 🛠️

Within the `posix` VFS object configuration (accessed by clicking the ⚙️ icon next to it):

- **mapall:** 🚫 _Disabled_ (Let's be precise!)

- **maproot:** 👤 Typically `root`, but consider a dedicated SMB user if preferred.

- **mapto:** 👤 The user/group to map to. This is where the magic happens. See “Mapping Strategy” below.

- **noperm:** 🚫 _Disabled_ (We want permissions to be applied!)

- **prefixes:** 📝 Add a comma separated list of windows users to translate. Example: `domain\user1,domain\user2`

- **suffix:** 📝 Add a suffix to usernames. Example: `@domain.com`

**3. Mapping Strategy: 🗺️**

This is the core of the solution. How you map Windows users to TrueNAS users depends on your setup.

- **Option 1: Direct Mapping (Recommended):** 👯
  - Create TrueNAS users that _exactly_ match Windows usernames (case-sensitive!).

  - Within the `posix` settings, add prefixes to map those Windows users to the TrueNAS users. This ensures a 1:1 translation.

- **Option 2: Group Mapping:** 👥
  - Create a TrueNAS group that corresponds to a Windows user/group.

  - Map the Windows user to this TrueNAS group using `posix`. This simplifies management but might be less granular.

**4. ACL Configuration on the Dataset:** 📂

- **Dataset Properties > Permissions > ACL Mode:** ✅ _Restricted_ (Again, verify!)

- **Dataset Properties > Permissions > ACL Type:** ✅ _POSIX ACL_

- **Set ACLs:** Apply POSIX ACLs to the dataset defining default owner and group. For example:
  - `User:domain\username:Owner`

  - `Group:domain\groupname:Group` (Or a specific TrueNAS group)

  - Apply these to the root of your SMB share _and_ consider applying them recursively if desired.

1. SMB Share Settings: 🖥️
<ul>
<li>
Access Based Share Keys: ✅ Enabled (Highly Recommended for Security)
</li>
<li>
ACL Mode: 🔒 Restricted (You've already set this!)
</li>
<li>
VFS Objects: 🧩
<ul>
<li>
fruit: 👍 Enabled
</li>
<li>
streams: 👍 Enabled (Important for Windows extended attributes)
</li>
<li>
xattr: 👍 Enabled (Crucial for ACL persistence!)
</li>
<li>
posix: 👍 Enabled (Necessary for owner/group translation)
</li>
</ul>
</li>
</ul>
2. <code>posix</code> VFS Object Settings (Advanced): 🛠️
Within the <code>posix</code> VFS object configuration (accessed by clicking the ⚙️ icon next to it):
<ul>
<li>
mapall: 🚫 Disabled (Let's be precise!)
</li>
<li>
maproot: 👤 Typically <code>root</code>, but consider a dedicated SMB user if preferred.
</li>
<li>
mapto: 👤 The user/group to map to. This is where the magic happens. See “Mapping Strategy” below.
</li>
<li>
noperm: 🚫 Disabled (We want permissions to be applied!)
</li>
<li>
prefixes: 📝 Add a comma separated list of windows users to translate. Example: <code>domain\user1,domain\user2</code>
</li>
<li>
suffix: 📝 Add a suffix to usernames. Example: <code>@domain.com</code>
</li>
</ul>
3. Mapping Strategy: 🗺️
This is the core of the solution. How you map Windows users to TrueNAS users depends on your setup.
<ul>
<li>
Option 1: Direct Mapping (Recommended): 👯
<ul>
<li>
Create TrueNAS users that exactly match Windows usernames (case-sensitive!).
</li>
<li>
Within the <code>posix</code> settings, add prefixes to map those Windows users to the TrueNAS users. This ensures a 1:1 translation.
</li>
</ul>
</li>
<li>
Option 2: Group Mapping: 👥
<ul>
<li>
Create a TrueNAS group that corresponds to a Windows user/group.
</li>
<li>
Map the Windows user to this TrueNAS group using <code>posix</code>. This simplifies management but might be less granular.
</li>
</ul>
</li>
</ul>
4. ACL Configuration on the Dataset: 📂
<ul>
<li>
Dataset Properties &gt; Permissions &gt; ACL Mode: ✅ Restricted (Again, verify!)
</li>
<li>
Dataset Properties &gt; Permissions &gt; ACL Type: ✅ POSIX ACL
</li>
<li>
Set ACLs: Apply POSIX ACLs to the dataset defining default owner and group. For example:
<ul>
<li>
<code>User:domain\username:Owner</code>
</li>
<li>
<code>Group:domain\groupname:Group</code> (Or a specific TrueNAS group)
</li>
<li>
Apply these to the root of your SMB share and consider applying them recursively if desired.
</li>
</ul>
</li>
</ul>

- **Case Sensitivity:** TrueNAS is case-sensitive. Usernames _must_ match.

- **Windows User Mapping:** Ensure the Windows users have corresponding accounts in TrueNAS (or map them to a group).

- **Testing:** Always test with a small number of users before rolling out changes widely. Create a test file via SMB and verify ownership/group.

- **Restart SMB Service:** After making configuration changes, restart the SMB service in TrueNAS SCALE for them to take effect. 🔄

<ul>
<li>
Case Sensitivity: TrueNAS is case-sensitive. Usernames must match.
</li>
<li>
Windows User Mapping: Ensure the Windows users have corresponding accounts in TrueNAS (or map them to a group).
</li>
<li>
Testing: Always test with a small number of users before rolling out changes widely. Create a test file via SMB and verify ownership/group.
</li>
<li>
Restart SMB Service: After making configuration changes, restart the SMB service in TrueNAS SCALE for them to take effect. 🔄
</li>
</ul>

- **Files Created as **`**nobody**`**:** Double-check your `posix` configuration and ensure users are correctly mapped.

- **Permissions Issues:** Verify ACLs are correctly applied on the dataset and that the mapped user has appropriate permissions.

- **SMB Logs:** Examine the TrueNAS SCALE SMB logs for errors or warnings. 🔍

<ul>
<li>
Files Created as <code>nobody</code>: Double-check your <code>posix</code> configuration and ensure users are correctly mapped.
</li>
<li>
Permissions Issues: Verify ACLs are correctly applied on the dataset and that the mapped user has appropriate permissions.
</li>
<li>
SMB Logs: Examine the TrueNAS SCALE SMB logs for errors or warnings. 🔍
</li>
</ul>