 Time here for more systems. It is July of 2023 and TrueNAS scale 22.12.3.2 because there's a point release of that.2 is the latest version available right now. And it's the version we're gonna use to do this permissions demo. Well, I'm gonna walk you through the whole setup of the permissions and it's not that much different fundamentally than the way it worked in TrueNAS Core but the menus are a lot different and the apps adding other dimensions. So the things we're gonna be covering in today's tutorial is how to set up users, how to set up a share, how to apply users and or groups to a share, to even another dataset, nested another dataset and then how to apply the apps if you wanna also have an app that has data that goes back and forth from that dataset and getting all the permissions to flow properly. They've done a nice job now where even the apps when you assign them to a dataset will have a specific way it sets the permissions automatically for you, provided you have the checkboxes checked properly and that's one of the things we're gonna cover here. Now I'm not gonna cover how to do it in every single app but I will cover in general how to do it in apps. Each app may have some slight nuances of the way you map the data but in general this should work for most TrueNAS scale apps. Now if you're interested in hiring us for TrueNAS consulting, there's a link down below to my website or just head over to lornsystems.com and click that hires button right at the top and you can get in touch with us and we do offer consulting on TrueNAS, TrueNAS scale and all things storage. Now let's jump over to the tutorial. All right, the first place we're gonna start is in the credentials. We're gonna go here to credentials and we're gonna go to local users. If you are using TrueNAS with Active Directory that is out of scope of this talk this is for local user management only. We already have user Tom created. We're gonna go ahead and create one more user. If you have a menu like this that shows all the users you just simply click this at the top to narrow it down to just the users you may want to see in here. Go ahead and hit add. We're gonna put Marcus. We're gonna set a password. Scroll on down to the bottom and click save. All the other defaults are fine. Now we're also gonna create a group because we're gonna show you how to apply group permissions. So we're gonna add a group called YouTube and once again all the defaults are fine so we'll just click save. Then we're gonna go back over and look at our data sets. Now the first data set we're gonna create is gonna be just a standard share demo. So we'll set it up so we can have data share between these two people, Tom and Marcus. Scroll down the bottom here and the share type is very important. If you choose generic it will use UNIX permissions. If you choose SMB or apps it will use the more advanced ACLs. These can be switched later but if you don't have this correct you will not be able to get this working properly and I've seen a lot of people make that mistakes because it does default to generic. Now we can choose SMB and if we choose to add an app later that we want to point at that data set it will actually fix the permissions for us. We'll do that later in the demo but share type SMB is fine, we're gonna hit save. Now here's our share demo and when we click on it we can see the permissions down here. We can see that owner and group is root and we have the built in users group on there. We can click edit and we see the advanced ACL come up and this is gonna be fine because by default the users you create all are part of the built in users so they'll have permission and we're gonna back over here to data sets because I wanna point out this storage data set here just has your standard UNIX permissions and that means we get this manager right here. If you would like to switch a existing data set to a different format you would actually click on the data set, click on edit go down to the bottom, click on advanced and this is where you'll change the ACL type for the types of ACLs that you want. This is if you've created it and you wanna do it after the fact but we did it upon creation so no problem we've got these set up and now we can do the ACLs which we're gonna use the default ones and simply create a share. So if we create the share we're gonna go over here to shares. We wanna add a window share, click on our share demo default share parameters are fine, hit save. It'll warn you that you're going to restart the SMB service that's perfectly fine well is for me at least make sure you don't have anything writing actively to it for that momentary restart while it adds a new share to the list. We're gonna go to that server we're gonna log in as Tom there's our share demo and yes we can read and write to it exactly as we had hoped. So there's a test directory let's go ahead and create another one test two. Now the next thing I wanna do is show you how you can create a nested data set that has different permissions than the parent one and for that we're gonna go back over to the data sets we're gonna click on our share demo and we want to add another nested one under there by clicking add data set and we'll call this one YouTube because we're going to give it the same name as the group you don't have to I just think that's gonna be something that makes sense to me but you can actually have a series of these all different permissions. Now make sure when you're setting this once again we choose SMB even though it's nested and we wanna click save and it's actually gonna prompt us then to go right to the ACL manager because it's a nested one. So head over to the ACL manager. Now it's important to note that all of your ACLs are applied to data sets those folders we created or directories in the Linux world test and test one those are not going to be able to have permissions set to them individually you can set them though on a data set and we'll show you once we have these set and we're gonna head and strip all the ACLs cause I don't want any of the ones that are currently on there. Then we go back to the ACL here we're gonna hit edit. I'm not sure why it does this but it'll click on that and you can go right back to the normal ACL manager we're gonna create a custom ACL there's none applied it just leaves some default ones in there we wanna make sure we have the word YouTube here and this could match any one of these users such as built-in users but YouTube is fine we're gonna apply that group cause that's the group we created if you start typing it will auto complete that. So there's our YouTube group we wanna add an item and then from here we are choosing group at it may be a little bit confusing but it's the group you have here will apply to this here so now you can see group at YouTube allow modify we're actually gonna switch to full control we just want this group and therefore any members in it to have this permission and we want to apply these permissions recursively so anything that may be in there or existing there shouldn't be anything in there but I do this out of habit will inherit all this permission so even though you're setting them on the data set the different objects nested within that data set the different files and directories we'll have these permissions applied to them and this is where you're gonna set those so we've created this particular data set now we're applying this permission to it and we wanna go ahead and save the access control list now you could apply permissions to child data sets if there were more nested data sets you can keep nesting each one of these data sets all the way down but we're just gonna hit save here and then I always double check it so we click on this and what do we see here group YouTube allow special perfect we can double check and edit exactly what I wanted to see this is the group and let's go over and double check our group here under credentials local groups YouTube members gotta add a member to this we wanna make sure we add that member Tom so we'll scroll down here and we'll hit save now what this allows me to do is when Tom logs in he's able to get to the YouTube folder which also has the YouTube permissions added to it so if we go back over to our shares one last thing I wanna make sure is noted because we made changes we want to turn off the service and turn it back on now if you build all your data sets and all your groups before you built or share because it does restart when you do this it will automatically reread the permissions but when you change users and members of groups Samba rereads that on restart so stopping and starting the Samba service will cause it to reload and grab all the group information and apply the permissions that's a good troubleshooting tip that sometimes people just reboot the entire server because they get aggravated you can simply just restart the Samba service and that should solve that problem now let's go back over to our system and make sure we have read write access to it so there's our test test two and yes we do but let's go ahead and log in as Marcus now and see if Marcus has permission because well the permissions weren't applied so if we did this properly when we log in as another user he should not be able to read write to this now my reason for restarting the system is because windows will hold on to the last user that was logged in it will sometimes get stuck there's probably an easier way of doing it but restarting is fast that's my solution Marcus has credentials Marcus can see the test and test two but if we go here does not have permissions now if we wanted to give Marcus permission to theirs to this particular directory we go to the credentials local groups and we can go to YouTube members and we would go through and just add Marcus or alternatively this is another way of doing it we can click on Marcus we can edit we can look at the groups built in and we'll scroll all the way down here and check the YouTube so now we can see that auxiliary groups is built in users in YouTube scroll down hit save and see if he has permission still get the error as I noted the way to fix that is of course we've made a modification we would need to restart the service you can go to system you can go to services and we can restart Samba here simply by stopping it and starting it or you can do it from the share it does the same thing no matter which way you do this the goal is to get Samba to restart to reload all those change permissions and now Marcus has permission to go in here we can actually delete this that we created and it works now let's talk about doing application permissions the apps user and apps group is what needs to be assigned to a data set in order to get applications to read or write to a data set now we're going to go here and one other thing that's important is under advanced settings that you have enable host path safety checks disabled if this and by default it is enabled is enabled you're going to get this warning that you don't want to do that we can cancel cancel because I'm not saving any of this because it was already disabled but without that you will not get it working properly you'll have some errors you run into so once you disable the host path safety checks this is going to allow the SMB and the apps to be able to read and write to that at the same time in that data set and we're going to use the file manager as a demo here so install the file browser scroll down relieve most of these things at default except for this my data and we'll call it share demo because that's what we're going to share share demo just have the name consistency here and we'll choose our share demo now when we do this and we hit save we're going to notice a change so we hit save here creating chart release data sets it's going to go ahead and build this out so we're going to skip ahead to its built alright our file browser is active let's go ahead to the web portal we're going to hit continue do not use this admin admins to default I'm not going to change it not for this demo share demo test test to and YouTube so we go test to test YouTube see we can put some data in here alright I've uploaded some data so now we have these and we can upload one more piece of data here all right so we have a few pictures we loaded and if we go over here we can see Marcus can see the fail cat that we uploaded from there and let's go ahead and just duplicate it so alright now we got two fail cats in here the code of armor demo thumbnail I have let's go ahead and switch back over to the file manager we refresh it we see the duplicated fail cat so now both of these have permission let's talk about how that works and if we look over here at the data set we go to the share demo we go to the share demo and we look at the permissions they've been changed the owner and group is now apps we still have group built-in users this is what gives Marcus and Tom permissions for this built-in administrators but the owner being switched to apps is what allow the app to talk to it and when it's set that up go back over here to data sets we look at the YouTube one it also changed the nested permissions and has apps on there as well with the full control but it did remove our YouTube apparently so I'm going to go ahead and add that one back and we can do that by looking at item and to fix these permissions what I did was we set the group at YouTube and then you just set the group and then you set it here so you can have two separate groups both having full control we're going to apply these permissions recursively to fix the objects that are in there save access control list edit it one more time to make sure that they are correct so now we have group at YouTube which is the primary and then a secondary group of just apps on there that should allow both permissions to work and we want to make sure we restart our Samba service to make sure all of these permissions are copied over properly go back into our share demo YouTube let's just duplicate all these again refresh our file manager make sure it has access to these and it does we can go ahead and upload another file and see that we have permissions there's that backup file that we created now one thing I want to point out is that yes that menu where you set the permissions can be a little bit fiddly and sometimes just stripping the ACLs and starting over is one of your best troubleshooting tips because that and restarting Samba and sometimes restarting Windows when it holds on to a credential like if you've changed your password are all tips that really save you a lot of time when you probably have it right but one of these other factors such as not reloading the credentials through Samba are causing a problem also anytime I set the permissions it's just muscle memory habit after I set them I click edit and make sure they're set properly because of that fiddly menu problem of yeah sometimes it seems to have not saved one of the extras that you've done so when you do the group at for a primary and then do a subgroup just double check those after you hit save to make sure they're applied the way you think they are the system does have the ability and I haven't tested this a whole lot because I just don't use it very often is the ability to save a preset so if you were going to apply this a lot of times to many different data sets then maybe you'd want to do it as a preset now all of this goes out the door if you hand over the permissions management to active directory because you're just setting the data set and letting active directory take it from there that video is either done or will be done in the future and linked down below depending on when you're watching this video but I do want to make an updated version of it so as of the making of this video it doesn't exist but in the future it would probably be in my cheer and ask video links leave your thoughts and comments down below like and subscribe if you'd like to see more videos like this one always love hearing from you so head over to my forums over at forums.lauronsystems.com to engage with a more in-depth discussion and this is something I really recommend reading through and spending some time in the IX systems TrueNAS forums as well because there's a lot of great information in there the documentation as of the making this video is still kind of light for TrueNAS scale they're still working on that actively so I don't have any documentation links but if that does become available that's also something I'll leave linked down below or maybe make an updated video that has the official documentation because as of today it's a little light if you're wondering how to read more a lot of this is just knowledge from the forums and my years of use of using TrueNAS alright and thanks