Tom here from Lawrence Systems, and we're going to do a video today on how to set up permissions in TrueNAS Core. Specifically, I'm going to be using TrueNAS Core 13 release candidate one, because it's almost out, or maybe by the time you're watching this video it is out now. This is pretty much the same as how you would do it in TrueNAS Core 12, the current release as of April 2022, but there's really not any differences in the products overall when it comes to the permissions.

The goal is going to be, though, to teach you how to create a dataset, then apply permissions to that dataset based on the user you want to be the primary user, adding that primary user to a group, setting group permissions, and adding another user so two different people can share. You can keep adding more users and progress from there. This is to set you up with the base of understanding of how to do that.

Everything is time indexed down below so you can jump around to the part that maybe you were stuck on in this process. But please note, if you do things out of order you may have unexpected results. So if you choose to skip parts of this video, make sure you've done those parts prior to skipping them. This is some of the problems people run into when I see forum posts, or people contact us for consulting, about permissions in TrueNAS Core, as they didn't do all of the steps or do them in the right order, because, well, these are important steps to get in the right order. Simple as that.

Now, before we dive into the details of this video, let's first... Are you an individual or company looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly?
Not only would we love to help consult on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us, but you're looking for other ways you want to support this channel, there's affiliate links down below to get you deals and discounts on products and services we talk about on this channel. And now back to our content.

Now the first thing we want to do is make sure we have our users. So we're going to go over to Users, and we have Marcus and we have Tom. At least one user needs to be created, and maybe that's as far as you need: it's just one user for permissions. But we're going to build this on the idea that we have Tom and we have Marcus, and we want to put them into the editors group so both of these users will have read/write permission in this particular share that we're going to create.

So we look at the groups now. Easy enough to add a group and create one: group ID, create the name here. And we're going to cancel because we already have one done, and it's this one here. Expand out here, click Members. Put the people you want in this group that we're going to be assigning to this share in here for the group members. So we have the Tom and Marcus group member. If you add more users you would just bring them over here. By the way, root will not work properly. So don't ever use root as part of this, even though this is where a lot of people get stuck, thinking you can put root in there because you'll find a forum post that references it.
Yes, in the old versions of TrueNAS that was an option. That looks like an option because you can do it, but it won't work properly, and it's often where people get themselves stuck.

Next we want to actually create the spot for the share. So we go to Storage, then Pools, and we click the three dots on the pool, we add a dataset. It is best to create a dataset for each different type of sharing and permissions you want. The reason for this is the share-level permission data is stored within the dataset. So if you had a completely different set of parameters that you wanted for another share, creating another dataset for that share would be ideal. Although you can nest datasets together, and we'll kind of mention that here when I get to the permissions, because there's an option that you can check to set all of them in groups instead of all of them individually, but they can be nested together.

Now we're going to call this one YouTube demo. Now, I use an underscore because I just don't like spaces in there; it helps when you're navigating from the command line. But also important: don't put a space or any special characters after that may get in there. I have had some head-scratching moments doing consulting when I couldn't see the space because of the way it's displayed, and realized someone had just added an extra space or special character from copying and pasting afterwards, and Samba may not parse it properly, therefore your permissions will have some weird results. So take the time to type that in, because it is parsed. It is something you want to make sure you get right, and not anything extra. The comments, you can do whatever you want, so we can call this YouTube permissions, and whatever you want for spaces and such, and I guess we'll capitalize the T because I think that's how it's supposed to look. Going down, nothing else we really have to do here. Choosing SMB because this is the share type.
We're gonna have... we're gonna go ahead and hit Submit. So now we've created that. Next thing we want to do is the permissions themselves. Go back, click three dots, Edit Permissions. It will default to having root here, because when you create new datasets root is the default owner. We're gonna change that to Tom; as you start typing it will autocomplete. Check the Apply User box. Then we'll put editors; start typing, it'll autocomplete. Check the Apply Group box. So now we've applied user, applied group. We'll select an ACL preset of Restricted. There's different options you can do here, but these presets will control the parameters on the side here. If you want to get more advanced, and it's out of scope of this video, yes, you can get granular with the ACL items and do more extended and more enhanced features from there.

Scrolling down, Apply permissions recursively will apply these permissions to any data that may be in there. Now the next thing you have is the Apply permissions to child datasets. You can nest datasets together, and the reason you may want to do that is because you want different parameters, different settings per dataset, not just folders when you're creating a share and everything down there. So you may want to have a series of nested datasets, so you could set maybe a snapshot policy differently for a subfolder versus the main folder; that would have to make it as a dataset. They present all those folders inside of the share, but this apply child dataset is so the permissions you set here can apply downward. Or maybe you want to create a series of datasets where you have different permissions; then you wouldn't check that.

Last thing I want to mention is the Strip ACLs. If you have gotten yourself into a mess and you've done this a few times but you keep trying to reapply them, stripping all the ACLs means strip all of the access control lists off of anything that is within here so you can start over. This does not affect the data, only the permissions on the data, if there's
existing data in there. So that's sometimes a good way to start over and go back and fix permissions. Now we're going to hit Save, and now we've created the YouTube demo dataset.

But before we do the share, I want snapshots on this particular dataset. So we're going to go over here to Tasks and set up a snapshot task: Periodic Snapshot Tasks, Add. Choose the dataset; we're going to choose the YouTube demo one. Snapshot lifetime of two weeks, and we'll say two hours. You can... the help button here, it'll tell you some different parameters: weeks, months. There's different parameters of maybe how long you want to keep the snapshots for, how often you want them to run. We're going to do custom, because we want them to run every minute in every hour. This is more than most people want them to run, but you can see they're going to be running once a minute here.

Now, snapshots are only as big as the differential of the data between snapshots, so there's not much data being taken up by the snapshot itself. So if there's a hundred gigs of data and at each minute I add only one gig of data, the referenced snapshot grows by one gig, not a hundred and one gigs. This is important. Remember, this is what allows you to have a lot of snapshots without them taking up a lot of space.

The other advantage of snapshots is Samba will present them inside of Windows as a volume shadow copy, an immutable volume shadow copy. So people in Windows will be able to restore their previous versions, but they will have no access to delete them, because only the admin on TrueNAS itself through the web UI here can actually manipulate the snapshots, or if you SSH in from the command line. Allow taking of empty snapshots
I'm going to uncheck, because I only want the snapshots to occur if it finds there's new data. If there's no new data, the snapshot doesn't need to take place. Now this isn't really about space saving. This is about making it more concise, because if you had all the empty snapshots and people are looking for the last time something was changed when they're trying to restore a volume shadow copy, they would see all the list of them and they have to know what time to look. With not taking any empty snapshots, the snapshots look: if there's no difference in changes in data, the snapshot just doesn't happen. So you end up with a list based on when the data was changed. So we're gonna go ahead and hit Submit, and so now this is set to pending, and within one minute it will go ahead and start creating snapshots even though there's no data been put in here yet.

All right, now I waited till there's at least one snapshot in here, because this can sometimes be a problem when you're creating a share if there are no snapshots. We're gonna go over here to Windows shares and we're gonna add the share, and we're just gonna expand out the advanced options. By default the Enable Shadow Copies is checked. But if this share's created and it sees no snapshots until Samba's restarted at least once, if it's never seen a snapshot there and there were zero snapshots, this service doesn't always run. It goes, "Oh, I don't see any on there." But once it realizes there's one, it starts working again. This is kind of a quirk you can run into, where you create a dataset with no snapshots, you set all this up and do have the shadow copy enabled, then you later add the snapshots. The snapshots are happening and the data is being snapshotted, but they may not be presenting in volume shadow copy. Simply start and stop the Samba service without changing the share parameters at all and it will work now.
We're gonna go ahead and expand this out to create the share itself. Mount, choose the YouTube demo. ACL, and "ACL is present in this path" is what it tells you. The reason it's saying that is to let you know that that's how it's going to base its permissions. So any of these that have the ACL, Samba reads the ACL of that. That's what controls the users. It's not anything in here that sets the users who can or cannot access. It's reading the ACLs to generate that list to control who can or cannot access this data. Please note we didn't need to expand the advanced. We're still using the default share parameters, and we expanded it to show this. So there's no other boxes we're gonna check. There are plenty more advanced things you can do, such as denying and allowing and building restrictions, but for simplicity we're just gonna hit Submit.

Now we're gonna go to Windows and mount the share. So here we're gonna double-click the shortcut and we're gonna go ahead and log in. Now it will use your default Windows credentials that you have set up. I purposely don't have them set up in this one so I can log in as different users. So we're gonna hit OK. The YouTube demo is the share, and there it is, and we're gonna go ahead and copy some data into it. Let it copy over, and there it is. Now, right now I did this as the user Tom. So we're actually going to log out of Windows and log back in so we can log in as user Marcus to show that Marcus will have now permissions for this. So we're gonna go ahead and close this, restart this particular computer; that way we don't have any stale connections from there. Windows occasionally will hold on to permissions that it's seen set instead of actually logging out properly. There's ways you can get around it. Restarting it is a guaranteed way to make sure that those permissions are unset. Go back into TrueNAS, choose Marcus, go back into the YouTube demo, and there's all that data.
We just copied over, and we can even do things such as go to Properties, Security. It'll take a second, and we can see that it is owned by FreeNAS Tom. The editors group has the permissions on there as well, which Marcus is a member of the editors group. This is what allows Marcus to be able to go into these particular folders. Pretty simple. So now Marcus is going to delete all the data out of there. So now that's gone. Yeah, we'll just leave that one there. We'll leave the presentation. Maybe we'll delete this folder too. All right, Marcus has now deleted some of the data.

Now we're gonna go ahead and show you how to restore that data that Marcus deleted. And that's actually just like you would in any other Windows where it's connected to its own server, like a Windows server where you have the volume shadow copies enabled. And we're gonna go ahead and hit Restore previous versions, and because there was data changed at these points right here, we can then open up to this, copy the data if we want, be able to see it here, or just go ahead and restore it. I can actually copy it over there. Now, when it's doing the volume shadow copies, as I said, they're immutable to the users because they're actually not volume shadow copies, they're snapshots presented as volume shadow copies, which means I can try to delete these all I want. I'm hitting delete, I can right-click and do a delete, but it just will not delete these particular files here. So it's pretty straightforward. Actually, we can just hit Restore, so those files will go back. Hit Restore. It's been restored to its previous version, and there's all those files. Really straightforward how to get this going and get it working.

Now the next thing I'm gonna mention: Marcus is not a member of video production, because this is a separate share that I already have set up. You notice that there is no ability for Marcus to access video production, for example, but he can access YouTube demo. Let's do one more thing here. We're gonna go over to Groups.
We're gonna go back to the editors group here. Look at the members. We're gonna take Marcus out of that group and hit Save. So now the permissions are lost. He should no longer have access to this. But this is where things get a little confusing with Windows, because we removed him from the group but he still has those permissions that were hanging on. So we've applied it, but there's still an authentication permission that hasn't been removed. But if we restart this computer and log back in, now Marcus cannot get in here anymore, because we've lost that token and we can't reinitiate a new token.

The opposite is true. So right now Marcus cannot get in, but we're gonna go back over to TrueNAS, go back to our editors group, Members, hit Save. Marcus now has permissions to log in, but we go back over to Windows, and Windows still continually will say you don't have permissions. So it does work where once you remove it, until they've lost their token and logged in and out, they still have permissions because they had it originally. But the opposite is now true of we've added their permission back, but once Windows has decided there's no permissions in here, it's going to keep doing this. The solution to this is going to be simply... and we'll just do a sign out and back in, which should work, and now Marcus is able to get back into it. This part sometimes is where people get stuck on this, because it is a little bit confusing and certainly a little aggravating that when you change some of the permissions, if you don't log in and out, the communication doesn't seem to be there that allows the system to say, "Oh, okay, you have done a change on the back end, so we should just allow it in there."
I'm not versed enough, so to speak, in some of the more command line ways you could do this in Windows. I know someone's gonna say, "You don't have to log out, Tom. You could just go from the command line and clear out the token that was on there for authentication." This works a little bit different if you actually have a Windows Active Directory server connected on the back end and you're using the sharing on Windows. But I wanted to clarify this is how it works when you're tying it to a Samba server, so people understand that, "Oh, I added the users and I changed the permissions, but I still can't get in": try logging in and out or restarting the Windows computer you're connecting with. So hopefully that helps when you're doing some of the troubleshooting, and... Thanks. More discussion in the forums, and let me know what comments, concerns you have about this video. Appreciate it.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching and look forward to hearing from you.