Confused about File Permissions: Can't access/read/write in some directories

  • Hi everyone,


    I'm very confused about file permissions on my NAS. I have set up a Pi4 as a NAS with RaspiOS lite running OMV and nextcloud via docker. I copied data from an old NAS. I configured four users in OMV:

    - Matt and Kris (for me and my wife)

    - appuser (used by docker containers)

    - Nextcloud (which was intended solely for Nextcloud but isn't used).


    All users are in the users group.


    There are two directories Matt/ and Kris/ and in OMV I granted Read/Write access only to the corresponding user as well as to appuser so I can access those directories via nextcloud. I also made both directories available via SMB and access with my user (Matt) works fine.


    Now this is where my confusion begins: my wife's user (Kris) can't access her directory via SMB, but if I give Read/Write access to user Matt, I can access my wife's directory.

    I checked the permissions and found ACL attributes on Kris/ which I removed and I also changed them so they are equal to Matt/:

    Code
    ls -ld Kris/
    drwxrwsr-x 7 root users 4096 Jan 13 13:13 Kris/
    ls -ld Matt/
    drwxrwsr-x 5 root users 4096 Jan 13 13:11 Matt/


    My confusion carries on: when I create a directory with nextcloud, I can't write in those directories via SMB, even if I change the owner from appuser to Matt or Kris.


    I would be very happy if anyone could help me out and point me in the right direction. :/

  • chente

    Approved the thread.
    • Official Post

    Nextcloud takes ownership of all Nextcloud data. The Nextcloud data folder is from the user www-data if I remember correctly, therefore you cannot access that data through samba with another user, every time Nextcloud accesses it it will break the permissions that you have configured.

    The best option to combine shared folders with samba and multiple users and use Nextcloud at the same time is to use External Storage in Nextcloud. https://docs.nextcloud.com/ser…ge_configuration_gui.html

    • Official Post

    By the way, if you have just installed OMV and you are on version 6 you should update to version 7. Version 6 has been obsolete for a long time.

  • Thanks for your help!

    I actually have the drives mounted in nextcloud as external storage.

    The system runs on an SSD and the storage drives are two HDDs in RAID mode.


    My old setup consisted of a Buffalo NAS hooked to my Raspi4 running Libreelec with Nextcloud as a docker container. That worked flawlessly.


    Regarding OMV 7: I will have a look, thanks for pointing it out. I'm still in Bullseye and quite unsure on how to upgrade.

    • Official Post

    To upgrade to OMV7 RE: Is there a guide to in place upgrade?


    Regarding permissions, if you are already using external storage on Nextcloud maybe this will help. https://wiki.omv-extras.org/do…omv7:nas_permissions_omv7

  • Sorry it took me so long to come back to this issue :(


    I read the article about NAS permission and couldn't find anything I did wrong. I also did a bit more testing and oddly found that I can't get any other user to access the SMB share for my wife (Kris/), only my user account is affected by changing permissions in the OMV GUI.... I looked into how I set up the users but I can't seem to find apparent differences...


    It's bed time for me now so I will continue tomorrow. Any help would be greatly appreciated :)

    • Official Post

    I read the article about NAS permission and couldn't find anything I did wrong. I also did a bit more testing and oddly found that I can't get any other user to access the SMB share for my wife (Kris/), only my user account is affected by changing permissions in the OMV GUI.... I looked into how I set up the users but I can't seem to find apparent differences...

    What user do you use in Nextcloud to mount shared folders? Make sure that user's permissions are appropriate.

  • What are you looking for? Fully open shares or restricted shares?

    I want to have restricted shares. My use case is a home server which my family may use to back up important files and store media (videos, photos etc.). I set up nextcloud in docker to have access from "outside" via internet.
    There are a couple of shares whose permissions I want to manage in order to choose who has access to them e.g. some are open to guests (read/execute), some are only available for family (read/write/execute) and some are only available to me and my wife.


    What user do you use in Nextcloud to mount shared folders? Make sure that user's permissions are appropriate.

    The user the docker containers use is called appuser. He has the same permissions as the users for me and my wife, same group (users) and additionally is in the docker group. In nextcloud, I set up external folders using the admin account (called nxtadmn). This account is only defined in nextcloud, not in OMV.


    Today I tried to set up a whole new shared folder and SMB share which isn't included in nextcloud. I gave permissions to both my wife's user and mine, but only my user can access that share. I also created a new user (testdelete) and gave permissions to access the new share. The new user wasn't allowed to open the share either.



    BTW: Thanks for pointing me to the upgrade guide. I did that in January and it went quite smoothly :)

  • Since you say you found ACL's and removed them, and since ACL's can cause all kinds of grief if the implementation is not perfect, I have to ask how did you remove them?


    The easiest solution to this would be to use the reset permissions plugin. This will default the permissions and ownership, and has a check box to clear ACL's also. This may get things back to a default state where they will work as intended. If you simply tried to turn off the ACL's they are likely not completely removed.


    As for SAMBA access, depending on what you are doing exactly, you can also look at forcing a particular user and permissions on a share with something like this in the advanced options of the share (edit the options as required for your setup). This example will force all files and directories to be made/modified as the specified user and group with full RWX access. I use this type of setup to allow me to use my user to samba connect to my nextcloud files that are owned by the www-data user. Any manipulations to the files then keep the nextcloud owner and permissions, instead of trying to use my user as the owner, so that they don't break nextcloud's ability to use the files.


    Code
    create mask = 6777
    directory mask = 6777
    force create mode = 6777
    force directory mode = 6777
    force user = www-data
    force group = www-data


    If you want to figure out the octal permissions, you can use this calculator:

    Chmod 6777
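
Added example (not part of the thread, and not code from OMV or Samba): Samba applies `create mask` / `directory mask` as a bitwise AND on the mode derived from the client request and then ORs in `force create mode` / `force directory mode`, so the posted values give every new file and directory mode 6777. The sketch below computes that result for the posted options and for a tighter set; the tighter values (0660/2770) and the requested modes 0744/0755 are assumptions chosen for illustration.

```python
import stat

# Mode options exactly as posted in the thread above.
POSTED = """
create mask = 6777
directory mask = 6777
force create mode = 6777
force directory mode = 6777
"""

# Assumed tighter values for comparison (constructed, not from the thread).
TIGHTER = """
create mask = 0660
directory mask = 2770
force create mode = 0660
force directory mode = 2770
"""

def parse_modes(text):
    """Parse 'key = octal' lines into {key: int}."""
    modes = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            modes[key.strip().lower()] = int(value.strip(), 8)
    return modes

def effective_mode(requested, mask, force):
    """AND the requested mode with the mask, then OR in the force mode."""
    return (requested & mask) | force

def ls_string(mode, is_dir=False):
    """Render a mode as ls -l shows it, e.g. directory 2775 -> drwxrwsr-x."""
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)

def audit(text, requested_file=0o744, requested_dir=0o755):
    """Return {kind: (ls-style mode, [risky bits])} for new files and dirs.
    The requested_* defaults are constructed sample values."""
    m = parse_modes(text)
    cases = (("file", requested_file, "create mask", "force create mode", False),
             ("dir", requested_dir, "directory mask", "force directory mode", True))
    result = {}
    for kind, req, mask_key, force_key, is_dir in cases:
        mode = effective_mode(req, m[mask_key], m[force_key])
        risky = [name for bit, name in ((stat.S_ISUID, "setuid"),
                                         (stat.S_IWOTH, "world-writable"))
                 if mode & bit]
        result[kind] = (ls_string(mode, is_dir), risky)
    return result

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("tighter", TIGHTER)):
        print(label, audit(cfg))
```
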

    • Official Post

    In nextcloud, I set up external folders using the admin account (called nxtadmn). This account is only defined in nextcloud, not in OMV.

    Instead, use an OMV user with access to the shared folders via Samba to mount the folders to Nextcloud. Once that's done, grant permission to the Nextcloud users you want.

  • Hi!

    I think I figured it out: Windows just isn't able to connect to a Samba share while a certain user's credentials are saved as connection data for a network device. I hope I'm using the correct terms. So:

    I saved my user's (matt) credentials in Windows so I'm always able to access my user's SMB share (called matt as well). If I wanted to access my wife's share, Windows asked for credentials (because my user wasn't allowed to enter) so I entered my wife's credentials. Still, Windows showed an error message telling me I wasn't allowed to access the share (even though I'm 100 % sure I entered the right credentials). After deleting my user's credentials from Windows, I'm able to access my wife's share. BUT if I save my wife's credentials, I can't access my share anymore ....


    Is this really correct behavior (and Windows is to blame) or is it an indication for something being wrong in my server's configuration?


    Thanks for the input. I installed the reset permissions plugin and it showed that all the permissions are correct. But it's so handy to have a quick overview. That permissions calculator is a very nice tool, too. Saved it to my bookmarks :)


    Instead, use an OMV user with access to the shared folders via Samba to mount the folders to Nextcloud. Once that's done, grant permission to the Nextcloud users you want.

    Maybe I explained my setup badly? To explain the whole route I took: I mounted all the shared folders as volumes to the nextcloud container in the compose file. That way nextcloud may access those folders. I then set up those folders using the nextcloud admin for the other users so they can access them. Is that a bad practice? So, if I understand you correctly, I set up the docker user (called appuser) to access my shared folders, then set up external folders inside nextcloud to connect via samba, not as local folders?

    • Official Post

    Is this really correct behavior (and Windows is to blame) or is it an indication for something being wrong in my server's configuration?

    I'd say that's the expected behavior in Windows. I once had similar problems with Windows. Since then, I try not to mix different access permissions in the same user session to avoid those problems.

    Maybe I explained my setup badly? To explain the whole route I took: I mounted all the shared folders as volumes to the nextcloud container in the compose file. That way nextcloud may access those folders. I then set up those folders using the nextcloud admin for the other users so they can access them. Is that a bad practice? So, if I understand you correctly, I set up the docker user (called appuser) to access my shared folders, then set up external folders inside nextcloud to connect via samba, not as local folders?

    Okay, I probably misunderstood your previous explanation. You can actually do it both ways; either one works. Use the one you like best.

  • I'd say that's the expected behavior in Windows. I once had similar problems with Windows. Since then, I try not to mix different access permissions in the same user session to avoid those problems.

    Aw man so it's really time to switch to Linux. I plan on just accessing those shares that are intended for my user. I was just testing my setup when I wanted to access my wife's share.


    I'm sorry I wasted your time there, guys. I definitely learned something so I hope it wasn't too much of a waste there. Thanks for helping me out everyone!


    Okay, I probably misunderstood your previous explanation. You can actually do it both ways; either one works. Use the one you like best.

    That's good to know! I probably will look into changing the external storage to be mounted via samba which would be much more consistent in the way I set up my containers with their own IP addresses inside my network. And that way my setup would be much more flexible instead of having to change the compose file to add or remove external storages to nextcloud. So, thanks too for sparking that idea :)


    Now, where do I mark this thread as solved ...?

  • Motte

    Added the Label resolved
