AD DC option to use acl_tdb rather than acl_xattr?

Andrew Walker awalker at ixsystems.com
Sat Jun 4 02:14:31 UTC 2022


For what it's worth, if ZFS is an option for your container host, once the
VFS plumbing is in, you can use our ZFS patches to ZoL to add support for
native ZFS (NFSv4-style) ACLs. I've tested this in containers before
and ZFS ACLs work as expected. The primary gotcha is that there is unmerged
work in upstream ZFS to add overlayfs support.

My PR to add it to OpenZFS is here:
https://github.com/openzfs/zfs/pull/13186

You can use the samba VFS module and parameters listed in the PR or you can
grab my samba work from here:
https://github.com/truenas/samba/pull/111/files

If you grab the lib/zfsacl and lib/sunacl code and related wscript
changes from that PR you can make vfs_zfsacl work on Linux. lib/zfsacl also
provides python bindings for interacting with the native ZFS ACLs.

A CLI management tool is here:
https://github.com/truenas/nfs4xdr-acl-tools/

These things combined provide "rich" ACLs that will work in containers
without having to rely on exposing the security namespace, storing in user
xattrs, or writing to tdb files. If anyone is interested in taking this for
a spin, feel free to email me about it and I can give more detailed
instructions.

Some things are still WIP. Today I finished writing samba support for ZFS
DOS attributes, but this is somewhat irrelevant to the case of just providing
ACL support.

- other Andrew

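As an added illustration of the "rich" NFSv4-style ACL model the post is pointing at (this is not code from the post, from Samba, from OpenZFS or from the linked PRs), the block below parses ACEs in the textual form used by nfs4_setfacl(1) and nfs4xdr-acl-tools (`type:flags:principal:permissions`) and evaluates an access request against them with the usual NFSv4 first-match semantics: ACEs are scanned in order, each requested permission bit is decided by the first matching ACE that mentions it, a deny on any requested bit refuses the request, and bits nobody decided are refused too. The sample ACL and subjects are constructed; the ordered deny-before-allow entry is what a POSIX mode or POSIX ACL cannot express and is the kind of thing that otherwise has to be stashed in the security xattr namespace or a tdb.

```python
"""NFSv4-style ACL evaluation in nfs4_setfacl textual form.

Added example only: not Samba, OpenZFS or PR code. Assumes first-match
ACE semantics (RFC 7530 style) and the nfs4_setfacl letter set.
"""
from dataclasses import dataclass

# Permission letters as printed by nfs4_getfacl / nfs4xdr_getfacl.
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "a": "append_data", "x": "execute",
    "d": "delete", "D": "delete_child", "t": "read_attributes",
    "T": "write_attributes", "n": "read_named_attrs", "N": "write_named_attrs",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "y": "synchronize",
}


@dataclass(frozen=True)
class Ace:
    kind: str         # "A" allow, "D" deny ("U" audit / "L" alarm never decide access)
    flags: frozenset  # f d n i inheritance flags, g = principal is a group
    who: str          # OWNER@, GROUP@, EVERYONE@, or a user/group name
    perms: frozenset  # permission letters from PERM_NAMES


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset


def parse_ace(text):
    kind, flags, who, perms = text.split(":")
    if len(kind) != 1 or kind not in "ADUL":
        raise ValueError(f"bad ACE type in {text!r}")
    unknown = set(perms) - set(PERM_NAMES)
    if unknown:
        raise ValueError(f"unknown permission letters {sorted(unknown)} in {text!r}")
    return Ace(kind, frozenset(flags), who, frozenset(perms))


def parse_acl(lines):
    """One ACE per line, blank lines and '#' comments ignored; order is preserved."""
    return [parse_ace(l.strip()) for l in lines if l.strip() and not l.lstrip().startswith("#")]


def ace_matches(ace, subject, owner, group):
    if ace.who == "EVERYONE@":
        return True
    if ace.who == "OWNER@":
        return subject.user == owner
    if ace.who == "GROUP@":
        return group in subject.groups
    if "g" in ace.flags:            # named group
        return ace.who in subject.groups
    return ace.who == subject.user  # named user


def check_access(acl, subject, owner, group, requested):
    """True only if every requested bit is allowed before any deny hits it."""
    pending = set(requested)
    for ace in acl:
        # Audit/alarm entries and inherit-only entries never apply to the object itself.
        if ace.kind not in ("A", "D") or "i" in ace.flags:
            continue
        if not ace_matches(ace, subject, owner, group):
            continue
        hit = pending & ace.perms
        if not hit:
            continue
        if ace.kind == "D":
            return False          # first matching ACE on a bit wins; deny refuses the whole request
        pending -= hit
        if not pending:
            return True
    return False                  # bits no ACE decided are refused


# Constructed sample: alice owns the file, group is "staff"; alice is explicitly
# denied write even though she is OWNER@, because the deny ACE is ordered first.
SAMPLE_ACL = parse_acl("""
# explicit deny must precede the owner allow to take effect
D::alice:w
A::OWNER@:rwaxtTnNcCy
A:g:staff:rxtncy
A::EVERYONE@:rtncy
""".splitlines())

OWNER, GROUP = "alice", "staff"


def demo():
    alice = Subject("alice", frozenset({"staff"}))
    bob = Subject("bob", frozenset({"staff"}))
    carol = Subject("carol", frozenset())
    return {
        "alice_write": check_access(SAMPLE_ACL, alice, OWNER, GROUP, "w"),
        "alice_read_exec": check_access(SAMPLE_ACL, alice, OWNER, GROUP, "rx"),
        "bob_exec": check_access(SAMPLE_ACL, bob, OWNER, GROUP, "x"),
        "carol_exec": check_access(SAMPLE_ACL, carol, OWNER, GROUP, "x"),
        "carol_read": check_access(SAMPLE_ACL, carol, OWNER, GROUP, "r"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'allow' if granted else 'deny'}")
```

Reordering the first two ACEs would silently grant alice write access, which is why tools that rewrite ACLs (and the acesort options on vfs_zfsacl) matter: the same set of entries in a different order is a different policy.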

More information about the samba-technical mailing list