[Samba] File permissions getting destroyed with M$ software on ZFS

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Oct 4 07:02:24 MDT 2010

I had a lot of problems with this as well.    I found it hard to find 
much documentation on the zfs module in samba from either samba or sun.

(PS-  A big thumbs down to Sun and the OpenSolaris crowd for apparently 
abandoning samba.)

I am running Samba 3.0.x from Sun on two servers and samba 3.4.x 
compiled from source on the third.  I eventually opened a support case 
with Sun which did help (somewhat.)

Did you check the permissions of the parent directory?  There may be an 
inheritance issue.   Usually the following worked for me:

chmod -R A- thedirectory
chmod -R A=owner@:rwxpdDaARWcCos:allow ?thedirectory
chmod -R A+group@:rwxpdDaARWcCos:allow ?thedirectory

My share defintions looks like the following (the nfs4 and zfsacl 
options were recommended by sun tech support.)

        vfs objects = zfsacl
         inherit permissions = Yes
         inherit acls = Yes
         nfs4:acedup = merge
         nfs4:chown = yes
         nfs4: mode = special
         mapread only = no
         ea support = yes
         store dos attributes = yes
         create mask = 0770
         force create mode = 0600
         directory mask = 0775
         force directory mode = 0600
         zfsacl: acesort = dontcare

PS.  Are your samba shares on top of autofs shares?   If so, you may 
also need to do the following.

# chmod A+user:nobody:aRc:allow  thedirectory

So far it seems to work OK.

On 10/04/2010 06:06 AM, RegioGis wrote:
> Hi,
> I see you use samba with zfs. But how on earth do you prevent the 'deny'
> aces from being the first in the ACL, and thus denying all access to the
> resource ?
> I'm able to add permissions via the MS UI  ( I added an AD group
> 'regio-users' )
> When I then create a file or folder via Samba, I get this on the Solaris box
> :
> root # ll -V db1.mdb
> -rw-rw----+  1 ackerra  gis        98304 Oct  4 11:49 db1.mdb
>      group:regio-users:--x-----------:------:deny
>      group:regio-users:r-x---a-R----s:------:allow
>              owner@:--x-----------:------:deny
>              owner@:rw-p---A-W-Co-:------:allow
>              group@:--x-----------:------:deny
>              group@:rw-p----------:------:allow
>           everyone@:rwxp---A-W-Co-:------:deny
>           everyone@:------a-R-c--s:------:allow
> Thus denying all access to 'regio-users' ....
> How do you solve this ?    ( I defined the share exactly as you specified )
> Rgrds,

More information about the samba mailing list