[Samba] ACL on ZFS

Maximilian Kirchner max.kirchner at gmail.com
Thu Nov 10 11:00:28 UTC 2016

My Server is running 4.5.1 on Ubuntu 16.04, most of the shares are located
on a zfs raid. Some of the added profiles are now getting corrputed and
cannot login anymore due to some files in the profile share not being

After searching online I found two solutions:

a) setting aclmode=passthrough, aclinherit=passthrough on the zfs volume
b) using nt4 acl mode and the vfs_zfsacl module on samba

when I added some code I found online last time I fucked up badly so I
would like some input if what I found is correct or if using zfs would be a
very bad idea from the beginning.

My current smb.conf reads as follows (without any editing for vfs_zfsacl:
        netbios name = SRV
        realm = SMB.WIE
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SMB
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        interfaces = bond0:0
        bind interfaces only = yes

        winbind enum users = Yes
        winbind enum groups = Yes
        winbind refresh tickets = Yes
        winbind nested groups = No

        logon script = logon.bat

        log file = /usr/local/samba/logs/log.%m
        log level = 3
       path = /ssds/samba/Profiles/
       read only = no
       store dos attributes = Yes
       create mask = 0600
       directory mask = 0700
       profile acls = yes
       csc policy = disable

What I would add to the Profiles-Share is:

## Enable the zfsacl module for this share
vfs objects = zfsacl

nfs4:mode = special
## Merge duplicate ACEs
nfs4:acedup = merge
## Enable changing owner and group
nfs4:chown = yes
map acl inherit = yes

And to the global settings:
    ## Store DOS attributes in extended attributes (no mapping)
    map hidden = no
    map system = no
    map archive = no
    map readonly = no
    store dos attributes = yes

    ## Extended attributes
    ea support = yes

More information about the samba mailing list