[Samba] samba on ZFS

Andrew Walker walker.aj325 at gmail.com
Mon Mar 13 15:42:51 UTC 2017


FreeNAS 9.10.2-STABLE has Samba 4.5.5. By default "zfsacl" is enabled on
all samba shares. Additionally the zfs "aclmode" property is set to
"restricted" on all samba shares (except I believe the sysvol share). I
believe on the sysvol dataset / share, the aclmode is set to "passthrough"
and "zfsacl" is not enabled. I do not use FreeNAS as an AD DC and so can't
comment about specific configuration changes that are made in that regard,
but I am happy to speculate that they probably handle ACLs on the sysvol
share via acl_xattr while the underlying filesystem happily pretends it's a
normal Unix FS. Jordan Hubbard recently wrote a decent summary of the
choices FreeNAS made with respect to handling ACLs here:
https://forums.freenas.org/index.php?threads/update-on-smb-permissions-docker-containers-zfs-a-brief-history-of-posix-perms-etc.51272/

The source for the FreeNAS 9.10.2 script that generates its smb.conf file
is here:
https://github.com/freenas/freenas/blob/9.10.2-STABLE/src/freenas/usr/local/libexec/nas/generate_smb4_conf.py

I do vaguely recall some problems people had when they tried to place the
sysvol share on a dataset with the aclmode set to "restricted"... well, not
the exact problems, but rather a general wailing and gnashing of teeth.

On Sat, Mar 11, 2017 at 2:50 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sat, 11 Mar 2017 08:18:26 +0100
> "Niels Dettenbach (Syndicat IT & Internet) via samba"
> <samba at lists.samba.org> wrote:
>
> > On 11 March 2017 00:04:13 CET, Andrew Walker via samba
> > <samba at lists.samba.org> wrote:
> > >I don't believe that ZFS on FreeBSD supports acltype=posixacl and
> > >sa-based
> >
> > If you want to see a working samba / zfs / FreeBSD AD / PDC
> > "ecosystem" I recommend just trying and exploring the open FreeBSD
> > based "FreeNAS" which offers / allows exactly this.
> >
> > We run several Samba 4 with ACL / AD (managed by MS RSAT) on FreeNAS,
> > with anything held on ZFS (except a read only boot partition on
> > USB / flash usually). FreeNAS uses some kind of ntfsv4 acls on ZFS
> > which have "similar" features, but a bit other semantics, to
> > "emulate" acls for samba - works well.
> >
>
> From what I can see, Freenas is using Samba 4.3.6 and if it is using
> ZFS, it is probably also using the ntvfs filesystem instead of 3fs.
> This could be a problem with Freenas 10, it uses a later version of
> Samba, where by default, ntvfs is turned off.
>
> Samba does not understand ntvfsv4 ACLs, this is where the problem lies,
> you cannot provision Samba as an AD DC on ZFS.
>
> Also, there is no such thing as an AD/PDC, a PDC is an NT4-style domain
> controller. All AD domain controllers are equal, so there is no such
> concept as an AD primary DC. I suppose you could refer to the initial
> DC as 'The First Domain Controller I Set UP', but do you really want to
> call it a 'TFDCISU' ?? ;-)
>
> Rowland

