[Samba] Recommended ACL-related settings (Samba/ZFS)?

[Peter Eriksson]

I guess this only partly Samba related, but I’m guessing many Samba sysadmins using ZFS as backend has run into this issue. I know we’ve been running into it many times atleast and it feels kind of like a moving target…


The question:

What is the recommended (modern) settings (both in Samba and in the filesystem ACLs) that causes the least amount of grief for users for these use cases:

1. ZFS as backend filesystem - and working ZFS ACLs support (ie FreeBSD or possibly Solaris)
2. Samba for SMB access serving Windows 10 and MacOS clients
3. NFSv4 for NFS access serving Linux/Unix clients.
4. HOME directories (with only the users full access)
5. Shared directories where users are expected to be able to share files

(And some (Linux) users want the old mode bits and no ACLs at all… Sigh)



Samba smb.conf (relevant settings, assuming latest version - 4.14.5):

vfs objects = zfsacl
nt acl support = yes
store dos attributes = yes
ea support = false
nfs4:acedup = merge
zfsacl:denymissingspecial = yes
zfsacl:map_dacl_protected = yes
inherit acls = no
inherit permissions = no

The idea is to let ZFS manage ACL inheritance etc. 


Home directory ACL:

% acltool lac peter86
# file: peter86
# owner: peter86
# group: employee
           owner@:rwxpDdaARWcCos:fd-----:allow
           group@:------a-R-c--s:fd-----:allow
     everyone@:------a-R-c--s:fd-----:allow

Or should one use separate owner@ ace’s for file-inherit and dir-inherit and skip the “x” bit for the files so things don’t turn up as executables all the time?


Googling turns up a lot of old and probably (these days) incorrect settings so… what are you using? Any real world big site users around who as felt the pain? :-)

- Peter