Recommended ACL-related settings (Samba/ZFS)?

Thu Jun 17 10:33:53 UTC 2021

> I guess this is only partly Samba related, but I’m guessing many Samba sysadmins using ZFS as backend have run into this issue. I know we’ve been running into it many times at least and it feels kind of like a moving target…
> The question:
> What are the recommended (modern) settings (both in Samba and in the filesystem ACLs) that cause the least amount of grief for users for these use cases:
> 1. ZFS as backend filesystem - and working ZFS ACLs support (i.e. FreeBSD or possibly Solaris)
> 2. Samba for SMB access serving Windows 10 and MacOS clients
> 3. NFSv4 for NFS access serving Linux/Unix clients.
> 4. HOME directories (with only the user’s full access)
> 5. Shared directories where users are expected to be able to share files
> (And some (Linux) users want the old mode bits and no ACLs at all… Sigh)

I am such a sysadmin, running a couple of FreeBSD 12.2 servers with Samba (currently 4.13.7). The same situation as yours applies, except that we basically have no home directories.

> Samba smb.conf (relevant settings, assuming latest version - 4.14.5):
> vfs objects = zfsacl
> nt acl support = yes
> store dos attributes = yes
> ea support = false
> nfs4:acedup = merge
> zfsacl:denymissingspecial = yes
> zfsacl:map_dacl_protected = yes
> inherit acls = no
> inherit permissions = no
> The idea is to let ZFS manage ACL inheritance etc. 

We have 'ea support' enabled, but for no obvious reason. It is enabled by default. Both 'zfsacl:' settings are 'no' in our setup, which is also the default. Additionally, we have the settings (but they are not related to acls):

vfs objects               = shadow_copy2 zfsacl fruit streams_xattr
shadow:format             = %Y-%m-%d
shadow:snapdir            = .zfs/snapshot
shadow:snapdirseverywhere = yes
shadow:sort               = desc
fruit:aapl                = yes

> Home directory ACL:
> % acltool lac peter86
> # file: peter86
> # owner: peter86
> # group: employee
>           owner@:rwxpDdaARWcCos:fd-----:allow
>           group@:------a-R-c--s:fd-----:allow
>        everyone@:------a-R-c--s:fd-----:allow
> Or should one use separate owner@ ace’s for file-inherit and dir-inherit and skip the “x” bit for the files so things don’t turn up as executables all the time?

What about zfs set aclinherit=passthrough-x <dataset> ? What is your 'aclmode' setting? We have 'passthrough', since the other settings interfere with the acls (which is expected, but unwanted).

What does the acl on group directories look like?

> Googling turns up a lot of old and probably (these days) incorrect settings so… what are you using? Any real world big site users around who have felt the pain? :-)

Oh, I feel your pain! I find it very hard to debug Samba/ZFS/acl problems. In my opinion the documentation is so-so (meaning: I keep reading the vfs_zfsacl manpage and related documentation, but I have a hard time _really_ understanding what is meant). And then you have Microsoft Office, doing all kinds of weird stuff with the acl's, etc. In my defense: I inherited the systems, which makes doing big changes almost undoable [without breaking stuff]. The biggest problem is that we need to share the same data via NFS and Samba. I think it would be much easier to share the data via Samba only.
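An added example, not part of the original message: a small Python audit of ACL listings in the format quoted above. It flags allow ACEs that combine the file-inherit flag with execute (the "everything turns up as executable" question) and ACEs that give anyone but owner@ data access, which a home directory should not have. The function names, the issue labels and the shared-directory sample are assumptions constructed for illustration.

```python
"""Audit NFSv4/ZFS ACL listings in the who:perms:flags:type format shown above."""

# Permission letters that give access to file data or directory contents
DATA_PERMS = set("rwxpDd")

# Home directory listing as quoted in the thread
SAMPLE_HOME_ACL = """\
# file: peter86
# owner: peter86
# group: employee
          owner@:rwxpDdaARWcCos:fd-----:allow
          group@:------a-R-c--s:fd-----:allow
       everyone@:------a-R-c--s:fd-----:allow
"""

# Constructed sample of a shared directory (not from the thread)
SAMPLE_SHARED_ACL = """\
# file: projects
          owner@:rwxpDdaARWcCos:fd-----:allow
     group:staff:rwxpDdaARWc--s:fd-----:allow
       everyone@:------a-R-c--s:fd-----:allow
"""

def parse_acl(text):
    """Return (who, perms, flags, type) tuples, skipping '#' header lines."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # 'who' may contain a colon (group:staff), so split from the right
        who, perms, flags, ace_type = line.rsplit(":", 3)
        aces.append((who, set(perms) - {"-"}, set(flags) - {"-"}, ace_type))
    return aces

def audit(text):
    """Return (who, issue) findings for the allow ACEs in one listing."""
    findings = []
    for who, perms, flags, ace_type in parse_acl(text):
        if ace_type != "allow":
            continue
        # 'f' = file_inherit: whether new files really get x depends on aclinherit
        if "f" in flags and "x" in perms:
            findings.append((who, "exec-on-file-inherit"))
        if who != "owner@" and perms & DATA_PERMS:
            findings.append((who, "non-owner-data-access"))
    return findings

if __name__ == "__main__":
    for name, acl in (("home", SAMPLE_HOME_ACL), ("shared", SAMPLE_SHARED_ACL)):
        print(name, audit(acl))
```

On the quoted home directory this reports only the owner@ ACE, which is the case the aclinherit=passthrough-x suggestion addresses.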


