# Samba AD Member, ZFS and ACLs



## nebu (Sep 7, 2016)

Hi,

I am currently trying to set up a Samba file server as a member of an existing Active Directory. Basic things worked: I joined the domain, I can see users and groups, and my shares are visible in the network.

What does not work are ACLs. I have tried various configurations and read through many tutorials and the posts in this forum. Still no success.

My smb4.conf looks like this:


```
[global]
  workgroup = TEST
  server string = Samba Server Version %v
  security = ads
  realm = Test.local
  use sendfile = true

  idmap config * : backend = tdb
  idmap config * : range = 100000-299999
  idmap config TEST : backend = rid
  idmap config TEST : range = 10000-99999
  winbind separator = +
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  winbind refresh tickets = yes

  restrict anonymous = 2
  log file = /var/log/samba4/log.%m
  max log size = 50
  vfs objects = acl_xattr
  map acl inherit = yes
  store dos attributes = yes

[test]
  path = /storage/samba/test/
  read only = No
  vfs objects = zfsacl
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = yes
  nt acl support = yes
  store dos attributes = yes
```

With this config I don't even see the security tab in the Windows management console. When removing the NFSv4 stuff, like this:


```
[test]
  path = /storage/samba/test/
  read only = No
  #inherit permissions = yes
  #inherit acls = Yes
```

I can see the security tab, but saving permissions is not possible.
ZFS is set to `aclmode=passthrough` and `aclinherit=passthrough`.

OS is FreeBSD 10.3, Samba44 built from ports.

Can anyone tell me what I am doing wrong? I'll greatly appreciate any help on this.

Regards,
Ben


----------



## nebu (Sep 8, 2016)

I think the problem might not originate in Samba but in the required NFSv4 ACLs.

`# getfacl /storage/samba/test`
results in

```
# file: test
# owner: root
# group: domänen-admins
user::rwx
group::r-x
other::r-x
```

This looks like POSIX ACLs to me. Is there any setting I missed? I am a bit confused about the NFSv4 ACLs required by Samba on ZFS...

`setfacl -m u:administrator:rwxp::allow /storage/samba/test/`
gives me

```
setfacl: /storage/samba/test/: acl_get_file() failed: Operation not supported
```


Sorry for the wrong formatting in the previous post. I'll do better now.

Regards,
Ben


----------



## JinSoo Suh (Sep 8, 2016)

Dear nebu,

/usr/local/share/doc/samba44/README.FreeBSD

```
You may find this tutorial useful, if you happen to run Samba4 on ZFS-root:

  o http://glsan.com/community/samba4
```

Did you grant the SeDiskOperatorPrivilege privilege to "Domain Admins" as explained in "Shares with Windows ACLs"?


```
# zfs create -o aclinherit=passthrough -o aclmode=passthrough storage/samba/test
# chown root:'domain users' /storage/samba/test
# setfacl -m g:'domain users':modify_set:fd----:allow /storage/samba/test
# setfacl -m g:'domain admins':full_set:fd----:allow /storage/samba/test
# getfacl /storage/samba/test
```
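The procedure in the post above, written out as a script with the checks a practitioner would run before handing the share to Windows clients. This is an added example, not code from the thread or from Samba/FreeBSD: it provisions the dataset, applies the two ACL entries, grants the `SeDiskOperatorPrivilege` the post refers to, and then verifies from `getfacl(1)` output that an NFSv4 ACL is actually in effect, that the admins entry is inheritable, and that the users entry cannot rewrite the ACL or owner. The dataset name `storage/samba/test` (`zfs create` takes a dataset name, not a mount path), the domain `TEST` from the posted smb4.conf, the `administrator` account and the ASCII group names in the sample listings are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): provision a Samba share dataset on
# FreeBSD/ZFS with NFSv4 ACLs as described in the post, then verify it.
# Run as root with zfs(8), setfacl(1), getfacl(1) and net(8):   sh share-acl.sh apply
# Assumptions: dataset storage/samba/test, domain TEST, account "administrator".
# The helper functions only read text, so they also run anywhere to inspect
# existing getfacl(1) output.

# acl_kind: read getfacl(1) output on stdin and print "nfsv4", "posix" or
# "unknown". NFSv4 listings carry owner@/group@/everyone@ entries; a bare
# user::/group::/other:: listing is what getfacl shows for a directory that
# carries no NFSv4 ACL (the symptom in the thread).
acl_kind() {
    acl=$(cat)
    if printf '%s\n' "$acl" | grep -qE '^[[:space:]]*(owner@|group@|everyone@):'; then
        echo nfsv4
    elif printf '%s\n' "$acl" | grep -qE '^[[:space:]]*(user|group|other|mask)::'; then
        echo posix
    else
        echo unknown
    fi
}

# acl_group_perms GROUP: print the permission field of GROUP's "allow" entry
# (empty if none). Entry lines look like group:NAME:PERMS:FLAGS:TYPE.
acl_group_perms() {
    awk -F: -v g="$1" '$1 == "group" && $2 == g && $5 == "allow" { print $3; exit }'
}

# acl_group_inherits GROUP: succeed only if GROUP's "allow" entry carries both
# inheritance flags f (files) and d (directories), i.e. the fd---- flags in the
# setfacl lines above, so objects that Windows clients create inherit it.
acl_group_inherits() {
    awk -F: -v g="$1" '
        $1 == "group" && $2 == g && $5 == "allow" &&
        index($4, "f") > 0 && index($4, "d") > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# provision_share DATASET USERS_GROUP ADMINS_GROUP
# modify_set grants everything except C (write ACL) and o (write owner);
# full_set adds those two. The last check refuses a layout in which ordinary
# users could rewrite the ACL or take ownership of the share root.
provision_share() {
    ds=$1; users=$2; admins=$3
    zfs create -o aclinherit=passthrough -o aclmode=passthrough "$ds"
    mp=$(zfs get -H -o value mountpoint "$ds")
    chown "root:$users" "$mp"
    setfacl -m "g:$users:modify_set:fd----:allow" "$mp"
    setfacl -m "g:$admins:full_set:fd----:allow" "$mp"
    acl=$(getfacl "$mp")
    [ "$(printf '%s\n' "$acl" | acl_kind)" = nfsv4 ] || {
        echo "$mp: no NFSv4 ACL in effect; is $ds mounted there?" >&2; return 1; }
    printf '%s\n' "$acl" | acl_group_inherits "$admins" || {
        echo "$mp: entry for '$admins' is not inheritable" >&2; return 1; }
    case $(printf '%s\n' "$acl" | acl_group_perms "$users") in
        *C*|*o*) echo "$mp: '$users' could change ACL or owner; use modify_set" >&2
                 return 1 ;;
    esac
    printf '%s\n' "$acl"
}

# grant_disk_operator DOMAIN ACCOUNT: Samba's documented "net rpc rights grant"
# for SeDiskOperatorPrivilege, needed so Domain Admins can edit share
# permissions from the Windows security tab.
grant_disk_operator() {
    net rpc rights grant "$1\\Domain Admins" SeDiskOperatorPrivilege -U "$1\\$2"
}

# Constructed sample listings modelled on the getfacl output posted in the
# thread (ASCII group names), for exercising the checks offline.
POSIX_SAMPLE='# file: /storage/home
# owner: root
# group: wheel
user::rwx
group::r-x
other::r-x'
NFSV4_SAMPLE='# file: /storage/tester2
# owner: root
# group: domain users
group:domain admins:rwxpDdaARWcCos:fd-----:allow
group:domain users:rwxpDdaARWc--s:fd-----:allow
  owner@:rwxp--aARWcCos:-------:allow
  group@:r-x---a-R-c--s:-------:allow
  everyone@:r-x---a-R-c--s:-------:allow'

if [ "${1:-}" = apply ]; then
    grant_disk_operator TEST administrator
    provision_share storage/samba/test 'domain users' 'domain admins'
fi
```

The `C`/`o` check is the part worth keeping even if the rest is done by hand: `modify_set` and `full_set` differ only in those two bits, and an ACL where the users group holds them lets any domain user re-ACL or take ownership of the share root.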


----------



## nebu (Sep 8, 2016)

JinSoo Suh, Thank you SO much!

This:


JinSoo Suh said:


> ```
> # zfs create -o aclinherit=passthrough -o aclmode=passthrough storage/samba/test
> # chown root:'domain users' /storage/samba/test
> # setfacl -m g:'domain users':modify_set:fd----:allow /storage/samba/test
> ...


worked. I have no idea what I did wrong before, but this works perfectly.

Regards,
Ben


----------



## nebu (Sep 14, 2016)

*Solved!* The ZFS filesystems were not properly mounted after a reboot. Just ignore this post.

Well, I guess I still haven't resolved this.

The above way worked so far: I copied the data into the respective shares, set ACLs, and mounted the shares on the clients. So far so good.

But this morning the shares aren't accessible by the clients anymore. Same errors as before. `getfacl` only shows POSIX ACLs; the NFSv4 ACLs are gone:
`getfacl /storage/home`

```
# file: /storage/home
# owner: root
# group: wheel
user::rwx
group::r-x
other::r-x
```


If I create new shares as described by JinSoo Suh, the ACLs are as they should be, but the existing ones are messed up:

```
zfs create -o aclinherit=passthrough -o aclmode=passthrough storage/tester2
chown root:'domänen-benutzer' /storage/tester2
setfacl -m g:"domänen-benutzer":modify_set:fd----:allow /storage/tester2
setfacl -m g:"domänen-admins":full_set:fd----:allow /storage/tester2
getfacl /storage/tester2
```


```
# file: /storage/tester2
# owner: root
# group: domänen-benutzer
group:domänen-admins:rwxpDdaARWcCos:fd-----:allow
group:domänen-benutzer:rwxpDdaARWc--s:fd-----:allow
  owner@:rwxp--aARWcCos:-------:allow
  group@:r-x---a-R-c--s:-------:allow
  everyone@:r-x---a-R-c--s:-------:allow
```



I added a cache drive to the zpool yesterday, but that should not affect the ZFS filesystems on the pool. It never did on all the other machines I have running with FreeBSD and ZFS.

Edit: This does not seem like a Samba issue but a ZFS issue to me.

Regards,
Benjamin
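The failure mode in this post (the dataset did not mount after the reboot, so the share path was an ordinary empty directory on the parent filesystem, which carries neither the data nor an NFSv4 ACL) is cheap to check for before reading `getfacl` output. This added example, not code from the thread, parses the share paths out of smb4.conf and compares them against `zfs list -H -o name,mountpoint,mounted`, flagging any share whose path is not the mountpoint of a mounted dataset. The config location `/usr/local/etc/smb4.conf` (the FreeBSD port default) and the `[home]` share in the sample are assumptions; the `[test]` stanza is the one posted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): after a reboot, confirm that every share
# path in smb4.conf is the mountpoint of a *mounted* ZFS dataset.
#   sh share-mounts.sh check
# Assumption: config at /usr/local/etc/smb4.conf. The functions only parse
# text, so they can be exercised offline with the samples at the bottom.

# share_paths: read smb.conf text on stdin, print "SHARE<TAB>PATH" for every
# section other than [global] that has a "path =" line. A trailing slash (as in
# the posted config) is dropped so the path compares equal to a mountpoint.
share_paths() {
    awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); share = s; next }
        /^[ \t]*path[ \t]*=/ && share != "" && share != "global" {
            p = $0; sub(/^[ \t]*path[ \t]*=[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
            if (p != "/") sub(/\/+$/, "", p)
            print share "\t" p
        }'
}

# zfs_state PATH: read "zfs list -H -o name,mountpoint,mounted" output on stdin
# and print "mounted", "unmounted" (a dataset owns PATH but is not mounted) or
# "none" (no dataset has PATH as its mountpoint).
zfs_state() {
    awk -F'\t' -v p="$1" '
        $2 == p { st = ($3 == "yes") ? "mounted" : "unmounted"; exit }
        END { print (st == "" ? "none" : st) }'
}

# check_shares SMBCONF_TEXT ZFSLIST_TEXT: print "share path state" per share and
# return 1 if any share is not on a mounted dataset.
check_shares() {
    bad=0
    shares=$(printf '%s\n' "$1" | share_paths)
    while IFS="$(printf '\t')" read -r share path; do
        [ -n "$share" ] || continue
        state=$(printf '%s\n' "$2" | zfs_state "$path")
        echo "$share $path $state"
        [ "$state" = mounted ] || bad=1
    done <<EOF
$shares
EOF
    return $bad
}

# Constructed samples: the [test] stanza from the posted smb4.conf plus an
# assumed [home] share, and two zfs list outputs (storage/home unmounted / mounted).
SMB_SAMPLE='[global]
  workgroup = TEST
  security = ads

[test]
  path = /storage/samba/test/
  read only = No
  vfs objects = zfsacl

[home]
  path = /storage/home
  read only = No'
ZFS_BROKEN=$(printf 'storage\t/storage\tyes\nstorage/samba\t/storage/samba\tyes\nstorage/samba/test\t/storage/samba/test\tyes\nstorage/home\t/storage/home\tno\n')
ZFS_OK=$(printf 'storage\t/storage\tyes\nstorage/samba/test\t/storage/samba/test\tyes\nstorage/home\t/storage/home\tyes\n')

if [ "${1:-}" = check ]; then
    check_shares "$(cat /usr/local/etc/smb4.conf)" "$(zfs list -H -o name,mountpoint,mounted)"
fi
```

On a live system the remedy for an `unmounted` line is `zfs mount -a` (or fixing whatever blocked the mount, for instance a non-empty mountpoint directory created while the dataset was away); running the check from cron or before `smbd` starts turns the silent "ACLs are gone" symptom into an explicit error.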


----------

