# Samba DC - ZFS ACL Permissions



## davidrx (Jan 5, 2018)

I set up a FreeBSD Samba Domain Controller and installed a second machine running as a NAS.
I joined the second machine to the Samba Domain Controller.

I used groups and users from the FreeBSD Samba Domain Controller.

But I'm fighting with the permissions currently.
My goal is to have a share where only 1 user has modify access and admins have full access.

The odd thing I noticed: when I remove the everyone ACL rule on user01, it removes all FreeBSD rwx permissions for owner/group on the folder?


```
$ ls -alf
total 55
drwxrwx---   4 david   domain_users   4 Jan  4 22:52 .
drwxrwxrwx  11 root    wheel         11 Jan  4 22:53 ..
d---------+  6 user01  domain_admins 25 Jan  5 01:57 user01
drwxrwxrwx+ 14 user02  domain_admins 15 Jan  5 11:49 user02
```
while on ACL it looks like this:

```
$ getfacl user01/
# file: user01/
# owner: user01
# group: domain_admins
            group@:rwxpDdaARWcCos:fdi----:allow
            owner@:rwxpDdaARWc--s:fdi----:allow
        user:david:rwxpDdaARWcCos:-------:allow
```
As a result my Samba user share isn't accessible.
So, my question is: what is the correct way of creating a secured folder for 1 user + admin users?

I noticed when I add an everyone line to the ACL it allows me to have access again, but I don't like the everyone permissions. It feels less secure.

```
everyone@:------a-R-c--s:-------:allow
```


----------



## SirDice (Jan 5, 2018)

davidrx said:


> The odd thing I noticed: when I remove the everyone ACL rule on user01, it removes all FreeBSD rwx permissions for owner/group on the folder?


What was the exact command you used? I have a feeling this is just a consequence of not setting the ACL correctly.


----------



## davidrx (Jan 5, 2018)

When I add ACL rules I do this:

```
setfacl -m u:david:full_set::allow directory or filename
```


to remove a rule:

```
# -x takes the position of the entry: 0 for the first rule, 1 for the second rule, ...
setfacl -x0 directory_or_filename
```


----------



## davidrx (Jan 5, 2018)

I probably found my issue:

This:


```
group@:rwxpDdaARWcCos:fdi----:allow
           owner@:rwxpDdaARWc--s:fdi----:allow
```

should be:

```
group@:rwxpDdaARWcCos:fd-----:allow
owner@:rwxpDdaARWc--s:fd-----:allow
```

```
setfacl -m owner@:full_set:fd:allow [directory]
```

That seems to work out what I want.

Not sure what the inherit_only flag does?


----------
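An added example, not from any post in this thread: a small parser for the FreeBSD `getfacl` NFSv4 ACL format that shows why the `fdi----` entries left the directory unusable. The `i` (inherit_only) flag means an entry only propagates to newly created children and does not apply to the object itself, so `owner@`/`group@` entries carrying `i` grant the owner and group nothing on the directory, which is exactly the `d---------+` mode `ls` synthesized. The sample ACL below is constructed from the entries quoted in the thread; the mode synthesis considers allow entries only, which is enough for this case.

```python
# Parse FreeBSD getfacl(1) NFSv4 ACL output and find which entries actually
# apply to the object itself.  Entries flagged 'i' (inherit_only) only
# propagate to new children, so they contribute nothing to the object's mode.
from dataclasses import dataclass


@dataclass
class Ace:
    tag: str    # owner@, group@, everyone@, user:<name>, group:<name>
    perms: str  # 14-char permission string, e.g. rwxpDdaARWcCos
    flags: str  # 7-char inheritance string, e.g. fdi----
    kind: str   # allow or deny


def parse_acl(text: str) -> list:
    """Parse the entry lines of getfacl output; '# file:' style comments are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        *tag_parts, perms, flags, kind = line.split(":")
        aces.append(Ace(":".join(tag_parts), perms, flags, kind))
    return aces


def effective_entries(aces: list) -> list:
    """Entries that apply to the object itself: inherit_only ('i') ones do not."""
    return [a for a in aces if "i" not in a.flags]


def synthesized_mode(aces: list) -> str:
    """Approximate the rwx triplets ls -l shows for owner/group/other,
    using only the allow entries that are effective on the object."""
    mode = ""
    for tag in ("owner@", "group@", "everyone@"):
        allowed = "".join(a.perms for a in effective_entries(aces)
                          if a.tag == tag and a.kind == "allow")
        mode += "".join(c if c in allowed else "-" for c in "rwx")
    return mode


# Constructed sample, taken from the ACL quoted in the thread (owner user01).
BROKEN = """\
# file: user01/
            group@:rwxpDdaARWcCos:fdi----:allow
            owner@:rwxpDdaARWc--s:fdi----:allow
        user:david:rwxpDdaARWcCos:-------:allow
"""
FIXED = BROKEN.replace(":fdi----:", ":fd-----:")  # drop inherit_only, keep f and d

if __name__ == "__main__":
    print(synthesized_mode(parse_acl(BROKEN)))  # ---------  (matches d---------+)
    print(synthesized_mode(parse_acl(FIXED)))   # rwxrwx---
```

With the `i` flag removed, the owner and group entries apply to the directory as well as being inherited by new files and subdirectories, so the share becomes accessible without an `everyone@` entry.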

