# Samba with NFSv4/ZFS ACL Support



## jlohiser (Sep 9, 2010)

Hello all.  I was hoping I could start a discussion regarding Samba and the use of NFSv4 ACL's on ZFS.

I have been working for several days to allow Samba to use the new NFSv4 ACL's that are available with FreeBSD 8.1 and ZFS.  I checked the existing Samba versions in the ports collection and I did not see any support for this feature.  The only information that I could find regarding this subject was some references in http://wiki.freebsd.org/NFSv4_ACLs and some references to Samba and its vfs_zfsacl module in a Solaris forum.  I was finally able to determine that I needed to customize a port to build this module.  I installed the "libsunacl" port and patched the "samba34" port to use this library and to build the vfs_zfsacl module.  I also had to tweak the smb.conf to make Samba work properly with this module and the ZFS ACL's.

As of this morning, everything appears to be working properly.  I am able to set permissions on my Samba shares via the Security dialogs on Windows XP.  The permissions are being changed on the NFSv4 ACL's and I am able to see the changes via getfacl on FreeBSD.  I am also able to connect to the share via OS X and the permissions seem to be correct.

This was a rather difficult and time consuming task.  I would rather it not be this difficult for future users.  I would like to submit my modifications to the port, however, I am not sure how to do this properly.  There are several open questions regarding the port modifications.

1) The vfs_zfsacl module appears to be completely separate from the --with-acl-support configuration option.  As such, should vfs_zfsacl be included in the existing ACL_SUPPORT port configuration option or should it be a separate option?  Perhaps it should be included in EXP_MODULES instead???

2) OS X was not able to properly "see" the ACL permissions.  Windows was able to see the permissions and my username has full access to the share.  Connecting to the share with OS X using the same username, I was not able to write to the root of the share.  I did, however, have full access to any subfolders.  I am not sure if this is an OS X issue or a Samba issue.  I had to add "unix extensions = no" to the smb.conf (see http://splatdot.com/fixing-snow-leopard-10-6-3-samba-write-access).  I believe there should be a note in the smb.conf installed by the port regarding this issue.

I am hoping that a port maintainer is monitoring this list and could assist me in possibly incorporating these changes in the Samba port(s).

These changes could also benefit other projects, such as FreeNAS.  With the apparent death of OpenSolaris, FreeBSD is poised to become the primary opensource OS for ZFS.  The continuing development on FreeBSD to add newer versions of ZFS and additional features, such as deduplication, is very exciting.  For these reasons, and many others, I believe it would be of great benefit to integrate the features of NFSv4/ZFS into applications such as Samba.


----------



## SirDice (Sep 9, 2010)

jlohiser said:

> I am hoping that a port maintainer is monitoring this list and could assist me in possibly incorporating these changes in the Samba port(s).


There aren't a lot of developers on this forum. Your best bet is probably the freebsd-ports mailinglist and/or the maintainer of the samba34 port.


----------



## dvg_lab (Sep 10, 2010)

jlohiser said:

> Hello all.  I was hoping I could start a discussion regarding Samba and the use of NFSv4 ACL's on ZFS.
> 
> I have been working for several days to allow Samba to use the new NFSv4 ACL's that are available with FreeBSD 8.1 and ZFS.



Right now I'm resolving the same issue without success. Could you tell us the configure steps? I think it would be useful for many freebsd/zfs users.


----------



## dvg_lab (Sep 15, 2010)

I've installed the "libsunacl" port, also installed samba34 compiled with the vfs_zfsacl module (added WANT_EXP_MODULES+=vfs_zfsacl into Makefile and changed all "<sys/acl.h>" into "<sunacl.h>" in all samba files). Samba seems to be working and I can write into shares but can't edit acls from windows dialog. At the same time I can set acls from command line by setfacl and see it in getfacl output but don't see any changes in windows security properties dialog. What I've missed?

FreeBSD 8.1R amd64, 
smb.conf


```
[global]
   workgroup = EX
   server string = FS1 Samba Server
   security = ads
   hosts allow = 192.168.200. 192.168.201. 127.
   load printers = no
   log file = /var/log/samba34/log.%m
   max log size = 50
   password server = dc0.ex.com
   realm = EX.COM
   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
   local master = no
   os level = 10
   domain master = no
   preferred master = no
   domain logons = no
   dns proxy = no
   display charset = koi8-r
   unix charset = koi8-r
   dos charset = cp866
    nt acl support = yes
    inherit acls = yes
    map acl inherit = yes
case sensitive = No
winbind use default domain = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
client ntlmv2 auth=yes
[general]
   comment = Public Stuff
   path = /noc/shares/general
   public = yes
   writable = yes
   printable = no
   write list = @Office
   admin users = druginin
   acl check permissions = True
   vfs objects = zfsacl
   nfs4: mode = special
```


----------



## jlohiser (Sep 15, 2010)

dvg_lab,

You compiled Samba with the same configuration I used.  Try setting "acl check permissions = no".  As I understand it, that setting is for POSIX ACL's (which we are not trying to use) and will just interfere with the NFSv4 ACL's.

A couple of other notes...

I also have "nfs4:acedup = merge" and "nfs4:chown = yes" in smb.conf as per a recommended Solaris 10 configuration that I found.  I have not yet researched their necessity.

If you are attempting to use OS X clients, you will probably need to set "unix extensions = no" in order for them to work properly with the ACL's.

While I was able to edit the ACL's via Windows, I am not certain that it places the ACL entries in the proper order for them to work properly in all circumstances.  You will have to test this on your system and check the results.

P.S.  Sorry for not replying earlier.  I was out of town.

Jim L.


----------



## jlohiser (Sep 15, 2010)

Oh, and don't forget about the ZFS options "aclmode" and "aclinherit" and how they affect inherited permissions.  You probably want to set "aclmode=passthrough" and "aclinherit=passthrough" on root of the share.


----------



## jlohiser (Sep 15, 2010)

Sorry! One more.  You probably want "inherit acls = no" in smb.conf and allow ZFS to handle inheritance.


----------



## dvg_lab (Sep 16, 2010)

Thanks, *jlohiser*, now I can edit permissions from the Windows dialog, but something strange occurs. I create a file on the share, then try to view permissions in the Security properties dialog, and Windows warns me about wrong permission ordering (?). After fixing it and setting the right permissions (only one group "Domain Users" with full access) I try to edit the file in MS Word, then save, and after that I see newly added permissions: groups "All" and "root (unix User\root)" with special access permissions. Do you know how to change Samba's behavior to a Windows-like mode? Most of the clients of this server will be Windows XP and Windows 7, and all the clients will work with files directly on shares.


```
fs1# zfs get aclinherit zroot/noc/shares
NAME              PROPERTY    VALUE             SOURCE
zroot/noc/shares  aclinherit  passthrough       local
fs1# zfs get aclmode zroot/noc/shares
NAME              PROPERTY  VALUE             SOURCE
zroot/noc/shares  aclmode   passthrough       local
```

smb.conf

```
[global]
   workgroup = EX
   server string = FS1 Samba Server
   security = ads
   hosts allow = 192.168.200. 192.168.201. 127.
   load printers = no
   log file = /var/log/samba34/log.%m
   max log size = 50
   password server = dc0.ex.com
   realm = EX.COM
   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
   local master = no
   os level = 10
   domain master = no
   preferred master = no
   domain logons = no
   dns proxy = no
   display charset = koi8-r
   unix charset = koi8-r
   dos charset = cp866

    nt acl support = yes
    inherit acls = no
    map acl inherit = yes
case sensitive = No
winbind use default domain = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
client ntlmv2 auth=yes
acl check permissions = no
[general]
   comment = Public Stuff
   path = /noc/shares/general
   public = no
   writable = yes
   printable = no
   write list = @Office
   admin users = druginin
   unix extensions = no
   vfs objects = zfsacl
   nfs4: mode = special
   nfs4:acedup = merge
   nfs4:chown = yes
   nt acl support = yes
```

Thank you again, Jim.
DVG_Lab.


----------



## dvg_lab (Sep 16, 2010)

This is what I mean:


```
fs1# getfacl /noc/shares/general/inherit/
# file: /noc/shares/general/inherit/
# owner: root
# group: domain users
group:domain users:rwxpDdaARWcCos:fd----:allow
      group:office:rwxpDdaARWcCos:fd----:allow

fs1# getfacl /noc/shares/general/inherit/test.doc
# file: /noc/shares/general/inherit/test.doc
# owner: root
# group: domain users
group:domain users:rwxpDdaARWcCos:------:allow
      group:office:rwxpDdaARWcCos:------:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:------:deny
            group@:rwxp----------:------:allow
         everyone@:-------A-W-Co-:------:deny
         everyone@:rwxp--a-R-c--s:------:allow
```

I don't know where it inherits or creates deny permissions if they are absent in the parent directory.
It seems to me I should add some magic config lines to smb.conf.


----------



## jlohiser (Sep 17, 2010)

I am running some experiments on my system and I will post my findings.  I believe that the root of the problem is that the owner@, group@, and everyone@ permissions must remain defined on the root of the share. Ultimately, while the Windows interface is nice to use, I think that the permissions will need to be defined by setfacl in order for everything to work properly.


----------



## dvg_lab (Sep 18, 2010)

It seems to me that about 3-4 years ago, when I experimented with ACLs on UFS2, things looked a bit easier and production ready. I think I should play with ACLs on UFS2 and compare them with ZFS. Actually, I don't want to migrate to UFS because of snapshots and etc.
Anyhow, it looks like Samba with ACLs on ZFS isn't ready for production use right now.


----------



## AndyUKG (Sep 20, 2010)

dvg_lab said:

> Actually, I don't want to migrate to UFS because of snapshots an etc.



If you want to use UFS2 AND also have ZFS snapshots then you can create a ZFS block device volume, and format it using UFS2.

Andy.


----------



## cougar (Oct 25, 2010)

I'm sorry to ask: how to "patch the "samba34" port to use this library and to build the vfs_zfsacl module" or to "change all "<sys/acl.h>" into "<sunacl.h>" in all samba files"

I need samba to work with zfs's acl, thanks for your solution.


----------



## cougar (Oct 25, 2010)

I installed libsunacl and did what is in this thread but cannot build modules/vfs_zfsacl.c

I do this

```
fb81# cd /usr/ports/net/samba34/

fb81# make patch

fb81# grep -rl "sys/acl.h" .
./source3/modules/vfs_hpuxacl.c.bak
./source3/modules/nfs4_acls.h.bak
./source3/lib/util.c.bak
./source3/include/config.h.in.bak
./source3/configure.bak
./source3/configure.in.bak
./source3/configure.in.orig.bak
./lib/replace/system/filesys.h.bak
./lib/replace/system/config.m4.bak

fb81# find ./ -exec grep "sys/acl.h" '{}' \; -exec sed -i .bak 's/sys\/acl.h/sunacl.h/g' {} \;
fb81# make build
```

the error is

```
Compiling modules/vfs_zfsacl.c
modules/vfs_zfsacl.c: In function 'zfs_get_nt_acl_common':
modules/vfs_zfsacl.c:42: error: 'ace_t' undeclared (first use in this function)
modules/vfs_zfsacl.c:42: error: (Each undeclared identifier is reported only once
modules/vfs_zfsacl.c:42: error: for each function it appears in.)
modules/vfs_zfsacl.c:42: error: 'acebuf' undeclared (first use in this function)
modules/vfs_zfsacl.c:47: error: 'ACE_GETACLCNT' undeclared (first use in this function)
modules/vfs_zfsacl.c:60: error: expected expression before ')' token
modules/vfs_zfsacl.c:65: error: 'ACE_GETACL' undeclared (first use in this function)
modules/vfs_zfsacl.c:82: error: 'ACE_OWNER' undeclared (first use in this function)
modules/vfs_zfsacl.c:85: error: 'ACE_GROUP' undeclared (first use in this function)
modules/vfs_zfsacl.c:88: error: 'ACE_EVERYONE' undeclared (first use in this function)
modules/vfs_zfsacl.c: In function 'zfs_process_smbacl':
modules/vfs_zfsacl.c:106: error: 'ace_t' undeclared (first use in this function)
modules/vfs_zfsacl.c:106: error: 'acebuf' undeclared (first use in this function)
modules/vfs_zfsacl.c:112: error: expected expression before ')' token
modules/vfs_zfsacl.c:130: error: 'ACE_EVERYONE' undeclared (first use in this function)
modules/vfs_zfsacl.c:133: error: 'ACE_OWNER' undeclared (first use in this function)
modules/vfs_zfsacl.c:136: error: 'ACE_GROUP' undeclared (first use in this function)
modules/vfs_zfsacl.c:148: error: 'ACE_SETACL' undeclared (first use in this function)
The following command failed:
cc -O2 -pipe -DLDAP_DEPRECATED -fno-strict-aliasing -I. -I/usr/ports/net/samba34/work/samba-3.4.8/source3 -I/usr/ports/net/samba34/work/samba-
3.4.8/source3/iniparser/src -Iinclude -I./include  -I. -I. -I./../lib/replace -I/usr/local/include   -I./../lib/tevent -I./../lib/tdb/include -
I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H  -I/usr/local/include -Iinclude -I./include -I. -I. -I./../lib/replace -I/usr/local/include -
I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -I./../lib/popt -I/usr/local/include -I /usr/local/include -
DLDAP_DEPRECATED  -I/usr/ports/net/samba34/work/samba-3.4.8/source3/lib -I.. -I../source4 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -DPIC -c 
modules/vfs_zfsacl.c -o modules/vfs_zfsacl.o
gmake: *** [modules/vfs_zfsacl.o] Error 1
```


----------



## cougar (Oct 27, 2010)

The port has been updated:

http://www.freshports.org/net/samba35/



> These upgrade notes are taken from /usr/ports/UPDATING
> 2010-10-26
> Affects: users of net/samba35
> Author: Timur Bakeyev <timur@FreeBSD.org>
> ...


----------



## dvg_lab (Oct 28, 2010)

It seems to me that we should play with it again.  I hope ACL inheritance has been fixed.
I'll try it on the next week.


----------



## pruik (Oct 28, 2010)

On my FreeBSD 8.1-STABLE amd64 system the compile of Samba 3.5.6 with ACL and EXP_MODULES fails. Was hoping to test the usage of Samba on ZFS with ACL's, please let me know if anyone succeeds....


```
Compiling winbindd/idmap_ad.c
winbindd/idmap_ad.c: In function 'idmap_ad_unixids_to_sids':
winbindd/idmap_ad.c:390: error: incompatible types in assignment
winbindd/idmap_ad.c:410: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:412: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c: In function 'idmap_ad_sids_to_unixids':
winbindd/idmap_ad.c:583: error: incompatible types in assignment
winbindd/idmap_ad.c:603: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:605: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c: In function 'nss_ad_get_info':
winbindd/idmap_ad.c:874: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:875: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:876: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:906: error: incompatible types in assignment
winbindd/idmap_ad.c:912: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:913: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:914: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c: In function 'nss_ad_map_to_alias':
winbindd/idmap_ad.c:985: error: incompatible types in assignment
winbindd/idmap_ad.c:991: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c: In function 'nss_ad_map_from_alias':
winbindd/idmap_ad.c:1064: error: incompatible types in assignment
winbindd/idmap_ad.c:1071: warning: assignment makes pointer from integer without a cast
The following command failed:
cc -O2 -pipe -fno-strict-aliasing -I. -I/usr/ports/net/samba35/work/samba-3.5.6/source3 
-I/usr/ports/net/samba35/work/samba-3.5.6/source3/iniparser/src -Iinclude 
-I./include  -I. -I. -I./../lib/replace -I./../lib/tevent -I./libaddns -I./librpc 
-I./.. -DHAVE_CONFIG_H  -I/usr/local/include -Iinclude -I./include -I. -I. 
-I./../lib/replace -I./../lib/tevent -I./libaddns -I./librpc -I./.. 
-I./../lib/popt -I/usr/local/include  -I/usr/ports/net/samba35/work/samba-3.5.6/source3/lib -I.. 
-I../source4 -D_SAMBA_BUILD_=3 
-D_SAMBA_BUILD_=3  -fPIC -DPIC -c winbindd/idmap_ad.c -o winbindd/idmap_ad.o
gmake: *** [winbindd/idmap_ad.o] Error 1
*** Error code 1

Stop in /usr/ports/net/samba35.
*** Error code 1

Stop in /usr/ports/net/samba35.
```


----------



## pruik (Nov 5, 2010)

Hmmm, tried it again and succeeded in compiling Samba 3.5.6 with sysutils/libsunacl. Great!

I can edit ACL's from Windows clients but receive a warning about permissions being incorrectly ordered.

Getting closer ;-)


----------



## dvg_lab (Nov 9, 2010)

I had the same effect: incorrectly ordered permissions. I still haven't tried UFS2 and etc. because I absolutely have no free time to experiment with Samba.


----------



## gosevo (Nov 10, 2010)

*I managed to win "incorrectly ordered"*

*HELLO ALL*
Now I run a file server ZFS+SAMBA(3.5.6)+AD.
That's the part of my configuration which works from Windows, and everything is correctly ordered.

```
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        server string = FILESERVER
        security = ADS
        allow trusted domains = No
        map to guest = Bad User
        password server = 192.168.0.228
        client NTLMv2 auth = Yes
        map untrusted to domain = Yes
        log file = /var/log/samba/log.%m
        max log size = 50000
        unix extensions = No
        client signing = Yes
        load printers = No
        printcap name = /etc/printcap
        disable spoolss = Yes
        os level = 10
        local master = No
        domain master = No
        dns proxy = No
        idmap alloc backend = tdb
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        template homedir = /tank/home/%U
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        admin users = DOMAIN\it-mans
        write list = DOMAIN\it-mans
        hosts allow = 192.168.0., 192.168.1., 127.
        map acl inherit = Yes
        case sensitive = No

[homes]
        comment = Home Directories
        read only = No
        browseable = No
        root preexec = /usr/bin/createhome.sh '%U'
        vfs objects = zfsacl
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = yes

[data]
        comment = Shares for Documents
        path = /tank/data
        read only = No
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        map archive = No
        map readonly = no
        vfs objects = zfsacl
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = yes
```


----------



## pruik (Nov 10, 2010)

Thanks for the update Gosevo!

Did you also set `aclmode=passthrough` and `aclinherit=passthrough` on tank/data in order to get this setup working correctly?


----------



## pruik (Nov 10, 2010)

*Alternative solution?*

Anybody tried vfs_acl_tdb in order to map Windows ACL's correctly as workaround?

http://www.samba.org/samba/docs/man/manpages-3/vfs_acl_tdb.8.html


----------



## gosevo (Nov 10, 2010)

*Hi pruik*
Of course I have set these parameters.
Here are my file system settings:

```
fileserver# zfs get all tank/data
NAME       PROPERTY              VALUE                  SOURCE
tank/data  type                  filesystem             -
tank/data  creation              Tue Sep 28 11:54 2010  -
tank/data  used                  182M                   -
tank/data  available             1.53T                  -
tank/data  referenced            182M                   -
tank/data  compressratio         1.00x                  -
tank/data  mounted               yes                    -
tank/data  quota                 none                   default
tank/data  reservation           none                   default
tank/data  recordsize            128K                   default
tank/data  mountpoint            /tank/data             default
tank/data  sharenfs              off                    default
tank/data  checksum              on                     default
tank/data  compression           off                    default
tank/data  atime                 on                     default
tank/data  devices               on                     default
tank/data  exec                  on                     default
tank/data  setuid                on                     default
tank/data  readonly              off                    default
tank/data  jailed                off                    default
tank/data  snapdir               hidden                 default
tank/data  aclmode               passthrough            local
tank/data  aclinherit            passthrough            local
tank/data  canmount              on                     default
tank/data  shareiscsi            off                    default
tank/data  xattr                 off                    temporary
tank/data  copies                1                      default
tank/data  version               3                      -
tank/data  utf8only              off                    -
tank/data  normalization         none                   -
tank/data  casesensitivity       sensitive              -
tank/data  vscan                 off                    default
tank/data  nbmand                off                    default
tank/data  sharesmb              off                    default
tank/data  refquota              none                   default
tank/data  refreservation        none                   default
tank/data  primarycache          all                    default
tank/data  secondarycache        all                    default
tank/data  usedbysnapshots       0                      -
tank/data  usedbydataset         182M                   -
tank/data  usedbychildren        0                      -
tank/data  usedbyrefreservation  0                      -
```

And I also noticed that files created in Total Commander violate the order: @everyone appears at the top, while creating directories is fine.
Windows Commander and FAR Commander are all right.

I tried to work with vfs_acl_xattr and vfs_acl_tdb, but they do not work correctly with ZFS.


----------



## gabell (Dec 20, 2010)

Seems it works well after upgrade to V28 on 8-STABLE.


----------



## jyavenard (Dec 25, 2010)

On "stable" is the v28 patch on RELENG_8 ?

I got the latest one from: http://people.freebsd.org/~pjd/patches/zfs_20101212.patch.bz2

and it applies fine on today's cvsup..

Has anyone run into problems?


----------



## dzilavy (Mar 20, 2011)

*FreeBSD 8.2 - Samba and ZFS*

I'm using 8.2 with Samba 3.5.6 and a ZFS share.  I followed the instructions in this thread but I'm getting the incorrectly ordered error message.

I compiled Samba 3.5.6 with ACL_SUPPORT, which pulls in vfs_zfsacl and libsunacl.

Makefile

```
.if defined(WITH_ACL_SUPPORT)
CONFIGURE_ARGS+=        --with-acl-support
.       if ${OSVERSION} > 800000
WANT_EXP_MODULES+=      vfs_zfsacl
LIB_DEPENDS+=           sunacl.1:${PORTSDIR}/sysutils/libsunacl
.       endif
.else
CONFIGURE_ARGS+=        --without-acl-support
.endif
```

And work/samba-3.5.6/source3/configure appears to fix up the references to sys/acl.h to reference sunacl.h.

```
for ac_header in sys/acl.h acl/libacl.h sunacl.h
do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
  cat >>confdefs.h <<_ACEOF     
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
          
fi
        
done
```

The share has aclmode and aclinherit set to passthrough.

```
NAME               USED  AVAIL  REFER  MOUNTPOINT
zdisk              355K  39.0G  30.6K  /zdisk
zdisk/share       58.6K  39.0G  30.6K  /zdisk/share
zdisk/share/user  28.0K  39.0G  28.0K  /zdisk/share/user

zdisk/share/user  aclmode               passthrough            inherited from zdisk/share
zdisk/share/user  aclinherit            passthrough            inherited from zdisk/share
```

Here's the smb.conf.

```
[global]
    workgroup = WORKGROUP
    netbios name = FILER
    server string = FILER

    unix extensions = No
    dns proxy = No
    map acl inherit = Yes

    log file = /var/log/samba/log.%m
    max log size = 50

[share]
    path = /zdisk/share/user
    valid users = user
    read only = No
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes
    map archive = No
    map readonly = no
    vfs objects = zfsacl
    nfs4:acedup = merge
    nfs4:mode = special
    nfs4:chown = yes
```

What am I missing?


----------



## jlohiser (Mar 21, 2011)

*Use setfacl, for now...*

I opened this thread initially.  Unfortunately, work became crazy for a few months and I was unable to follow up.  Since then, I have upgraded my server to 8.2-RELEASE and I am using the new Samba 3.5 port.  This is great since I no longer need to patch the port to get ZFS ACL support.  I just needed to *make config* the port and pick the appropriate build options.

In regards to incorrectly ordered permissions, I cannot confirm that gosevo's configuration works to fix the ordering issue.  If you set the permissions via Windows and then look at them via *getfacl*, you can see what Windows is trying to do.  To the best of my understanding, it would appear that the ZFS/FreeBSD ACL and the Windows ACL ordering are not truly compatible.  The solution would probably be a patch for Samba that would translate the ordering so that Windows sees the ordering it needs and ZFS gets the correct actual ACL's.

On my server, I simply set all of the permissions directly with *setfacl*.  I have given up using the Windows interface for now.  Doing this, I am able to get the proper permissions on the server (i.e. in FreeBSD) and on my Windows and Mac clients via Samba.  Here is what I do. (I am not in front of my server right now, so please forgive me if the syntax is not correct.)

1) I create the root of my share.  For me, this usually involves creating a new ZFS filesystem on my storage pool (*zfs create -o utf8only=on tank/Pictures*).

2) Next I set the ZFS inheritance options. *zfs aclmode=passthrough tank/Pictures* and *zfs set aclinherit=passthrough tank/Pictures*. (Yeah, I know these probably can be combined into step 1, but I am doing this from memory.)

3) I modify the default permissions with *chown*.  For example, if I know that "other" users should not ever access these files, I do *chown o-rwx /tank/Pictures*.  Do the same with the group permission if you know what you need.

4) Now look at the ACL's with *getfacl* and take note of them. I try to leave the defaults alone, if possible.  I also usually leave root as the owner.

5) Now I add my per user permissions.  Usually this involves giving me full control.  So use *setfacl* to insert my username at the TOP of the ACL permission set with the appropriate permissions.  For my user, I allow everything.  I also set file_inherit and dir_inherit on (I think?).

As I said, this works great for me.  I do not know if this can be translated into a working setup for an Active Directory integrated server.

Since OpenSolaris uses its kernel based SMB/CIFS server, it does not seem to have these issues (at least I have not noticed them as much).  Like I said, I think the current answer would lie in some sort of ACL ordering translator in Samba to "fix" the view Windows sees.

I really hope a resolution can be found.  I have been eagerly following the progress of ZFS on FreeBSD.  I am so anxious to try 9.0 as I think it has v28.  I am also very excited by the continuing development progress on redesigned version of FreeNAS.  If this issue can be corrected, it would make FreeBSD and FreeNAS into an awesome file server platform. 

Hope this helps even a little bit.  Good luck!
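The five steps above, written out as a script with FreeBSD's actual setfacl(1) syntax filled in. This is an added example, not jlohiser's own script and nothing from the Samba port; the pool and dataset (tank/Pictures), the user (jim) and the group (staff) are assumed names. The mode-bit step uses chmod, the command that changes mode bits, `setfacl -a 0` inserts at position zero (the "top of the ACL" the post refers to), and `full_set` / `modify_set` are the permission-set aliases setfacl(1) accepts for NFSv4 entries.

```python
"""Scripted form of the setfacl-based share setup described in this thread.
Added example, not the poster's own script.  Hypothetical names: pool 'tank',
dataset 'Pictures', user 'jim', group 'staff'.
"""
from __future__ import annotations
import shlex
import subprocess

# FreeBSD setfacl(1): NFSv4 permission-set aliases, single-letter permission
# bits, and inheritance flags (f=file_inherit d=dir_inherit i=inherit_only
# n=no_propagate).
PERM_SETS = {"full_set", "modify_set", "read_set", "write_set"}
PERM_LETTERS = set("rwxpDdaARWcCos")
INHERIT_FLAGS = set("fdin")


def ace(kind: str, who: str, perms: str, inherit: str = "fd", allow: bool = True) -> str:
    """Build one NFSv4 entry in setfacl syntax, e.g. 'user:jim:full_set:fd:allow'.
    Validates the pieces so a typo fails here rather than on the file server."""
    if kind not in {"user", "group"}:
        raise ValueError("kind must be 'user' or 'group'")
    if perms not in PERM_SETS and not (perms and set(perms) <= PERM_LETTERS):
        raise ValueError(f"bad permission spec: {perms!r}")
    if not set(inherit) <= INHERIT_FLAGS:
        raise ValueError(f"bad inheritance flags: {inherit!r}")
    return f"{kind}:{who}:{perms}:{inherit}:{'allow' if allow else 'deny'}"


def plan(dataset: str, mountpoint: str, grants: list[str]) -> list[list[str]]:
    """The command sequence as argv lists:
    1-2) create the dataset with ZFS owning ACL inheritance (passthrough),
    3)   close the share to 'other' with chmod,
    4-5) insert each grant at the TOP of the ACL (position 0) so first-match
         evaluation sees it before the owner@/group@/everyone@ defaults,
    6)   print the result for review."""
    cmds = [
        ["zfs", "create", "-o", "utf8only=on",
         "-o", "aclmode=passthrough", "-o", "aclinherit=passthrough", dataset],
        ["chmod", "o-rwx", mountpoint],
    ]
    # Insert in reverse so the first grant listed ends up first in the ACL.
    for entry in reversed(grants):
        cmds.append(["setfacl", "-a", "0", entry, mountpoint])
    cmds.append(["getfacl", mountpoint])
    return cmds


def apply(cmds: list[list[str]], dry_run: bool = True) -> list[str]:
    """Return the shell-quoted command lines; with dry_run=False also run them
    (needs root on the file server, stops at the first failing command)."""
    lines = [shlex.join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return lines


if __name__ == "__main__":
    grants = [ace("user", "jim", "full_set"), ace("group", "staff", "modify_set")]
    for line in apply(plan("tank/Pictures", "/tank/Pictures", grants)):
        print(line)
```

The default is a dry run that only returns the command lines, so the plan can be reviewed before `apply(cmds, dry_run=False)` executes it on the server. Inserting the grants at position 0 is what matters: NFSv4 evaluates entries in stored order, so a full-control entry placed ahead of the default owner@/group@/everyone@ entries decides every permission bit for that user before the defaults are consulted.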


----------



## dzilavy (Mar 23, 2011)

jlohiser,

You appear to be dead on.  I modified vfs_zfsacl.c to return non-inherited DENY ACEs before ALLOW ACEs and Windows is happy.  Unfortunately, when you update the file permissions via Windows, ZFS doesn't like Windows' ACE ordering.

From what I can tell Windows and ZFS/NFSv4 ACL ordering rules differ.
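To make the two ordering rules concrete: Windows requires a DACL in "canonical" order (explicit deny, explicit allow, inherited deny, inherited allow) and shows the "incorrectly ordered" warning otherwise, while ZFS stores and evaluates NFSv4 entries in exactly the order given, first match per permission bit. The script below is an added example, not from the thread, from Samba or from FreeBSD. It parses the getfacl output dvg_lab posted for test.doc, finds the entry that trips the Windows check, re-sorts the list into Windows order (what dzilavy's vfs_zfsacl.c change did for the read side), and then computes effective permissions under NFSv4 first-match rules before and after the re-sort. It treats an entry as inherited only when its flags field carries the `I` letter that newer FreeBSD getfacl prints; the 8.1 output above has no such flag, so every entry there counts as explicit.

```python
"""Check an NFSv4 ACL, as printed by FreeBSD getfacl, against the ACE order
Windows expects, and show what re-ordering does to effective access.
Added example; not code from this thread, from Samba or from FreeBSD.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

# One getfacl entry: tag:permissions(14 letters):flags(6 or 7):allow|deny
# Permission letters in FreeBSD order: r w x p D d a A R W c C o s
ACE_RE = re.compile(
    r"^\s*(?P<tag>owner@|group@|everyone@|user:[^:]+|group:[^:]+)"
    r":(?P<perms>[rwxpDdaARWcCos-]{14})"
    r":(?P<flags>[fdinSFI-]{6,7})"
    r":(?P<kind>allow|deny)\s*$"
)
ALL_PERMS = "rwxpDdaARWcCos"

# Copied from dvg_lab's post above (the ACL Samba left on test.doc).
SAMPLE_TEST_DOC = """\
# file: /noc/shares/general/inherit/test.doc
# owner: root
# group: domain users
group:domain users:rwxpDdaARWcCos:------:allow
      group:office:rwxpDdaARWcCos:------:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:------:deny
            group@:rwxp----------:------:allow
         everyone@:-------A-W-Co-:------:deny
         everyone@:rwxp--a-R-c--s:------:allow
"""


@dataclass(frozen=True)
class Ace:
    tag: str
    perms: str
    flags: str
    kind: str  # "allow" or "deny"

    @property
    def inherited(self) -> bool:
        # 'I' is the inherited flag newer FreeBSD getfacl prints; the 8.x
        # output in the thread has no such flag, so nothing counts as inherited.
        return "I" in self.flags

    def rank(self) -> int:
        # Windows canonical DACL order: explicit deny (0), explicit allow (1),
        # inherited deny (2), inherited allow (3).
        return (2 if self.inherited else 0) + (1 if self.kind == "allow" else 0)


def parse_getfacl(text: str) -> list[Ace]:
    """Parse getfacl output; '#' header lines and blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        aces.append(Ace(m["tag"], m["perms"], m["flags"], m["kind"]))
    return aces


def first_violation(aces: list[Ace]) -> int | None:
    """Index of the first entry that breaks canonical order, or None.
    This is the condition behind the Windows 'incorrectly ordered' warning."""
    for i in range(1, len(aces)):
        if aces[i].rank() < aces[i - 1].rank():
            return i
    return None


def canonicalize(aces: list[Ace]) -> list[Ace]:
    """Stable re-sort into Windows order (what a re-ordering shim would do)."""
    return sorted(aces, key=Ace.rank)


def effective(aces: list[Ace], matches: set[str]) -> str:
    """NFSv4 first-match evaluation for a requester who matches the given
    tags: walking the ACL in stored order, the first matching entry that
    mentions a permission bit decides it.  Returns the bits finally granted."""
    decided: dict[str, bool] = {}
    for ace in aces:
        if ace.tag not in matches:
            continue
        for bit in ace.perms:
            if bit != "-" and bit not in decided:
                decided[bit] = ace.kind == "allow"
    return "".join(b for b in ALL_PERMS if decided.get(b))


if __name__ == "__main__":
    aces = parse_getfacl(SAMPLE_TEST_DOC)
    print("first out-of-order entry:", first_violation(aces))
    # A 'domain users' member who is not root: matches the group entry,
    # group@ (owning group is 'domain users') and everyone@.
    member = {"group:domain users", "group@", "everyone@"}
    print("as stored:    ", effective(aces, member))
    print("Windows order:", effective(canonicalize(aces), member))
```

For a member of "domain users" the stored ACL grants all fourteen bits, because the group entry comes first and decides everything. Once the everyone@ deny is moved ahead of it, as Windows ordering requires, that same member loses write_attributes, write_xattr, write_acl and write_owner (A, W, C, o). That is the incompatibility dzilavy describes: a re-sort that satisfies the Windows check changes what ZFS enforces, so a translation layer cannot simply sort the entries; it has to rewrite them so both orderings express the same access.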


----------



## AndyUKG (Mar 25, 2011)

For Solaris ZFS based systems apparently Sun recommend setting:


```
vfs objects = zfsacl
inherit permissions = Yes
inherit acls = Yes
nfs4:acedup = merge
nfs4:chown = yes
nfs4: mode = special
zfsacl: acesort = dontcare
```

A couple of things in there, such as *chown* and *acesort* don't seem to have been set by people on this thread, perhaps they might help, if they aren't Solaris specific...?

ta Andy.


----------



## ovi_diu (Jun 10, 2011)

*file size won't change after editing*

I'm using FreeBSD 8.2, ZFS ACL and Samba 3.5.8 and I have a problem. With Samba 3.5.6 was the same. I create a file and after editing the file the size won't modify until I press F5 (refresh). I'm using Windows XP, Windows 7, both with Windows Explorer as client and I have the same issue with KDE - Dolphin. 

I don't know what to do. Please tell me if I could change something.


----------

