default extended file attributes on ZFS

Boeri


#1
I'm running the latest FreeBSD 10.0-CURRENT with samba 3.6.5.
I'm sharing some folders from a ZFS file system.

Code:
properties of the zfs filesystem:
tank/users  aclmode               passthrough              inherited from tank
tank/users  aclinherit            passthrough              received
When I create a file via a Windows client on the shared volume, the following ACL is applied:

Code:
getfacl New\ Text\ Document.txt
# file: New Text Document.txt
# owner: administrator
# group: domain users
            owner@:rw-p--aARWcCo-:------:allow
            group@:rw-p--a-R-c---:------:allow
         everyone@:------a-R-c---:------:allow
Code:
 ls -l New\ Text\ Document.txt
-rw-rw----+ 1 administrator  domain users  0 Jul 24 10:46 New Text Document.txt
I don't want to see everyone listed in the ACL (with the following ACEs: read attributes, read extended attributes, read permissions) on the Windows clients.
Is this "everyone@:------a-R-c---:------:allow" implemented by FreeBSD by default? Can I filter this or change the default extended attributes? Is this defined by the NFSv4 standard?


smb.conf
Code:
ea support = Yes

[data]
comment = Shares for Documents
path = /tank/users/
admin users = "@DOMAIN\domain administrators"
 map acl inherit = yes
 browseable = yes
 public = yes
 writable = yes
 inherit permissions = yes
 posix locking = yes
 nt acl support = yes
 create mask = 0770
 directory mask = 0770
 strict locking = no
 store dos attributes = yes
 csc policy = disable

 inherit acls = Yes
 inherit owner = Yes
 map archive = No
 map readonly = no
 vfs objects = zfsacl
 nfs4:mode = special
 nfs4:acedup = merge
 nfs4:chown = yes
 

gkontos


#2
The following code gives full access to the group users and no access at all to guests. You can adjust it for domain users.

Code:
     create mask = 660
     force create mode = 660
     security mask = 660
     force security mode = 660
     directory mask = 2770
     force directory mode = 2770
     directory security mask = 2770
     force directory security mode = 2770
     write list = @users
 

Sebulon


#3
@Boeri

Map the share in windows with a user that has admin permissions in SAMBA and then you can remove "everyone" from the ACL in Properties -> Security, just like normal.

/Sebulon
 

Boeri


#4
Thanks for the replies guys.
I know that I can delete them in windows or on the freebsd side, but I would like to know why this is happening and if I can change this behavior.

I want to know who sets the read attributes, read extended attributes and read permissions bits for "everyone". I don't have this behavior on an OpenSolaris box; just the owner and group permissions are listed.
 

Sebulon


#5
@Boeri

Well, that just sounds like standard Unix 755. Either ZFS "feels" how you chmod or it is hardcoded to reflect the standard. But if you look at how the ZFS ACLs looked back in 8.0, e.g., you would see waaay bigger differences than there are now.

/Sebulon
 

Sebulon


#6
@Boeri

You know, I see what you mean now. I've just set up a FreeBSD-9.0 SAMBA 3.6.5 storage unit, and it's behaving just as you've described; it's rather annoying actually. It's not behaving like our old SUN/Oracle or NetApp units did/do. With SUN, you had Owner, Group and Everyone, and if you deleted those from the ACLs, they weren't inherited. With NetApp, you get a new share that's "Everyone - Full Control" from the start and you have to modify that to suit your needs. And I've set up this machine just like the ACLs we use in our NetApps, but it behaves very differently. It seems as if owner@, group@ and everyone@ are always inherited no matter what you do. How did you manage it?

@gkontos

I tested having those settings listed in each share but they aren't honored by either SAMBA, ZFS, or both. It feels as if the standard Unix 755 is always applied, no matter what.


/Sebulon
 

gkontos


#7
Sebulon said:
I tested having those settings listed in each share but they aren't honored by either SAMBA, ZFS, or both. It feels as if the standard Unix 755 is always applied, no matter what.
/Sebulon
You have to set the permissions on the parent shared directory to 2770

Code:
# chmod -R 2770 /parent

Please tell me if this doesn't work either.
 

Sebulon


#8
@gkontos

Well, that's not exactly what I want. Let me show you how I set it up:

Code:
# zfs get aclmode,aclinherit pool2/storage
NAME           PROPERTY    VALUE          SOURCE
pool2/storage  aclmode     passthrough    local
pool2/storage  aclinherit  passthrough    local
# ls -1 /export/storage/
home
netlogon
profile
# chmod 0700 /export/storage/home
# getfacl /export/storage/home
# file: /export/storage/home/
# owner: root
# group: BUILTIN.users
            owner@:rwxp--aARWcCos:------:allow
            group@:------a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow

You see? Here, I would have thought that 0700 meant more like:
Code:
            owner@:rwxp--aARWcCos:------:allow
            group@:--------------:------:allow
         everyone@:--------------:------:allow
Or just straight up:
Code:
            owner@:rwxp--aARWcCos:------:allow
Also, why doesn't "7" include "D" and "d" in the ACL? It should, right?

/Sebulon
 

gkontos


#9
I am really confused now! Here is an example of a working directory where group users can read, write and the permissions to the new directories get inherited. It is a ZFS dataset but the permissions have been set at the fs level.

Code:
root@hp:/tank # getfacl share
# file: share
# owner: root
# group: users
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
Code:
root@hp:/tank # zfs get aclmode,aclinherit tank/share
NAME        PROPERTY    VALUE          SOURCE
tank/share  aclmode     discard        default
tank/share  aclinherit  restricted     default
Code:
root@hp:/tank # ls -alh
drwxrws---   2 root     users       2B Sep 26 11:49 share
 

Sebulon


#10
@gkontos

What is it that you are confused about?

My problem is that when you create a zfs dataset, mkdir and mount that, I usually start by:
Code:
# zfs create pool2/storage/share
# mkdir /export/storage/share
# mount -t zfs pool2/storage/share /export/storage/share/
# ls -lah /export/storage/
...
drwxr-xr-x  2 root  wheel        2B Sep 27 07:12 share
# getfacl /export/storage/share/
# file: /export/storage/share/
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow
# chmod 0700 /export/storage/share
# ls -lah /export/storage/
...
drwx------  2 root  wheel        2B Sep 27 07:12 share
# getfacl /export/storage/share/
# file: /export/storage/share/
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:------:allow
            group@:------a-R-c--s:------:allow
         everyone@:------a-R-c--s:------:allow
Ok, so here, I would have thought that you didn't even have to see group@ and everyone@, as they both got set to "0", and they don't have to be in the ACL for this kind of sharing to work. And how come owner@ can delete if it isn't allowed in the ACL? What I do next is to:
Code:
# setfacl -m group:16724:rwxpDdaARWcCo-:fd----:allow /export/storage/share
(BUILTIN.SYSTEM)
# setfacl -m group:16725:rwxpDdaARWcCo-:fdi---:allow /export/storage/share
(BUILTIN.CREATOR\ OWNER)
# setfacl -m group:BUILTIN.administrators:rwxpDdaARWcCo-:fd----:allow /export/storage/share
(Nestled with DOMAIN.administrators in SAMBA)
# setfacl -m group:BUILTIN.users:r-xp--a-R-c---:fd----:allow /export/storage/share
(Nestled with DOMAIN.users in SAMBA)
# setfacl -x 1 /export/storage/share/
# setfacl -x 1 /export/storage/share/
# getfacl /export/storage/share/
# file: /export/storage/share/
# owner: root
# group: wheel
group:BUILTIN.users:r-xp--a-R-c---:fd----:allow
group:BUILTIN.administrators:rwxpDdaARWcCo-:fd----:allow
       group:16725:rwxpDdaARWcCo-:fdi---:allow
       group:16724:rwxpDdaARWcCo-:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
And these are the only ACLs I want to have for the underlying folders, which allows BUILTIN->DOMAIN.users to automatically create a home folder when they log in with a roaming profile and redirected home folder. But when you create a subfolder, group@ and everyone@ magically come back alive as "55":
Code:
# mkdir /export/storage/share/test
# getfacl /export/storage/share/test/
# file: /export/storage/share/test/
# owner: root
# group: wheel
group:BUILTIN.users:r-xp--a-R-c---:fd----:allow
group:BUILTIN.administrators:rwxpDdaARWcCo-:fd----:allow
       group:16725:rwxpDdaARWcCo-:fd----:allow
       group:16724:rwxpDdaARWcCo-:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow
WTF?! Stay out of my life! :) And remember that all commands were issued directly in the filesystem; I haven't mixed in SAMBA yet, so it can't be SAMBA's "fault"...

And I think this was what Boeri was experiencing as well. Am I "holding it wrong"?

/Sebulon
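As an added example (not from the thread or from FreeBSD/Samba), here is a small Python script that parses FreeBSD getfacl(1) output like the listings above, recovers the rwx mode bits that the owner@/group@/everyone@ entries encode, and reports what everyone@ is granted beyond the read-attributes/read-xattr/read-ACL/synchronize baseline that both posts are puzzled by. The two sample ACLs are copied from the getfacl output in post #10 (fresh dataset, then after chmod 0700); the flag-letter set and the mode mapping (ZFS expresses mode "w" as w plus p) are assumptions based on FreeBSD's setfacl(1) conventions.

```python
import re

# Letter order used by FreeBSD getfacl(1) for NFSv4 ACEs: rwxpDdaARWcCos.
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# Bits every mode-derived entry carries even for mode 0 (the a-R-c--s seen in the thread).
TRIVIAL_BASELINE = set("aRcs")
# who : 14 permission letters : inheritance flags (assumed set f d i n S F I) : type
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<perms>[rwxpDdaARWcCos-]{14}):"
                    r"(?P<flags>[fdinSFI-]+):(?P<type>allow|deny)$")

def parse_acl(text):
    """Turn getfacl output into ACE dicts; '# file/owner/group' header lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        aces.append({"who": m["who"], "type": m["type"],
                     "perms": set(m["perms"]) - {"-"}, "flags": set(m["flags"]) - {"-"}})
    return aces

def allowed(aces, who):
    """Union of permissions granted to one principal by its allow entries (deny entries ignored)."""
    return set().union(*(a["perms"] for a in aces if a["who"] == who and a["type"] == "allow"))

def everyone_excess(aces):
    """What everyone@ gets beyond the metadata-read baseline, as permission names."""
    return sorted(PERM_NAMES[p] for p in allowed(aces, "everyone@") - TRIVIAL_BASELINE)

def mode_from_trivial(aces):
    """Recover rwx mode bits from owner@/group@/everyone@ (ZFS maps mode 'w' to w+p)."""
    mode = 0
    for who, shift in (("owner@", 6), ("group@", 3), ("everyone@", 0)):
        p = allowed(aces, who)
        mode |= ((4 if "r" in p else 0) | (2 if "w" in p else 0) | (1 if "x" in p else 0)) << shift
    return mode

# Constructed from the getfacl output posted in #10: fresh dataset, then after chmod 0700.
ACL_FRESH = """# file: /export/storage/share/
owner@:rwxp--aARWcCos:------:allow
group@:r-x---a-R-c--s:------:allow
everyone@:r-x---a-R-c--s:------:allow"""
ACL_0700 = """owner@:rwxp--aARWcCos:------:allow
group@:------a-R-c--s:------:allow
everyone@:------a-R-c--s:------:allow"""

if __name__ == "__main__":
    for label, text in (("fresh", ACL_FRESH), ("chmod 0700", ACL_0700)):
        aces = parse_acl(text)
        print(f"{label}: mode {mode_from_trivial(aces):04o}, everyone@ excess {everyone_excess(aces)}")
```

Running it against the 0700 listing reports an empty excess for everyone@, i.e. the entry only exposes metadata reads, which is why `ls -l` still shows `drwx------`.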
 

gkontos


#11
@Sebulon,

I recently stumbled upon a similar situation where I had to make a PDC. I thought about you in the end ;)

Code:
[project_hg]
      comment = Project_hg Users
      path = /tank/samba/project_hg
      valid users = @"DOMAIN\project_hg", @"DOMAIN\domain admins"
      admin users = @"DOMAIN\project_hg", @"DOMAIN\domain admins"
      map acl inherit = yes
      browseable = yes
      public = yes
      writable = yes
      inherit permissions = yes
      posix locking = yes
      nt acl support = yes
      create mask = 0775
      directory mask = 0775
      strict locking = no
      store dos attributes = yes
      csc policy = disable
      inherit acls = Yes
      inherit owner = Yes
      map archive = No
      map readonly = no
      vfs objects = zfsacl
      nfs4:mode = special
      nfs4:acedup = merge
      nfs4:chown = yes
# zfs get all tank/samba/project_hg

Code:
tank/samba/project_hg  aclmode              passthrough            
tank/samba/project_hg  aclinherit            passthrough
 