Samba AD Member, ZFS and ACLs

nebu

New Member


Messages: 7

#1
Hi,

I am currently trying to set up a Samba file server as a member of an existing Active Directory. Basic things worked, i joined the domain, I can see users and groups and my shares are visible in the Network.

What does not work are ACLs.I have tried various configurations and read through many tutorials and the posts in this forum. Still no success.

My smb4.conf looks like this:

Code:
[global]
  workgroup = TEST
  server string = Samba Server Version %v
  security = ads
  realm = Test.local
  use sendfile = true

  idmap config * : backend = tdb
  idmap config * : range = 100000-299999
  idmap config TEST : backend = rid
  idmap config TEST : range = 10000-99999
  winbind separator = +
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  winbind refresh tickets = yes

  restrict anonymous = 2
  log file = /var/log/samba4/log.%m
  max log size = 50
  vfs objects = acl_xattr
  map acl inherit = yes
  store dos attributes = yes

[test]
  path = /storage/samba/test/
  read only = No
  vfs objects = zfsacl
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = yes
  nt acl support = yes
  store dos attributes = yes
With this config I don't even see the security tab in the Windows management console. When removing the nfsv4 stuff, like this

Code:
 [test]
  path = /storage/samba/test/
  read only = No
  #inherit permissions = yes
  #inherit acls = Yes
I can see the security tab but saving permissions is not possible.
zfs is set to aclmode =passthrough aclinherit=passthrough

OS is FreeBSD 10.3, Samba44 built from ports.

Can anyone tell me what I am doing wrong? I'll greatly appreciate any help on this.

Regards,
Ben
 
OP
OP
N

nebu

New Member


Messages: 7

#2
I think the problem might not originate in Samba but in the NFSv4-ACLs required.

# getfacl /storage/samba/test
results in
Code:
# file: test
# owner: root
# group: domänen-admins
user::rwx
group::r-x
other::r-x
This looks like POSIX-ACLs to me. I there any setting I missed? I am a bit confused about the NFSv4-ACLs required by Samba on ZFS....

setfacl -m u:administrator:rwxp::allow /storage/samba/test/
gives me
Code:
setfacl: /storage/samba/test/: acl_get_file() failed: Operation not supported

Sorry for the wrong formatting in the previous post. I'll do better now.

Regards,
Ben
 

JinSoo Suh

New Member


Messages: 6

#3
Dear nubu,

/usr/local/share/doc/samba44/README.FreeBSD
Code:
You may find this tutorial useful, if you happen to run Samba4 on ZFS-root:

  o http://glsan.com/community/samba4
Did you grant the SeDiskOperatorPrivilege privilege to "Domain Admins" as explained in "Shares with Windows ACLs"?

Code:
# zfs create -o aclinherit=passthrough -o aclmode=passthrough /storage/samba/test
# chown root:'domain users' /storage/samba/test
# setfacl -m g:’domain users’:modify_set:fd----:allow /storage/samba/test
# setfacl -m g:'domain admins':full_set:fd----:allow /storage/samba/test
# getfacl /storage/samba/test
 
OP
OP
N

nebu

New Member


Messages: 7

#4
JinSoo Suh, Thank you SO much!

This:
Code:
# zfs create -o aclinherit=passthrough -o aclmode=passthrough /storage/samba/test
# chown root:'domain users' /storage/samba/test
# setfacl -m g:’domain users’:modify_set:fd----:allow /storage/samba/test
# setfacl -m g:'domain admins':full_set:fd----:allow /storage/samba/test
# getfacl /storage/samba/test
worked. I have no Idea what I did wrong before, but this works perfecly.

Regards,
Ben
 
OP
OP
N

nebu

New Member


Messages: 7

#5
Solved! The ZFS Filesystems were not properly mounted after a reboot. Just ignore this post.

Well, I guess I still haven't resolved this.

The above way worked so far, I copied the data in the respective shares, set ACLs, mounted the shares on the clients. So far so good.

But this morning the shares aren't accessible by the clients anymore. Same errors as before. getfacl only gives POSIX-ACLs, the NFSv4-ACLs are gone:
getfacl /storage/home
Code:
# file: /storage/home
# owner: root
# group: wheel
user::rwx
group::r-x
other::r-x

If I create new shares as described by JinSoo Suh ACLs are as they should be, but the existing ones are messed up:

zfs create -o aclinherit=passthrough -o aclmode=passthrough storage/tester2
chown root:'domänen-benutzer' /storage/tester2
setfacl -m g:"domänen-benutzer":modify_set:fd----:allow /storage/tester2
setfacl -m g:"domänen-admins":full_set:fd----:allow /storage/tester2
getfacl /storage/tester2


Code:
# file: /storage/tester2
# owner: root
# group: domänen-benutzer
group:domänen-admins:rwxpDdaARWcCos:fd-----:allow
group:domänen-benutzer:rwxpDdaARWc--s:fd-----:allow
  owner@:rwxp--aARWcCos:-------:allow
  group@:r-x---a-R-c--s:-------:allow
  everyone@:r-x---a-R-c--s:-------:allow


I added a cache drive to the zpool yesterday, but that should not affect the ZFS filesystems on the pool. It never did on all the other machines I have running with FreeBSD and ZFS.

Edit: This does not seem a samba issue but a zfs issue to me.

Regards,
Benjamin
 
Top