Samba with NFSv4/ZFS ACL Support

Hello all. I was hoping I could start a discussion regarding Samba and the use of NFSv4 ACL's on ZFS.

I have been working for several days to allow Samba to use the new NFSv4 ACL's that are available with FreeBSD 8.1 and ZFS. I checked the existing Samba versions in the ports collection and I did not see any support for this feature. The only information that I could find regarding this subject was some references in http://wiki.freebsd.org/NFSv4_ACLs and some references to Samba and its vfs_zfsacl module in a Solaris forum. I was finally able to determine that I needed to customize a port to build this module. I installed the "libsunacl" port and patched the "samba34" port to use this library and to build the vfs_zfsacl module. I also had to tweak the smb.conf to make Samba work properly with this module and the ZFS ACL's.

As of this morning, everything appears to be working properly. I am able to set permissions on my Samba shares via the Security dialogs on Windows XP. The permissions are being changed on the NFSv4 ACLs and I am able to see the changes via getfacl on FreeBSD. I am also able to connect to the share via OS X and the permissions seem to be correct.

This was a rather difficult and time-consuming task. I would rather it not be this difficult for future users. I would like to submit my modifications to the port; however, I am not sure how to do this properly. There are several open questions regarding the port modifications.

1) The vfs_zfsacl module appears to be completely separate from the --with-acl-support configuration option. As such, should vfs_zfsacl be included in the existing ACL_SUPPORT port configuration option or should it be a separate option? Perhaps it should be included in EXP_MODULES instead?

2) OS X was not able to properly "see" the ACL permissions. Windows was able to see the permissions and my username has full access to the share. Connecting to the share with OS X using the same username, I was not able to write to the root of the share. I did, however, have full access to any subfolders. I am not sure if this is an OS X issue or a Samba issue. I had to add "unix extensions = no" to the smb.conf (see http://splatdot.com/fixing-snow-leopard-10-6-3-samba-write-access). I believe there should be a note in the smb.conf installed by the port regarding this issue.

I am hoping that a port maintainer is monitoring this list and could assist me in possibly incorporating these changes in the Samba port(s).

These changes could also benefit other projects, such as FreeNAS. With the apparent death of OpenSolaris, FreeBSD is poised to become the primary open-source OS for ZFS. The continuing development on FreeBSD to add newer versions of ZFS and additional features, such as deduplication, is very exciting. For these reasons, and many others, I believe it would be of great benefit to integrate the features of NFSv4/ZFS into applications such as Samba.
 
jlohiser said:
I am hoping that a port maintainer is monitoring this list and could assist me in possibly incorporating these changes in the Samba port(s).
There aren't a lot of developers on this forum. Your best bet is probably the freebsd-ports mailing list and/or the maintainer of the samba34 port.
 
jlohiser said:
Hello all. I was hoping I could start a discussion regarding Samba and the use of NFSv4 ACL's on ZFS.

I have been working for several days to allow Samba to use the new NFSv4 ACL's that are available with FreeBSD 8.1 and ZFS.

Right now I'm resolving the same issue without success. Could you tell us the configure steps? I think it would be useful for many freebsd/zfs users.
 
I've installed the "libsunacl" port, and also installed samba34 compiled with the vfs_zfsacl module (added WANT_EXP_MODULES+=vfs_zfsacl into the Makefile and changed all "<sys/acl.h>" into "<sunacl.h>" in all Samba files). Samba seems to be working and I can write into shares, but I can't edit ACLs from the Windows dialog. At the same time I can set ACLs from the command line by setfacl and see them in getfacl output, but I don't see any changes in the Windows security properties dialog. What have I missed?

FreeBSD 8.1R amd64,
smb.conf

Code:
[global]
   workgroup = EX
   server string = FS1 Samba Server
   security = ads
   hosts allow = 192.168.200. 192.168.201. 127.
   load printers = no
   log file = /var/log/samba34/log.%m
   max log size = 50
   password server = dc0.ex.com
   realm = EX.COM
   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
   local master = no
   os level = 10
   domain master = no
   preferred master = no
   domain logons = no
   dns proxy = no
   display charset = koi8-r
   unix charset = koi8-r
   dos charset = cp866
   nt acl support = yes
   inherit acls = yes
   map acl inherit = yes
   case sensitive = No
   winbind use default domain = Yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   client ntlmv2 auth = yes
[general]
   comment = Public Stuff
   path = /noc/shares/general
   public = yes
   writable = yes
   printable = no
   write list = @Office
   admin users = druginin
   acl check permissions = True
   vfs objects = zfsacl
   nfs4: mode = special
 
dvg_lab,

You compiled Samba with the same configuration I used. Try setting "acl check permissions = no". As I understand it, that setting is for POSIX ACL's (which we are not trying to use) and will just interfere with the NFSv4 ACL's.

A couple of other notes...

I also have "nfs4:acedup = merge" and "nfs4:chown = yes" in smb.conf as per a recommended Solaris 10 configuration that I found. I have not yet researched their necessity.

If you are attempting to use OS X clients, you will probably need to set "unix extensions = no" in order for them to work properly with the ACL's.

While I was able to edit the ACLs via Windows, I am not certain that it places the ACL entries in the proper order for them to work properly in all circumstances. You will have to test this on your system and check the results.

P.S. Sorry for not replying earlier. I was out of town.

Jim L.
 
Oh, and don't forget about the ZFS options "aclmode" and "aclinherit" and how they affect inherited permissions. You probably want to set "aclmode=passthrough" and "aclinherit=passthrough" on the root of the share.
 
Thanks, jlohiser, now I can edit permissions from the Windows dialog, but something strange occurs. I create a file on the share, then try to view permissions in the Security properties dialog, and Windows complains about wrong permissions ordering (?). After fixing it and setting the right permissions (only one group, "Domain Users", with full access), I try to edit the file in MS Word, then save, and after that I see newly added permissions: the groups "All" and "root (unix User\root)" with special access permissions. Do you know how to change Samba's behavior to a Windows-like mode? Most of the clients of this server will be Windows XP and Windows 7, and all the clients will work with files directly on the shares.

Code:
fs1# zfs get aclinherit zroot/noc/shares
NAME              PROPERTY    VALUE             SOURCE
zroot/noc/shares  aclinherit  passthrough       local
fs1# zfs get aclmode zroot/noc/shares
NAME              PROPERTY  VALUE             SOURCE
zroot/noc/shares  aclmode   passthrough       local

smb.conf
Code:
[global]
   workgroup = EX
   server string = FS1 Samba Server
   security = ads
   hosts allow = 192.168.200. 192.168.201. 127.
   load printers = no
   log file = /var/log/samba34/log.%m
   max log size = 50
   password server = dc0.ex.com
   realm = EX.COM
   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
   local master = no
   os level = 10
   domain master = no
   preferred master = no
   domain logons = no
   dns proxy = no
   display charset = koi8-r
   unix charset = koi8-r
   dos charset = cp866

   nt acl support = yes
   inherit acls = no
   map acl inherit = yes
   case sensitive = No
   winbind use default domain = Yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   client ntlmv2 auth = yes
   acl check permissions = no
[general]
   comment = Public Stuff
   path = /noc/shares/general
   public = no
   writable = yes
   printable = no
   write list = @Office
   admin users = druginin
   unix extensions = no
   vfs objects = zfsacl
   nfs4: mode = special
   nfs4:acedup = merge
   nfs4:chown = yes
   nt acl support = yes

Thank you again, Jim.
DVG_Lab.
 
This is what I mean:

Code:
fs1# getfacl /noc/shares/general/inherit/
# file: /noc/shares/general/inherit/
# owner: root
# group: domain users
group:domain users:rwxpDdaARWcCos:fd----:allow
      group:office:rwxpDdaARWcCos:fd----:allow

fs1# getfacl /noc/shares/general/inherit/test.doc
# file: /noc/shares/general/inherit/test.doc
# owner: root
# group: domain users
group:domain users:rwxpDdaARWcCos:------:allow
      group:office:rwxpDdaARWcCos:------:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:------:deny
            group@:rwxp----------:------:allow
         everyone@:-------A-W-Co-:------:deny
         everyone@:rwxp--a-R-c--s:------:allow

I don't know where it inherits or creates deny permissions if they are absent in the parent directory.
It seems to me I should add some magic config lines to smb.conf. :)
 
I am running some experiments on my system and I will post my findings. I believe that the root of the problem is that the owner@, group@, and everyone@ permissions must remain defined on the root of the share. Ultimately, while the Windows interface is nice to use, I think that the permissions will need to be defined by setfacl in order for everything to work properly.
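The "incorrectly ordered" warning in the two posts above comes from the Windows ACL editor, which expects canonical ACE order: explicit (non-inherited) deny entries, then explicit allow, then inherited deny, then inherited allow. The getfacl listing of test.doc quoted earlier interleaves deny and allow entries, which is exactly what trips that check. The following script is an added example, not code from the thread or from Samba: it parses FreeBSD getfacl(1) NFSv4 output, reports where the canonical order is broken, and lists which of the owner@/group@/everyone@ entries are missing (the entries the previous post suspects must stay defined on the share root). It assumes the getfacl field layout shown in the thread (tag:qualifier:perms:flags:type) and treats an 'I' in the flags field as "inherited", a flag that newer FreeBSD releases emit and 8.1 does not.

```python
"""Check a FreeBSD getfacl(1) NFSv4 listing against the ACE order Windows expects."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Ace:
    tag: str        # owner@ / group@ / everyone@ / user / group
    qualifier: str  # user or group name; empty for the @ tags
    perms: str      # 14-character permission field, e.g. rwxpDdaARWcCos
    flags: str      # 6-character inheritance field, e.g. fd----
    kind: str       # allow or deny

    @property
    def inherited(self) -> bool:
        # Assumption: newer FreeBSD marks inherited entries with 'I' in the flags
        # field; on 8.1 the flag does not exist, so every entry counts as explicit.
        return "I" in self.flags

    def label(self) -> str:
        return f"{self.tag}:{self.qualifier}" if self.qualifier else self.tag


def parse_getfacl(text: str) -> List[Ace]:
    """Parse the entry lines of a getfacl listing; '#' header lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split from the right so a qualifier such as "domain users" stays intact.
        head, perms, flags, kind = line.rsplit(":", 3)
        if head.endswith("@"):
            tag, qualifier = head, ""
        else:
            tag, qualifier = head.split(":", 1)
        aces.append(Ace(tag, qualifier, perms, flags, kind))
    return aces


def canonical_rank(ace: Ace) -> int:
    """0 explicit deny, 1 explicit allow, 2 inherited deny, 3 inherited allow."""
    return (2 if ace.inherited else 0) + (0 if ace.kind == "deny" else 1)


def ordering_violations(aces: List[Ace]) -> List[str]:
    """Every entry ranked lower than the entry before it breaks canonical order."""
    problems = []
    for i in range(1, len(aces)):
        prev, cur = aces[i - 1], aces[i]
        if canonical_rank(cur) < canonical_rank(prev):
            problems.append(f"entry {i}: {cur.kind} for {cur.label()} "
                            f"comes after {prev.kind} for {prev.label()}")
    return problems


def missing_trivial_entries(aces: List[Ace]) -> List[str]:
    present = {a.tag for a in aces}
    return [t for t in ("owner@", "group@", "everyone@") if t not in present]


def report(listing: str) -> Dict[str, object]:
    aces = parse_getfacl(listing)
    return {"entries": len(aces),
            "violations": ordering_violations(aces),
            "missing_trivial": missing_trivial_entries(aces)}


# Sample input: the two listings quoted earlier in the thread (directory, then test.doc).
DIR_LISTING = """\
# file: /noc/shares/general/inherit/
# owner: root
# group: domain users
group:domain users:rwxpDdaARWcCos:fd----:allow
      group:office:rwxpDdaARWcCos:fd----:allow
"""

FILE_LISTING = """\
# file: /noc/shares/general/inherit/test.doc
# owner: root
# group: domain users
group:domain users:rwxpDdaARWcCos:------:allow
      group:office:rwxpDdaARWcCos:------:allow
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:--------------:------:deny
            group@:rwxp----------:------:allow
         everyone@:-------A-W-Co-:------:deny
         everyone@:rwxp--a-R-c--s:------:allow
"""

if __name__ == "__main__":
    for name, listing in (("directory", DIR_LISTING), ("test.doc", FILE_LISTING)):
        print(name, report(listing))
```

Run against the directory listing it reports no ordering problem but all three trivial entries missing; against test.doc it reports three deny-after-allow violations and no missing trivial entries, which matches what the Windows dialog complained about. To check a live share, pipe `getfacl <path>` into parse_getfacl.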
 
It seems to me that about 3-4 years ago, when I experimented with ACLs on UFS2, things looked a bit easier and production ready. I think I should play with ACLs on UFS2 and compare them with ZFS. Actually, I don't want to migrate to UFS because of snapshots etc.
Anyhow, it looks like Samba with ACLs on ZFS isn't ready for production use right now.
 
dvg_lab said:
Actually, I don't want to migrate to UFS because of snapshots an etc.

If you want to use UFS2 AND also have ZFS snapshots then you can create a ZFS block device volume, and format it using UFS2.

Andy.
 
I'm sorry to ask: how do I "patch the "samba34" port to use this library and to build the vfs_zfsacl module" or "change all "<sys/acl.h>" into "<sunacl.h>" in all samba files"?

I need samba to work with zfs's acl, thanks for your solution.
 
I installed libsunacl and did what is described in this thread, but I cannot build modules/vfs_zfsacl.c.

I did this:
Code:
fb81# cd /usr/ports/net/samba34/

fb81# make patch

fb81# grep -rl "sys/acl.h" .
./source3/modules/vfs_hpuxacl.c.bak
./source3/modules/nfs4_acls.h.bak
./source3/lib/util.c.bak
./source3/include/config.h.in.bak
./source3/configure.bak
./source3/configure.in.bak
./source3/configure.in.orig.bak
./lib/replace/system/filesys.h.bak
./lib/replace/system/config.m4.bak

fb81# find ./ -exec grep "sys/acl.h" '{}' \; -exec sed -i .bak 's/sys\/acl.h/sunacl.h/g' {} \;
fb81# make build

The error is:
Code:
Compiling modules/vfs_zfsacl.c
modules/vfs_zfsacl.c: In function 'zfs_get_nt_acl_common':
modules/vfs_zfsacl.c:42: error: 'ace_t' undeclared (first use in this function)
modules/vfs_zfsacl.c:42: error: (Each undeclared identifier is reported only once
modules/vfs_zfsacl.c:42: error: for each function it appears in.)
modules/vfs_zfsacl.c:42: error: 'acebuf' undeclared (first use in this function)
modules/vfs_zfsacl.c:47: error: 'ACE_GETACLCNT' undeclared (first use in this function)
modules/vfs_zfsacl.c:60: error: expected expression before ')' token
modules/vfs_zfsacl.c:65: error: 'ACE_GETACL' undeclared (first use in this function)
modules/vfs_zfsacl.c:82: error: 'ACE_OWNER' undeclared (first use in this function)
modules/vfs_zfsacl.c:85: error: 'ACE_GROUP' undeclared (first use in this function)
modules/vfs_zfsacl.c:88: error: 'ACE_EVERYONE' undeclared (first use in this function)
modules/vfs_zfsacl.c: In function 'zfs_process_smbacl':
modules/vfs_zfsacl.c:106: error: 'ace_t' undeclared (first use in this function)
modules/vfs_zfsacl.c:106: error: 'acebuf' undeclared (first use in this function)
modules/vfs_zfsacl.c:112: error: expected expression before ')' token
modules/vfs_zfsacl.c:130: error: 'ACE_EVERYONE' undeclared (first use in this function)
modules/vfs_zfsacl.c:133: error: 'ACE_OWNER' undeclared (first use in this function)
modules/vfs_zfsacl.c:136: error: 'ACE_GROUP' undeclared (first use in this function)
modules/vfs_zfsacl.c:148: error: 'ACE_SETACL' undeclared (first use in this function)
The following command failed:
cc -O2 -pipe -DLDAP_DEPRECATED -fno-strict-aliasing -I. -I/usr/ports/net/samba34/work/samba-3.4.8/source3 -I/usr/ports/net/samba34/work/samba-3.4.8/source3/iniparser/src -Iinclude -I./include  -I. -I. -I./../lib/replace -I/usr/local/include   -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H  -I/usr/local/include -Iinclude -I./include -I. -I. -I./../lib/replace -I/usr/local/include -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -I./../lib/popt -I/usr/local/include -I /usr/local/include -DLDAP_DEPRECATED  -I/usr/ports/net/samba34/work/samba-3.4.8/source3/lib -I.. -I../source4 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -DPIC -c modules/vfs_zfsacl.c -o modules/vfs_zfsacl.o
gmake: *** [modules/vfs_zfsacl.o] Error 1
 
The new port has been updated:

http://www.freshports.org/net/samba35/

These upgrade notes are taken from /usr/ports/UPDATING
2010-10-26
Affects: users of net/samba35
Author: Timur Bakeyev <timur@FreeBSD.org>
Reason:
This is the latest stable release of the Samba3 distribution. It has
been extended with the experimental support of the NFS4-like ACLs on
ZFS partitions, thanks to the sysutils/libsunacl library by Edward
Tomasz Napierala(trasz). This support hasn't been tested thoroughly,
so try it at your own risk.

This port reverted back to the pre- net/samba34 layout of the
directories and now they are again $PREFIX/etc/samba, /var/run/samba,
/var/log/samba, /var/db/samba and /var/spool/samba respectively.

In case, you are upgrading from net/samba34, please rename
corresponding samba34/ subdirectories into samba/ ones. Upgrades from
older versions of Samba and fresh installations should be seamless.
 
It seems to me that we should play with it again :) I hope ACL inheritance has been fixed.
I'll try it on the next week.
 
On my FreeBSD 8.1-STABLE amd64 system the compile of Samba 3.5.6 with ACL and EXP_MODULES fails. I was hoping to test the usage of Samba on ZFS with ACLs; please let me know if anyone succeeds...

Code:
Compiling winbindd/idmap_ad.c
winbindd/idmap_ad.c: In function 'idmap_ad_unixids_to_sids':
winbindd/idmap_ad.c:390: error: incompatible types in assignment
winbindd/idmap_ad.c:410: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:412: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c: In function 'idmap_ad_sids_to_unixids':
winbindd/idmap_ad.c:583: error: incompatible types in assignment
winbindd/idmap_ad.c:603: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:605: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c: In function 'nss_ad_get_info':
winbindd/idmap_ad.c:874: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:875: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:876: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:906: error: incompatible types in assignment
winbindd/idmap_ad.c:912: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:913: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c:914: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c: In function 'nss_ad_map_to_alias':
winbindd/idmap_ad.c:985: error: incompatible types in assignment
winbindd/idmap_ad.c:991: warning: assignment makes pointer from integer without a cast
winbindd/idmap_ad.c: In function 'nss_ad_map_from_alias':
winbindd/idmap_ad.c:1064: error: incompatible types in assignment
winbindd/idmap_ad.c:1071: warning: assignment makes pointer from integer without a cast
The following command failed:
cc -O2 -pipe -fno-strict-aliasing -I. -I/usr/ports/net/samba35/work/samba-3.5.6/source3 -I/usr/ports/net/samba35/work/samba-3.5.6/source3/iniparser/src -Iinclude -I./include  -I. -I. -I./../lib/replace -I./../lib/tevent -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H  -I/usr/local/include -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/tevent -I./libaddns -I./librpc -I./.. -I./../lib/popt -I/usr/local/include  -I/usr/ports/net/samba35/work/samba-3.5.6/source3/lib -I.. -I../source4 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3  -fPIC -DPIC -c winbindd/idmap_ad.c -o winbindd/idmap_ad.o
gmake: *** [winbindd/idmap_ad.o] Error 1
*** Error code 1

Stop in /usr/ports/net/samba35.
*** Error code 1

Stop in /usr/ports/net/samba35.
 
Hmmm, tried it again and succeeded in compiling Samba 3.5.6 with sysutils/libsunacl. Great!

I can edit ACL's from Windows clients but receive a warning about permissions being incorrectly ordered.

Getting closer ;-)
 
I had the same effect: incorrectly ordered permissions. I still haven't tried UFS2 etc. because I absolutely have no free time to experiment with Samba :(
 
HELLO ALL
I managed to beat "incorrectly ordered".
Now I run a file server: ZFS+SAMBA(3.5.6)+AD.
That's part of my configuration, which works from Windows, and everything is correctly ordered.
Code:
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        server string = FILESERVER
        security = ADS
        allow trusted domains = No
        map to guest = Bad User
        password server = 192.168.0.228
        client NTLMv2 auth = Yes
        map untrusted to domain = Yes
        log file = /var/log/samba/log.%m
        max log size = 50000
        unix extensions = No
        client signing = Yes
        load printers = No
        printcap name = /etc/printcap
        disable spoolss = Yes
        os level = 10
        local master = No
        domain master = No
        dns proxy = No
        idmap alloc backend = tdb
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        template homedir = /tank/home/%U
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        admin users = DOMAIN\it-mans
        write list = DOMAIN\it-mans
        hosts allow = 192.168.0., 192.168.1., 127.
        map acl inherit = Yes
        case sensitive = No

[homes]
        comment = Home Directories
        read only = No
        browseable = No
        root preexec = /usr/bin/createhome.sh '%U'
        vfs objects = zfsacl
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = yes

[data]
        comment = Shares for Documents
        path = /tank/data
        read only = No
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        map archive = No
        map readonly = no
        vfs objects = zfsacl
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = yes
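Between the first smb.conf in this thread and the one above, the settings that changed for the zfsacl shares are few: "acl check permissions" off, "unix extensions = no" for OS X clients, "inherit acls" on, and the nfs4:* options in place. The checker below is an added example, not code from the thread, Samba or the port; it parses an smb.conf the way smb.conf(5) describes (case and whitespace in parameter names are irrelevant, a share-level value overrides [global]) and reports, for every share that loads vfs_zfsacl, which of those settings disagrees with the working configuration. The rule list is this thread's advice, not an official one, and the two embedded configs are trimmed excerpts of the ones posted above.

```python
"""Check an smb.conf for the vfs_zfsacl settings this thread settled on."""
import re
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]


def _norm(name: str) -> str:
    # smb.conf(5): case and whitespace in section/parameter names are irrelevant,
    # so "nfs4: mode" and "nfs4:mode" are the same parameter.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> Conf:
    """Minimal smb.conf parser: sections in [], 'key = value' lines, # or ; comments."""
    sections: Conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            sections[current][_norm(key)] = value.strip()
    return sections


def effective(conf: Conf, share: str, key: str, default: str = "") -> str:
    """A share-level value overrides [global]; otherwise fall back to the given default."""
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key, default))


def is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def check_zfsacl_shares(conf: Conf) -> Dict[str, List[str]]:
    """Per share that loads the zfsacl VFS module, list the settings that differ
    from what worked in this thread. An unset 'acl check permissions' is not
    flagged, since the working config leaves it at its default."""
    findings: Dict[str, List[str]] = {}
    for share in conf:
        if share == "global":
            continue
        if "zfsacl" not in effective(conf, share, "vfsobjects").split():
            continue
        issues = []
        if not effective(conf, share, "nfs4:mode"):
            issues.append("nfs4:mode is not set (the thread uses 'special')")
        if is_true(effective(conf, share, "aclcheckpermissions")):
            issues.append("acl check permissions is on; it is meant for POSIX ACLs "
                          "and interfered with NFSv4 ACLs here (set it to no)")
        if effective(conf, share, "unixextensions", "yes").lower() != "no":
            issues.append("unix extensions is not 'no'; OS X clients could not "
                          "write to the share root until it was disabled")
        if not is_true(effective(conf, share, "ntaclsupport", "yes")):
            issues.append("nt acl support is off, so Windows cannot edit the ACLs")
        if not is_true(effective(conf, share, "inheritacls", "no")):
            issues.append("inherit acls is off; the working setup had it on")
        findings[share] = issues
    return findings


# Sample input: trimmed excerpt of the first smb.conf posted in this thread.
FIRST_CONF = """
[global]
   workgroup = EX
   security = ads
   nt acl support = yes
   inherit acls = yes
   map acl inherit = yes
[general]
   path = /noc/shares/general
   writable = yes
   acl check permissions = True
   vfs objects = zfsacl
   nfs4: mode = special
"""

# Sample input: trimmed excerpt of the working configuration posted above.
WORKING_CONF = """
[global]
   workgroup = DOMAIN
   security = ADS
   unix extensions = No
   map acl inherit = Yes
[homes]
   read only = No
   vfs objects = zfsacl
   nfs4:mode = special
   nfs4:acedup = merge
   nfs4:chown = yes
[data]
   path = /tank/data
   read only = No
   inherit permissions = Yes
   inherit acls = Yes
   inherit owner = Yes
   vfs objects = zfsacl
   nfs4:mode = special
   nfs4:acedup = merge
   nfs4:chown = yes
"""

if __name__ == "__main__":
    for name, text in (("first", FIRST_CONF), ("working", WORKING_CONF)):
        print(name, check_zfsacl_shares(parse_smb_conf(text)))
```

On the first config it flags [general] twice (acl check permissions on, unix extensions not disabled); on the working config [data] comes back clean and [homes] is flagged only for the missing "inherit acls". This does not replace testparm, which validates the syntax and parameter names; it only encodes the thread's findings.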
 
Thanks for the update Gosevo!

Did you also set
Code:
aclmode=passthrough
and
Code:
aclinherit=passthrough
on tank/data in order to get this setup working correctly?
 
Hi pruik
Of course I have set these parameters.
Here are my file system settings:
Code:
fileserver# zfs get all tank/data
NAME       PROPERTY              VALUE                  SOURCE
tank/data  type                  filesystem             -
tank/data  creation              Tue Sep 28 11:54 2010  -
tank/data  used                  182M                   -
tank/data  available             1.53T                  -
tank/data  referenced            182M                   -
tank/data  compressratio         1.00x                  -
tank/data  mounted               yes                    -
tank/data  quota                 none                   default
tank/data  reservation           none                   default
tank/data  recordsize            128K                   default
tank/data  mountpoint            /tank/data             default
tank/data  sharenfs              off                    default
tank/data  checksum              on                     default
tank/data  compression           off                    default
tank/data  atime                 on                     default
tank/data  devices               on                     default
tank/data  exec                  on                     default
tank/data  setuid                on                     default
tank/data  readonly              off                    default
tank/data  jailed                off                    default
tank/data  snapdir               hidden                 default
tank/data  aclmode               passthrough            local
tank/data  aclinherit            passthrough            local
tank/data  canmount              on                     default
tank/data  shareiscsi            off                    default
tank/data  xattr                 off                    temporary
tank/data  copies                1                      default
tank/data  version               3                      -
tank/data  utf8only              off                    -
tank/data  normalization         none                   -
tank/data  casesensitivity       sensitive              -
tank/data  vscan                 off                    default
tank/data  nbmand                off                    default
tank/data  sharesmb              off                    default
tank/data  refquota              none                   default
tank/data  refreservation        none                   default
tank/data  primarycache          all                    default
tank/data  secondarycache        all                    default
tank/data  usedbysnapshots       0                      -
tank/data  usedbydataset         182M                   -
tank/data  usedbychildren        0                      -
tank/data  usedbyrefreservation  0                      -

And I also noticed that files created in Total Commander violate the order: @everyone appears at the top. When creating directories it is fine.
Windows Commander and FAR Commander are all right.

I tried to work with vfs_acl_xattr and vfs_acl_tdb, but they do not work correctly with ZFS.
 