Samba with NFSv4/ZFS ACL Support

FreeBSD 8.2 - Samba and ZFS

I'm using 8.2 with Samba 3.5.6 and a ZFS share. I followed the instructions in this thread but I'm getting the incorrectly ordered error message.

I compiled Samba 3.5.6 with ACL_SUPPORT with pulls in vfs_zfsacl and libsuncal.

Makefile
Code:
.if defined(WITH_ACL_SUPPORT)
CONFIGURE_ARGS+=        --with-acl-support
.       if ${OSVERSION} > 800000
WANT_EXP_MODULES+=      vfs_zfsacl
LIB_DEPENDS+=           sunacl.1:${PORTSDIR}/sysutils/libsunacl
.       endif
.else
CONFIGURE_ARGS+=        --without-acl-support
.endif

And work/samba-3.5.6/source3/configure appears to fix up the references to sys/acl.h to reference sunacl.h.
Code:
for ac_header in sys/acl.h acl/libacl.h sunacl.h
do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
  cat >>confdefs.h <<_ACEOF     
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
          
fi
        
done

The share has aclmode and aclinherit set to passthrough.
Code:
NAME               USED  AVAIL  REFER  MOUNTPOINT
zdisk              355K  39.0G  30.6K  /zdisk
zdisk/share       58.6K  39.0G  30.6K  /zdisk/share
zdisk/share/user  28.0K  39.0G  28.0K  /zdisk/share/user

zdisk/share/user  aclmode               passthrough            inherited from zdisk/share
zdisk/share/user  aclinherit            passthrough            inherited from zdisk/share

Here's the smb.conf.
Code:
[global]
    workgroup = WORKGROUP
    netbios name = FILER
    server string = FILER

    unix extensions = No
    dns proxy = No
    map acl inherit = Yes

    log file = /var/log/samba/log.%m
    max log size = 50

[share]
    path = /zdisk/share/user
    valid users = user
    read only = No
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes
    map archive = No
    map readonly = no
    vfs objects = zfsacl
    nfs4:acedup = merge
    nfs4:mode = special
    nfs4:chown = yes

What am I missing?
 
Use setfacl, for now...

I opened this thread initially. Unfortunately, work became crazy for a few months and I was unable to follow up. Since then, I have upgraded by server to 8.2-RELEASE and I am using the new amba 3.5 port. This is great since I no longer need to patch the port to get ZFS ACL support. I just needed to make config the port and pick the appropriate build options.

In regards to incorrectly ordered permissions, I cannot confirm that gosevo's configuration works to fix the ordering issue. If you set the permissions via Windows and then look at them via getfacl, you can see what Windows is trying to do. To the best of my understanding, it would appear that the ZFS/FreeBSD ACL and the Windows ACL ordering are not truly compatible. The solution would probably be a patch for Samba that would translate the ordering so that Windows sees the ordering it needs and ZFS gets the correct actual ACL's.

On my server, I simply set all of the permissions directly with setfacl. I have given up using the Windows interface for now. Doing this, I am able get the proper permissions on the server (i.e. in FreeBSD) and on my Windows and Mac clients via Samba. Here is what I do. (I am not in front of my server right now, so please forgive me if the syntax is not correct.)

1) I create the root of my share. For me, this usually involves creating a new ZFS filesystem on my storage pool (zfs create -o utf8only=on tank/Pictures).

2) Next I set the ZFS inheritance options. zfs aclmode=passthrough tank/Pictures and zfs set aclinherit=passthrough tank/Pictures. (Yeah, I know these probably can be combined into step 1, but I am doing this from memory.)

3) I modify the default default permissions with chown. For example, if I know that "other" users should not ever access these files, I do chown o-rwx /tank/Pictures). Do the same with the group permission if you know what you need.

4) Now look at the ACL's with getfacl and take note of them. I try to leave the defaults alone, if possible. I also usually leave root as the owner.

5) Now I add my per user permissions. Usually this involves giving me full control. So use setfacl to insert my username at the TOP of the ACL permission set with the appropriate permissions. For my user, I allow everything. I also set file_inherit and dir_inherit on (I think?).

As I said, this works great for me. I do not know if this can be translated into a working setup for and Active Directory integrated server.

Since OpenSolaris uses its kernel based SMB/CIFS server, it does not seem to have these issues (at least I have not noticed them as much). Like I said, I think the current answer would lie in some sort of ACL ordering translator in Samba to "fix" the view Windows sees.

I really hope a resolution can be found. I have been eagerly following the progress of ZFS on FreeBSD. I am so anxious to try 9.0 as I think it has v28. I am also very excited by the continuing development progress on redesigned version of FreeNAS. If this issue can be corrected, it would make FreeBSD and FreeNAS into an awesome file server platform.

Hope this helps even a little bit. Good luck!
 
jlohiser,

You appear to be dead on. I modified vfs_zfsacl.c to return non-inherited DENY ACEs before ALLOW ACEs and Windows is happy. Unfortunately, when you update the file permissions via Windows, ZFS doesn't like Windows' ACE ordering.

From what I can tell Windows and ZFS/NFSv4 ACL ordering rules differ.
 
For Solaris ZFS based systems apparently Sun recommend setting:

Code:
vfs objects = zfsacl
inherit permissions = Yes
inherit acls = Yes
nfs4:acedup = merge
nfs4:chown = yes
nfs4: mode = special
zfsacl: acesort = dontcare

A couple of things in there, such as chown and acesort don't seem to have been set by people on this thread, perhaps they might help, if they aren't Solaris specific...?

ta Andy.
 
file size won't change after editing

I'm using FreeBSD 8.2, ZFS ACL and Samba 3.5.8 and I have a problem. With Samba 3.5.6 was the same. I create a file and after editing the file the size won't modify until I press F5 (refresh). I'm using Windows XP, Windows 7, both with Windows Explorer as client and I have the same issue with KDE - Dolphin.

I don't know what to do. Please tell me if I could change something.
 
Back
Top