Solved smb4 and ACL permissions

[mefizto]

Greetings all,

I have a problem with setting permissions on a folder shared by smb4. The /export/projects with the following ACL permissions:

# file: /export/projects
# owner: root
# group: wheel
     user:myuser:rwxp----------:-------:allow
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

is shared on Windows 7 machine. However, I cannot write to the folder. On the Windows machine, the Properties window and security tab show only the owner, group and everyone. When I attempt to add the myuser, Windows asks for network credentials, and upon entering them, adds the myuser. However, the write permission is missing, and even when I only try to confirm the addition of the myuser, Windows responds with Access denied.

The myuser has been added to the SambaSAMAccount database: # pdbedit -a myuser], and its password has been set: # smbpasswd -a myuser.

Here is the smb4.conf:

[global]
workgroup = WORKGROUP
server string = Server
netbios name = mefisto
security = user

# Allow user mysuser to /export/projects
[projects]
path = /export/projects
public = no
guest ok = no
writable = yes
read only = no
browsable = yes

Any help would be appreciated.

Kindest regards,

M

 

[SirDice]

Add valid users = myuser to your share.

 

[mefizto]

Hi SirDice,

thank you for your help, it did not work; the same response from Windows.

write list = myuser

does not work either.

Kindest regards,

M

 

[msplsh]

I noticed you said you used passwd but I think you should be using /usr/local/bin/smbpasswd -a myuser

 

[mefizto]

Hi msplsh,

thank you for catching the misprint in the original post, I indeed used smbpasswd. I will correct the original post.

Kindest regards,

M

 

[msplsh]

Is this on ZFS?

 

[mefizto]

Hi msplsh,

yes it is.

Kindest regards,

M

 

[msplsh]

I have this setup minus the explicit ACLs. I sidestepped this by mapping ACLs to xattrs by loading a module into vfs objects = in smb.conf precisely because I was seeing problems in the logs I could not figure out. I wonder if you need one of these loaded, namely zfsacl.

https://www.samba.org/samba/docs/current/man-html/

 

[mefizto]

Hi msplsh,

I have been suspecting some permission problem, but I cannot figure out what it is. First, I am rather confused about the ACLs. If I am interpreting Handbook Chapter 14, correctly, the POSIX 1e ACL are supported only on UFS. However setfacl(1) refers to both, though I understand that they are not compatible. However, mount lists the ACLs as nsv4acl.

I am also confused by your statement: "I sidestepped this by mapping ACLs to xattrs by loading a module into vfs objects = in smb.conf", because the xattr on the export/project is set to off and an attempt to change it results in notification that the xattr is unsupported. Could you please post your set up?

A search on this issue results in literally hundreds of links, none of which worked for me.

Kindest regards,

M

 

[msplsh]

[global]
security = user
map to guest = Bad User
netbios name = Server
log file = /var/log/samba4/log-%m
log level = 1
mangled names = illegal
preserve case = yes
server min protocol = SMB2
load printers = no


vfs objects = catia fruit streams_xattr acl_xattr
fruit:aapl = yes
fruit:advertise_fullsync = true
fruit:time machine = yes

The fruit options are for time machine clients.

The share options are similar to yours, set the path, read only to no, add the username to valid users

 

[msplsh]

I tried passing through ACLs directly to ZFS and I got these errors when I enabled zfsacl

# "zfsacl_get_nt_acl: No stat info for"
# "SMB_VFS_NEXT_FSET_NT_ACL" failed

I tried doing stuff like zfs set on aclmode and aclinherit to discard (because I just didn't care) and that didn't seem to solve anything. That's when I gave up trying to get the ACLs to pass through to ZFS and enabled the xattr ones.

I'm using the pkg binary version of samba413.

I am using Windows 10, however. That may be why it works for me.

 

[mefizto]

Hi msplsh,

thank you very much for your replies. Attempting to map the vfs objects = did not work.

Like you, I had read about the aclmode an aclinherit and tried the different combinations, but again, nothing works.

Kindest regards,

M

 

[msplsh]

I'll try and poke at it and see what I get.

 

[mefizto]

Hi msplsh,

thank you, but please do not spent time solving my problem. I will keep working on it, I really do not want to go back to OmniOS and I need the functionality.

It is rather mysterious, because I have re-read the pertinent portion of Samba's Wiki that the pass-through via vfs objects = should have worked.

Also, Wiki claims that Samba might have been built with ACL support, but: # smbd -b | grep HAVE_LIBACL does not return anything, and looking at the options for compilation doe not show anything.

The FreeBSD handbook is not helpful either.

Kindest regards,

M

 

[mefizto]

Hi msplsh,

I have solved the problem. The key was setting

vfs objects = vfs_zfsacl

and then set the options nfs4:*.

Thank you for your help.

Kindest regards,

M