[Samba] zfs permissions

Tom Jermy

Mar 11, 2014, 10:46:12 PM
Hello,

I'm using Samba Version 4.0.15-SerNet-RedHat-7.el6 (AD DC)
and zfs-0.6.2-1.el6.x86_64.

I cannot change permissions on files from either Windows ('Access Denied')
or the samba-tool on shares from local zfs mounts:

# samba-tool ntacl set 'O:LAG:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;WD)' CompanyName/ Company/

fset_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED.
ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 90, in run
    setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs)
  File "/usr/lib64/python2.6/site-packages/samba/ntacls.py", line 154, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

I cannot see where I am going wrong. I have zfs set
aclinheritance=passthrough-x, tried xattr on/off/sa/dir ...

Perhaps this belongs on the zfs list but would appreciate any feedback if
there are folk out there who have encountered this / not encountered this.

Thank you

Tom Jermy

Mar 12, 2014, 8:44:42 AM
Should I share my smb.conf? I'll share my smb.conf. It's not complicated:

# Global parameters
[global]
workgroup = COMPANYNAME
realm = companyname.local
netbios name = PDC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
allow dns updates = true
dns forwarder = 8.8.8.8

[netlogon]
path = /var/lib/samba/sysvol/company.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[Company]
path = /Companyname/Company/ # zfs mount
read only = No

[root]
path = /
read only = No
force user = root

[zfsTest]
path = /Companyname/test # another zfs mount for testing porpoises.
read only = No

Ryan Bair

Mar 12, 2014, 9:42:22 AM
Hi Tom,

The current release of zfsonlinux does not support ACLs, I'm guessing this
is what you are running into. There is support in trunk however so hope is
on the horizon (or right now if you're feeling dangerous and keep good
backups).

I know there used to be a Samba option to store ACLs in an xattr (which is
supported with current ZFS), however I couldn't find the config option in
the manual.

David Disseldorp

Mar 12, 2014, 10:11:26 AM
Hi Ryan and Tom,

On Wed, 12 Mar 2014 09:42:22 -0400, Ryan Bair wrote:

> Hi Tom,
>
> The current release of zfsonlinux does not support ACLs, I'm guessing this
> is what you are running into. There is support in trunk however so hope is
> on the horizon (or right now if you're feeling dangerous and keep good
> backups).
>
> I know there used to be a Samba option to store ACLs in an xattr (which is
> supported with current ZFS), however I couldn't find the config option in
> the manual.

I expect you're referring to the acl_xattr VFS module. Please refer to
the vfs_acl_xattr(8) man page.

Cheers, David

Tom Jermy

Mar 12, 2014, 10:36:01 AM
On 12 March 2014 14:11, David Disseldorp <dd...@suse.de> wrote:

> Hi Ryan and Tom,
>
> On Wed, 12 Mar 2014 09:42:22 -0400, Ryan Bair wrote:
>
> > Hi Tom,
> >
> > The current release of zfsonlinux does not support ACLs, I'm guessing this
> > is what you are running into. There is support in trunk however so hope is
> > on the horizon (or right now if you're feeling dangerous and keep good
> > backups).
> >
> > I know there used to be a Samba option to store ACLs in an xattr (which is
> > supported with current ZFS), however I couldn't find the config option in
> > the manual.
>
> I expect you're referring to the acl_xattr VFS module. Please refer to
> the vfs_acl_xattr(8) man page.
>
> Cheers, David
>
Thanks Ryan & David ... I set the following:

[zfsTest]
path = /Companyname/test # another zfs mount for testing porpoises.
read only = No
* vfs objects = acl_xattr*
* acl_xattr:ignore system acls = Yes*

... but there is no change ... any ideas?

David Disseldorp

Mar 12, 2014, 3:29:51 PM
On Wed, 12 Mar 2014 14:36:01 +0000, Tom Jermy wrote:

> Thanks Ryan & David ... I set the following:
>
> [zfsTest]
> path = /Companyname/test # another zfs mount for testing porpoises.
> read only = No
> * vfs objects = acl_xattr*
> * acl_xattr:ignore system acls = Yes*
>
> ... but there is no change ... any ideas?

Did you restart smbd? Is the root user able to set and get extended
attributes on the local /Companyname/test filesystem via [gs]etfattr?
Is your version of samba built with ACL support?

If yes, please raise a bug and attach your level 10 logs.

Cheers, David
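
The checks David lists above, written out as an added shell example (not part of the thread and not Samba project code). The function names and the probe attribute name are hypothetical, and the `HAVE_...ACL` pattern is an assumption about what `smbd -b` prints on a given build.

```shell
#!/bin/sh
# Added example: pre-flight checks for a share that should use vfs_acl_xattr.

# probe_xattr DIR [ATTR]
#   0 = xattr set/get round-trip worked, 1 = set or get failed,
#   2 = could not create a probe file in DIR
probe_xattr() {
    dir=$1
    attr=${2:-user.samba_probe}   # hypothetical name, used only by this probe
    probe=$(mktemp "$dir/.xattr_probe.XXXXXX" 2>/dev/null) || return 2
    rc=1
    if setfattr -n "$attr" -v probe-ok "$probe" 2>/dev/null; then
        got=$(getfattr --only-values -n "$attr" "$probe" 2>/dev/null) || got=
        [ "$got" = "probe-ok" ] && rc=0
    fi
    rm -f "$probe"                # never leave the probe file on the share
    return $rc
}

# smbd_acl_build [SMBD]
#   0 = build options mention ACL support, 1 = they do not,
#   2 = the smbd binary could not be run
smbd_acl_build() {
    smbd_bin=${1:-smbd}
    opts=$("$smbd_bin" -b 2>/dev/null) || return 2
    # Assumption: ACL support shows up as a HAVE_*ACL* build macro.
    printf '%s\n' "$opts" | grep -Eq 'HAVE_[A-Z_]*ACL' && return 0
    return 1
}

main() {
    share=$1
    x=0; probe_xattr "$share" "${2:-user.samba_probe}" || x=$?
    a=0; smbd_acl_build || a=$?
    echo "xattr round-trip on $share: rc=$x (0=ok 1=failed 2=cannot write)"
    echo "smbd ACL build options: rc=$a (0=present 1=absent 2=smbd not runnable)"
    [ "$x" -eq 0 ] && [ "$a" -eq 0 ]
}

# Run only when a share path is given, e.g.: sh check.sh /Companyname/test
if [ "$#" -gt 0 ]; then main "$@"; fi
```

vfs_acl_xattr keeps the NT ACL in the `security.NTACL` attribute, so run the probe as root and pass a `security.`-prefixed attribute name as the second argument to exercise the same namespace smbd writes to.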

Klaus Hartnegg

Mar 13, 2014, 8:48:37 AM
Maybe "vfs objects = zfsacl" ?
See "man vfs_zfsacl".

Christopher Chan

Mar 13, 2014, 9:15:38 AM
On Thursday, March 13, 2014 08:48 PM, Klaus Hartnegg wrote:
> Maybe "vfs objects = zfsacl" ?
> See "man vfs_zfsacl".
>
On FreeBSD, illumos and Solaris yes. Not on Linux as ZOL has not
implemented nfs4acls yet.

Tom Jermy

Mar 13, 2014, 11:36:22 AM
Hi All,

I did restart samba after making the changes, I have now tried:

[zfsTest]
path = /Companyname/test
read only = No
vfs objects = acl_tdb
acl_tdb:ignore system acls = Yes

which gives the same results.

I stopped samba, changed logging to 10, started it again, attempted to
change the permission, then stopped samba. I now have a 3.1mb log file. Can
you tell me what I need to do from here?

Thanks

Tom Jermy

Mar 13, 2014, 7:10:07 PM
I meant to say that I cleared the log prior to starting samba again...