Joe Frank
2017-Aug-10 16:13 UTC
[Samba] zfsacl problem with share permissions set from Computer Management
I'm using zfsacl on samba 4.6.6 on FreeBSD. File system ACLs work correctly, and Computer Management allows me to set share permissions (permissions are updated and displayed back correctly), but access doesn't appear to honor the configured share permissions. For example, users with file level ACLs that grant write permission are allowed to write even when share level permissions only grant read access to "Everyone".

I noticed a comment on a FreeNAS discussion that seems to indicate that zfsacl is incompatible with permissions stored in share_info.tdb:

"Caveat: It appears that samba will evaluates share_info.tdb and ZFS ACLs out of order. ZFS ACLs are given precedence. This means that administrators may need to disable the zfsacl vfs module in order for samba to properly use share_info.tdb to control access to shares."

This is in a post from December 2015: https://forums.freenas.org/index.php?threads/cifs-smb-samba-tips-and-tricks.34995/

I didn't find any bug report related to this. Is anyone aware of this issue or a work-around?
Andrew Walker
2017-Aug-10 17:12 UTC
[Samba] zfsacl problem with share permissions set from Computer Management
On Thu, Aug 10, 2017 at 11:13 AM, Joe Frank via samba <samba at lists.samba.org> wrote:
> I didn't find any bug report related to this. Is anyone aware of this
> issue or a work-around?

The workaround may be to have the client log out and log back in after making the changes. :-) I just tested on a FreeBSD system. The permissions work as expected once the client establishes a fresh connection.
Joe Frank
2017-Aug-11 14:27 UTC
[Samba] zfsacl problem with share permissions set from Computer Management
> The workaround may be to have the client log out and log back in after
> making the changes. :-) I just tested on a FreeBSD system. The permissions
> work as expected once the client establishes a fresh connection.

It appears that when a user has SeDiskOperatorPrivilege they always have full access regardless of the share permissions. When I attempt access using credentials without SeDiskOperatorPrivilege, the share permissions block access.