samba - Aug 2014 - samba 4.1.9 group share issues with nfsv4 acl

Dear list,

I have a freebsd 10 server with a ZFS pool, where data is shared with
samba. ZFS ACLs are compliant with NFSv4 ACL.

ZFS acl mode and inherit are set to passthrough (not sure it's really
relevant here).

The server is a domain member, and "standard" file service works well.

I had the same setup with samba 3.5, where I was able to have a single
share for all groups, so I can have a single network drive for every
users, where a subdirectory appeared for each group they're part of.

---
[groups]
	path = /data/group
	read only = No
	create mask = 0660
	directory mask = 0770
	hide unreadable = Yes
---

each subfolder just had to be set with root owner and the suitable
group, and every users were able to read and write on their group
folders. (no need for any acl)


It seems that it doesn't work this way anymore, from samba 3.6 to samba
4.1.on

I saw that a way to handle that was to use acl, so I configured to use
the zfs_acl vfs.

My configuration is currently :

---
[midterm]
	path = /data/midterm
	read only = No
	create mask = 0770
	directory mask = 0770
	inherit acls = Yes
	inherit owner = Yes
	map acl inherit = Yes
	hide unreadable = Yes
	map archive = No
	map readonly = no
	store dos attributes = Yes
	csc policy = disable
	strict locking = No
	vfs objects = zfsacl
	nfs4:chown = Yes
	nfs4:acedup = merge
	nfs4:mode = simple
---

and, for example, with the directory "midterm/it":
drwxrwx---+  4 root       it             6 Jul 30 12:07 it

and its ACL:

---
# file: it
# owner: root
# group: it

            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:------a-R-c--s:------:allow
---

with this acl, I can't see this it directory while using my account
which is part of the it group.

If I add myself to the acl:

---
# file: it
# owner: root
# group: it
     user:pjoubert:rwxpDdaARWcCos:fd----:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:------a-R-c--s:------:allow
---

I see the directory, can create files and directories in it, while the
owner and group remain root and it.

Why does acl work for users and not for groups ? Do I miss something ?

It is very convenient to be able to just set an acl for the group and
not individual users for each share, as groups are handled on the domain
directly (and we have ).

I can give more details of my setup if needed.


Cheers,
-- 
Pablo Joubert
EMBL IT Team