Dear list,
I have a FreeBSD 10 server with a ZFS pool, where data is shared with
samba. ZFS ACLs are compliant with NFSv4 ACLs.
ZFS acl mode and inherit are set to passthrough (not sure it's really
relevant here).
The server is a domain member, and "standard" file service works well.
I had the same setup with samba 3.5, where I was able to have a single
share for all groups, so I could have a single network drive for every
user, where a subdirectory appeared for each group they're part of.
---
[groups]
path = /data/group
read only = No
create mask = 0660
directory mask = 0770
hide unreadable = Yes
---
Each subfolder just had to be set with root owner and the suitable
group, and every user was able to read and write on their group
folders (no need for any acl).
It seems that it doesn't work this way anymore, from samba 3.6 to samba
4.1 on.
I saw that a way to handle that was to use acl, so I configured it to use
the zfs_acl vfs.
My configuration is currently:
---
[midterm]
path = /data/midterm
read only = No
create mask = 0770
directory mask = 0770
inherit acls = Yes
inherit owner = Yes
map acl inherit = Yes
hide unreadable = Yes
map archive = No
map readonly = no
store dos attributes = Yes
csc policy = disable
strict locking = No
vfs objects = zfsacl
nfs4:chown = Yes
nfs4:acedup = merge
nfs4:mode = simple
---
and, for example, with the directory "midterm/it":
drwxrwx---+ 4 root it 6 Jul 30 12:07 it
and its ACL:
---
# file: it
# owner: root
# group: it
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c--s:------:allow
---
With this acl, I can't see this "it" directory while using my account,
which is part of the it group.
If I add myself to the acl:
---
# file: it
# owner: root
# group: it
user:pjoubert:rwxpDdaARWcCos:fd----:allow
owner@:rwxp--aARWcCos:------:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c--s:------:allow
---
I see the directory, can create files and directories in it, while the
owner and group remain root and it.
Why does the acl work for users and not for groups? Am I missing something?
It is very convenient to be able to just set an acl for the group and
not individual users for each share, as groups are handled on the domain
directly (and we have ).
I can give more details of my setup if needed.
Cheers,
--
Pablo Joubert
EMBL IT Team
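To reason about what the two ACLs quoted in this post actually grant, the following added example (not code from the post, Samba or FreeBSD) parses the FreeBSD getfacl text format and evaluates access the way NFSv4 ACL semantics define it: ACEs are walked in order, the first ACE that matches the caller and mentions a requested permission decides it, `group@` matches members of the file's owning group, and inherit-only ACEs are skipped for the object itself. The user name `pjoubert`, the group `it` and the "outsider" account are taken from or constructed around the post; the two ACL texts are the ones quoted above.

```python
"""Parse FreeBSD-style NFSv4 ACL text and evaluate access for a principal.

Added illustration for the samba-list question above; not code from the
post, from Samba or from FreeBSD. Sample ACLs are the ones quoted in the post.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Positional permission letters printed by FreeBSD getfacl for NFSv4 ACLs.
PERM_LETTERS = "rwxpDdaARWcCos"
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}


@dataclass
class Ace:
    tag: str                     # owner@, group@, everyone@, user, group
    qualifier: str               # named user/group, empty for the @ specials
    perms: Set[str]              # permission names granted/denied by this ACE
    flags: Set[str]              # inheritance flag letters present (f, d, i, n, ...)
    kind: str                    # "allow" or "deny"


@dataclass
class Acl:
    owner: str
    group: str
    aces: List[Ace] = field(default_factory=list)


def parse_acl(text: str) -> Acl:
    """Parse getfacl output: '# owner:'/'# group:' headers then one ACE per line."""
    acl = Acl(owner="", group="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = value.strip()
            elif key.strip() == "group":
                acl.group = value.strip()
            continue
        fields = line.split(":")
        if len(fields) == 4:                 # owner@/group@/everyone@ entries
            tag, perms, flags, kind = fields
            qualifier = ""
        elif len(fields) == 5:               # user:NAME / group:NAME entries
            tag, qualifier, perms, flags, kind = fields
        else:
            raise ValueError(f"unrecognised ACE: {line!r}")
        if len(perms) != len(PERM_LETTERS):
            raise ValueError(f"bad permission field: {perms!r}")
        perm_set = set()
        for pos, ch in enumerate(perms):
            if ch == "-":
                continue
            if ch != PERM_LETTERS[pos]:
                raise ValueError(f"letter {ch!r} out of place in {perms!r}")
            perm_set.add(PERM_NAMES[ch])
        acl.aces.append(Ace(tag, qualifier, perm_set,
                            {c for c in flags if c != "-"}, kind))
    return acl


def ace_matches(ace: Ace, acl: Acl, user: str, groups: Set[str]) -> bool:
    """NFSv4 principal matching: group@ means 'member of the owning group'."""
    if "i" in ace.flags:                      # inherit-only: not applied to this object
        return False
    return {
        "owner@": user == acl.owner,
        "group@": acl.group in groups,
        "everyone@": True,
        "user": ace.qualifier == user,
        "group": ace.qualifier in groups,
    }.get(ace.tag, False)


def check_access(acl: Acl, user: str, groups: Set[str], requested: Set[str]) -> bool:
    """Grant only if every requested permission is allowed before any deny on it."""
    pending = set(requested)
    for ace in acl.aces:
        if not pending:
            break
        if not ace_matches(ace, acl, user, groups):
            continue
        hit = pending & ace.perms
        if not hit:
            continue
        if ace.kind == "deny":
            return False
        pending -= hit
    return not pending


# ACLs quoted in the post: group-only, then with the explicit user ACE added.
ACL_GROUP_ONLY = """\
# file: it
# owner: root
# group: it
owner@:rwxpDdaARWcCos:fd----:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c--s:------:allow
"""
ACL_WITH_USER = """\
# file: it
# owner: root
# group: it
user:pjoubert:rwxpDdaARWcCos:fd----:allow
owner@:rwxp--aARWcCos:------:allow
group@:rwxpDdaARWcCos:fd----:allow
everyone@:------a-R-c--s:------:allow
"""
LIST_AND_TRAVERSE = {"read_data", "execute"}   # what a directory listing needs


def evaluate_post_acls() -> dict:
    """What each ACL grants to a member of 'it' and to an outsider (constructed)."""
    return {
        "it_member_group_only": check_access(parse_acl(ACL_GROUP_ONLY), "pjoubert", {"it"}, LIST_AND_TRAVERSE),
        "it_member_with_user": check_access(parse_acl(ACL_WITH_USER), "pjoubert", {"it"}, LIST_AND_TRAVERSE),
        "outsider_group_only": check_access(parse_acl(ACL_GROUP_ONLY), "someone", {"staff"}, LIST_AND_TRAVERSE),
    }


if __name__ == "__main__":
    for name, granted in evaluate_post_acls().items():
        print(f"{name}: {'allowed' if granted else 'denied'}")
```

Under these semantics the group-only ACL already grants listing and traversal to any member of `it`, which is why the behaviour the post reports (access only after an explicit `user:` ACE) is surprising: the ACE contents alone do not explain it, so the difference has to come from how the server maps the requesting principal's group membership or from the share settings, not from the permission bits.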