Peter Eriksson
2021-Jun-15 20:34 UTC
[Samba] Recommended ACL-related settings (Samba/ZFS)?
I guess this is only partly Samba related, but I'm guessing many Samba sysadmins using ZFS as backend have run into this issue. I know we've been running into it many times at least and it feels kind of like a moving target...

The question:

What are the recommended (modern) settings (both in Samba and in the filesystem ACLs) that cause the least amount of grief for users for these use cases:

1. ZFS as backend filesystem - and working ZFS ACLs support (i.e. FreeBSD or possibly Solaris)
2. Samba for SMB access serving Windows 10 and MacOS clients
3. NFSv4 for NFS access serving Linux/Unix clients.
4. HOME directories (with only the users full access)
5. Shared directories where users are expected to be able to share files

(And some (Linux) users want the old mode bits and no ACLs at all... Sigh)

Samba smb.conf (relevant settings, assuming latest version - 4.14.5):

    vfs objects = zfsacl
    nt acl support = yes
    store dos attributes = yes
    ea support = false
    nfs4:acedup = merge
    zfsacl:denymissingspecial = yes
    zfsacl:map_dacl_protected = yes
    inherit acls = no
    inherit permissions = no

The idea is to let ZFS manage ACL inheritance etc.

Home directory ACL:

    % acltool lac peter86
    # file: peter86
    # owner: peter86
    # group: employee
    owner@:rwxpDdaARWcCos:fd-----:allow
    group@:------a-R-c--s:fd-----:allow
    everyone@:------a-R-c--s:fd-----:allow

Or should one use separate owner@ ACEs for file-inherit and dir-inherit and skip the 'x' bit for the files so things don't turn up as executables all the time?

Googling turns up a lot of old and probably (these days) incorrect settings so... what are you using? Any real world big site users around who have felt the pain? :-)

- Peter
> I guess this is only partly Samba related, but I'm guessing many Samba sysadmins using ZFS as backend have run into this issue. I know we've been running into it many times at least and it feels kind of like a moving target...
>
> The question:
>
> What are the recommended (modern) settings (both in Samba and in the filesystem ACLs) that cause the least amount of grief for users for these use cases:
>
> 1. ZFS as backend filesystem - and working ZFS ACLs support (i.e. FreeBSD or possibly Solaris)
> 2. Samba for SMB access serving Windows 10 and MacOS clients
> 3. NFSv4 for NFS access serving Linux/Unix clients.
> 4. HOME directories (with only the users full access)
> 5. Shared directories where users are expected to be able to share files
>
> (And some (Linux) users want the old mode bits and no ACLs at all... Sigh)

I am such a sysadmin, running a couple of FreeBSD 12.2 servers with Samba (currently 4.13.7). The same situation as yours applies, except that we basically have no home directories.

> Samba smb.conf (relevant settings, assuming latest version - 4.14.5):
>
>     vfs objects = zfsacl
>     nt acl support = yes
>     store dos attributes = yes
>     ea support = false
>     nfs4:acedup = merge
>     zfsacl:denymissingspecial = yes
>     zfsacl:map_dacl_protected = yes
>     inherit acls = no
>     inherit permissions = no
>
> The idea is to let ZFS manage ACL inheritance etc.

We have 'ea support' enabled, but for no obvious reason. It is enabled by default. Both 'zfsacl:' settings are 'no' in our setup, which is also the default.

Additionally, we have the settings (but they are not related to acls):

    vfs objects = shadow_copy2 zfsacl fruit streams_xattr
    shadow:format = %Y-%m-%d
    shadow:snapdir = .zfs/snapshot
    shadow:snapdirseverywhere = yes
    shadow:sort = desc
    fruit:aapl = yes

> Home directory ACL:
>
>     % acltool lac peter86
>     # file: peter86
>     # owner: peter86
>     # group: employee
>     owner@:rwxpDdaARWcCos:fd-----:allow
>     group@:------a-R-c--s:fd-----:allow
>     everyone@:------a-R-c--s:fd-----:allow
>
> Or should one use separate owner@ ACEs for file-inherit and dir-inherit and skip the 'x' bit for the files so things don't turn up as executables all the time?

What about

    zfs set aclinherit=passthrough-x <dataset>

? What is your 'aclmode' setting? We have 'passthrough', since the other settings interfere with the acls (which is expected, but unwanted). What does the acl on group directories look like?

> Googling turns up a lot of old and probably (these days) incorrect settings so... what are you using? Any real world big site users around who have felt the pain? :-)

Oh, I feel your pain! I find it very hard to debug Samba/ZFS/acl problems. In my opinion the documentation is so-so (meaning: I keep reading the vfs_zfsacl manpage and related documentation, but I have a hard time to _really_ understand what is meant). And then you have Microsoft Office, doing all kinds of weird stuff with the acl's, etc.

In my defense: I inherited the systems, which makes doing big changes almost undoable [without breaking stuff]. The biggest problem is that we need to share the same data via NFS and Samba. I think it would be much easier to share the data via Samba only.

-Remy
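
The split asked about in the first post (separate file-inherit and dir-inherit ACEs, with 'x' dropped for files), worked through on the quoted home directory ACL. This is an added example, not part of either post and not Samba or ZFS code; the function names and the choice to mark the file ACE inherit-only are assumptions made for illustration.

```python
# Added example (not from the thread): rewrite NFSv4 ACEs in the compact form
# quoted in the thread so that files stop inheriting the execute bit.
PERMS = "rwxpDdaARWcCos"  # permission positions as they appear in the thread's ACL
FLAGS = "fdinSFI"         # f=file_inherit, d=dir_inherit, i=inherit_only; rest unused here

# The home directory ACL quoted in the thread.
SAMPLE_ACL = """\
# file: peter86
# owner: peter86
# group: employee
owner@:rwxpDdaARWcCos:fd-----:allow
group@:------a-R-c--s:fd-----:allow
everyone@:------a-R-c--s:fd-----:allow
"""

def parse_ace(line):
    """Split 'who:perms:flags:type'; rsplit keeps 'user:name' style principals whole."""
    who, perms, flags, kind = line.strip().rsplit(":", 3)
    for field, layout in ((perms, PERMS), (flags, FLAGS)):
        if len(field) != len(layout) or any(c not in (l, "-") for c, l in zip(field, layout)):
            raise ValueError(f"malformed ACE field {field!r} in {line!r}")
    return who, perms, flags, kind

def split_exec_inherit(line):
    """Return the ACE unchanged, or a dir-inherit/file-inherit pair without file 'x'."""
    who, perms, flags, kind = parse_ace(line)
    if kind != "allow" or perms[2] != "x" or flags[:2] != "fd":
        return [line.strip()]
    dir_ace = (who, perms, "-" + flags[1:], kind)  # this dir and subdirs keep 'x'
    # Assumption: inherit_only ('i') is set so the file ACE never applies to the directory itself.
    file_ace = (who, perms[:2] + "-" + perms[3:], "f-i" + flags[3:], kind)
    return [":".join(dir_ace), ":".join(file_ace)]

def rewrite_acl(text):
    """Apply split_exec_inherit to every ACE line, skipping '#' header lines."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            out.extend(split_exec_inherit(line))
    return out

if __name__ == "__main__":
    print("\n".join(rewrite_acl(SAMPLE_ACL)))
```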