I'm about to deploy a Samba fileserver where the underlying filesystem on the data partition is ZFS, and someone on the zfsonlinux list got me worried that there might be some problems with doing this (e.g. particularly when it comes to extended POSIX ACLs, which I use heavily).

This led me to this page:
https://www.samba.org/samba/docs/current/man-html/vfs_zfsacl.8.html

where I saw this: "This module follows the posix-acl behaviour and hence allows permission stealing via chown."

I have no idea what permission stealing is, and when I tried to google it, I just got references to this man page.

Also, this: "This module makes use of the smb.conf parameter acl map full control = acl map full control. When set to yes ..."

acl map full control = acl map full control ?

Is that a typo? I would expect to see, for example
acl map full control = yes

or something like this.

Finally, am I going to run into extended ACL issues by Samba sharing ZFS datasets?
On Wed, 2022-01-12 at 07:44 -0600, Patrick Goetz via samba wrote:
> I'm about to deploy a Samba fileserver where the underlying filesystem
> on the data partition is ZFS, and someone on the zfsonlinux list got me
> worried that there might be some problems with doing this (e.g.
> particularly when it comes to extended POSIX ACLs, which I use
> heavily).
>
> This led me to this page:
> https://www.samba.org/samba/docs/current/man-html/vfs_zfsacl.8.html
>
> where I saw this: "This module follows the posix-acl behaviour and
> hence allows permission stealing via chown."
>
> I have no idea what permission stealing is, and when I tried to google
> it, I just got references to this man page.
>
> Also, this "This module makes use of the smb.conf parameter acl map
> full control = acl map full control. When set to yes ..."
>
> acl map full control = acl map full control ?
>
> Is that a typo? I would expect to see, for example
> acl map full control = yes
>
> or something like this.
>
> Finally, am I going to run into extended ACL issues by Samba sharing
> ZFS datasets?

Unless you are running FreeBSD you can ignore the vfs_zfsacl module, ZFS != zfsonlinux (aka ZOL). As far as I am aware ZOL uses ACLs in the same way as ext4.

Rowland
On 1/12/22 14:44, Patrick Goetz via samba wrote:
> I'm about to deploy a Samba fileserver where the underlying filesystem
> on the data partition is ZFS, and someone on the zfsonlinux list got me
> worried that there might be some problems with doing this (e.g.
> particularly when it comes to extended POSIX ACLs, which I use heavily).
>
> This led me to this page:
> https://www.samba.org/samba/docs/current/man-html/vfs_zfsacl.8.html
>
> where I saw this: "This module follows the posix-acl behaviour and
> hence allows permission stealing via chown."

you can just ignore the zfsacl VFS module, see below.

> I have no idea what permission stealing is, and when I tried to google
> it, I just got references to this man page.
>
> Also, this "This module makes use of the smb.conf parameter acl map full
> control = acl map full control. When set to yes ..."
>
> acl map full control = acl map full control ?
>
> Is that a typo? I would expect to see, for example
> acl map full control = yes
>
> or something like this.
>
> Finally, am I going to run into extended ACL issues by Samba sharing ZFS
> datasets?

no, it should work afaict. Just beware that afair ZFS on Linux doesn't support NFSv4 ACLs, just POSIX ACLs. As Samba will work with POSIX ACLs by default, other ACL flavours require loading a dedicated ZFS module, your setup should basically just work.

But of course, the devil's in the details, so you should do some decent research and testing before deploying a production system. :)

Cheers!
-slow

--
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba