On 1/12/22 14:44, Patrick Goetz via samba wrote:> I'm about to deploy a Samba fileserver where the underlying filesystem > on the data partition is ZFS, and someone on the zfsonlinux list got me > worried that there might be some problems with doing this (e.g. > particularly when it comes to extended POSIX ACLs, which I use heavily). > > This lead me to this page: > https://www.samba.org/samba/docs/current/man-html/vfs_zfsacl.8.html > > where I saw this:? "This module follows the posix-acl behaviour and > hence allows permission stealing via chown."you can just ignore the zfsacl VFS module, see below.> I have no idea what permission stealing is, and when I tried to google > it, I just got references to this man page. > > Also, this "This module makes use of the smb.conf parameter acl map full > control = acl map full control. When set to yes ..." > > acl map full control = acl map full control ? > > Is that a typo?? I would expect to see, for example > acl map full control = yes > > or something like this. > > Finally, am I going to run into extended ACL issues by Samba sharing ZFS > datasets?no, it should work afaict. Just beware that afair ZFS on Linux doesn't support NFSv4 ACLs, just POSIX ACLs. As Samba will work with POSIX ACLs by default, other ACL flavours require loading a dedicated ZFS module, your setup should basically just work. But ff course, the devil's in the details, so you should do some decent researcg abd testing before deploying a production system. :) Cheers! -slow -- Ralph Boehme, Samba Team https://samba.org/ SerNet Samba Team Lead https://sernet.de/en/team-samba -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20220112/f10b061f/OpenPGP_signature.sig>
> On 12. Jan 2022, at 16.07, Ralph Boehme via samba <samba at lists.samba.org> wrote: > > On 1/12/22 14:44, Patrick Goetz via samba wrote: >> I'm about to deploy a Samba fileserver where the underlying filesystem on the data partition is ZFS, and someone on the zfsonlinux list got me worried that there might be some problems with doing this (e.g. particularly when it comes to extended POSIX ACLs, which I use heavily). >> This lead me to this page: >> https://www.samba.org/samba/docs/current/man-html/vfs_zfsacl.8.html >> where I saw this: "This module follows the posix-acl behaviour and hence allows permission stealing via chown." > > you can just ignore the zfsacl VFS module, see below. > >> I have no idea what permission stealing is, and when I tried to google it, I just got references to this man page. >> Also, this "This module makes use of the smb.conf parameter acl map full control = acl map full control. When set to yes ..." >> acl map full control = acl map full control ? >> Is that a typo? I would expect to see, for example >> acl map full control = yes >> or something like this. >> Finally, am I going to run into extended ACL issues by Samba sharing ZFS datasets? > > no, it should work afaict. Just beware that afair ZFS on Linux doesn't support NFSv4 ACLs, just POSIX ACLs. As Samba will work with POSIX ACLs by default, other ACL flavours require loading a dedicated ZFS module, your setup should basically just work. But ff course, the devil's in the details, so you should do some decent researcg abd testing before deploying a production system. :) >I?m using ZoL (Ubuntu) with Samba and POSIX ACLs. Works great, although not as granular as NFSv4 but good enough for most basic use cases. -Perttu
On Wed, Jan 12, 2022 at 03:07:05PM +0100, Ralph Boehme via samba wrote:> >no, it should work afaict. Just beware that afair ZFS on Linux doesn't >support NFSv4 ACLs, just POSIX ACLs. As Samba will work with POSIX >ACLs by default, other ACL flavours require loading a dedicated ZFS >module, your setup should basically just work. But ff course, the >devil's in the details, so you should do some decent researcg abd >testing before deploying a production system. :)If you're planning this from scratch as a Samba-only filesystem, I'd really recommend setting the filesystem up as case insensitive. You'll get much better performance on large directories that way.