maillists_samba at diversity.nl
2022-Apr-30  11:04 UTC
[Samba] samba share not allowing owner of folder
A possible important detail I forgot to mention is that the filesystem is ZFS. Does that matter?
Just to be complete in info I'll include extra info on how the filesystem is set:
* acltype=posixacl
* aclmode=discard
* aclinherit=discard
-------- Original Message --------
Subject: Re: [Samba] samba share not allowing owner of folder
Date: 30-04-2022 08:07
 From: maillists_samba at diversity.nl
To: samba at lists.samba.org
In the meantime I have added
vfs objects = acl_xattr
to the global section.
I changed the chmod to 770 recursively.
I changed the owner (chown) to root:root recursively.
I added the proxmox user to the acl using setfacl
I am still failing ;( What am I missing?
# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_STANDALONE
# Global parameters
[global]
	log file = /var/log/samba/log.%m
	logging = file
	map to guest = Bad User
	max log size = 1000
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	server role = standalone server
	unix password sync = Yes
	idmap config * : backend = tdb
	vfs objects = acl_xattr
[proxmox-trx40]
	comment = Aiii
	inherit permissions = Yes
	path = /{redacted}/hypervisors/proxmox/trx40_1
	read only = No
	valid users = master proxmox
ls -l /{redacted}/
drwxrwx---+  3 root   root      3 Mar 24 18:04  hypervisors
getfacl hypervisors
# file: hypervisors
# owner: root
# group: root
user::rwx
user:master:rwx
user:proxmox:rwx
group::rwx
mask::rwx
other::---
smbclient "\\\\{redacted}\\proxmox-trx40" -U proxmox
Enter WORKGROUP\proxmox's password:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
On 11-04-2022 13:02, Rowland Penny via samba wrote:
> On Mon, 2022-04-11 at 12:30 +0200, maillists_samba--- via samba wrote:
>> How to allow the owner of a folder that is shared access to that
>> share?
>> 
>> I have;
>> 
>> Samba version 4.13.13-Debian
>> 
>> # testparm -s
>> Load smb config files from /etc/samba/smb.conf
>> Loaded services file OK.
>> Weak crypto is allowed
>> Server role: ROLE_STANDALONE
>> 
>> ----------
>> # Global parameters
>> [global]
>>          log file = /var/log/samba/log.%m
>>          logging = file
>>          map to guest = Bad User
>>          max log size = 1000
>>          obey pam restrictions = Yes
>>          pam password change = Yes
>>          panic action = /usr/share/samba/panic-action %d
>>          passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>          passwd program = /usr/bin/passwd %u
>>          server role = standalone server
>>          unix password sync = Yes
>>          usershare allow guests = Yes
>>          idmap config * : backend = tdb
>> 
>> [proxmox-trx40]
>>          comment = Aiii
>>          inherit permissions = Yes
>>          path = /{redacted}/hypervisors/proxmox/trx40_1
>>          read only = No
>>          valid users = proxmox
>> 
>> ----------
>> 
>> ls -l /{redacted}/
>> 
>> drwxrwx---+  3 proxmox proxmox    3 Mar 24 18:04  hypervisors
> 
> On the face of it, only 'proxmox' and members of the 'proxmox' group
> can enter the hypervisors directory, but notice the '+' on the end of
> the permissions, this means that you have extended ACLs set. However
> you are missing a parameter in the smb.conf global section.
> 
> Add 'vfs objects = acl_xattr' to smb.conf, restart Samba and then read
> up on 'setfacl' and 'getfacl'.
> 
> Rowland
On Sat, 2022-04-30 at 13:04 +0200, maillists_samba--- via samba wrote:
> a possible important detail I forgot to mention is that the
> filesystem is ZFS. Does that matter?
> Just to be complete in info I'll include extra info on how the
> filesystem is set
> * acltype=posixacl
> * aclmode=discard
> * aclinherit=discard

Is this Freebsd ? If it is, then you require a different VFS module
'zfsacl' instead of 'acl_xattr'

You may also need to install 'samba-vfs-modules' if it isn't already
installed.

You also need to set the ACL's on the share directory and allow
everyone to get to the share directory.

Rowland
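The advice above (ACLs on the share directory itself, plus access to every directory leading to it) can be checked one path component at a time. The following is an added example, not code from the thread or from Samba: it applies the POSIX ACL access check to getfacl records. Only the `hypervisors` record is taken from the thread; the records for the two deeper directories, the user's group list and all function and variable names are constructed assumptions, and root's permission bypass is not modelled.

```python
# Added example: POSIX ACL access check applied to getfacl records, one per directory.
# Only the "hypervisors" record is from the thread; the other two are constructed.
HYPERVISORS = """# file: hypervisors
# owner: root
# group: root
user::rwx
user:master:rwx
user:proxmox:rwx
group::rwx
mask::rwx
other::---"""
NO_ENTRY = "# owner: root\n# group: root\nuser::rwx\ngroup::rwx\nother::---"
WITH_ENTRY = NO_ENTRY.replace("group::", "user:proxmox:rwx\nmask::rwx\ngroup::")
CHAIN = [("hypervisors", HYPERVISORS), ("hypervisors/proxmox", NO_ENTRY),
         ("hypervisors/proxmox/trx40_1", WITH_ENTRY)]

def parse_getfacl(text):
    """Return owner, owning group and access entries of one getfacl record."""
    acl = {"owner": None, "group": None, "entries": {}}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, who, perms = line.split()[0].split(":")  # drops "#effective:" notes
            acl["entries"][(tag, who)] = set(perms) - {"-"}
    return acl

def allowed(acl, user, groups, want):
    """POSIX.1e check: owner, then named user, then groups, then other."""
    e, want = acl["entries"], set(want)
    mask = e.get(("mask", ""), set("rwx"))  # no mask entry: nothing is masked
    if user == acl["owner"]:
        return want <= e[("user", "")]      # owner entry is never masked
    if ("user", user) in e:
        return want <= (e[("user", user)] & mask)
    matches = [e[("group", "")]] if acl["group"] in groups else []
    matches += [e[("group", g)] for g in groups if ("group", g) in e]
    if matches:                             # a group match never falls through to other
        return any(want <= (p & mask) for p in matches)
    return want <= e[("other", "")]

def first_block(chain, user, groups):
    """Parents need search (x); the share directory itself needs r and x to list."""
    for i, (path, record) in enumerate(chain):
        want = "rx" if i == len(chain) - 1 else "x"
        if not allowed(parse_getfacl(record), user, groups, want):
            return path
    return None

if __name__ == "__main__":
    print(first_block(CHAIN, "proxmox", ["proxmox"]))
```

On a real system the chain should start at `/` and use the output of `getfacl` for each directory down to the share path.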
maillists_samba at diversity.nl
2022-May-01  07:50 UTC
[Samba] ZFS samba share not allowing ACL members access
I changed the subject to better reflect my problem.

I am running samba

#testparm --version
Version 4.13.13-Debian

#modinfo zfs | grep version
version: 2.1.2-pve1
srcversion: 0F243348A3846ED6C1A546D
vermagic: 5.13.19-6-pve SMP mod_unload modversions

samba-vfs-modules is already the newest version (2:4.13.13+dfsg-1~deb11u3)

When setting in the globals section
vfs objects = zfsacl
shares are no longer available and when connecting I get
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

So the goal is to have samba shares allow access to users in the ACL list on files and folders on ZFS

On 30-04-2022 14:03, Rowland Penny via samba wrote:
> On Sat, 2022-04-30 at 13:04 +0200, maillists_samba--- via samba wrote:
>> a possible important detail I forgot to mention is that the
>> filesystem
>> is ZFS. Does that matter?
>> Just to be complete in info I'll include extra info on how the
>> filesystem is set
>> * acltype=posixacl
>> * aclmode=discard
>> * aclinherit=discard
>
> Is this Freebsd ? If it is, then you require a different VFS module
> 'zfsacl' instead of 'acl_xattr'
>
> You may also need to install 'samba-vfs-modules' if it isn't already
> installed.
>
> You also need to set the ACL's on the share directory and allow
> everyone to get to the share directory.
>
> Rowland

On 11-04-2022 13:02, Rowland Penny via samba wrote:
> On Mon, 2022-04-11 at 12:30 +0200, maillists_samba--- via samba wrote:
>> How to allow the owner of a folder that is shared access to that
>> share?
>>
>> I have;
>>
>> Samba version 4.13.13-Debian
>>
>> # testparm -s
>> Load smb config files from /etc/samba/smb.conf
>> Loaded services file OK.
>> Weak crypto is allowed
>> Server role: ROLE_STANDALONE
>>
>> ----------
>> # Global parameters
>> [global]
>>          log file = /var/log/samba/log.%m
>>          logging = file
>>          map to guest = Bad User
>>          max log size = 1000
>>          obey pam restrictions = Yes
>>          pam password change = Yes
>>          panic action = /usr/share/samba/panic-action %d
>>          passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>          passwd program = /usr/bin/passwd %u
>>          server role = standalone server
>>          unix password sync = Yes
>>          usershare allow guests = Yes
>>          idmap config * : backend = tdb
>>
>> [proxmox-trx40]
>>          comment = Aiii
>>          inherit permissions = Yes
>>          path = /{redacted}/hypervisors/proxmox/trx40_1
>>          read only = No
>>          valid users = proxmox
>>
>> ----------
>>
>> ls -l /{redacted}/
>>
>> drwxrwx---+ 3 proxmox proxmox 3 Mar 24 18:04 hypervisors
>
> On the face of it, only 'proxmox' and members of the 'proxmox' group
> can enter the hypervisors directory, but notice the '+' on the end of
> the permissions, this means that you have extended ACLs set. However
> you are missing a parameter in the smb.conf global section.
>
> Add 'vfs objects = acl_xattr' to smb.conf, restart Samba and then read
> up on 'setfacl' and 'getfacl'.
>
> Rowland