Jeff Hulen
2009-Jul-28 19:25 UTC
[zfs-discuss] Set New File/Folder ZFS ACLs Automatically through Samba?
Do any of you know how to set the default ZFS ACLs for newly created files and folders when those files and folders are created through Samba?

I want to have all new files and folders only inherit extended (non-trivial) ACLs that are set on the parent folders. But when a file is created through samba on the zfs file system, it gets mode 744 (trivial) added to it. For directories, it gets mode 755 added to it.

I've tried everything I could find and think of:

1.) Setting a umask.
2.) Editing /etc/sfw/smb.conf 'force create mode' and 'force directory mode'. Then `svcadm restart samba`.
3.) Adding trivial inheritable ACLs to the parent folder.

Changes 1 and 2 had no effect.

In number 3 I got folders to effectively do what I want, but not files. I set the ACLs of the parent to:

> drwx------+ 24 AD+administrator AD+records 2132 Jul 28 12:01 records/
> user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
> user:AD+administrator:rwxpdDaARWcCos:------:allow
> group:AD+records:rwxpd-aARWc--s:fdi---:allow
> group:AD+records:rwxpd-aARWc--s:------:allow
> group:AD+release:r-x---a-R-c---:------:allow
> owner@:rwxp---A-W-Co-:fd----:allow
> group@:rwxp----------:fd----:deny
> everyone@:rwxp---A-W-Co-:fd----:deny

Then new directories and files get created like this from a windows workstation connected to the server:

> drwx------+ 2 AD+testuser AD+domain users 2 Jul 28 12:01 test
> user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
> user:AD+administrator:rwxpdDaARWcCos:------:allow
> group:AD+records:rwxpd-aARWc--s:fdi---:allow
> group:AD+records:rwxpd-aARWc--s:------:allow
> owner@:rwxp---A-W-Co-:fdi---:allow
> owner@:-------A-W-Co-:------:allow
> group@:rwxp----------:fdi---:deny
> group@:--------------:------:deny
> everyone@:rwxp---A-W-Co-:fdi---:deny
> everyone@:-------A-W-Co-:------:deny
> owner@:--------------:------:deny
> owner@:rwxp---A-W-Co-:------:allow
> group@:-w-p----------:------:deny
> group@:r-x-----------:------:allow
> everyone@:-w-p---A-W-Co-:------:deny
> everyone@:r-x---a-R-c--s:------:allow
>
> -rwxr--r--+ 1 AD+testuser AD+domain users 0 Jul 28 12:01 test.txt
> user:AD+administrator:rwxpdDaARWcCos:------:allow
> group:AD+records:rwxpd-aARWc--s:------:allow
> owner@:-------A-W-Co-:------:allow
> group@:--------------:------:deny
> everyone@:-------A-W-Co-:------:deny
> owner@:--------------:------:deny
> owner@:rwxp---A-W-Co-:------:allow
> group@:-wxp----------:------:deny
> group@:r-------------:------:allow
> everyone@:-wxp---A-W-Co-:------:deny
> everyone@:r-----a-R-c--s:------:allow

I need group "AD+release" to have read-only access to only specific files within records. I could set that up, but any new files or folders that are created will be viewable by AD+release. That would not be acceptable.

Do any of you know how to set the samba file/folder creation ACLs on ZFS file systems? Or do you have something I could try?

Thank you for your time.

-- Jeff Hulen
Thomas Nau
2009-Jul-29 10:56 UTC
[zfs-discuss] Set New File/Folder ZFS ACLs Automatically through Samba?
Jeff,

On Tue, 28 Jul 2009, Jeff Hulen wrote:

> Do any of you know how to set the default ZFS ACLs for newly created
> files and folders when those files and folders are created through Samba?
>
> I want to have all new files and folders only inherit extended
> (non-trivial) ACLs that are set on the parent folders. But when a file
> is created through samba on the zfs file system, it gets mode 744
> (trivial) added to it. For directories, it gets mode 755 added to it.
>
> I've tried everything I could find and think of:
>
> 1.) Setting a umask.
> 2.) Editing /etc/sfw/smb.conf 'force create mode' and 'force directory
> mode'. Then `svcadm restart samba`.
> 3.) Adding trivial inheritable ACLs to the parent folder.
>
> Changes 1 and 2 had no effect.
>
> In number 3 I got folders to effectively do what I want, but not files.
> I set the ACLs of the parent to:
>> drwx------+ 24 AD+administrator AD+records 2132 Jul 28 12:01 records/
>> user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
>> user:AD+administrator:rwxpdDaARWcCos:------:allow
>> group:AD+records:rwxpd-aARWc--s:fdi---:allow
>> group:AD+records:rwxpd-aARWc--s:------:allow
>> group:AD+release:r-x---a-R-c---:------:allow
>> owner@:rwxp---A-W-Co-:fd----:allow
>> group@:rwxp----------:fd----:deny
>> everyone@:rwxp---A-W-Co-:fd----:deny
>
> Then new directories and files get created like this from a windows
> workstation connected to the server:
>> drwx------+ 2 AD+testuser AD+domain users 2 Jul 28 12:01 test
>> user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
>> user:AD+administrator:rwxpdDaARWcCos:------:allow
>> group:AD+records:rwxpd-aARWc--s:fdi---:allow
>> group:AD+records:rwxpd-aARWc--s:------:allow
>> owner@:rwxp---A-W-Co-:fdi---:allow
>> owner@:-------A-W-Co-:------:allow
>> group@:rwxp----------:fdi---:deny
>> group@:--------------:------:deny
>> everyone@:rwxp---A-W-Co-:fdi---:deny
>> everyone@:-------A-W-Co-:------:deny
>> owner@:--------------:------:deny
>> owner@:rwxp---A-W-Co-:------:allow
>> group@:-w-p----------:------:deny
>> group@:r-x-----------:------:allow
>> everyone@:-w-p---A-W-Co-:------:deny
>> everyone@:r-x---a-R-c--s:------:allow
>>
>> -rwxr--r--+ 1 AD+testuser AD+domain users 0 Jul 28 12:01 test.txt
>> user:AD+administrator:rwxpdDaARWcCos:------:allow
>> group:AD+records:rwxpd-aARWc--s:------:allow
>> owner@:-------A-W-Co-:------:allow
>> group@:--------------:------:deny
>> everyone@:-------A-W-Co-:------:deny
>> owner@:--------------:------:deny
>> owner@:rwxp---A-W-Co-:------:allow
>> group@:-wxp----------:------:deny
>> group@:r-------------:------:allow
>> everyone@:-wxp---A-W-Co-:------:deny
>> everyone@:r-----a-R-c--s:------:allow
>
> I need group "AD+release" to have read-only access to only
> specific files within records. I could set that up, but any new files or
> folders that are created will be viewable by AD+release. That
> would not be acceptable.
>
> Do any of you know how to set the samba file/folder creation ACLs on ZFS
> file systems? Or do you have something I could try?

The following setup works quite well for us with a self compiled Samba 3.0.34 taken from the SFW source tree. The only problem we ran into was that Microsoft Office sometimes seems to set permissions on files in an, at least for me, unpredictable way.

smb.conf:

...
[data]
;
; public fileserver share
;
path = /smb/data
comment = user and group directories
public = no
writable = yes
browseable = yes
vfs objects = zfsacl
inherit permissions = yes
inherit acls = yes
store dos attributes = yes
hide dot files = no
nfs4: mode = simple
nfs4: acedup = merge
zfsacl: acesort = dontcare
; delete readonly = yes
;
; set to "no" else Microsoft Excel/Word cause permission problems
;
map archive = no
map hidden = no
map read only = no
map system = no

Some zfs properties of the top-level zfs which get inherited to the children:

NAME  PROPERTY         VALUE       SOURCE
smb   snapdir          visible     local
smb   aclmode          groupmask   default
smb   aclinherit       restricted  default
smb   casesensitivity  sensitive   -

Now for every "group" directory reflecting a particular department such as "kizinfra" we set permissions as

# ls -ldV kizinfra
drwxr-sr-x+ 10 root kizinfra 9 Apr 26 17:36 kizinfra
owner@:rwxpdDaARWcCos:fd-----:allow
group@:r-x---a-R-c--s:-------:allow
group@:------a-R-c--s:fdi----:allow
everyone@:r-x---a-R-c--s:-------:allow
everyone@:------a-R-c--s:fdi----:allow

Every user gets a home directory underneath:

# ls -ldV kizinfra/nau
drwx--S---+ 2 nau kizinfra 2 Jul 27 18:10 kizinfra/nau
owner@:rwxpdDaARWcCos:fdi---I:allow
owner@:rwxpdDaARWcCos:------I:allow
group@:------a-R-c--s:fdi---I:allow
group@:------a-R-c--s:------I:allow
everyone@:------a-R-c--s:fdi---I:allow
everyone@:------a-R-c--s:------I:allow

With those settings inheritance works as expected. Please note that we also set the group-set-ID bit to ensure that files underneath the group's top-level directory will always be assigned to the group even if a user of a different one is granted access.

Hope that helps
Thomas

-----------------------------------------------------------------
GPG fingerprint: B1 EE D2 39 2C 82 26 DA A5 4D E0 50 35 75 9E ED
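The question both messages turn on is which entries of a parent's ACL actually land on a new file or directory, and in particular whether an entry like Jeff's group:AD+release (no inheritance flags) ever reaches new objects. The audit script below is an added example, not code from either poster, Samba or ZFS: it parses the ls -V ACE syntax and applies only the f/d/i/n inheritance-flag rules, assuming the layout visible in both listings (a propagating fdi copy plus an effective copy on directories, a single effective copy on files, marked with the newer I column); it does not model the aclmode/aclinherit step that later adds the mode-derived trivial entries Jeff saw.

```python
from dataclasses import dataclass
FLAG_SLOTS = "fdinSFI"   # column order of the inheritance-flag field in ls -V output
@dataclass(frozen=True)
class Ace:
    who: str           # owner@, group@, everyone@, user:NAME or group:NAME
    perms: str         # 14-char permission mask, e.g. rwxpdDaARWcCos
    flags: frozenset   # f=file_inherit d=dir_inherit i=inherit_only n=no_propagate I=inherited
    kind: str          # allow or deny
    def render(self) -> str:
        return f"{self.who}:{self.perms}:{''.join(c if c in self.flags else '-' for c in FLAG_SLOTS)}:{self.kind}"
def parse_acl(text: str) -> list[Ace]:
    """Parse ls -V/-dV listing text; the header line and mail quote markers are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip().lstrip("> ")
        if line.endswith((":allow", ":deny")):
            who, perms, flags, kind = line.rsplit(":", 3)
            aces.append(Ace(who, perms, frozenset(flags) - {"-"}, kind))
    return aces
def inherit(parent: list[Ace], is_dir: bool) -> list[Ace]:
    """ACEs a new child gets by the f/d/i/n flag rules alone (no aclmode/aclinherit step)."""
    child = []
    for a in parent:
        f, d, n = "f" in a.flags, "d" in a.flags, "n" in a.flags
        effective = Ace(a.who, a.perms, frozenset("I"), a.kind)         # flags cleared
        propagate = Ace(a.who, a.perms, a.flags | {"i", "I"}, a.kind)  # inherit-only copy
        if not is_dir:
            if f:
                child.append(effective)
        elif d:
            if not n:
                child.append(propagate)
            child.append(effective)
        elif f and not n:       # file-only entry rides along so it can reach files below
            child.append(propagate)
    return child
def who_reaches(child: list[Ace], who: str) -> bool:
    """True if `who` ends up with an effective allow entry on the new object."""
    return any(a.who == who and a.kind == "allow" and "i" not in a.flags for a in child)
RECORDS_ACL = """\
drwx------+ 24 AD+administrator AD+records 2132 Jul 28 12:01 records/
user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
user:AD+administrator:rwxpdDaARWcCos:------:allow
group:AD+records:rwxpd-aARWc--s:fdi---:allow
group:AD+records:rwxpd-aARWc--s:------:allow
group:AD+release:r-x---a-R-c---:------:allow
owner@:rwxp---A-W-Co-:fd----:allow
group@:rwxp----------:fd----:deny
everyone@:rwxp---A-W-Co-:fd----:deny
"""   # parent ACL copied from Jeff's message, embedded here as sample input
```

Run against the records/ listing it shows that the AD+release entry, having no inheritance flags, is never carried to new files or directories, so the read-only grant stays confined to the objects it is set on; the 744/755 trivial entries Jeff observed are applied in a later step that this script leaves out.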