FreeNAS

A little background: I use unison for bi-directional sync on FreeBSD. Unison does not sync ACLs. So I do not use zfsacl on those shares. I'm trying to use FreeNAS to accomplish similar on another system. I would like to prevent Windows users changing the ACLs on my 'unix' filesystem -- because those ACLs will not replicate which could lockout users.

I'll paste my smb4.conf below.

Also, I'm curious what technically happens due to setting a filesystem's "share type" to unix/windows/etc.

[global]
    interfaces = 10.10.0.22
    disable netbios = yes
    security = ads
    realm = FOO.LOCAL
    workgroup = FOO
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    idmap config FOO: backend = rid
    idmap config FOO: range = 20000-90000000
    winbind enum users = yes
    winbind enum groups = yes
    log file = /var/log/samba4/log.foo
    log level = 1
    store dos attributes = yes
    local master = no
    directory name cache size = 0
    domain master = no
    preferred master = no
    syslog = 0

# Work around samba inotify/kqueue bug -- see pcbsd bug 4728, samba bug 11063, serverfault 683623
    kernel change notify = no

[Projects]
    path = /agp1/projects
    veto files = /.snapshot/.windows/.mac/.zfs/Thumbs.db/
    writeable = yes
    browseable = yes
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = open pwrite
    full_audit:failure = open pwrite
    full_audit:facility = local7
    full_audit:priority = NOTICE
    oplocks = no
    create mask = 0770
    force create mode = 660
    directory mask = 0770
    force directory mode = 770
    strict allocate = yes
    hide unreadable = yes

Samba will only interpret the last "vfs objects" line in a share definition. This means that if you set, for example, the auxiliary parameter "vfs objects = streams_xattr full_audit", then "zfsacl" will no longer be enabled. Do note however that some VFS objects are sensitive about ordering. Try to replicate what you see in FreeNAS under /usr/local/etc/smb4.conf

Setting the share type to "windows" changes the dataset's aclmode property to "restricted". This protects it from having an inerrant chmod break ACLs. On "unix" datasets the aclmode is set to "passthrough".

John Hixson wrote:

Kris Moore wrote:

John, this safe/wise to do?

It's safe. Wise? depends on user case ;-) Honestly, I'm not happy about the VFS objects that are automatically added when on a ZFS filesystem either. I would like the default to be to add them, but to be removable if not wanted (in cases like this). Currently, other than adding to auxiliary parameters to override the entire VFS objects line, there is no way to do this.

What about checking the aclmode for the dataset being shared? If it's set to "restricted", then add "zfsacl". Otherwise don't add it. I can't really think of a reason why someone would have a "windows" dataset without wanting to use zfsacl, and we all know that "zfsacl" + "passthrough" is kinda borken.

I've done the work to make ZFS VFS objects optional. They are added by default on new shares, but can be removed. This has exposed another issue, however. You can't remove all VFS objects and have an empty list. This is desirable behavior as well, so I will dig into this as well.

Thanks for your help guys!