Bug #23439
ZFS VFS objects are optional
Description
I set "share type" to unix on a particular filesystem. smb4.conf is still created with "vfs objects = zfsacl" I expect/desire zfsacl to be disabled for the share pointing to this file system.
Related issues
Associated revisions
History
#1
Updated by Bonnie Follweiler almost 4 years ago
- Assignee set to Kris Moore
#2
Updated by Kris Moore almost 4 years ago
- Category changed from 39 to 57
- Assignee changed from Kris Moore to John Hixson
- Target version set to 9.10.4
John, this safe/wise to do?
#3
Updated by Chris Stankevitz almost 4 years ago
A little background: I use unison for bi-directional sync on FreeBSD. Unison does not sync ACLs. So I do not use zfsacl on those shares. I'm trying to use FreeNAS to accomplish similar on another system. I would like to prevent Windows users changing the ACLs on my 'unix' filesystem -- because those ACLs will not replicate which could lockout users.
I'll paste my smb4.conf below.
Also, I'm curious what technically happens due to setting a filesystem's "share type" to unix/windows/etc.
[global] interfaces = 10.10.0.22 disable netbios = yes security = ads realm = FOO.LOCAL workgroup = FOO idmap config *: backend = tdb idmap config *: range = 90000001-100000000 idmap config FOO: backend = rid idmap config FOO: range = 20000-90000000 winbind enum users = yes winbind enum groups = yes log file = /var/log/samba4/log.foo log level = 1 store dos attributes = yes local master = no directory name cache size = 0 domain master = no preferred master = no syslog = 0 # Work around samba inotify/kqueue bug -- see pcbsd bug 4728, samba bug 11063, serverfault 683623 kernel change notify = no [Projects] path = /agp1/projects veto files = /.snapshot/.windows/.mac/.zfs/Thumbs.db/ writeable = yes browseable = yes vfs objects = full_audit full_audit:prefix = %u|%I|%m|%S full_audit:success = open pwrite full_audit:failure = open pwrite full_audit:facility = local7 full_audit:priority = NOTICE oplocks = no create mask = 0770 force create mode = 660 directory mask = 0770 force directory mode = 770 strict allocate = yes hide unreadable = yes
#4
Updated by an odos almost 4 years ago
Samba will only interpret the last "vfs objects" line in a share definition. This means that if you set, for example, the auxiliary parameter "vfs objects = streams_xattr full_audit", then "zfsacl" will no longer be enabled. Do note however that some VFS objects are sensitive about ordering. Try to replicate what you see in FreeNAS under /usr/local/etc/smb4.conf
Setting the share type to "windows" changes the dataset's aclmode property to "restricted". This protects it from having an inerrant chmod break ACLs. On "unix" datasets the aclmode is set to "passthrough".
#5
Updated by John Hixson almost 4 years ago
- Status changed from Unscreened to Screened
- Priority changed from No priority to Nice to have
Kris Moore wrote:
John, this safe/wise to do?
It's safe. Wise? depends on user case ;-) Honestly, I'm not happy about the VFS objects that are automatically added when on a ZFS filesystem either. I would like the default to be to add them, but to be removable if not wanted (in cases like this). Currently, other than adding to auxiliary parameters to override the entire VFS objects line, there is no way to do this.
#6
Updated by an odos almost 4 years ago
John Hixson wrote:
Kris Moore wrote:
John, this safe/wise to do?
It's safe. Wise? depends on user case ;-) Honestly, I'm not happy about the VFS objects that are automatically added when on a ZFS filesystem either. I would like the default to be to add them, but to be removable if not wanted (in cases like this). Currently, other than adding to auxiliary parameters to override the entire VFS objects line, there is no way to do this.
What about checking the aclmode for the dataset being shared? If it's set to "restricted", then add "zfsacl". Otherwise don't add it. I can't really think of a reason why someone would have a "windows" dataset without wanting to use zfsacl, and we all know that "zfsacl" + "passthrough" is kinda borken.
#7
Updated by Kris Moore almost 4 years ago
- Target version changed from 9.10.4 to 11.1
#8
Updated by John Hixson over 3 years ago
I've done the work to make ZFS VFS objects optional. They are added by default on new shares, but can be removed. This has exposed another issue, however. You can't remove all VFS objects and have an empty list. This is desirable behavior as well, so I will dig into this as well.
#9
Updated by John Hixson over 3 years ago
- Status changed from Screened to Resolved
#10
Updated by Chris Stankevitz over 3 years ago
Thanks for your help guys!
#11
Updated by Dru Lavigne over 3 years ago
- Subject changed from samba vfs zfsacl still enabled for "unix" shares to Don't set zfsacl vfs module by default
#12
Updated by Dru Lavigne over 3 years ago
- Target version changed from 11.1 to 11.1-BETA1
#13
Updated by Dru Lavigne over 3 years ago
- Subject changed from Don't set zfsacl vfs module by default to ZFS VFS objects are optional
#14
Updated by Joe Maloney about 3 years ago
- Needs QA changed from Yes to No
- QA Status Test Passes FreeNAS added
- QA Status deleted (
Not Tested)
#15
Updated by Timur Bakeyev almost 3 years ago
- Related to Bug #26994: Add zfs_space and zfsacl as default modules to VFS objects added