Jeff,

On Tue, 28 Jul 2009, Jeff Hulen wrote:
Do any of you know how to set the default ZFS ACLs for newly created
files and folders when those files and folders are created through Samba?

I want to have all new files and folders only inherit extended
(non-trivial) ACLs that are set on the parent folders.  But when a file
is created through samba on the zfs file system, it gets mode 744
(trivial) added to it.  For directories, it gets mode 755 added to it.

I've tried everything I could find and think of:

1.) Setting a umask.
2.) Editing /etc/sfw/smb.conf 'force create mode' and 'force directory
mode'.  Then `svcadm restart samba`.
3.) Adding trivial inheritable ACLs to the parent folder.

Changes 1 and 2 had no effect.

In number 3 I got folders to effectively do what I want, but not files.
I set the ACLs of the parent to:
drwx------+ 24 AD+administrator AD+records    2132 Jul 28 12:01 records/
    user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
    user:AD+administrator:rwxpdDaARWcCos:------:allow
    group:AD+records:rwxpd-aARWc--s:fdi---:allow
    group:AD+records:rwxpd-aARWc--s:------:allow
    group:AD+release:r-x---a-R-c---:------:allow
            owner@:rwxp---A-W-Co-:fd----:allow
            group@:rwxp----------:fd----:deny
         everyone@:rwxp---A-W-Co-:fd----:deny

Then new directories and files get created like this from a Windows
workstation connected to the server:
drwx------+  2 AD+testuser AD+domain users       2 Jul 28 12:01 test
    user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
    user:AD+administrator:rwxpdDaARWcCos:------:allow
    group:AD+records:rwxpd-aARWc--s:fdi---:allow
    group:AD+records:rwxpd-aARWc--s:------:allow
            owner@:rwxp---A-W-Co-:fdi---:allow
            owner@:-------A-W-Co-:------:allow
            group@:rwxp----------:fdi---:deny
            group@:--------------:------:deny
         everyone@:rwxp---A-W-Co-:fdi---:deny
         everyone@:-------A-W-Co-:------:deny
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-w-p----------:------:deny
            group@:r-x-----------:------:allow
         everyone@:-w-p---A-W-Co-:------:deny
         everyone@:r-x---a-R-c--s:------:allow
-rwxr--r--+  1 AD+testuser AD+domain users       0 Jul 28 12:01 test.txt
    user:AD+administrator:rwxpdDaARWcCos:------:allow
    group:AD+records:rwxpd-aARWc--s:------:allow
            owner@:-------A-W-Co-:------:allow
            group@:--------------:------:deny
         everyone@:-------A-W-Co-:------:deny
            owner@:--------------:------:deny
            owner@:rwxp---A-W-Co-:------:allow
            group@:-wxp----------:------:deny
            group@:r-------------:------:allow
         everyone@:-wxp---A-W-Co-:------:deny
         everyone@:r-----a-R-c--s:------:allow

I need group "AD+release" to have read-only access to only
specific files within records.  I could set that up, but any new files or
folders that are created will be viewable by AD+release.  That
would not be acceptable.

Do any of you know how to set the Samba file/folder creation ACLs on ZFS
file systems?  Or do you have something I could try?


The following setup works quite well for us with a self-compiled
Samba 3.0.34 taken from the SFW source tree. The only problem
we ran into was that Microsoft Office sometimes seems to set
permissions on files in an, at least for me, unpredictable way.

smb.conf:
...
        [data]
                        ;
                        ; public fileserver share
                        ;
                        path = /smb/data
                        comment = user and group directories
                        public = no
                        writable = yes
                        browseable = yes
                        vfs objects = zfsacl
                        inherit permissions = yes
                        inherit acls = yes
                        store dos attributes = yes
                        hide dot files = no
                        nfs4: mode = simple
                        nfs4: acedup = merge
                        zfsacl: acesort = dontcare
                        ; delete readonly = yes
                        ;
                        ; set to "no" else Microsoft Excel/Word cause permission problems
                        ;
                        map archive = no
                        map hidden = no
                        map read only = no
                        map system = no


Some ZFS properties of the top-level ZFS which get inherited by
the children:

        NAME  PROPERTY         VALUE        SOURCE
        smb   snapdir          visible      local
        smb   aclmode          groupmask    default
        smb   aclinherit       restricted   default
        smb   casesensitivity  sensitive    -

Now for every "group" directory reflecting a particular department
such as "kizinfra" we set permissions as:

        # ls -ldV kizinfra
        drwxr-sr-x+ 10 root     kizinfra       9 Apr 26 17:36 kizinfra
                   owner@:rwxpdDaARWcCos:fd-----:allow
                   group@:r-x---a-R-c--s:-------:allow
                   group@:------a-R-c--s:fdi----:allow
                everyone@:r-x---a-R-c--s:-------:allow
                everyone@:------a-R-c--s:fdi----:allow

Every user gets a home directory underneath:

        # ls -ldV kizinfra/nau
        drwx--S---+  2 nau      kizinfra       2 Jul 27 18:10 kizinfra/nau
                   owner@:rwxpdDaARWcCos:fdi---I:allow
                   owner@:rwxpdDaARWcCos:------I:allow
                   group@:------a-R-c--s:fdi---I:allow
                   group@:------a-R-c--s:------I:allow
                everyone@:------a-R-c--s:fdi---I:allow
                everyone@:------a-R-c--s:------I:allow

With those settings inheritance works as expected. Please note that
we also set the set-group-ID bit to ensure that files underneath
the group's top-level directory will always be assigned to the group,
even if a user of a different one is granted access.

Hope that helps
Thomas

-----------------------------------------------------------------
GPG fingerprint: B1 EE D2 39 2C 82 26 DA  A5 4D E0 50 35 75 9E ED
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
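As an added example (not code from either post), a small Python model of how ZFS evaluates an NFSv4-style ACL, run over the two `ls -V` listings quoted in the thread. It shows that the mode-derived group@/everyone@ allow entries Samba appended to Jeff's test.txt give a member of AD+release read access, while the inherited-only entries on Thomas's user home directory do not. The user names and group memberships in the check functions are assumptions, and the model ignores root and the implicit owner rights ZFS always grants.

```python
import re

# One `ls -V` ACE line: who:perms(14 bits):inherit-flags:allow|deny
ACE_RE = re.compile(r"^\s*(\S+):([rwxpdDaARWcCos-]{14}):([fdinI-]{6,7}):(allow|deny)\s*$")

def parse_acl(text):
    """Return (who, perms, flags, kind) tuples, in ACL order; other lines are skipped."""
    return [m.groups() for m in map(ACE_RE.match, text.splitlines()) if m]

def principal_matches(who, user, groups, owner, group):
    if ":" in who:                                   # user:NAME or group:NAME
        kind, name = who.split(":", 1)
        return name == user if kind == "user" else name in groups
    return {"owner@": user == owner, "group@": group in groups, "everyone@": True}[who]

def has_access(acl, user, groups, owner, group, want):
    """NFSv4/ZFS evaluation: ACEs are walked in order; the first ACE naming the
    principal that mentions a requested bit decides it, and a bit no ACE
    mentions stays denied.  inherit_only ('i') entries are never evaluated."""
    undecided, granted = set(want), set()
    for who, perms, flags, kind in acl:
        if "i" in flags or not principal_matches(who, user, groups, owner, group):
            continue
        for bit in [b for b in undecided if b in perms]:
            undecided.remove(bit)
            if kind == "allow":
                granted.add(bit)
    return granted == set(want)

# Sample input: the ACLs quoted in the thread (test.txt from Jeff, kizinfra/nau from Thomas).
JEFF_TEST_TXT = """user:AD+administrator:rwxpdDaARWcCos:------:allow
group:AD+records:rwxpd-aARWc--s:------:allow
owner@:-------A-W-Co-:------:allow
group@:--------------:------:deny
everyone@:-------A-W-Co-:------:deny
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow"""
THOMAS_NAU_HOME = """owner@:rwxpdDaARWcCos:fdi---I:allow
owner@:rwxpdDaARWcCos:------I:allow
group@:------a-R-c--s:fdi---I:allow
group@:------a-R-c--s:------I:allow
everyone@:------a-R-c--s:fdi---I:allow
everyone@:------a-R-c--s:------I:allow"""

def can_read(acl_text, user, groups, owner, group):
    """Does `user` get read_data ('r') on an object owned by owner:group?"""
    return has_access(parse_acl(acl_text), user, groups, owner, group, "r")
```

The second check assumes an AD+release member is, like every domain account, also in "AD+domain users", which is the file's group; the trailing `group@:r-------------:allow` entry is what lets the read through.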