
zfs and acls with samba

I’ve been using ZFS on FreeBSD since it was first made available in 7.0, and it was not until FreeBSD 8.2 that NFSv4 ACLs were implemented.

At $oldJob, I had a list of “To do’s”, really cool things like:

  • “Integrate Puppet into CMDB”,
  • “Rewrite the Bacula addClient script”,
  • “Build a MooseFS Cluster”…

At the top though, I had:

  • Implement ACLs on ZFS/Samba fileserver

Actually, come to think of it, I think the top of my list was:

  • Find a new Job

Ha, okay, I think I’m the only one that finds that funny :)

Anyway, my $newJob always has a high demand for storage and sharing data. I had to quickly do the following:

  • Proxy a custom TCP based file transfer protocol with Nginx (maybe I’ll talk about that some other time)
  • Save the data that the proxy server accepts to a large NFS-exported filesystem
  • Allow other users to access that over CIFS

Since I was in a rush, it was the perfect time to finally stop what I was doing and get ACLs to work in Samba on a ZFS filesystem.

ZFS Settings

You need at least zpool version 18, which shipped in FreeBSD 8.0 through 8.2 (I think 8.3 has v28), or newer (8.3).

Set the ACL Mode and Inheritance to passthrough:

    $ zfs create -o mountpoint=/data0 vol0/data0
    $ zfs set aclmode=passthrough vol0/data0
    $ zfs set aclinherit=passthrough vol0/data0

Now you have ACLs:

    # getfacl /data0
    # file: /data0
    # owner: root
    # group: wheel
             everyone@:rwxpD-a-R-c--s:------:allow
           user:lucasc:r-x---a-R-c--s:fd----:allow
             user:robm:r-x---a-R-c--s:fd----:allow
                owner@:rwxpD-aARWcCos:------:allow
                group@:rwxpD-a-R-c--s:------:allow

Now, unlike Solaris, which displays ZFS ACLs through ls -Z, FreeBSD uses setfacl and getfacl to set and get ACLs.
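Reading the getfacl listing above by hand is error-prone, because NFSv4 ACEs are evaluated in order and an earlier everyone@ allow applies to the named users listed after it. The following is an added example (not code from the post) that decodes the fourteen permission letters, computes a named user's effective rights under that ordering, and reports what a reviewer would want flagged; it assumes the six-character flags field of this FreeBSD 8.2 output and does not resolve group membership.

```python
"""Decode FreeBSD getfacl(1) NFSv4 ACL output and compute effective rights.
Added example; SAMPLE_GETFACL is the getfacl output shown in the post."""
PERM_NAMES = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
              "D": "delete_child", "d": "delete", "a": "read_attributes",
              "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
              "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize"}
# Rights that let a principal change content, the ACL or the owner.
MODIFY = {"write_data", "append_data", "delete_child", "delete",
          "write_attributes", "write_acl", "write_owner"}
SAMPLE_GETFACL = """\
         everyone@:rwxpD-a-R-c--s:------:allow
       user:lucasc:r-x---a-R-c--s:fd----:allow
         user:robm:r-x---a-R-c--s:fd----:allow
            owner@:rwxpD-aARWcCos:------:allow
            group@:rwxpD-a-R-c--s:------:allow
"""

def parse_getfacl(text):
    """Parse 'who:perms:flags:type' lines; flags kept as printed (f/d = inherit)."""
    aces = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            who, perms, flags, kind = line.strip().rsplit(":", 3)
            aces.append({"who": who, "type": kind, "flags": flags,
                         "perms": {PERM_NAMES[c] for c in perms if c != "-"}})
    return aces

def effective_perms(aces, who):
    """NFSv4 order-dependent evaluation: allows accumulate, an earlier deny beats
    a later allow. Only `who` and everyone@ apply; groups are not resolved here."""
    granted, denied = set(), set()
    for ace in aces:
        if ace["who"] in (who, "everyone@"):
            if ace["type"] == "allow":
                granted |= ace["perms"] - denied
            else:
                denied |= ace["perms"] - granted
    return granted

def audit(text):
    """Findings: a world-modifiable everyone@, and named users it silently widens."""
    aces = parse_getfacl(text)
    findings = [("everyone@", "world-modifiable") for a in aces
                if a["who"] == "everyone@" and a["type"] == "allow" and a["perms"] & MODIFY]
    for a in aces:
        if a["who"].startswith("user:"):
            extra = (effective_perms(aces, a["who"]) - a["perms"]) & MODIFY
            if extra:
                findings.append((a["who"], "widened by everyone@: " + ",".join(sorted(extra))))
    return findings
```

Run against the post's listing, audit() reports that everyone@ is world-modifiable and that lucasc and robm, whose own entries say r-x, effectively get write_data, append_data and delete_child from it.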

Samba

Samba needs to be compiled with the experimental modules, as well as AD support.

Here is my options file for net/samba35:

    $ cat /var/db/ports/samba35/options
    # This file is auto-generated by 'make config'.
    # No user-servicable parts inside!
    # Options for samba35-3.5.11
    _OPTIONS_READ=samba35-3.5.11
    WITH_LDAP=true
    WITH_ADS=true
    WITHOUT_CUPS=true
    WITH_WINBIND=true
    WITHOUT_SWAT=true
    WITH_ACL_SUPPORT=true
    WITH_AIO_SUPPORT=true
    WITHOUT_FAM_SUPPORT=true
    WITHOUT_SYSLOG=true
    WITHOUT_QUOTAS=true
    WITHOUT_UTMP=true
    WITHOUT_PAM_SMBPASS=true
    WITHOUT_DNSUPDATE=true
    WITHOUT_AVAHI=true
    WITH_EXP_MODULES=true
    WITH_POPT=true
    WITH_IPV6=true
    WITHOUT_MAX_DEBUG=true
    WITHOUT_SMBTORTURE=true

After that, you can create a Samba share with these options:

    [rpt]
        path = /data0
        admin users = @"BAYPHOTO\domain admins"
        map acl inherit = yes
        browseable = yes
        public = yes
        writable = yes
        inherit permissions = yes
        posix locking = yes
        nt acl support = yes
        create mask = 0775
        directory mask = 0775
        strict locking = no
        store dos attributes = yes
        csc policy = disable

        inherit acls = Yes
        inherit owner = Yes
        map archive = No
        map readonly = no
        vfs objects = zfsacl
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = yes