I’ve been using ZFS on FreeBSD since it was first made available in 7.0, but it was not until FreeBSD 8.2 that NFSv4 ACLs were implemented.
At $oldJob, I had a list of “To do’s”, really cool things like:
- “Integrate Puppet into CMDB”,
- “Rewrite the Bacula addClient script”,
- “Build a MooseFS Cluster”…
At the top though, I had:
- Implement ACLs on ZFS/Samba fileserver
Actually, come to think of it, I think the top of my list was:
- Find a new Job
Ha, okay, I think I’m the only one that finds that funny :)
Anyway, my $newJob always has a high demand for storage and for sharing data. I had to quickly do the following:
- Proxy a custom TCP based file transfer protocol with Nginx (maybe I’ll talk about that some other time)
- Save the data that the proxy server accepts to a large NFS-exported filesystem
- Allow other users to access that over CIFS
Since I was in a rush, it was the perfect time to finally stop what I was doing and get ACLs to work in Samba on a ZFS filesystem.
You need at least zpool version 18, which shipped in FreeBSD 8.0 through 8.2 (I think 8.3 has v28), or newer.
Set the ACL Mode and Inheritance to passthrough:
$ zfs create -o mountpoint=/data0 vol0/data0
$ zfs set aclmode=passthrough vol0/data0
$ zfs set aclinherit=passthrough vol0/data0
Now you have ACLs:
# getfacl /data0
# file: /data0
# owner: root
# group: wheel
            everyone@:rwxpD-a-R-c--s:------:allow
         user:lucasc:r-x---a-R-c--s:fd----:allow
           user:robm:r-x---a-R-c--s:fd----:allow
              owner@:rwxpD-aARWcCos:------:allow
              group@:rwxpD-a-R-c--s:------:allow
Now, unlike Solaris, which displays ZFS ACLs through ls -Z, FreeBSD uses setfacl and getfacl to set and get ACLs.
Samba needs to be compiled with the experimental modules, as well as AD support.
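To review a listing like the one above for entries that are broader than intended (note that everyone@ on /data0 gets write and delete_child), here is an added Python example of my own, not from the post, that decodes getfacl's compact NFSv4 form into named permissions and inheritance flags and reports allow entries handing write-class rights to everyone@. The letter positions (r w x p D d a A R W c C o s for permissions, f d i n S F I for flags) are assumed from the strings the page shows.

```python
# Compact-form letter order printed by FreeBSD getfacl, assumed from the page's
# "rwxpD-aARWcCos" / "fd----" strings (permission letters, then inheritance flags).
PERM_NAMES = dict(zip("rwxpDdaARWcCos", [
    "read_data", "write_data", "execute", "append_data", "delete_child", "delete",
    "read_attributes", "write_attributes", "read_xattr", "write_xattr",
    "read_acl", "write_acl", "write_owner", "synchronize"]))
FLAG_NAMES = dict(zip("fdinSFI", ["file_inherit", "dir_inherit", "inherit_only",
    "no_propagate", "successful_access", "failed_access", "inherited"]))
# Rights that let a principal change data, delete entries or rewrite the ACL itself.
WRITE_CLASS = {"write_data", "append_data", "delete_child", "delete",
               "write_acl", "write_owner"}

def parse_ace(line):
    """Decode one ACE such as 'user:lucasc:r-x---a-R-c--s:fd----:allow' into a dict."""
    fields = line.strip().split(":")
    if len(fields) == 5:          # user:<name> / group:<name> carry an extra field
        fields[0:2] = [fields[0] + ":" + fields[1]]
    if len(fields) != 4:
        raise ValueError(f"unrecognised ACE: {line!r}")
    principal, perms, flags, kind = fields
    return {"principal": principal, "kind": kind,
            "perms": {PERM_NAMES[c] for c in perms if c != "-"},
            "flags": {FLAG_NAMES[c] for c in flags if c != "-"}}

def parse_getfacl(text):
    """Parse a whole getfacl listing, skipping the '# file/owner/group' header lines."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def audit(aces):
    """Report allow entries that hand write-class rights to everyone@, i.e. the world."""
    findings = []
    for ace in aces:
        if ace["kind"] != "allow" or ace["principal"] != "everyone@":
            continue
        writable = sorted(ace["perms"] & WRITE_CLASS)
        if writable:
            inherits = ace["flags"] & {"file_inherit", "dir_inherit"}
            findings.append(f"everyone@ may {', '.join(writable)} "
                            f"({'inheritable' if inherits else 'this object only'})")
    return findings

# Constructed sample: the /data0 listing from the post, as getfacl prints it.
SAMPLE = """\
# file: /data0
            everyone@:rwxpD-a-R-c--s:------:allow
         user:lucasc:r-x---a-R-c--s:fd----:allow
              owner@:rwxpD-aARWcCos:------:allow
              group@:rwxpD-a-R-c--s:------:allow
"""
```

Running audit(parse_getfacl(SAMPLE)) returns one finding for everyone@; feed it the output of getfacl on your own share to see which principals can write or delete there.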
Here is my options file for net/samba35:
cat /var/db/ports/samba35/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for samba35-3.5.11
_OPTIONS_READ=samba35-3.5.11
WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
WITH_WINBIND=true
WITHOUT_SWAT=true
WITH_ACL_SUPPORT=true
WITH_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITHOUT_SYSLOG=true
WITHOUT_QUOTAS=true
WITHOUT_UTMP=true
WITHOUT_PAM_SMBPASS=true
WITHOUT_DNSUPDATE=true
WITHOUT_AVAHI=true
WITH_EXP_MODULES=true
WITH_POPT=true
WITH_IPV6=true
WITHOUT_MAX_DEBUG=true
WITHOUT_SMBTORTURE=true
After that, you can create a Samba share with these options:
[rpt]
    path = /data0
    admin users = @"BAYPHOTO\domain admins"
    map acl inherit = yes
    browseable = yes
    public = yes
    writable = yes
    inherit permissions = yes
    posix locking = yes
    nt acl support = yes
    create mask = 0775
    directory mask = 0775
    strict locking = no
    store dos attributes = yes
    csc policy = disable
    inherit acls = Yes
    inherit owner = Yes
    map archive = No
    map readonly = no
    vfs objects = zfsacl
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes