samba inherit with zfs and active directory not working

[maulbongo]

Hi folks,

I hope someone could help me, I already tried everything but don't get it.
I set up zfs and created a dataset with standard settings (here called testdataset).
I've got a domain and joined the nas4free Server, that worked flawless.
Now I wanted to share this dataset, so I set up samba with active directory authentication.
Then I created the share called (testdataset) with zfs acl support (If this is not set, it is not possible to grant any other rights than local zfs auths) and inheritance enabled.
Now the share is up and I can connect it via Windows Server 2008r2
For the next step I took over the ownership of this share (otherwise no rights can be set and this error is reported in log: smbd[17698]: set_canon_ace_list: sys_acl_set_file type file failed for file . (Invalid argument).).
The owner was local root of this nas4free and I granted ownership to the administrator of the Windows Server 2008r2 machine.
Now I grant full access to this share for domain users and also for subfolders and files.
But now the problem comes up.
The inheritance is not working fully, when I create a new Folder the domain users are created, too but not with full rights. And if I created a new file in this share it's nearly the same and no full rights for domain users.
I also got an openfiler nas running and there the inheritance is working like a charme and I tested all kind of settings now for round about a week and I ended up with no more clues.
If you need more informations, no problem, I also took loads of screenshots but for the moment I don't put them unless someone needs it for more understanding.

[rostreich]

Enable extended attribute support

Switch this on in CIFS and do a rejoin for the domain.

Then you can set your permissions. Its gone after a reboot, but I dunno if its because of embedded installation.

[maulbongo]

Hello rostreich,

extended attribute support is activated.
And here you can see, on the share domain user have full rights

But for a created folder it looks like that:


And for a file it looks like this:

[Semicolon]

This website proved useful to me: http://www.1stbyte.com/2009/07/24/zfs-c ... heritance/ Basically the commands are zfs set aclmode=passthrough "pool/[dataset]" and zfs set aclinherit=passthrough "pool/[dataset]"; the -o is not a valid switch in the version I'm running version (9.1). Unfortunately, I'm having other problems with CIFS/Samba right now, but this one was key for me.

[dpatino1]

I'm having the same problem as above. I have enabled zfs acl, extended attributes, and configured the domain. I used rsync to move some files from a windows share to the nas4free share and it seemed to overwrite all the permissions. Now I can not change permissions on any files. Within windows, it shows the users with permissions as Everyone, root, and wheel. They have "special permissions" checked. I'm unsure how to grant ownership to the windows domain administrator.

[maulbongo]

This really seems to be a bug, I tested it and also created a new testdomain from scratch, but always the same problems.
Shall we open a bug report?

[maulbongo]

This website proved useful to me: http://www.1stbyte.com/2009/07/24/zfs-c ... heritance/ Basically the commands are zfs set aclmode=passthrough "pool/[dataset]" and zfs set aclinherit=passthrough "pool/[dataset]"; the -o is not a valid switch in the version I'm running version (9.1). Unfortunately, I'm having other problems with CIFS/Samba right now, but this one was key for me.

Awsome, I today tried the aclmode and aclinherit passthrough and now it is working like a charme.
The standard setting is

Code: Select all

aclmode discard default aclinherit restricted default

So this is the fix:

Code: Select all

zfs set aclmode=passthrough pool/share

and

Code: Select all

zfs set aclinherit=passthrough pool/share

(where pool/share has to be the name of your pool and share).

[totalimpact]

I set the 2 commands mentioned, but I still get an error (on r636) when trying to change permissions from a windows client: "The parameter is incorrect"

Any advice?

[maulbongo]

After you created the share you have to take over ownership, because it initially set for root.
The it should work.

[totalimpact]

After you created the share you have to take over ownership, because it initially set for root.
The it should work.

I already did that, then hit "OK" all the way out of the dialogs, and tried to go back in to the permissions to add an account, and same error.

[kkd]

Turn acl on