Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, February 9, 2022
 
 

vfs_zfsacl (8)

Name

vfs_zfsacl - ZFS ACL samba module

Synopsis

vfs objects = zfsacl

Description

System Administration tools                                      VFS_ZFSACL(8)



NAME
       vfs_zfsacl - ZFS ACL samba module

SYNOPSIS
       vfs objects = zfsacl

DESCRIPTION
       This VFS module is part of the samba(7) suite.

       The zfsacl VFS module is the home for all ACL extensions that Samba
       requires for proper integration with ZFS.

       Currently the zfsacl vfs module provides extensions in following areas
       :

              o   NFSv4 ACL Interfaces with configurable options for ZFS


       NOTE:This module follows the posix-acl behaviour and hence allows
       permission stealing via chown. Samba might allow at a later point in
       time, to restrict the chown via this module as such restrictions are
       the responsibility of the underlying filesystem than of Samba.

       This module makes use of the smb.conf parameter acl map full control =
       acl map full control When set to yes (the default), this parameter will
       add in the FILE_DELETE_CHILD bit on a returned ACE entry for a file
       (not a directory) that already contains all file permissions except for
       FILE_DELETE and FILE_DELETE_CHILD. This can prevent Windows
       applications that request GENERIC_ALL access from getting ACCESS_DENIED
       errors when running against a filesystem with NFSv4 compatible ACLs.

       This module is stackable.

       Since Samba 4.0 all options are per share options.

OPTIONS
       nfs4:mode = [ simple | special ]
           Controls substitution of special IDs (OWNER@ and GROUP@) on ZFS.
           The use of mode simple is recommended. In this mode only non
           inheriting ACL entries for the file owner and group are mapped to
           special IDs.

           The following MODEs are understood by the module:

                  o   simple(default) - use OWNER@ and GROUP@ special IDs for
                      non inheriting ACEs only.

                  o   special(deprecated) - use OWNER@ and GROUP@ special IDs
                      in ACEs for all file owner and group ACEs.


       nfs4:acedup = [dontcare|reject|ignore|merge]
           This parameter configures how Samba handles duplicate ACEs
           encountered in ZFS ACLs. ZFS allows/creates duplicate ACE for
           different bits for same ID.

           Following is the behaviour of Samba for different values :

                  o   dontcare (default) - copy the ACEs as they come

                  o   reject (deprecated) - stop operation and exit with error
                      on ACL set op

                  o   ignore (deprecated) - don't include the second matching
                      ACE

                  o   merge - bitwise OR the 2 ace.flag fields and 2 ace.mask
                      fields of the 2 duplicate ACEs into 1 ACE


       nfs4:chown = [yes|no]
           This parameter allows enabling or disabling the chown supported by
           the underlying filesystem. This parameter should be enabled with
           care as it might leave your system insecure.

           Some filesystems allow chown as a) giving b) stealing. It is the
           latter that is considered a risk.

           Following is the behaviour of Samba for different values :

                  o   yes - Enable chown if as supported by the under
                      filesystem

                  o   no (default) - Disable chown


       zfsacl:denymissingspecial = [yes|no]
           Prevent users from setting an ACL that lacks NFSv4 special entries
           (owner@, group@, everyone@). ZFS will automatically generate these
           these entries when calculating the inherited ACL of new files if
           the ACL of the parent directory lacks an inheriting special entry.
           This may result in user confusion and unexpected change in
           permissions of files and directories as the inherited ACL is
           generated.

                  o   yes

                  o   no (default)


       zfsacl:block_special = [yes|no]
           Prevent ZFS from automatically adding NFSv4 special entries
           (owner@, group@, everyone@). ZFS will automatically generate these
           these entries when calculating the inherited ACL of new files if
           the ACL of the parent directory lacks an inheriting special entry.
           This may result in user confusion and unexpected change in
           permissions of files and directories as the inherited ACL is
           generated. Blocking this behavior is achieved by setting an
           inheriting everyone@ that grants no permissions and not adding the
           entry to the file's Security Descriptor

                  o   yes (default)

                  o   no


       zfsacl:map_dacl_protected = [yes|no]
           If enabled and the ZFS ACL on the underlying filesystem does not
           contain any inherited access control entires, then set the
           SEC_DESC_DACL_PROTECTED flag on the Security Descriptor returned to
           SMB clients. This ensures correct Windows client behavior when
           disabling inheritance on directories.

           Following is the behaviour of Samba for different values :

                  o   yes - Enable mapping to SEC_DESC_DACL_PROTECTED

                  o   no (default)


EXAMPLES
       A ZFS mount can be exported via Samba as follows :

                   [samba_zfs_share]
                vfs objects = zfsacl
                path = /test/zfs_mount
                nfs4: mode = simple
                nfs4: acedup = merge

VERSION
       This man page is part of version 4.13.14 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.



ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+-----------------------+
       |ATTRIBUTE TYPE |   ATTRIBUTE VALUE     |
       +---------------+-----------------------+
       |Availability   | service/network/samba |
       +---------------+-----------------------+
       |Stability      | Volatile              |
       +---------------+-----------------------+

NOTES
       Source code for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-
       code-downloads.html.

       This software was built from source available at
       https://github.com/oracle/solaris-userland.  The original community
       source was downloaded from
       https://download.samba.org/pub/samba/stable/samba-4.13.14.tar.gz.

       Further information about this software can be found on the open source
       community website at http://www.samba.org/.



Samba 4.13.14                     12/22/2021                     VFS_ZFSACL(8)