How to apply zfs quota on user's homedirs

Status
Not open for further replies.

TheSmoker

Hello everyone!

I have the following configuration:
Supermicro 3U server chassis with redundant PSU
Supermicro Server motherboard with 2 Xeon Quad Core CPUs with 32G ECC Ram
2 M1015 flashed to IT mode
12 x Toshiba Enterprise 2TB@7200 RPM SATA drives

FreeNAS version 9.2.1.6 RC
ZFS RAIDZ2 configured across all 12 drives
FNAS is configured as a file server and linked to an AD/Samba domain running Samba 4.1.6

What I need help with is setting correct ACL permissions for AD users & groups, as well as a ZFS quota on AD users' home directories.

Samba config:
Code:
[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 11070
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = Yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    hostname lookups = yes
    unix extensions = no
    acl allow execute always = true
    server role = member server
    netbios name = JUKEBOX01
    workgroup = LARI
    realm = LARI.LOCAL
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    acl check permissions = true
    acl map full control = true
    dos filemode = yes
    idmap config *:backend = tdb
    idmap config *:range = 90000000-100000000
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config LARI: backend = rid
    idmap config LARI: range = 20000-20000000
    allow trusted domains = no
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
 
 
[homes]
    comment = Home Directories
    valid users = %D\%U
    writable = yes
    browseable = no
    path = /mnt/tank0/homedirs/%D/%U
    directory_mode: parameter = 0700
    read only = no
    csc policy = documents
    root preexec = /mnt/tank0/mksmbhdir.sh %D %U


What I am trying to do here is that, for every user that logs in to AD and accesses the JUKEBOX01 fileserver, a home directory will be created and proper permissions and a ZFS quota will be applied to it.

The script that I've built specifically for this:
Code:
#!/usr/local/bin/bash
 
if [ ! -d /mnt/tank0/homedirs/$1/$2 ]; then
        /bin/mkdir /mnt/tank0/homedirs/$1/$2
        /bin/chmod g+s /mnt/tank0/homedirs/$1/$2
        /bin/chown "$1\\$2":"LARI\domain users" /mnt/tank0/homedirs/$1/$2
        /bin/chmod 770 /mnt/tank0/homedirs/$1/$2
        /bin/setfacl -m g:"LARI\domain users":rwx /mnt/tank0/homedirs/$1/$2
        /bin/setfacl -m u:\""$1\\$2"\":rwx /mnt/tank0/homedirs/$1/$2
        /sbin/zfs set userquota@\""$1\\$2"\"=5G tank0/homedirs
fi
exit 0


The script creates the folders and applies the correct owner and group based on the AD user & group, but it does not apply the correct user and group ACLs and quota.

When trying to run those commands (setfacl) by hand I get the following errors (test user is tgm):
Code:
[root@jukebox01] /var/log# /bin/setfacl -m g:"LARI\domain users":rwx /mnt/tank0/homedirs/LARI/tgm
setfacl: /mnt/tank0/homedirs/LARI/tgm: branding mismatch; existing ACL is NFSv4, entry to be merged is POSIX.1e

Code:
[root@jukebox01] /var/log# /bin/setfacl -m u:"LARI\tgm":rwx /mnt/tank0/homedirs/LARI/tgm
setfacl: /mnt/tank0/homedirs/LARI/tgm: branding mismatch; existing ACL is NFSv4, entry to be merged is POSIX.1e


The thing with setting the quota is a bit different, as by hand it works but when run from the script it does not:
Code:
[root@jukebox01] ~tgm/secure# zfs list -o userquota@"LARI\tgm" tank0/homedirs
USERQUOTA@LARI\TGM
              10G
[root@jukebox01] ~tgm/secure# zfs set userquota@"LARI\tgm"=20G tank0/homedirs
[root@jukebox01] ~tgm/secure# zfs list -o userquota@"LARI\tgm" tank0/homedirs
USERQUOTA@LARI\TGM
              20G

But when running from script it will do nothing.

Any kind of help would be greatly appreciated.

Also let me know if any additional info in regards to the configuration and the setup is required.

One last comment: until now everything works as advertised. Users, groups, AD, accesses and everything that is AD/fileserver/FreeNAS related. One last thing to make this perfect is to be able to set up permissions and of course quota on homedirs.

Cheers!
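
An added example, not the poster's script and not FreeNAS code: a variant of the provisioning script above that validates the two arguments before using them as root, builds the ACL entry in NFSv4 form (the form the "branding mismatch" message points to), and passes the quota property without the literal quote characters that `\"` puts into the argument in the script. The helper names and `DRY_RUN` are hypothetical, the name policy in `valid_name` is an assumption, and `full_set:fd:allow` assumes FreeBSD's `setfacl` NFSv4 syntax.

```shell
#!/bin/sh
# Added example, not the poster's script. valid_name, acl_entry, quota_prop,
# run, provision and DRY_RUN are hypothetical names; paths, dataset and the 5G
# quota are the ones from the post.
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
BASE=/mnt/tank0/homedirs
DATASET=tank0/homedirs
QUOTA=5G

# The script runs as root on session-derived values, so accept only plain
# names (assumed policy: letters, digits, dot, underscore, hyphen).
valid_name() {
    case "$1" in
        ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# NFSv4 entry format is tag:qualifier:permissions:inheritance:type. A POSIX.1e
# entry such as u:name:rwx is what triggers "branding mismatch".
acl_entry() { printf 'u:%s\\%s:full_set:fd:allow\n' "$1" "$2"; }

# Property name with a bare DOMAIN\user: no quote characters inside the value.
quota_prop() { printf 'userquota@%s\\%s=%s\n' "$1" "$2" "$QUOTA"; }

# With DRY_RUN set, print the command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

provision() {
    valid_name "$1" && valid_name "$2" || return 64
    dir="$BASE/$1/$2"
    if [ -d "$dir" ]; then return 0; fi
    run mkdir -m 0700 "$dir" &&
    run chown "$1\\$2" "$dir" &&
    run setfacl -m "$(acl_entry "$1" "$2")" "$dir" &&
    run zfs set "$(quota_prop "$1" "$2")" "$DATASET"
}

# Samba invokes it as in the post: root preexec = /mnt/tank0/mksmbhdir.sh %D %U
if [ "$#" -eq 2 ]; then
    provision "$1" "$2"
    exit $?
fi
```

Running it with `DRY_RUN=1` and the two arguments prints the four commands without touching the pool.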
 