Samba vfs_zfsacl: should I set acedup="dontcare", or leave at default "merge"?

Status
Not open for further replies.

Stilez

Guru
Joined
Apr 8, 2016
Messages
529
The two relevant parameters of the acedup property are described in the Samba docs as follows:

This parameter configures how Samba handles duplicate ACEs encountered in ZFS ACLs. ZFS allows/creates duplicate ACE for different bits for same ID.

  • dontcare (default) - copy the ACEs as they come
  • merge - bitwise OR the 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE

It looks like on FreeNAS, the default option is merge. At least, it shows up as that in testparm for me.

The possible issue with merge is that Windows is extremely fussy about ACL ordering. Suppose two ACEs of the same type (allow/deny) are set on a specific user or group, because one of these is set to inherit, and the other isn't. Windows needs implicit (inherited)/explicit ACEs ordered a specific way, but FreeBSD/ZFS/Samba just read them in index order. The criteria for merging ACEs are the same user/group and the same type, from the docs. So the result of merging ACEs might be to "flatten" ACEs which Windows needs to find in a specific order in the list.

Example: ACEs as seen on server:

user:Andy:w::deny
user:Bob:w::allow
user:Andy:rx:d:allow
user:Bob:rx:d:allow


From the description, with acedup=merge it sounds like Samba might flatten the ACL, and present them to Windows in an order which (to Windows) is perhaps incorrect. Maybe not in this specific example, but perhaps in other cases.

Is it safer to set the option to dontcare, or are there reasons why I should have it set to merge?
 

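The merge rule quoted from the docs, applied to the four ACEs in the post, as an added example that is not part of the original post and is not Samba's code. It models only the quoted rule (same ID and same type, OR the masks and flags); treating "same ID" as tag plus name, and all function names, are assumptions made for the illustration.

```python
# Added illustration: models only the documented merge rule, not Samba's source.
from collections import namedtuple

Ace = namedtuple("Ace", "tag who perms flags type")

def parse_ace(line):
    """Parse 'tag:who:perms:flags:type' as written in the post's example."""
    tag, who, perms, flags, ace_type = line.strip().split(":")
    return Ace(tag, who, frozenset(perms), frozenset(flags), ace_type)

def fmt(a):
    return f"{a.tag}:{a.who}:{''.join(sorted(a.perms))}:{''.join(sorted(a.flags))}:{a.type}"

def dedup(aces, mode):
    """dontcare: copy ACEs as they come. merge: OR perms and flags of ACEs
    sharing the same ID (assumed here: tag + who) and the same type."""
    if mode == "dontcare":
        return list(aces)
    out = []
    for ace in aces:
        for i, prev in enumerate(out):
            if (prev.tag, prev.who, prev.type) == (ace.tag, ace.who, ace.type):
                out[i] = prev._replace(perms=prev.perms | ace.perms,
                                       flags=prev.flags | ace.flags)
                break
        else:
            out.append(ace)
    return out

def widened(before, after):
    """(who, type, perm) triples that carry an inheritance flag only after dedup."""
    def inherited(aces):
        return {(a.who, a.type, p) for a in aces if a.flags for p in a.perms}
    return sorted(inherited(after) - inherited(before))

# The four ACEs from the post, in server index order.
POST_ACL = """user:Andy:w::deny
user:Bob:w::allow
user:Andy:rx:d:allow
user:Bob:rx:d:allow"""

def run(mode):
    aces = [parse_ace(line) for line in POST_ACL.splitlines()]
    result = dedup(aces, mode)
    return [fmt(a) for a in result], widened(aces, result)

if __name__ == "__main__":
    for mode in ("dontcare", "merge"):
        print(mode, *run(mode))
```

Under this model, merge folds Bob's two allow ACEs into one, so his `w` permission picks up the `d` inheritance flag it did not have before, and the list shrinks from four entries to three. With dontcare the list is passed through unchanged.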