Windows ACL questions

Status
Not open for further replies.

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
Hello,

Being quite new to FreeNAS I have a question about Windows ACLs. I have an AD-bound FreeNAS installation and created a dataset with Windows permissions. User permissions are granted to DOMAIN\admin and group permissions to DOMAIN\somegroup. All other parameters are left at their defaults. I then created a Windows share from this dataset, again leaving all parameters at their defaults.

This is how the permissions look from the CLI:
Code:
root@host[12:38][/mnt/ext01rz1]: ls -al
total XXX
drwxr-xr-x   5 root               wheel                      5 Jan 12 11:00 .
drwxr-xr-x   6 root               wheel                    200 Dec 30 13:23 ..
drwxrwxr-x+  4 DOMAIN\admin       DOMAIN\somegroup           6 Jan 12 11:14 acltest

root@host[12:38][/mnt/ext01rz1]: getfacl acltest
# file: acltest
# owner: DOMAIN\admin
# group: DOMAIN\somegroup
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow

When I now connect to this share from a Windows PC and remove the access for everyone, the result looks like this:
Code:
root@host[12:41][/mnt/ext01rz1]: ls -al
total XXX
drwxr-xr-x   5 root               wheel                      5 Jan 12 11:00 .
drwxr-xr-x   6 root               wheel                    200 Dec 30 13:23 ..
d---rwx---+  4 DOMAIN\admin       DOMAIN\somegroup           6 Jan 12 11:14 acltest

root@host[12:47][/mnt/ext01rz1]: getfacl acltest
# file: acltest
# owner: DOMAIN\admin
# group: DOMAIN\somegroup
group:DOMAIN\admin:rwxpDdaARWcCo-:fd----:allow
            group@:rwxpDdaARWcCo-:fd----:allow

Is it intended behavior that the POSIX rights for the owner are removed by this and that the owner ACL entry is changed to a "group:DOMAIN\admin:" entry?

Have I done something wrong, or did I miss configuring some more parameters, like some VFS modules?

Maybe someone could give me a hint for something to read to improve my knowledge on this?

Regards

Henning

Code:
smb4.conf
[global]
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 942923
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = HOST
    workgroup = DOMAIN
    realm = DOMAIN.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    ads dns update = yes
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config DOMAIN: backend = rid
    idmap config DOMAIN: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1

[acltest]
    path = /mnt/ext02rz1/acltest
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This is a side-effect of the samba parameter "nfsv4: special". It causes somewhat erratic behavior such as what you are seeing, which will cause problems later on (because now you have no owner@ ACE). It is for this reason that I typically set the owner of the dataset to "root". Samba gets less confused by this.

The samba project lists the parameter "nfsv4: special" as deprecated in favor of "nfsv4: simple", which maps owner@ and group@ ACEs to non-inheriting creator / owner NTFS ACEs. Perhaps someone from ixsystems, like @cyberjock can explain why we use nfsv4: special. :D
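As an added example (not code from the thread, from Samba or from FreeNAS), a small POSIX sh checker that parses getfacl output in the FreeBSD NFSv4 format pasted above and reports whether a directory still carries an owner@ ACE, the condition anodos points to, and whether the owning account is instead granted only through a named user:/group: ACE. The ACL text is constructed to mirror the two listings in the question.

```shell
#!/bin/sh
# Added example: checker for FreeBSD getfacl (NFSv4) output.
# The two ACL samples below are constructed to mirror the listings in the thread.

BEFORE_ACL='# file: acltest
# owner: DOMAIN\admin
# group: DOMAIN\somegroup
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow'

AFTER_ACL='# file: acltest
# owner: DOMAIN\admin
# group: DOMAIN\somegroup
group:DOMAIN\admin:rwxpDdaARWcCo-:fd----:allow
            group@:rwxpDdaARWcCo-:fd----:allow'

# Print only the ACE lines of a getfacl listing, leading whitespace stripped.
ace_lines() {
    printf '%s\n' "$1" | sed -e '/^#/d' -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Number of owner@ ACEs (0 means the owner has lost its special ACE).
count_owner_ace() {
    ace_lines "$1" | awk '/^owner@:/ { n++ } END { print n + 0 }'
}

# Number of named ACEs (user:OWNER or group:OWNER) granting the owning account.
# The owner name is passed via the environment so awk does not interpret the
# backslash in DOMAIN\admin as an escape sequence.
count_named_owner_ace() {
    owner=$(printf '%s\n' "$1" | sed -n 's/^# owner: //p')
    ace_lines "$1" | OWNER="$owner" awk '
        index($0, "user:" ENVIRON["OWNER"] ":") == 1 ||
        index($0, "group:" ENVIRON["OWNER"] ":") == 1 { n++ }
        END { print n + 0 }'
}

# Verdict for one listing: "ok" while an owner@ ACE exists, otherwise a warning.
check_owner_ace() {
    if [ "$(count_owner_ace "$1")" -gt 0 ]; then
        echo ok
    else
        echo "warn: no owner@ ACE; owner granted via $(count_named_owner_ace "$1") named ACE(s)"
    fi
}

printf 'before: %s\n' "$(check_owner_ace "$BEFORE_ACL")"
printf 'after:  %s\n' "$(check_owner_ace "$AFTER_ACL")"
```

On a live system the same functions can be fed `"$(getfacl /mnt/pool/dataset)"` instead of the constructed samples.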
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
Hi anodos,

thanks a lot for your answer :smile:.
I will check the setup with setting root as the owner and will read the provided links in your signature.

Henning
 