SOLVED Windows share not correctly inheriting ACLs

Status
Not open for further replies.

MainUser

Cadet
Joined
Apr 2, 2014
Messages
3
Hello FreeNAS community,

I am having a problem when sharing my datasets (set to use Windows ACLs) to Windows clients using CIFS. While accessing the shares and modifying the permissions from a Windows client works great, newly created files and folders show extra access rights that were not inherited from the parent folder.

For example, when I create a file "test.txt" in a given folder using a Windows 7 client, the result is:
Code:
[root@st1] /mnt/RAID0-1/Users/test# getfacl ./
# file: ./
# owner: administrator
# group: usersadmins
     group:usersr:r-x---a-R-c---:fd----:allow
group:usersadmins:rwxpDdaARWcCo-:fd----:allow
    group:usersrw:rwxp-daARWc---:fd----:allow
[root@st1] /mnt/RAID0-1/Users/test# getfacl test.txt
# file: test.txt
# owner: administrator
# group: usersadmins
     group:usersr:r-x---a-R-c---:------:allow
group:usersadmins:rwxpDdaARWcCo-:------:allow
    group:usersrw:rwxp-daARWc---:------:allow
           owner@:rw-p--aARWcCos:------:allow
           group@:rw-p--a-R-c--s:------:allow
        everyone@:rw-p--a-R-c--s:------:allow


I did expect the new file to have exactly the same ACL as the parent folder, without the "fd" of course. Especially I do not want the added rights for "everyone". But actually I was hoping to get an exact (inherited) copy of the parent folder's rights for new folders and files.
Showing the ACLs on the Windows clients, for new folders, the correctly inherited rights are recognized as such, while the unwanted rights are folder specific (not inherited). For created files, none of the rights are shown as inherited.

This share's smb.conf part reads:
Code:
    path = /mnt/RAID0-1/Users/test
    printable = no
    veto files = /.snap/.windows/.zfs/
    writeable = yes
    browseable = no
    inherit owner = yes
    inherit permissions = no
    vfs objects =  zfsacl
    guest ok = no
    inherit acls = Yes
    map archive = No
    map readonly = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes


I am running Build "FreeNAS-9.2.0-RELEASE-x64",
CIFS has "EA Support" and "Support DOS File Attributes" checked.
The share has "Inherit Owner" set, because I do not want the user to be able to change ACLs (screws up my backup).

Unchecking "Inherit Owner" does not solve the problem. I tried a lot of combinations, supplying "inherit *" config values to Samba and checking/unchecking "Inherit Owner"/"Inherit Permissions", but could not find a way to solve my problem.

I would really appreciate it if any of you had a suggestion for me to get rid of these unwanted ACL entries. Should you need any additional intel, please ask and I will gladly supply it.

MainUser
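
The comparison the first post makes by eye, as an added example that is not part of the original thread: a Python sketch that parses the two `getfacl` listings quoted above and reports which entries on the new file no inheritable parent entry explains. The function names are hypothetical, and it assumes an entry carrying the `f` (file inherit) flag is copied to new files with its permissions unchanged.

```python
# Constructed sample input: the two getfacl listings from the post above.
PARENT = """\
# file: ./
# owner: administrator
# group: usersadmins
     group:usersr:r-x---a-R-c---:fd----:allow
group:usersadmins:rwxpDdaARWcCo-:fd----:allow
    group:usersrw:rwxp-daARWc---:fd----:allow
"""
CHILD = """\
# file: test.txt
# owner: administrator
# group: usersadmins
     group:usersr:r-x---a-R-c---:------:allow
group:usersadmins:rwxpDdaARWcCo-:------:allow
    group:usersrw:rwxp-daARWc---:------:allow
           owner@:rw-p--aARWcCos:------:allow
           group@:rw-p--a-R-c--s:------:allow
        everyone@:rw-p--a-R-c--s:------:allow
"""

def parse_acl(text):
    """Parse NFSv4-style getfacl output into (who, perms, flags, type) tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        # "owner@:..." has 4 fields, "group:name:..." has 5; count from the right.
        who, (perms, flags, ace_type) = ":".join(parts[:-3]), parts[-3:]
        aces.append((who, perms, flags, ace_type))
    return aces

def non_inherited(parent_text, child_text):
    """Return ACEs on a new file that no file-inheritable parent ACE explains."""
    # Assumption: an ACE with the 'f' flag is copied to new files with perms unchanged.
    expected = {(w, p, t) for w, p, f, t in parse_acl(parent_text) if "f" in f}
    return [a for a in parse_acl(child_text) if (a[0], a[1], a[3]) not in expected]

def world_writable(aces):
    """True if any allow entry grants everyone@ write_data ('w') or append ('p')."""
    return any(w == "everyone@" and t == "allow" and ("w" in p[:4] or "p" in p[:4])
               for w, p, _f, t in aces)

if __name__ == "__main__":
    for ace in non_inherited(PARENT, CHILD):
        print("not inherited:", ":".join(ace))
```

Run against the listings in the post, it flags the `owner@`, `group@` and `everyone@` entries, and `world_writable` confirms that the `everyone@` entry grants write access.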
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
I think the problem is that you need to set the "share permissions" for the CIFS share. There is an ongoing bug report in which we are trying to get the functionality tweaked a bit so that share permissions do not get inherited down the line, but NTFS permissions do. Check out post #17 here for what you need to do (after upgrading to at least the 9.2.1 release). Also, if your dataset permissions are set to Windows/Mac ACL, DO NOT use the option "Inherit permissions" on the CIFS share; see the FreeNAS CIFS share wiki.
 

MainUser

Cadet
Joined
Apr 2, 2014
Messages
3
Thank you very much for your help!

It seems that updating to FreeNAS 9.2.1.3 did the trick. I am redoing all my ACLs (on file AND share level) right now and it looks promising.

I'll consider this solved and report back in case anything unexpected should come up.
 