vfs_zfsacl 8 Samba System Administration tools &doc.version; vfs_zfsacl ZFS ACL samba module vfs objects = zfsacl DESCRIPTION This VFS module is part of the samba 7 suite. The zfsacl VFS module is the home for all ACL extensions that Samba requires for proper integration with ZFS. Currently the zfsacl vfs module provides extensions in following areas : NFSv4 ACL Interfaces with configurable options for ZFS NOTE:This module follows the posix-acl behaviour and hence allows permission stealing via chown. Samba might allow at a later point in time, to restrict the chown via this module as such restrictions are the responsibility of the underlying filesystem than of Samba. This module makes use of the smb.conf parameter acl map full control When set to yes (the default), this parameter will add in the FILE_DELETE_CHILD bit on a returned ACE entry for a file (not a directory) that already contains all file permissions except for FILE_DELETE and FILE_DELETE_CHILD. This can prevent Windows applications that request GENERIC_ALL access from getting ACCESS_DENIED errors when running against a filesystem with NFSv4 compatible ACLs. ZFS has mutiple dataset configuration parameters that determine ACL behavior. Although the nuances of these parameters are outside the scope of this manpage, the "aclmode" and "aclinherit" are of particular importance for samba shares. For datasets that are intended solely as Samba shares, "aclmode = restricted" and "aclinherit = passthrough" provide inheritance behavior most consistent with NTFS ACLs. A "restricted" aclmode prevents chmod() on files that have a non-trivial ACL (one that cannot be expressed as a POSIX mode without loss of information). Consult the relevant ZFS manpages for further information. This module is stackable. Since Samba 4.0 all options are per share options. OPTIONS zfsacl:denymissingspecial = [yes|no] Prevent users from setting an ACL that lacks NFSv4 special entries (owner@, group@, everyone@). ZFS will automatically generate these these entries when calculating the inherited ACL of new files if the ACL of the parent directory lacks an inheriting special entry. This may result in user confusion and unexpected change in permissions of files and directories as the inherited ACL is generated. yes no (default) zfsacl:block_special = [yes|no] Prevent ZFS from automatically adding NFSv4 special entries (owner@, group@, everyone@). ZFS will automatically generate these these entries when calculating the inherited ACL of new files if the ACL of the parent directory lacks an inheriting special entry. This may result in user confusion and unexpected change in permissions of files and directories as the inherited ACL is generated. Blocking this behavior is achieved by setting an inheriting everyone@ that grants no permissions and not adding the entry to the file's Security Descriptor yes (default) no zfsacl:map_dacl_protected = [yes|no] If enabled and the ZFS ACL on the underlying filesystem does not contain any inherited access control entires, then set the SEC_DESC_DACL_PROTECTED flag on the Security Descriptor returned to SMB clients. This ensures correct Windows client behavior when disabling inheritance on directories. Following is the behaviour of Samba for different values : yes - Enable mapping to SEC_DESC_DACL_PROTECTED no (default) EXAMPLES A ZFS mount can be exported via Samba as follows : zfsacl /test/zfs_mount simple merge VERSION This man page is part of version &doc.version; of the Samba suite. AUTHOR The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.