I'm experimenting with moving disks, with data intact, from another system to TrueNAS SCALE. I will preface the rest of this post by saying that I know that this is completely unsupported and probably a silly idea, but nevertheless I'm curious.
Fortuitously, the other system happens to also use ZFS (albeit the FreeBSD flavour) and Samba, and after a quick adjustment of ZFS mountpoint properties to match what TrueNAS expects, this very nearly Just Works -- I can plug the old disks into my new TrueNAS SCALE box and all my data is there and accessible. Both systems are joined to the same AD, and I've configured TrueNAS's ID mapper to use the same UIDs/GIDs as the source system, so the file ownership all looks right.
However, the other system happens to have stored SMB ACLs in a different way to TrueNAS. The source system has stored a representation of the NTFS-style (SID-based) ACL, c/o Samba's vfs_acl_xattr, in an extended attribute named "user.NTACL". ("security.NTACL" would be a more usual xattr name used for this. The ACL format saved by this system in "user.NTACL" is exactly the same as would be stored in "security.NTACL".)
I can read the existing ACL using "samba-tool ntacl get" (either after renaming the user.NTACL xattr to security.NTACL, or via a one-line patch to samba-tool to use an xattr name of user.NTACL):
Code:
# ./samba-tool ntacl get --use-ntvfs -s ~/smb.conf --as-sddl /mnt/test0/vol/data/test_cifs/foo
O:S-1-5-21-1785231444-2345965658-2934847549-3534G:DUD:AI(A;OICIID;0x001f01ff;;;BA)(A;ID;0x001f01ff;;;S-1-5-21-1785231444-2345965658-2934847549-3534)(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x001200a9;;;DU)(A;OICIIOID;0x001200a9;;;CG)(A;OICIIOID;0x001200a9;;;DU)(A;OICIIOID;0x001f01ff;;;S-1-5-21-1785231444-2345965658-2934847549-3534)
I am trying to find a way to convert this style of ACL storage to TrueNAS's NFSv4-style ACLs (which it stores in a different xattr, "security.nfs4_acl_xdr", in a different format). NB: I'm not trying to convert to POSIX ACLs.
I have not yet found a good way to write an ACL out in TrueNAS's preferred format from outside of Samba. "samba-tool ntacl set" doesn't seem to support setting nfs4_acl_xdr-style ACLs (only POSIX ACLs or rewriting back to security.NTACL, I think) -- perhaps because use of nfs4_acl_xdr seems to be a TrueNAS-specific addition to Samba.
Can anyone think of a way to script the conversion of NT ACLs, ideally in the above SDDL format, to something that can go into TrueNAS's security.nfs4_acl_xdr xattr?
smbcacls looks somewhat promising, except it seems unhappy with the SDDL output from samba-tool (smbcacls seems to be generating some bogus SIDs, e.g. for the implicit Domain Users group referenced as "G:DU" in the above), and also can only handle one file at once (I have millions so this approach may take some time...).
Thanks.
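An added example, not part of the original post and not Samba or TrueNAS code: a first step toward the scripted conversion asked about above, parsing the SDDL string from the post into NFSv4-style ACE fields (type, flags, permission names, principal). The name `parse_sddl` is hypothetical, and mapping the CO/CG aliases to `owner@`/`group@` is an assumption. It handles only hex access masks as printed above, and it neither resolves SIDs or aliases to UIDs/GIDs nor writes the security.nfs4_acl_xdr xattr.

```python
import re

# NT ACE flag tokens -> NFSv4 ACE4_* flag names (RFC 7530 / RFC 5661)
FLAGS = {"OI": "FILE_INHERIT", "CI": "DIRECTORY_INHERIT",
         "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
# NFSv4 ACE4_* mask bits have the same values as the NT file access mask bits
MASK = {0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA",
        0x8: "READ_NAMED_ATTRS", 0x10: "WRITE_NAMED_ATTRS", 0x20: "EXECUTE",
        0x40: "DELETE_CHILD", 0x80: "READ_ATTRIBUTES", 0x100: "WRITE_ATTRIBUTES",
        0x10000: "DELETE", 0x20000: "READ_ACL", 0x40000: "WRITE_ACL",
        0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
TYPES = {"A": "ALLOW", "D": "DENY"}
# Assumption: creator aliases map to the NFSv4 special principals
SPECIAL = {"CO": "owner@", "CG": "group@"}
# SDDL printed by samba-tool in the post above
SID = "S-1-5-21-1785231444-2345965658-2934847549-3534"
SAMPLE = ("O:" + SID + "G:DUD:AI(A;OICIID;0x001f01ff;;;BA)"
          "(A;ID;0x001f01ff;;;" + SID + ")(A;OICIIOID;0x001f01ff;;;CO)"
          "(A;ID;0x001200a9;;;DU)(A;OICIIOID;0x001200a9;;;CG)"
          "(A;OICIIOID;0x001200a9;;;DU)(A;OICIIOID;0x001f01ff;;;" + SID + ")")


def parse_sddl(sddl):
    """Return owner, group and the DACL as NFSv4-style ACE dicts."""
    m = re.match(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    owner, group, _dacl_flags, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        if ace_type not in TYPES or not rights.startswith("0x"):
            raise ValueError("unsupported ACE: " + body)
        mask = int(rights, 16)
        if mask & ~sum(MASK):  # e.g. generic rights: refuse rather than drop bits
            raise ValueError("unmapped access bits in: " + body)
        aces.append({
            "type": TYPES[ace_type],
            "flags": [FLAGS[f] for f in re.findall("..", flags)],
            "perms": [name for bit, name in MASK.items() if mask & bit],
            "who": SPECIAL.get(trustee, trustee),  # SIDs/aliases still need idmap
        })
    return {"owner": owner, "group": group, "aces": aces}


if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE)["aces"]:
        print(ace["who"], ace["type"], ace["flags"], ace["perms"])
```

Failing on unmapped bits or unknown ACE types, instead of skipping them, keeps a bulk run from silently writing ACLs that grant more or less than the originals.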