SMB share and inherited ACLs

[bozho]

Hi all,

I'm still learning about FreeNAS and I have the following scenario that I'm trying to figure out.

I've created a local user, bozho - mainly for non-root SSH access to FreeNAS and jails. The user is a member of bozho and wheel groups.

For testing purposes, I've created a dataset, test, with Windows permissions and created an SMB share with defaults. Running getfacl on it returns this (as expected):

Code:

# file: test
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow

Since the user bozho is a member of the group wheel, I can connect from Windows and create a file there. Running getfacl on it returns (again, as expected):

Code:

# file: test/a.txt
# owner: bozho
# group: wheel
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWcCos:------I:allow
         everyone@:r-x---a-R-c---:------I:allow

When I touch a file as root over SSH, the file has these permissions:

Code:

# file: test/b.txt
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:------I:allow
            group@:rwxpDdaARWcCos:------I:allow
         everyone@:r-x---a-R-c---:------I:allow

If I use Windows explorer to add explicit full permissions to the user bozho on the test share and run getfacl again on both the directory and the files, I get these:

Code:

# file: test
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCo-:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow
        user:bozho:rwxpDdaARWcCo-:fd-----:allow

# file: test/a.txt
# owner: bozho
# group: wheel
         user:root:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
            owner@:rwxpDdaARWcCo-:------I:allow

# file: test/b.txt
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
        user:bozho:rwxpDdaARWcCo-:------I:allow

It looks like if I'm setting explicit permissions for a user and that user is the owner of a file, the explicit ACL does not get set.

If I create another file after setting the explicit user permission on the share, it gets the expected permissions:

Code:

# file: test/c.txt
# owner: bozho
# group: wheel
            owner@:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
        user:bozho:rwxpDdaARWcCo-:------I:allow

If I then change ownership of a.txt to the root user, the files keeps its explicit root user permissions, but it doesn't get explicit bozho permissions:

Code:

# file: test/a.txt
# owner: root
# group: wheel
         user:root:rwxpDdaARWcCo-:------I:allow
            group@:rwxpDdaARWcCo-:------I:allow
         everyone@:r-x---a-R-c---:------I:allow
            owner@:rwxpDdaARWcCo-:------I:allow

Is that expected? Is this a Windows problem? Is this how setting ACLs is supposed to work?

If I wanted to have a good control over explicit permissions, would it be a good idea to set share and file ownership to nobody:nobody by default?

Thank you!

 

[anodos]

Try setting the following auxiliary parameter on the share and see if it gets the result you want:
nfs4:mode = simple

 

[bozho]

It doesn't seem so.

I do get CREATOR OWNER and CREATOR GROUP entries on Windows, but the behaviour I see with a.txt is the same: if I'm adding an explicit inherited permission for bozho to the test directory, any files within already owned by me don't get the explicit ACL for bozho.

Any files created by me after adding the permission do get an explicit ACL for bozho