Will creating a Windows (CIFS) share create Windows ACLs?

Status
Not open for further replies.

NigelNoFriends

Explorer
Joined
Mar 29, 2016
Messages
56
I want to make sure, before creating one, that making a Windows share will not impose Windows ACL permissions on the files/folder?

I recently did a fresh install because Windows ACLs were causing problems with the integration of multiple plugins. To avoid this, I'm trying to stick to UNIX permissions. However, I want to be able to access all my files on Mac, Windows, and (less often) Linux systems.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I want to make sure, before creating one, that making a Windows share will not impose Windows ACL permissions on the files/folder?
>
> I recently did a fresh install because Windows ACLs were causing problems with the integration of multiple plugins. To avoid this, I'm trying to stick to UNIX permissions. However, I want to be able to access all my files on Mac, Windows, and (less often) Linux systems.

@dlavigne @cyberjock, I'm a bit out of my depth here. Feel free to confirm or correct the following.

ZFS uses NFSv4 ACLs. There is no way to stop it from using these ACLs. ZFS on Linux has a feature flag "acltype" which, when set to "acltype = posixacl", transparently translates NFSv4 ACLs to POSIX draft ACLs. FreeBSD does not implement this feature flag. When the aclmode property is set to "passthrough" and you are using trivial ACLs, you will not notice any difference in behavior between ZFS permissions and permissions in UFS/EXT{2-4}.

FreeNAS changes the behavior of ACLs depending on how you plan to use the dataset. When you set a dataset to "Windows" FreeNAS will change ZFS's "aclmode" property to "restricted". When the aclmode property is set in this manner, chmod is prevented from clobbering non-trivial ACLs on a dataset. This behavior was set in FreeNAS here: https://bugs.freenas.org/issues/5070 and is further documented here.

Examples of ACLs:
Trivial ACL
Code:
# file: dtruss.out
# owner: root
# group: wheel
            owner@:rw-p--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow


Non-Trivial ACL
Code:
# file: IT/
# owner: root
# group: DOMAIN\domain admins
group:DOMAIN\IT Staff:rwxp-daARWc---:fd-----:allow
group:DOMAIN\backupusers:r-x---a-R-c---:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow


The entry
Code:
group:DOMAIN\IT Staff:rwxp-daARWc---:fd-----:allow
is a non-trivial ACE.

You can easily see why I don't want an application to clobber the above non-trivial ACL (IT Staff would lose access to the share). It will also clobber "deny" ACLs that are set on the file. This can seriously undermine security in a multi-user environment, and so FreeNAS defaults to a 'safe' config that is more secure in this way.

As long as you do not intend to set non-trivial ACLs on a dataset (which is fairly typical in a single-user environment), you should be fine using "unix" permissions type on a CIFS share (which sets the aclmode property to "passthrough"). I would still disable the "zfsacl" VFS module from Samba to be sure that a Windows application won't try to write non-trivial ACLs on files / folders.

@pirateghost does this on his server (unix permissions type) and doesn't have problems.
 
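The trivial/non-trivial distinction from the post above, as an added example that is not part of the original thread and is not FreeNAS code: it parses the two `getfacl` listings quoted there and reports which entries a `chmod` clobber would lose. The function names are hypothetical, and the rule used (named `user:`/`group:` principals and inheritance flags make an entry non-trivial) is an assumption that does not look at `deny` entries.

```python
# Sample input: the two getfacl listings quoted in the post above.
TRIVIAL = r"""# file: dtruss.out
# owner: root
# group: wheel
            owner@:rw-p--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow
"""
NON_TRIVIAL = r"""# file: IT/
# owner: root
# group: DOMAIN\domain admins
group:DOMAIN\IT Staff:rwxp-daARWc---:fd-----:allow
group:DOMAIN\backupusers:r-x---a-R-c---:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow
"""
SPECIAL = {"owner@", "group@", "everyone@"}  # principals that map to mode bits

def parse_aces(listing):
    """Yield (who, perms, flags, ace_type) for each ACE line of a listing."""
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split from the right: a named principal ("group:DOMAIN\IT Staff")
        # has a colon of its own, while the last three fields never do.
        parts = line.rsplit(":", 3)
        if len(parts) == 4:
            yield tuple(parts)

def non_trivial_aces(listing):
    """Return [(who, reasons)] for ACEs that plain mode bits cannot express.
    Assumed heuristic: named principals and inheritance flags are non-trivial."""
    found = []
    for who, _perms, flags, _ace_type in parse_aces(listing):
        reasons = []
        if who not in SPECIAL:
            reasons.append("named principal")
        if flags.strip("-"):
            reasons.append("inheritance flags " + flags.replace("-", ""))
        if reasons:
            found.append((who, reasons))
    return found

if __name__ == "__main__":
    for name, text in (("dtruss.out", TRIVIAL), ("IT/", NON_TRIVIAL)):
        print(name, non_trivial_aces(text) or "trivial ACL")
```

Running it over a saved `getfacl` dump before switching a dataset's permission type shows whether anything beyond mode bits is in use.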

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I set Unix permissions on my datasets and then use CIFS as the share. There are zero issues.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Group permissions over smb will be broken unless you remove the zfsacl vfs module from the samba configuration. I'm pretty sure about this but will need to test and double check.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> I set Unix permissions on my datasets and then use CIFS as the share. There are zero issues.

You are likely to have problems later on since the devs are not writing future FreeNAS code to work with this specific configuration.

> Group permissions over smb will be broken unless you remove the zfsacl vfs module from the samba configuration. I'm pretty sure about this but will need to test and double check.

I'm 99.999% sure this is incorrect. I can't test this personally since I have no groups that I use on my FreeNAS systems.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
> You are likely to have problems later on since the devs are not writing future FreeNAS code to work with this specific configuration.

Been waiting on your ACL guide...
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> Been waiting on your ACL guide...

I've said multiple times, don't wait on it. I've got plenty of work-related things to do and I can't even keep up on forum posts, let alone other stuff going on in my life. :P
 