1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/docs-xml/manpages/vfs_zfsacl.8.xml
awalker 30f9e1dd59 vfs_zfsacl: fix issue with ACL inheritance in zfsacl
Add parameter zfsacl:map_dacl_protected to address issue preventing Windows Clients
from disabling inheritance on ACLs. FreeBSD does not currently expose the ACL_PROTECTED
NFS4.1 flag, but it does expose ACE4_INHERITED_ACE. When the parameter is enabled,
map the absence of ACE4_INHERITED_ACE to SEC_DESC_DACL_PROTECTED.

See also the discussion at

https://gitlab.com/samba-team/samba/merge_requests/719

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 20 23:24:54 UTC 2019 on sn-devel-184
2019-12-20 23:24:54 +00:00

195 lines
6.8 KiB
XML

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="vfs_zfsacl.8">
<refmeta>
<refentrytitle>vfs_zfsacl</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
<refnamediv>
<refname>vfs_zfsacl</refname>
<refpurpose>ZFS ACL samba module</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>vfs objects = zfsacl</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>This VFS module is part of the
<citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
<para>The <command>zfsacl</command> VFS module is the home
for all ACL extensions that Samba requires for proper integration
with ZFS.
</para>
<para>Currently the zfsacl vfs module provides extensions in following areas :
<itemizedlist>
<listitem><para>NFSv4 ACL Interfaces with configurable options for ZFS</para></listitem>
</itemizedlist>
</para>
<para><command>NOTE:</command>This module follows the posix-acl behaviour
and hence allows permission stealing via chown. Samba might allow at a later
point in time, to restrict the chown via this module as such restrictions
are the responsibility of the underlying filesystem than of Samba.
</para>
<para>This module makes use of the smb.conf parameter
<smbconfoption name="acl map full control">acl map full control</smbconfoption>
When set to yes (the default), this parameter will add in the FILE_DELETE_CHILD
bit on a returned ACE entry for a file (not a directory) that already
contains all file permissions except for FILE_DELETE and FILE_DELETE_CHILD.
This can prevent Windows applications that request GENERIC_ALL access
from getting ACCESS_DENIED errors when running against a filesystem
with NFSv4 compatible ACLs.
</para>
<para>This module is stackable.</para>
<para>Since Samba 4.0 all options are per share options.</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>nfs4:mode = [ simple | special ]</term>
<listitem>
<para>
Controls substitution of special IDs (OWNER@ and GROUP@) on ZFS.
The use of mode simple is recommended.
In this mode only non inheriting ACL entries for the file owner
and group are mapped to special IDs.
</para>
<para>The following MODEs are understood by the module:</para>
<itemizedlist>
<listitem><para><command>simple(default)</command> - use OWNER@ and GROUP@ special IDs for non inheriting ACEs only.</para></listitem>
<listitem><para><command>special(deprecated)</command> - use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs.</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>nfs4:acedup = [dontcare|reject|ignore|merge]</term>
<listitem>
<para>
This parameter configures how Samba handles duplicate ACEs encountered in ZFS ACLs.
ZFS allows/creates duplicate ACE for different bits for same ID.
</para>
<para>Following is the behaviour of Samba for different values :</para>
<itemizedlist>
<listitem><para><command>dontcare (default)</command> - copy the ACEs as they come</para></listitem>
<listitem><para><command>reject (deprecated)</command> - stop operation and exit with error on ACL set op</para></listitem>
<listitem><para><command>ignore (deprecated)</command> - don't include the second matching ACE</para></listitem>
<listitem><para><command>merge</command> - bitwise OR the 2 ace.flag fields and 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>nfs4:chown = [yes|no]</term>
<listitem>
<para>This parameter allows enabling or disabling the chown supported
by the underlying filesystem. This parameter should be enabled with
care as it might leave your system insecure.</para>
<para>Some filesystems allow chown as a) giving b) stealing. It is the latter
that is considered a risk.</para>
<para>Following is the behaviour of Samba for different values : </para>
<itemizedlist>
<listitem><para><command>yes</command> - Enable chown if as supported by the under filesystem</para></listitem>
<listitem><para><command>no (default)</command> - Disable chown</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>zfsacl:denymissingspecial = [yes|no]</term>
<listitem>
<para>Prevent users from setting an ACL that lacks NFSv4 special entries
(owner@, group@, everyone@). ZFS will automatically generate these these entries
when calculating the inherited ACL of new files if the ACL of the parent directory
lacks an inheriting special entry. This may result in user confusion and unexpected
change in permissions of files and directories as the inherited ACL is generated.</para>
<itemizedlist>
<listitem><para><command>yes</command></para></listitem>
<listitem><para><command>no (default)</command></para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>zfsacl:map_dacl_protected = [yes|no]</term>
<listitem>
<para>If enabled and the ZFS ACL on the underlying filesystem does not contain
any inherited access control entires, then set the SEC_DESC_DACL_PROTECTED flag
on the Security Descriptor returned to SMB clients.
This ensures correct Windows client behavior when disabling inheritance on
directories.</para>
<para>Following is the behaviour of Samba for different values : </para>
<itemizedlist>
<listitem><para><command>yes</command> - Enable mapping to
SEC_DESC_DACL_PROTECTED</para></listitem>
<listitem><para><command>no (default)</command></para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLES</title>
<para>A ZFS mount can be exported via Samba as follows :</para>
<programlisting>
<smbconfsection name="[samba_zfs_share]"/>
<smbconfoption name="vfs objects">zfsacl</smbconfoption>
<smbconfoption name="path">/test/zfs_mount</smbconfoption>
<smbconfoption name="nfs4: mode">simple</smbconfoption>
<smbconfoption name="nfs4: acedup">merge</smbconfoption>
</programlisting>
</refsect1>
<refsect1>
<title>VERSION</title>
<para>This man page is part of version &doc.version; of the Samba suite.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.</para>
</refsect1>
</refentry>