samba/docs/manpages/vfs_zfsacl.8

'\" t
.\"     Title: vfs_zfsacl
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\"      Date: 01/28/2020
.\"    Manual: System Administration tools
.\"    Source: Samba 4.11.6
.\"  Language: English
.\"
.TH "VFS_ZFSACL" "8" "01/28/2020" "Samba 4\&.11\&.6" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
vfs_zfsacl \- ZFS ACL samba module
.SH "SYNOPSIS"
.HP \w'\ 'u
vfs objects = zfsacl
.SH "DESCRIPTION"
.PP
This VFS module is part of the
\fBsamba\fR(7)
suite\&.
.PP
The
zfsacl
VFS module is the home for all ACL extensions that Samba requires for proper integration with ZFS\&.
.PP
Currently the zfsacl vfs module provides extensions in following areas :
.RS
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
NFSv4 ACL Interfaces with configurable options for ZFS
.RE
.sp
.RE
.PP
NOTE:This module follows the posix\-acl behaviour and hence allows permission stealing via chown\&. Samba might allow at a later point in time, to restrict the chown via this module as such restrictions are the responsibility of the underlying filesystem than of Samba\&.
.PP
This module makes use of the smb\&.conf parameter
\m[blue]\fBacl map full control = acl map full control\fR\m[]
When set to yes (the default), this parameter will add in the FILE_DELETE_CHILD bit on a returned ACE entry for a file (not a directory) that already contains all file permissions except for FILE_DELETE and FILE_DELETE_CHILD\&. This can prevent Windows applications that request GENERIC_ALL access from getting ACCESS_DENIED errors when running against a filesystem with NFSv4 compatible ACLs\&.
.PP
This module is stackable\&.
.PP
Since Samba 4\&.0 all options are per share options\&.
.SH "OPTIONS"
.PP
nfs4:mode = [ simple | special ]
.RS 4
Controls substitution of special IDs (OWNER@ and GROUP@) on ZFS\&. The use of mode simple is recommended\&. In this mode only non inheriting ACL entries for the file owner and group are mapped to special IDs\&.
.sp
The following MODEs are understood by the module:
.RS
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
simple(default)
\- use OWNER@ and GROUP@ special IDs for non inheriting ACEs only\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
special(deprecated)
\- use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs\&.
.RE
.sp
.RE
.RE
.PP
nfs4:acedup = [dontcare|reject|ignore|merge]
.RS 4
This parameter configures how Samba handles duplicate ACEs encountered in ZFS ACLs\&. ZFS allows/creates duplicate ACE for different bits for same ID\&.
.sp
Following is the behaviour of Samba for different values :
.RS
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
dontcare (default)
\- copy the ACEs as they come
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
reject
\- stop operation and exit with error on ACL set op
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
ignore
\- don\*(Aqt include the second matching ACE
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
merge
\- bitwise OR the 2 ace\&.flag fields and 2 ace\&.mask fields of the 2 duplicate ACEs into 1 ACE
.RE
.sp
.RE
.RE
.PP
nfs4:chown = [yes|no]
.RS 4
This parameter allows enabling or disabling the chown supported by the underlying filesystem\&. This parameter should be enabled with care as it might leave your system insecure\&.
.sp
Some filesystems allow chown as a) giving b) stealing\&. It is the latter that is considered a risk\&.
.sp
Following is the behaviour of Samba for different values :
.RS
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
yes
\- Enable chown if as supported by the under filesystem
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
no (default)
\- Disable chown
.RE
.sp
.RE
.RE
.SH "EXAMPLES"
.PP
A ZFS mount can be exported via Samba as follows :
.sp
.if n \{\
.RS 4
.\}
.nf
        \fI[samba_zfs_share]\fR
	\m[blue]\fBvfs objects = zfsacl\fR\m[]
	\m[blue]\fBpath = /test/zfs_mount\fR\m[]
	\m[blue]\fBnfs4: mode = special\fR\m[]
	\m[blue]\fBnfs4: acedup = merge\fR\m[]
.fi
.if n \{\
.RE
.\}
.SH "VERSION"
.PP
This man page is part of version 4\&.11\&.6 of the Samba suite\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.