Do any of you know how to set the default ZFS ACLs for newly created files and folders when those files and folders are created through Samba?
I want to have all new files and folders only inherit extended (non-trivial) ACLs that are set on the parent folders. But when a file is created through Samba on the ZFS file system, it gets mode 744 (trivial) added to it. For directories, it gets mode 755 added to it.

I've tried everything I could find and think of:

1.) Setting a umask.
2.) Editing /etc/sfw/smb.conf 'force create mode' and 'force directory mode'. Then `svcadm restart samba`.
3.) Adding trivial inheritable ACLs to the parent folder.

Changes 1 and 2 had no effect. In number 3 I got folders to effectively do what I want, but not files. I set the ACLs of the parent to:

> drwx------+ 24 AD+administrator AD+records 2132 Jul 28 12:01 records/
> user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
> user:AD+administrator:rwxpdDaARWcCos:------:allow
> group:AD+records:rwxpd-aARWc--s:fdi---:allow
> group:AD+records:rwxpd-aARWc--s:------:allow
> group:AD+release:r-x---a-R-c---:------:allow
> owner@:rwxp---A-W-Co-:fd----:allow
> group@:rwxp----------:fd----:deny
> everyone@:rwxp---A-W-Co-:fd----:deny

Then new directories and files get created like this from a Windows workstation connected to the server:

> drwx------+ 2 AD+testuser AD+domain users 2 Jul 28 12:01 test
> user:AD+administrator:rwxpdDaARWcCos:fdi---:allow
> user:AD+administrator:rwxpdDaARWcCos:------:allow
> group:AD+records:rwxpd-aARWc--s:fdi---:allow
> group:AD+records:rwxpd-aARWc--s:------:allow
> owner@:rwxp---A-W-Co-:fdi---:allow
> owner@:-------A-W-Co-:------:allow
> group@:rwxp----------:fdi---:deny
> group@:--------------:------:deny
> everyone@:rwxp---A-W-Co-:fdi---:deny
> everyone@:-------A-W-Co-:------:deny
> owner@:--------------:------:deny
> owner@:rwxp---A-W-Co-:------:allow
> group@:-w-p----------:------:deny
> group@:r-x-----------:------:allow
> everyone@:-w-p---A-W-Co-:------:deny
> everyone@:r-x---a-R-c--s:------:allow

> -rwxr--r--+ 1 AD+testuser AD+domain users 0 Jul 28 12:01 test.txt
> user:AD+administrator:rwxpdDaARWcCos:------:allow
> group:AD+records:rwxpd-aARWc--s:------:allow
> owner@:-------A-W-Co-:------:allow
> group@:--------------:------:deny
> everyone@:-------A-W-Co-:------:deny
> owner@:--------------:------:deny
> owner@:rwxp---A-W-Co-:------:allow
> group@:-wxp----------:------:deny
> group@:r-------------:------:allow
> everyone@:-wxp---A-W-Co-:------:deny
> everyone@:r-----a-R-c--s:------:allow

I need group "AD+release" to have read-only access to only specific files within records. I could set that up, but any new files or folders that are created will be viewable by AD+release. That would not be acceptable.

Do any of you know how to set the Samba file/folder creation ACLs on ZFS file systems? Or do you have something I could try?

Thank you for your time.

--
Jeff Hulen

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
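An added example, not part of the original post: the sketch below evaluates the test.txt ACL quoted in the message the way NFSv4-style ACLs are processed (entries in order, the first applicable entry that mentions a permission decides it) and reports which entry exposes the file. The `READER` identity set and the helper names `parse_acl` and `decide` are assumptions made for illustration; `READER` models an AD+release member who is neither the file owner nor in the owning group.

```python
# Added example: per-permission evaluation of compact `ls -V` ACL entries.
from typing import NamedTuple

class Ace(NamedTuple):
    who: str    # e.g. "group:AD+records" or "everyone@"
    perms: str  # compact permission letters, "-" where unset
    flags: str  # compact inheritance flags ("i" = inherit-only)
    kind: str   # "allow" or "deny"

# ACL of test.txt, copied from the listing in the post.
TEST_TXT_ACL = """
user:AD+administrator:rwxpdDaARWcCos:------:allow
group:AD+records:rwxpd-aARWc--s:------:allow
owner@:-------A-W-Co-:------:allow
group@:--------------:------:deny
everyone@:-------A-W-Co-:------:deny
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-wxp----------:------:deny
group@:r-------------:------:allow
everyone@:-wxp---A-W-Co-:------:deny
everyone@:r-----a-R-c--s:------:allow
"""

# Assumption: the subject matches only these ACL principals.
READER = {"group:AD+release", "everyone@"}

def parse_acl(text):
    """Parse one compact ACL entry per line into Ace tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            # Last three fields are fixed; "who" may itself contain a colon.
            aces.append(Ace(*line.rsplit(":", 3)))
    return aces

def decide(aces, identities, bit):
    """Return (kind, ace) for the first applicable ACE mentioning `bit`."""
    for ace in aces:
        if "i" in ace.flags:  # inherit-only entries do not apply to the object
            continue
        if ace.who in identities and bit in ace.perms:
            return ace.kind, ace
    return "deny", None  # nothing granted the permission

if __name__ == "__main__":
    for bit in "rw":  # r = read_data, w = write_data
        kind, ace = decide(parse_acl(TEST_TXT_ACL), READER, bit)
        print(bit, kind, ace)
```

Run against the quoted listing, the deciding entry for `r` is the trailing `everyone@` allow that comes from the trivial mode bits rather than from anything inherited from records/.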