Bug 12027 - samba-tool ntacl sysvolreset doesn't work with ZFS, even if zfsacl is used
samba-tool ntacl sysvolreset doesn't work with ZFS, even if zfsacl is used
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
x64 FreeBSD
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2016-07-18 14:21 UTC by Jørn Åne
Modified: 2016-07-18 15:40 UTC (History)
2 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Jørn Åne 2016-07-18 14:21:42 UTC
My setup:

Fresh samba43 on FreeBSD jail with ZFS.

ZFS is mounted with aclinherit=passthrough and aclmode=passthrough

A new DC is provisioned:

    samba-tool domain provision […] --use-xattrs=no --use-ntvfs

After provisioning, the following lines were removed from /usr/local/etc/smb4.conf:

    'server services', 'dcerpc endpoint servers', 'posix:eadb'

The following line was added to /etc/smb4.conf:

    vfs objects = zfsacl

This, as I understand it, is the procedure as it is recommended by FreeBSD ports.


I tried samba44 as well, but it didn't have --use-ntvfs available.  Not using --use-ntvfs causes an error stating that ACLs are not supported.

Problem description:

When I try to run `samba-tool ntacl sysvolreset`, the program fails with an error:

    ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.

Upon inspection of the referred script, I find the following Python file:


Which reads starting on line 1547:

        smbd.set_simple_acl(file.name, 0755, gid)
    except OSError:
        raise ProvisioningError("Your filesystem or build does not support posix ACLs […]")

The smbd object comes from samba.samba3, which is an .so file.

What I have found so far:

There is a thread on the mailing list from 2013 already identifying this problem.


I have asked on Server Fault, where the answer is that NFSv4 ACLs should be used. Which is what Windows uses and what ZFS uses, but not what s3fs uses.


A comment on the question states "aha. That's a bug in the tool, I would take it up upstream (samba project). In fact, it would be much better for samba to support those ace's [sic] out of the box, they are much more like Windows ace's [sic]".