The Samba-Bugzilla – Bug 6056
Unable to disable ACL usage
Last modified: 2009-09-19 13:22:31 UTC
Right now it is impossible to disable ACL usage completely for a share.
The problem occurs with zfs [mounted per lofs into a zone]:
1) the zfsacl stack is not working at all
2) disabling zfsacl has no effect, since smbd then uses Solaris aka Posix ACLs
3) Posix ACLs are not working/fail on ZFS
4) setting all *acl* directives to no has no effect - smbd still uses Solaris ACLs

# collected from testparm -v
acl compatibility = auto
acl check permissions = Yes
acl group control = No
acl map full control = Yes
force unknown acl user = No
inherit acls = No
nt acl support = Yes
profile acls = No
map acl inherit = No

comment = office
path = /export/share/office
valid users = @office
force group = office
acl check permissions = No
acl map full control = No
nt acl support = No
public = no
writable = yes
printable = no
create mode = 660
directory mode = 770
browseable = yes
strict locking = yes

So assume User A and B and group G: If user A:G owns a file with 0660, user B:G is able to open the file (e.g. bla.xls), but is not able to save it - results in a *tmp file of size 0 set to mode 0000 including an ACL entry for rw permission for B:G. This very basic/simple scenario (edit perms per [work]group) could be accomplished by avoiding ACLs at all (i.e. traditional UNIX file handling), however right now there is no known way to disable ACL usage.
Wrt. zfsacl stack: The problem seems to occur with MS Office 2007: Office seems to create a tempfile and tries to set the same ACLs as in the original file, which leads to a chown call, which tries to set user A as the file owner, which fails, because the process is not running with super-user rights:
chown:entry chmod 27384:110 bla/4180D0D9.tmp
Can you try "dos filemode = yes" with the zfs acl module?
Not sure about 3.3.0, but the problem wrt. ZFS <--> Win ACLs was fixed by Jeremy in the 3.3.1pre tree on 2009/02/20 (see IRC log if available). So there is no need to completely disable ACLs anymore - the permissions end up as ACLs on ZFS anyway.
Jeremy, is that a blocker for 3.3.8?
From the comments I'd call this just fixed. Haven't tried myself though. Jens, please re-open if it is still an issue.