{"id":436,"date":"2011-02-01T07:28:09","date_gmt":"2011-02-01T07:28:09","guid":{"rendered":"http:\/\/poojanwagh.opalstacked.com\/techblog\/?p=436"},"modified":"2011-02-01T07:28:09","modified_gmt":"2011-02-01T07:28:09","slug":"re-doing-public-samba-share-with-freebsdzfs","status":"publish","type":"post","link":"https:\/\/tech.poojanblog.com\/blog\/unix-linux\/re-doing-public-samba-share-with-freebsdzfs\/","title":{"rendered":"Re-doing Public Samba Share with FreeBSD\/ZFS"},"content":{"rendered":"

This time, I’m going to to try using FreeBSD’s support for NFS ACL’s, using http:\/\/forums.freebsd.org\/showthread.php?t=17627<\/a> as a reference:<\/p>\n


\nserver# zfs set aclmode=passthrough tank\/Users
\nserver# zfs set aclinherit=passthrough tank\/Users
\n<\/code><\/p>\n

I created ZFS filesystems within tank\/Users\/Public like so:<\/p>\n

[cce_bash]
\nserver% cat add_pub.sh
\n#!\/bin\/sh<\/p>\n

u=”$1″
\nzfs create tank\/Users\/$u
\nchown nobody:nogroup \/tank\/Users\/$u
\nfor d in “Documents” “Music” “Videos” “Pictures”; do
\n zfs create tank\/Users\/$u\/$d
\n zfs set aclmode=passthrough tank\/Users\/$u\/$d
\n zfs set aclinherit=passthrough tank\/Users\/$u\/$d
\n chown nobody:nogroup “\/tank\/Users\/$u\/$d”
\ndone
\nzfs set compression=gzip tank\/Users\/$u\/Documents
\n[\/cce_bash]<\/p>\n

Note the zfs set aclmode<\/code> and zfs set aclinherit<\/code> lines. These prevent a calculation of effective permissions based on the umask which pretty much renders the ACL commands useless (documented here<\/a>). Now, to let myself read\/write\/etc tank\/Users\/Public:<\/p>\n


\nserver# setfacl -m \"user:Poojan:rwxp:fd:allow\" \/tank\/Users\/Public
\n<\/code><\/p>\n

Or, more generally:<\/p>\n

[cce_bash]
\nserver% cat prm_pub.sh
\n#!\/bin\/sh<\/p>\n

u=”$1″
\nfor d in “Documents” “Music” “Videos” “Pictures”; do
\n setfacl -m “user:${u}:rwxp:fd:allow” “\/tank\/Users\/Public\/$d”
\ndone
\n[\/cce_bash]<\/p>\n

I’ll admit that I have no idea how this works, but it looks like it does.<\/p>\n

For samba, here’s my smb.conf:
\n[cce_ini]
\n# This is the main Samba configuration file. You should read the
\n# smb.conf(5) manual page in order to understand the options listed
\n# here. Samba has a huge number of configurable options (perhaps too
\n# many!) most of which are not shown in this example
\n#
\n# For a step to step guide on installing, configuring and using samba,
\n# read the Samba-HOWTO-Collection. This may be obtained from:
\n# http:\/\/www.samba.org\/samba\/docs\/Samba-HOWTO-Collection.pdf
\n#
\n# Many working examples of smb.conf files can be found in the
\n# Samba-Guide which is generated daily and can be downloaded from:
\n# http:\/\/www.samba.org\/samba\/docs\/Samba-Guide.pdf
\n#
\n# Any line which starts with a ; (semi-colon) or a # (hash)
\n# is a comment and is ignored. In this example we will use a #
\n# for commentry and a ; for parts of the config file that you
\n# may wish to enable
\n#
\n# NOTE: Whenever you modify this file you should run the command “testparm”
\n# to check that you have not made any basic syntactic errors.
\n#
\n#======================= Global Settings =====================================
\n[global]<\/p>\n

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
\n workgroup = MYGROUP<\/p>\n

# server string is the equivalent of the NT Description field
\n server string = Samba Server<\/p>\n

# Security mode. Defines in which mode Samba will operate. Possible
\n# values are share, user, server, domain and ads. Most people will want
\n# user level security. See the Samba-HOWTO-Collection for details.
\n security = user<\/p>\n

# This option is important for security. It allows you to restrict
\n# connections to machines which are on your local network. The
\n# following example restricts access to two C class networks and
\n# the “loopback” interface. For more examples of the syntax see
\n# the smb.conf man page
\n; hosts allow = 192.168.1. 192.168.2. 127.<\/p>\n

# If you want to automatically load your printer list rather
\n# than setting them up individually then you’ll need this
\n load printers = yes<\/p>\n

# you may wish to override the location of the printcap file
\n; printcap name = \/etc\/printcap<\/p>\n

# on SystemV system setting printcap name to lpstat should allow
\n# you to automatically obtain a printer list from the SystemV spool
\n# system
\n; printcap name = lpstat<\/p>\n

# It should not be necessary to specify the print system type unless
\n# it is non-standard. Currently supported print systems include:
\n# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
\n; printing = cups<\/p>\n

# Uncomment this if you want a guest account, you must add this to \/etc\/passwd
\n# otherwise the user “nobody” is used
\n; guest account = pcguest<\/p>\n

# this tells Samba to use a separate log file for each machine
\n# that connects
\n log file = \/var\/log\/samba\/log.%m<\/p>\n

# Put a capping on the size of the log files (in Kb).
\n max log size = 50<\/p>\n

# Use password server option only with security = server
\n# The argument list may include:
\n# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
\n# or to auto-locate the domain controller\/s
\n# password server = *
\n; password server = <\/p>\n

# Use the realm option only with security = ads
\n# Specifies the Active Directory realm the host is part of
\n; realm = MY_REALM<\/p>\n

# Backend to store user information in. New installations should
\n# use either tdbsam or ldapsam. smbpasswd is available for backwards
\n# compatibility. tdbsam requires no further configuration.
\n; passdb backend = tdbsam<\/p>\n

# Using the following line enables you to customise your configuration
\n# on a per machine basis. The %m gets replaced with the netbios name
\n# of the machine that is connecting.
\n# Note: Consider carefully the location in the configuration file of
\n# this line. The included file is read at that point.
\n; include = \/usr\/local\/etc\/smb.conf.%m<\/p>\n

# Most people will find that this option gives better performance.
\n# See the chapter ‘Samba performance issues’ in the Samba HOWTO Collection
\n# and the manual pages for details.
\n# You may want to add the following on a Linux system:
\n; socket options = SO_RCVBUF=8192 SO_SNDBUF=8192<\/p>\n

# Configure Samba to use multiple interfaces
\n# If you have multiple network interfaces then you must list them
\n# here. See the man page for details.
\n; interfaces = 192.168.12.2\/24 192.168.13.2\/24 <\/p>\n

# Browser Control Options:
\n# set local master to no if you don’t want Samba to become a master
\n# browser on your network. Otherwise the normal election rules apply
\n; local master = no<\/p>\n

# OS Level determines the precedence of this server in master browser
\n# elections. The default value should be reasonable
\n; os level = 33<\/p>\n

# Domain Master specifies Samba to be the Domain Master Browser. This
\n# allows Samba to collate browse lists between subnets. Don’t use this
\n# if you already have a Windows NT domain controller doing this job
\n; domain master = yes <\/p>\n

# Preferred Master causes Samba to force a local browser election on startup
\n# and gives it a slightly higher chance of winning the election
\n; preferred master = yes<\/p>\n

# Enable this if you want Samba to be a domain logon server for
\n# Windows95 workstations.
\n; domain logons = yes<\/p>\n

# if you enable domain logons then you may want a per-machine or
\n# per user logon script
\n# run a specific logon batch file per workstation (machine)
\n; logon script = %m.bat
\n# run a specific logon batch file per username
\n; logon script = %U.bat<\/p>\n

# Where to store roving profiles (only for Win95 and WinNT)
\n# %L substitutes for this servers netbios name, %U is username
\n# You must uncomment the [Profiles] share below
\n; logon path = \\\\%L\\Profiles\\%U<\/p>\n

# Windows Internet Name Serving Support Section:
\n# WINS Support – Tells the NMBD component of Samba to enable it’s WINS Server
\n; wins support = yes<\/p>\n

# WINS Server – Tells the NMBD components of Samba to be a WINS Client
\n#\tNote: Samba can be either a WINS Server, or a WINS Client, but NOT both
\n; wins server = w.x.y.z<\/p>\n

# WINS Proxy – Tells Samba to answer name resolution queries on
\n# behalf of a non WINS capable client, for this to work there must be
\n# at least one\tWINS Server on the network. The default is NO.
\n; wins proxy = yes<\/p>\n

# DNS Proxy – tells Samba whether or not to try to resolve NetBIOS names
\n# via DNS nslookups. The default is NO.
\n dns proxy = no <\/p>\n

# Charset settings
\n; display charset = koi8-r
\n; unix charset = koi8-r
\n; dos charset = cp866<\/p>\n

# Use extended attributes to store file modes
\n; store dos attributes = yes
\n; map hidden = no
\n; map system = no
\n; map archive = no<\/p>\n

# Use inherited ACLs for directories
\n; nt acl support = yes
\n; inherit acls = yes
\n; map acl inherit = yes <\/p>\n

# These scripts are used on a domain controller or stand-alone
\n# machine to add or delete corresponding unix accounts
\n; add user script = \/usr\/sbin\/useradd %u
\n; add group script = \/usr\/sbin\/groupadd %g
\n; add machine script = \/usr\/sbin\/adduser -n -g machines -c Machine -d \/dev\/null -s \/bin\/false %u
\n; delete user script = \/usr\/sbin\/userdel %u
\n; delete user from group script = \/usr\/sbin\/deluser %u %g
\n; delete group script = \/usr\/sbin\/groupdel %g<\/p>\n

# This is a DRAFT sample configuration for the ACLs on the ZFS partition.
\n#
\n nt acl support = yes
\n inherit acls = no
\n map acl inherit = yes<\/p>\n

#============================ Share Definitions ==============================
\n[homes]
\n comment = Home Directories
\n browseable = no
\n writable = yes
\n path = \/tank\/Users\/%S<\/p>\n

# Un-comment the following and create the netlogon directory for Domain Logons
\n; [netlogon]
\n; comment = Network Logon Service
\n; path = \/usr\/local\/samba\/lib\/netlogon
\n; guest ok = yes
\n; writable = no
\n; share modes = no<\/p>\n

# Un-comment the following to provide a specific roving profile share
\n# the default is to use the user’s home directory
\n;[Profiles]
\n; path = \/usr\/local\/samba\/profiles
\n; browseable = no
\n; guest ok = yes<\/p>\n

# NOTE: If you have a BSD-style print system there is no need to
\n# specifically define each individual printer
\n[printers]
\n comment = All Printers
\n path = \/var\/spool\/samba
\n browseable = no
\n# Set public = yes to allow user ‘guest account’ to print
\n guest ok = no
\n writable = no
\n printable = yes<\/p>\n

# This one is useful for people to share files
\n;[tmp]
\n; comment = Temporary file space
\n; path = \/tmp
\n; read only = no
\n; public = yes<\/p>\n

# A publicly accessible directory, but read only, except for people in
\n# the “staff” group
\n;[public]
\n; comment = Public Stuff
\n; path = \/home\/samba
\n; public = yes
\n; writable = yes
\n; printable = no
\n; write list = @staff<\/p>\n

# Other examples.
\n#
\n# A private printer, usable only by fred. Spool data will be placed in fred’s
\n# home directory. Note that fred must have write access to the spool directory,
\n# wherever it is.
\n;[fredsprn]
\n; comment = Fred’s Printer
\n; valid users = fred
\n; path = \/homes\/fred
\n; printer = freds_printer
\n; public = no
\n; writable = no
\n; printable = yes<\/p>\n

# A private directory, usable only by fred. Note that fred requires write
\n# access to the directory.
\n;[fredsdir]
\n; comment = Fred’s Service
\n; path = \/usr\/somewhere\/private
\n; valid users = fred
\n; public = no
\n; writable = yes
\n; printable = no<\/p>\n

# a service which has a different directory for each machine that connects
\n# this allows you to tailor configurations to incoming machines. You could
\n# also use the %U option to tailor it by user name.
\n# The %m gets replaced with the machine name that is connecting.
\n;[pchome]
\n; comment = PC Directories
\n; path = \/usr\/pc\/%m
\n; public = no
\n; writable = yes<\/p>\n

# A publicly accessible directory, read\/write to all users. Note that all files
\n# created in the directory by users will be owned by the default user, so
\n# any user with access can delete any other user’s files. Obviously this
\n# directory must be writable by the default user. Another user could of course
\n# be specified, in which case all files would be owned by that user instead.
\n;[public]
\n; path = \/usr\/somewhere\/else\/public
\n; public = yes
\n; only guest = yes
\n; writable = yes
\n; printable = no<\/p>\n

# The following two entries demonstrate how to share a directory so that two
\n# users can place files there that will be owned by the specific users. In this
\n# setup, the directory should be writable by both users and should have the
\n# sticky bit set on it to prevent abuse. Obviously this could be extended to
\n# as many users as required.
\n;[myshare]
\n; comment = Mary’s and Fred’s stuff
\n; path = \/usr\/somewhere\/shared
\n; valid users = mary fred
\n; public = no
\n; writable = yes
\n; printable = no
\n; create mask = 0765
\n;<\/p>\n

# This is a DRAFT sample configuration for the ACLs on the ZFS partition.
\n#
\n; nt acl support = yes
\n; inherit acls = no
\n; map acl inherit = yes
\n;
\n;[zpool]
\n; path = \/tank\/zpool
\n; unix extensions = no
\n; vfs objects = zfsacl
\n; nfs4:mode = special
\n; nfs4:acedup = merge
\n; nfs4:chown = yes<\/p>\n

[Public]
\n comment = Public (user-wide) directories
\n browseable = yes
\n read only = no
\n path = \/tank\/Users\/Public
\n vfs objects = zfsacl
\n nfs4:mode = special
\n nfs4:acedup = merge
\n nfs4:chown = yes
\n[\/cce_ini]<\/p>\n