Help with ACL, NFS and SMB

I have encountered a problem that I can describe like this.

I have a dataset called “data” inside a zpool called MassData

I have set up an NFS share for this “data”.
Inside the advanced options, I have:

Mapall User = nobody
Mapall Group = nobody

I have an authorized network.

In my storage → pools - I have ACL permissions set as simply:
Owner
User: Nobody
Group: Nogroup

No other ACL. This works fine, my NFS is mounted and shared and accessible by applications.

However, I also have an SMB share. This SMB share requires that you add an ACL to access it via Windows through a user.

But first, looking at “getfacl” for the data set reveals these permissions, so we have a starting point.

# owner: nobody
# group: nogroup
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:--x---a-R-c--s:-------:allow

This is working with my NFS.

When I go to “Edit Permissions” for ‘data’ and I add ACL, I select the pre-set “Open” and there are items that are created by default:

owner@
group@
everyone@

I then add my user “smbuser”

The problem is then that my NFS fails, nothing has access anymore. SMB works, but NFS does not.

Looking at getfacl I see these results:

# owner: nobody
# group: nogroup
         everyone@:rwxpDdaARWc--s:-------:allow
            owner@:rwxpDdaARWcCos:-------:allow
            group@:rwxpDdaARWcCos:-------:allow
        user:smbuser:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow

I have no idea why all of a sudden the NFS stops working. Still owned by nobody, has a group nogroup - no permissions have changed anywhere else.

If I go back and strip the ACL - the NFS share works again.

Anyone got any advice?

You’ve recursively stripped inheritable permissions from everything.

# owner: nobody
# group: nogroup
         everyone@:rwxpDdaARWc--s:-------:allow
            owner@:rwxpDdaARWcCos:-------:allow
            group@:rwxpDdaARWcCos:-------:allow
        user:smbuser:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow

Note that only smbuser has fd in the flags (inherit on files and directories). This means everything under this is only accessible to smbuser.

Valid permissions would more likely be:

# owner: nobody
# group: nogroup
         everyone@:rwxpDdaARWc--s:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
        user:smbuser:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow
1 Like
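
The flag check described in the reply above, as an added example that is not part of the original thread: it parses the getfacl text quoted on this page and lists which principals have a granting entry carrying both the f and d inheritance flags. The function names are hypothetical, and it reads only the ACL text; it does not model ZFS dataset properties such as aclinherit or aclmode.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    who: str    # owner@, group@, everyone@, user:NAME or group:NAME
    perms: str  # e.g. rwxpDdaARWc--s
    flags: str  # e.g. fd----- (f = inherit on files, d = on directories)
    kind: str   # allow or deny

def parse_acl(text):
    """Parse 'who:perms:flags:type' lines; '# owner:' style lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split from the right: 'user:smbuser' itself contains a colon.
        parts = line.rsplit(":", 3)
        if len(parts) != 4:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        aces.append(Ace(*parts))
    return aces

def grants(ace):
    """True for an allow entry that sets at least one permission bit."""
    return ace.kind == "allow" and set(ace.perms) != {"-"}

def inheriting(aces):
    """Principals whose granting entry is flagged for both files and directories."""
    return [a.who for a in aces if grants(a) and "f" in a.flags and "d" in a.flags]

def not_inheriting(aces):
    """Principals with a granting entry but none flagged for files and directories."""
    passed_on = set(inheriting(aces))
    return [a.who for a in aces if grants(a) and a.who not in passed_on]

# ACL text copied from the thread: after the "Open" preset, and the suggested fix.
AFTER_PRESET = """\
# owner: nobody
# group: nogroup
         everyone@:rwxpDdaARWc--s:-------:allow
            owner@:rwxpDdaARWcCos:-------:allow
            group@:rwxpDdaARWcCos:-------:allow
        user:smbuser:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow
"""
SUGGESTED = AFTER_PRESET.replace(":-------:allow", ":fd-----:allow")

if __name__ == "__main__":
    for name, text in (("after preset", AFTER_PRESET), ("suggested", SUGGESTED)):
        aces = parse_acl(text)
        print(name, "| inherited:", inheriting(aces), "| top level only:", not_inheriting(aces))
```

The trailing everyone@ entry is excluded from both lists because it carries the fd flags but sets no permission bits.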

Thank you, I was able to get valid permissions as you set out and that got my NFS working.

However, my SMB share now doesn’t allow for me to look into any of the subfolders because the permissions are not set recursively, I can look in the top level folder, but that is all?

I then apply it recursively and my NFS breaks.

Even though my permissions look like this (I did not select child datasets this time):

# owner: nobody
# group: nogroup
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:rwxpDdaARWc--s:fd-----:allow
        user:smbuser:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow

Which I think matches what you said the output should be - but still my NFS is broken.

Did you apply the permissions change recursively?

At first I did not.

Without recursive.

NFS Works.
SMB works - but only at the top level, no access to subfolders.

With recursive.
NFS Fails
SMB works including all subfolders.

Also, appreciate you taking the time to help me out here, it's an odd thing that with recursive it breaks, but without it both work, but SMB only allows access to top level folder (which is what I think you would expect) - it is just interesting that you can’t recurse into the subfolders without breaking NFS…that does seem like a bug to be honest?