File Sharing an Encrypted Dataset

Post by Tsur » Sun Nov 14, 2021 6:58 pm

I've created a couple of encrypted datasets on a zpool. They mount just fine, except I can't properly share them via SMB file sharing. The main unencrypted zpool shares just great. Users can connect, browse, write, delete, etc… but the encrypted datasets do not function correctly.

I add the mounted encrypted datasets in "Shared Folders" under "Sharing." I then add the appropriate Users and grant them "Read & Write" access. They can connect to the encrypted datasets/shares over the network by entering their credentials. But when they try and write files, the users are greeted with a circle/slash, indicating they don't have proper permissions. They are able to copy files off the shared encrypted dataset.

Strangely, even local copies to these encrypted datasets require the admin to enter their password. Local copies to the main pool require no password. Said encrypted datasets were created via:
Code:
# zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase [dataset]
I've tried creating new/different encrypted datasets using the above command, but they still behave incorrectly.

Both server and clients are 10.14.6 and the server is running ZFS 2.1.0. Previously, I was using High Sierra with 1.9.3 (I think), with Mojave clients, and sharing of encrypted datasets worked without issue. Anyone have an idea what I'm doing wrong?

Re: File Sharing an Encrypted Dataset

Post by Tsur » Mon Nov 15, 2021 8:54 am

Okay, I've found a workaround.

If the path is Pool/Documents/Secrets, where "Documents" is the encrypted dataset, I'm able to share the folder "Secrets" normally. Any new directory created in the encrypted dataset "Documents" requires the admin password but, once entered, that folder then behaves as expected, including its ability to be used in File Sharing.

When "Documents" is unencrypted, and I get info, it shows "system" as the owner with "Read & Write" privileges. Any attempt to add another user fails. Any created subdirectory shows the current user as the owner of the created folder. So, I guess the question is now, is there no way for the encrypted dataset to have permissions like a "normal" directory at its root level?

Having an extra subdirectory, that can file share correctly, isn't the end of the world - but it's kind of annoying.

Re: File Sharing an Encrypted Dataset

Post by Tsur » Mon Nov 15, 2021 11:21 am

Ignore all the above.
I downgraded to 1.9.4 and the file sharing behavior of encrypted datasets works the exact same way. That is, the root level does not share correctly, but any subsequent folders in the root level do. Again, it's a fairly easy workaround.

Re: File Sharing an Encrypted Dataset

Post by lundman » Mon Jan 03, 2022 5:47 pm

This sounds like a real bug, possibly related to the other NFS sharing bug.

Re: File Sharing an Encrypted Dataset

Post by lundman » Tue Jan 25, 2022 4:34 pm

Just trying that here, with my fixed NFS code.
I have pool "BOOM" and encrypted dataset "BOOM/ccm".

Code:
Server VM
# sharing -a /Volumes/BOOM -S BOOM   
# sharing -a /Volumes/BOOM/ccm -S ccm

Client VM
# df -h
//lundman@   96Gi   73Mi   96Gi     1%  148974 202018947    0%   /Volumes/BOOM
//lundman@    96Gi  4.1Mi   96Gi     1%    8379 202018947    0%   /Volumes/ccm

Mounted one each, no subdirectory traversal.
I have no issues writing to either share, but as I said I am running the NFS fixed pkg, possibly I already fixed something.
Feel free to give the NFS corrected pkg installer a go.