I'm using a folder on a dataset as an SMB SharePoint via OS X Server.app. This works and performance is fine. I do run into permission problems though, since new files created by users end up not writable for the group, which is required for users to collaborate. My problem is that I can't find a working way to always have new files and folders created with group-write permissions, as is commonly done in a simple office scenario.
Technical details:
Mac mini
OS X Yosemite 10.10.5
Server.app 5.0.4
OpenZFS 1.3.1-r2 and 1.4.2
External Thunderbolt connected RAIDZ2 zpool.
The zpool has been created like this:
# zpool create -o ashift=12 -O compression=lz4 -O casesensitivity=insensitive -O atime=off -O normalization=formD rzeppelin raidz2 <devices>
There are more datasets on this pool, but I'll use this one in my example.
$ zfs list rzeppelin/SharePoints/IT-Crowd
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rzeppelin/SharePoints/IT-Crowd  62.9G  8.80T  62.9G  /Volumes/IT-Crowd
I've set this dataset to inherit acls via passthrough.
$ zfs get aclmode rzeppelin/SharePoints/IT-Crowd
NAME                            PROPERTY  VALUE        SOURCE
rzeppelin/SharePoints/IT-Crowd  aclmode   passthrough  inherited from rzeppelin/SharePoints
$ zfs get aclinherit rzeppelin/SharePoints/IT-Crowd
NAME                            PROPERTY    VALUE        SOURCE
rzeppelin/SharePoints/IT-Crowd  aclinherit  passthrough  inherited from rzeppelin/SharePoints
POSIX permissions and ACLs are set like this:
$ ls -laed ./IT-Crowd
drwxrwx---+ 18 radmin itcrowd 18 Oct 1 15:06 ./IT-Crowd
0: user:_spotlight allow list,search,file_inherit,directory_inherit
1: group:owner allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
2: group:group allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
The shared folder itself has a path of /Volumes/IT-Crowd/IT-Crowd, and when I try to add an ACL for the group itcrowd like this:
# chmod +a "group:itcrowd allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" IT-Crowd
chmod has a return value of 0 indicating success.
When I look at the ACLs immediately after that, no ACL for group itcrowd has been added, but one for a totally different user has. This is pretty surprising, as I don't seem to be able to add an ACL for a group at all (other than the autogenerated ZFS simple ACLs for owner/group).
$ ls -laed ./IT-Crowd
drwxrwx---+ 19 radmin itcrowd 19 Oct 1 15:07 ./IT-Crowd
0: user:claudia allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
1: user:_spotlight allow list,search,file_inherit,directory_inherit
2: group:owner allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
3: group:group allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
No matter what I try, I can't add an ACL for a group, let alone get it to inherit.
From my understanding, OpenZFS ignores Darwin ACLs by design and implements ZFS ACLs, which should allow inheritance just fine.
Now, when creating a new folder via SMB, the permissions end up like this, preventing other users from writing.
$ ls -laed ./IT-Crowd/TEST
drwxr-xr-x+ 2 maclemon itcrowd 2 Oct 1 15:07 ./IT-Crowd/TEST
0: group:owner allow list,add_file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
1: group:group allow list,search,readattr,readextattr,readsecurity
2: group:everyone allow list,search,readattr,readextattr,readsecurity
Should it be possible to correctly set OpenZFS ACLs via chmod(1) on OS X?
If yes, what settings must I use for aclmode and aclinherit if not passthrough?
If no, which tools should I use to do so to achieve inherited write permissions on new files/folders for everyone in the group? (If those tools aren't part of the O3X installation, where can I get them?)
If you have any questions for further details of the setup I'm happy to provide them.
Thanks!
Best regards
MacLemon
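Added example, not code from the post above or from the OpenZFS on OS X project: a small check for the state the post is troubleshooting. It reads the per-entry lines that ls -le prints on OS X ("<n>: <principal> allow|deny <comma-separated rights>") and reports whether a given principal holds an "allow" entry that is both writable (add_file and add_subdirectory) and inherited by new files and folders (file_inherit and directory_inherit). The function and variable names are this example's own, and the two listings embedded in it are constructed copies of the output shown in the post, so the script runs offline; on a real share you would pipe the live listing into the same function, e.g. ls -led /Volumes/IT-Crowd/IT-Crowd | acl_has_inheritable_write group:itcrowd.

```shell
#!/bin/sh
# Example added alongside the forum post; not the poster's or O3X's own code.
# Assumes the entry format `ls -le` prints on OS X:
#   <n>: <principal> allow|deny <rights,separated,by,commas>

# acl_has_inheritable_write PRINCIPAL   (ACL listing on stdin)
# Exit status 0 if PRINCIPAL has an "allow" entry carrying add_file,
# add_subdirectory, file_inherit and directory_inherit; 1 otherwise.
# The mode line that `ls -led` prints first has no "allow" in field 3
# and is skipped by the pattern.
acl_has_inheritable_write() {
    awk -v want="$1" '
        $2 == want && $3 == "allow" {
            n = split($4, right, ",")
            hits = 0
            for (i = 1; i <= n; i++)
                if (right[i] == "add_file" || right[i] == "add_subdirectory" ||
                    right[i] == "file_inherit" || right[i] == "directory_inherit")
                    hits++
            if (hits == 4) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample 1: the share directory as listed in the post right after
# the "chmod +a" attempt (an entry for user:claudia appeared, none for group:itcrowd).
SHARE_ACL='0: user:claudia allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
1: user:_spotlight allow list,search,file_inherit,directory_inherit
2: group:owner allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
3: group:group allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit'

# Constructed sample 2: the TEST folder created over SMB, as listed in the post.
NEW_DIR_ACL='0: group:owner allow list,add_file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
1: group:group allow list,search,readattr,readextattr,readsecurity
2: group:everyone allow list,search,readattr,readextattr,readsecurity'

# Wrappers that run the check against the embedded samples.
check_share()   { printf '%s\n' "$SHARE_ACL"   | acl_has_inheritable_write "$1"; }
check_new_dir() { printf '%s\n' "$NEW_DIR_ACL" | acl_has_inheritable_write "$1"; }

# Stand-alone run: one verdict per principal of interest.
report() {
    for p in group:group group:itcrowd user:claudia; do
        if check_share "$p"; then echo "share: $p has an inheritable write entry"
        else echo "share: $p has NO inheritable write entry"; fi
    done
    if check_new_dir group:group; then echo "TEST: group:group can write"
    else echo "TEST: group:group is read-only (the symptom described in the post)"; fi
}
report
```

The check deliberately requires all four rights on a single entry: an entry that can write but does not inherit (like group:owner on the TEST folder) or one that inherits but cannot write (like user:_spotlight on the share) both report as missing, which is the distinction that matters when chasing why new folders come out group read-only.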