Samba, FreeBSD, ZFS: group permissions ignored

I am running Samba 4.6 with ZFS on FreeBSD 11. Every user is a member of the fileserver group. In addition, each department has further groups, for example the sales group.

Now to my problem. On the server there is a folder called sales. It is owned by fileserver and the sales group. Why can members of the sales group not overwrite files inside this folder from Windows? Editing via shell access works without any problems.

Under Windows the message "Access denied to the destination folder" appears when I try to overwrite a file. Creating new files in the sales folder works without problems. Renaming works as well.

folder sales
chmod 770 sales
chown fileserver:sales sales

# file: sales
# owner: fileserver
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow

Inside the sales folder there is a file test.txt:

chmod 770 test.txt
chown fileserver:sales test.txt

# file: test.txt
# owner: fileserver
# group: sales
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow

Changing the folder permissions with chmod 2770 sales does not help either.

Saving only succeeds when I give the file the same ACL permissions as the owner has. Why is that? Have I set something up wrongly? Shouldn't the group read/write permissions override the ACL permissions? Or not?

smb4.conf:
[global]
# Logging
log level = 3
log file = /var/log/samba4/log.%m
max log size = 50
utmp = 0

# Domain & controller & workgroups
server string = NAS Server
workgroup = COMPANY
server string = NAS
netbios name = NAS

# Network restriction
bind interfaces only = yes
interfaces = lo0 igb0

# Security model
security = user
encrypt passwords = true
map to guest = bad user

# Time server
time server = yes

map hidden = no
map system = no
map archive = no
map readonly = no

store dos attributes = yes

ea support = yes
access based share enum = yes
load printers = no

template homedir = /fileserver/users/%U
allow insecure wide links = yes

[data]
comment = Data
path = /fileserver/data
valid users = +fileserver

browsable = yes
writable = yes
read only = no
guest ok = no
public = no
follow symlinks = yes
wide links = yes

create mask = 0770
force create mode = 0760
directory mask = 2770
force directory mode = 2770

hide unreadable = yes

vfs objects = shadow_copy2 zfsacl recycle crossrename
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = %Y-%m-%d-%H%M

recycle:directory_mode = 0750
recycle:subdir_mode = 0750
recycle:exclude = *.tmp *.temp *.swp
recycle:keeptree = yes
recycle:repository = Trash/%U
recycle:versions = yes
recycle:touch = yes
recycle:touch_mtime = yes

nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

crossrename:sizelimit = 50

Answer 1

So you think read/write access should work without delete, delete_child and write_owner? That is completely wrong: you are not in the classic 3x3 POSIX permission system, these are NFSv4 ACLs. They are not an addition to the POSIX 3x3 model; they are standardized. Basically you need the ACL full_set, and if you need finer-grained control you have to experiment.

And don't forget that you also need aclmode and aclinherit set to passthrough on this dataset.
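Added example (not part of the question or the answer): a small Python decoder for the compact NFSv4 ACL entries that FreeBSD's getfacl prints, run over the sales directory ACL from the question. It lists which permissions group@ lacks compared with owner@ and which of the three permissions the answer names (delete, delete_child, write_owner) are absent; the column order rwxpDdaARWcCos is the one documented in FreeBSD's setfacl(1).

```python
# Letter order of getfacl's compact permission field, per FreeBSD setfacl(1).
PERM_LETTERS = "rwxpDdaARWcCos"
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# The three permissions the answer names as needed for Windows-style overwrites.
OVERWRITE_PERMS = {"delete", "delete_child", "write_owner"}

# ACL of the sales directory, copied from the question (test.txt differs only in everyone@).
SALES_DIR_ACL = """\
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
"""

def parse_ace(line):
    """Split 'who:perms:flags:type' and expand perms into permission names."""
    who, perms, flags, ace_type = line.strip().split(":")
    if len(perms) != len(PERM_LETTERS):
        raise ValueError(f"permission field has wrong length: {perms!r}")
    granted = set()
    for pos, ch in enumerate(perms):
        if ch not in ("-", PERM_LETTERS[pos]):  # every letter has a fixed column
            raise ValueError(f"unexpected {ch!r} at column {pos} in {perms!r}")
        if ch != "-":
            granted.add(PERM_NAMES[ch])
    return who, granted, flags, ace_type

def parse_acl(text):
    """Return {who: granted permissions} for the allow entries of one ACL."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip getfacl's header lines
            continue
        who, granted, _flags, ace_type = parse_ace(line)
        if ace_type == "allow":
            acl[who] = acl.get(who, set()) | granted
    return acl

def group_gaps(acl):
    """Permissions owner@ has but group@ lacks, and overwrite perms group@ lacks."""
    owner, group = acl.get("owner@", set()), acl.get("group@", set())
    return {"vs_owner": sorted(owner - group),
            "overwrite": sorted(OVERWRITE_PERMS - group)}
```

For the question's directory, `group_gaps(parse_acl(SALES_DIR_ACL))` reports that group@ lacks write_attributes, write_xattr, write_acl and write_owner relative to owner@, and that none of delete, delete_child or write_owner is granted to group@ (owner@ lacks delete and delete_child too). The same decoder works on any getfacl output in this compact form, including the "# file:" header lines.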
