Nexenta CIFS services and Netatalk 3 for sharing the same dataset
Nexenta employs a permission scheme where user permissions are completely modeled with ACLs and the UNIX mode of files is set to 0000.
When accessing such files with Netatalk, Netatalk maps the file's ACL to the UARights permission struct and returns these effective permissions to the AFP client. The Finder on the client uses this permission structure to adjust its view of effective permissions, but the UNIX mode is still 0000.
As a result, while the AFP client can read and write the file on the server, when the file is copied to the client the ACL is lost and the file has a UNIX mode of 0000.
On the server:
  $ id -a
  uid=100(ralph) gid=10(staff) groups=10(staff),3(sys),102(netatalk)
  $ ls -lV myfile.txt
  ----------+ 1 ralph root 33 Feb 17 09:55 myfile.txt
           group:netatalk:rw------RW----:-------:allow
                   owner@:------aARWcCos:-------:allow
                   group@:------a-R-c--s:-------:allow
                everyone@:------a-R-c--s:-------:allow
  $
On the client:
  $ ls -l /Volumes/test/myfile.txt
  ----------@ 1 ralph staff 33 17 Feb 09:55 /Volumes/test/myfile.txt
Change the global ACL option "map acls" to take the following values: "none", "rights" and "mode". The default is "rights".
none := no mapping; this corresponds to the previous false/no setting
rights := map ACLs to Finder UARights; this corresponds to the previous true/yes setting. This is the default.
mode := map ACLs to Finder UARights and to the UNIX mode
With this change and with "map acls = mode" in afp.conf, the above file is shown as follows:
  $ ls -l /Volumes/test/myfile.txt
  -rw-------@ 1 ralph staff 33 17 Feb 09:55
The default behaviour will be slightly different for POSIX ACLs, but unchanged for ZFS ACLs: ACLs only affect the special UARights structure, not the UNIX mode. This is effectively the same behaviour as the OS X AFP server.
On the other hand, in order to get useful semantics with POSIX ACLs, we may have to modify the UNIX mode to reflect the POSIX ACL on the server in some way. This changeset would offer configurable behaviour for how POSIX ACLs are mapped: by default the UNIX mode is unaffected, which may require the admin to set "map acls" to "mode" in order to get the previous behaviour.
- clean design
- ZFS ACL and POSIX ACL code behaving identically
- completely configurable behaviour
- servers using POSIX ACLs may have to adjust config by adding "map acls = mode" to afp.conf
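The following Python script is an added illustration, not Netatalk's own code. It parses the ZFS ACL from the `ls -lV myfile.txt` listing above in the compact form Nexenta/Solaris prints, evaluates it for the accessing user with NFSv4 first-match semantics, and shows what the client would receive under each of the three "map acls" values. Two things are assumptions: the rights structure is reduced to a read/write/execute triple standing in for Netatalk's UARights, and, going by the -rw------- the client shows for "map acls = mode", the mapping writes the accessing user's effective rights into the owner bits of the mode. The ACL lines are those from the listing; the user "alice" is constructed and not in the netatalk group.

```python
"""ZFS/NFSv4 ACL evaluation and the "none"/"rights"/"mode" mappings."""
import stat
from dataclasses import dataclass

# Column order of the 14-character compact permission field in `ls -V` output:
# read_data, write_data, execute, append_data, delete, delete_child,
# read_attributes, write_attributes, read_xattr, write_xattr, read_acl,
# write_acl, write_owner, synchronize.
PERM_LETTERS = "rwxpdDaARWcCos"


@dataclass(frozen=True)
class Ace:
    who: str          # "owner@", "group@", "everyone@", "user:NAME" or "group:NAME"
    perms: frozenset  # letters from PERM_LETTERS this ACE allows or denies
    allow: bool


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset  # every group the user belongs to, primary included


def parse_ace(line):
    """Parse one `ls -lV` ACE line, e.g. 'group:netatalk:rw------RW----:-------:allow'."""
    parts = line.strip().split(":")
    if len(parts) == 5 and parts[0] in ("user", "group"):
        who, perms, kind = parts[0] + ":" + parts[1], parts[2], parts[4]
    elif len(parts) == 4 and parts[0] in ("owner@", "group@", "everyone@"):
        who, perms, kind = parts[0], parts[1], parts[3]
    else:
        raise ValueError("malformed ACE: %r" % line)
    if len(perms) != len(PERM_LETTERS) or kind not in ("allow", "deny"):
        raise ValueError("malformed ACE: %r" % line)
    for col, letter in enumerate(perms):  # each column may only hold its own letter
        if letter != "-" and letter != PERM_LETTERS[col]:
            raise ValueError("unexpected %r in column %d of %r" % (letter, col, line))
    return Ace(who, frozenset(c for c in perms if c != "-"), kind == "allow")


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_applies(ace, principal, owner, owner_group):
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return principal.name == owner
    if ace.who == "group@":
        return owner_group in principal.groups
    kind, _, name = ace.who.partition(":")
    return name == principal.name if kind == "user" else name in principal.groups


def effective_perms(acl, principal, owner, owner_group):
    """NFSv4 rule: walk ACEs in order; the first one naming a permission decides it."""
    decided = {}
    for ace in acl:
        if ace_applies(ace, principal, owner, owner_group):
            for p in ace.perms:
                decided.setdefault(p, ace.allow)
    return frozenset(p for p, allowed in decided.items() if allowed)


def to_rights(perms):
    """Assumed simplification of UARights: just the read/write/execute triple."""
    return {"read": "r" in perms, "write": "w" in perms, "execute": "x" in perms}


def map_acl(acl, principal, owner, owner_group, unix_mode=0, mapping="rights"):
    """Return (rights, mode) as the client sees them for one "map acls" value.

    none   -> ACL ignored, on-disk UNIX mode passed through unchanged
    rights -> effective rights reported, UNIX mode passed through unchanged
    mode   -> rights reported and also folded into the owner bits of the mode
              (assumption drawn from the -rw------- in the listing above)
    """
    if mapping == "none":
        return None, unix_mode
    rights = to_rights(effective_perms(acl, principal, owner, owner_group))
    if mapping == "rights":
        return rights, unix_mode
    if mapping == "mode":
        bits = ((stat.S_IRUSR if rights["read"] else 0)
                | (stat.S_IWUSR if rights["write"] else 0)
                | (stat.S_IXUSR if rights["execute"] else 0))
        return rights, (unix_mode & ~0o700) | bits
    raise ValueError("unknown map acls value: %r" % mapping)


def render_mode(mode):
    """Format a mode as `ls -l` would for a regular file, e.g. 0o600 -> '-rw-------'."""
    return stat.filemode(stat.S_IFREG | mode)


# Sample input: the ACEs from the `ls -lV myfile.txt` listing above (owner ralph, group root).
SAMPLE_ACL = parse_acl("""
group:netatalk:rw------RW----:-------:allow
owner@:------aARWcCos:-------:allow
group@:------a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
""")
RALPH = Principal("ralph", frozenset({"staff", "sys", "netatalk"}))
ALICE = Principal("alice", frozenset({"staff"}))  # constructed: not in the netatalk group


def demo(mapping, principal=RALPH):
    rights, mode = map_acl(SAMPLE_ACL, principal, "ralph", "root", 0o000, mapping)
    return rights, render_mode(mode)


if __name__ == "__main__":
    for m in ("none", "rights", "mode"):
        rights, shown = demo(m)
        print("map acls = %-6s -> %s  rights=%s" % (m, shown, rights))
```

The script also exercises the failure mode that makes first-match evaluation matter: a deny ACE for a user placed ahead of a group allow withholds that bit even though the later entry would grant it, which is exactly what a UNIX mode derived from only owner@/group@/everyone@ would get wrong.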