I am using vfs shadow_copy2 and zfsacl to have acl and previous versions of files and didrectories. but when i try to check previous version of file or directory I'm getting this error: CUL+user1 closed file somefolder/New Microsoft Access Database.accdb (numopen=3) NT_STATUS_OK [2017/01/18 11:31:04.969851, 0] ../source3/modules/vfs_shadow_copy2.c:1220(check_access_snapdir) user does not have list permission on snapdir /dataPool/test/.zfs/snapshot [2017/01/18 11:31:04.970005, 0] ../source3/modules/vfs_shadow_copy2.c:1389(shadow_copy2_get_shadow_copy_data) access denied on listing snapdir /dataPool/test/.zfs/snapshot [2017/01/18 11:31:04.970083, 0] ../source3/modules/vfs_default.c:1197(vfswrap_fsctl) FSCTL_GET_SHADOW_COPY_DATA: connectpath /dataPool/test, failed - NT_STATUS_ACCESS_DENIED. [2017/01/18 11:31:04.970177, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_ioctl.c:309 more verbose: ../source3/modules/vfs_shadow_copy2.c:245: enter path '/dataPool/test/.zfs/snapshot' [2017/01/18 11:55:33.012508, 9, pid=33244, effective(12576, 10513), real(0, 0), class=vfs] ../source3/modules/vfs_zfsacl.c:56(zfs_get_nt_acl_common) acl(ACE_GETACLCNT, /dataPool/test/.zfs/snapshot): Operation is not supported on the filesystem where the file reside [2017/01/18 11:55:33.012546, 10, pid=33244, effective(12576, 10513), real(0, 0)] ../source3/smbd/open.c:131(smbd_check_access_rights) smbd_check_access_rights: Could not get acl on /dataPool/test/.zfs/snapshot: NT_STATUS_NOT_SUPPORTED [2017/01/18 11:55:33.012589, 0, pid=33244, effective(12576, 10513), real(0, 0)] ../source3/modules/vfs_shadow_copy2.c:1221(check_access_snapdir) user does not have list permission on snapdir /dataPool/test/.zfs/snapshot [2017/01/18 11:55:33.012651, 0, pid=33244, effective(12576, 10513), real(0, 0)] ../source3/modules/vfs_shadow_copy2.c:1390(shadow_copy2_get_shadow_copy_data) access denied on listing snapdir /dataPool/test/.zfs/snapshot [2017/01/18 11:55:33.012702, 0, pid=33244, effective(12576, 10513), real(0, 0), class=vfs] ../source3/modules/vfs_default.c:1189(vfswrap_fsctl) FSCTL_GET_SHADOW_COPY_DATA: connectpath /dataPool/test, failed - NT_STATUS_ACCESS_DENIED. [2017/01/18 11:55:33.012773, 10, pid=33244, effective(12576, 10513), real(0, 0)] ../source3/smbd/smb2_ioctl.c:291(smbd_smb2_request_ioctl_done) smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned 0 status NT_STATUS_ACCESS_DENIED [2017/01/18 11:55:33.012818, 10, pid=33244, effective(12576, 10513), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_ioctl.c:309 [2017/01/18 11:55:33.012863, 10, pid=33244, effective(12576, 10513), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837 [2017/01/18 11:55:33.012910, 10, pid=33244, effective(12576, 10513), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit) smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 386/512, total granted/max/low/range 127/8192/46/127 I using using samba44: 4.4.8_1 installed with pkg. I have checked samba43 and samba42 and these verion also have this problem. # SHARE conf [test] comment = Test share path = /dataPool/test browseable = yes read only = no valid users = user1, user2, user3 guest ok = no create mask = 0664 directory mask = 0775 vfs objects = shadow_copy2 zfsacl shadow: snapdir = .zfs/snapshot shadow: sort = desc shadow: localtime = yes shadow: format = zfs-auto-snap_%Y-%m-%d-%H%M nfs4:mode = simple nfs4:acedup = merge nfs4:chown = yes map acl inherit = Yes store dos attributes = Yes
I think that this is this bug in samba: https://bugzilla.samba.org/show_bug.cgi?id=11658
Created attachment 179067 [details] patch
To which version of samba does this patch apply?
I applied it on : samba -V Version 4.4.8 from the samba bug looks like .zfs and .zfs/snapshot doesn't support acl. Zfs creates .zfs directory with permissions like: root@stor-win:/dataPool/test # ls -lad .zfs/ dr-xr-xr-x 4 root wheel 4 Jan 18 10:21 .zfs/ root@stor-win:/dataPool/test # ls -la .zfs/ total 1 dr-xr-xr-x 4 root wheel 4 Jan 18 10:21 . drwxr-xr-x 4 user1 wheel 3 Jan 18 10:36 .. dr-xr-xr-x 2 root wheel 2 Jan 18 10:21 shares dr-xr-xr-x 11 root wheel 11 Jan 20 15:39 snapshot so it looks like acl checking can be safely, at least on zfs, ignored.
(In reply to Wojciech Giel from comment #0) Hi, Wojciech! Thanks a lot for the report and the patch. This is known for quite a while problem and numerous solutions were developed in last couple of months. I'd suggest to move the discussion to the https://bugzilla.samba.org/show_bug.cgi?id=13175, I'll answer there and we'll try to come up to the usable solution.
This is fixed in both upstreams, by workaround in Samba code(for legacy systems) and by making polulating standard ACLs for .zfs/snapshot/ in the 11.2+ ZFS code.