vfs objects = zfsacl
• NFSv4 ACL Interfaces with configurable options for ZFS

nfs4:mode = [simple|special]
Controls substitution of special IDs (OWNER@ and GROUP@) on ZFS. The use of mode simple is recommended. In this mode only non-inheriting ACL entries for the file owner and group are mapped to special IDs. The following MODEs are understood by the module:
• simple (default) - use OWNER@ and GROUP@ special IDs for non-inheriting ACEs only.
• special (deprecated) - use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs.

nfs4:acedup = [dontcare|reject|ignore|merge]
This parameter configures how Samba handles duplicate ACEs encountered in ZFS ACLs. ZFS allows and can create duplicate ACEs for the same ID that carry different bits. Samba behaves as follows for each value:
• dontcare (default) - copy the ACEs as they come
• reject - stop the operation and exit with an error on an ACL set operation
• ignore - don't include the second matching ACE
• merge - bitwise OR the 2 ace.flag fields and the 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE

nfs4:chown = [yes|no]
This parameter enables or disables the chown support provided by the underlying filesystem. Enable it with care, as it might leave your system insecure. Some filesystems allow chown for a) giving ownership away and b) stealing ownership. It is the latter that is considered a risk. Samba behaves as follows for each value:
• yes - enable chown if supported by the underlying filesystem
• no (default) - disable chown
[samba_zfs_share]
vfs objects = zfsacl
path = /test/zfs_mount
nfs4: mode = special
nfs4: acedup = merge
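
What the four nfs4:acedup settings do to an ACL, as an added C model that is not Samba's own code. It assumes two ACEs count as duplicates when their identity and allow/deny type match; the struct, function name and sample ACL are hypothetical and constructed for illustration. Note that merge also ORs the inheritance flags, so a right that was not inherited becomes inherited, while ignore silently drops the rights carried by the second ACE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical model of the four nfs4:acedup settings (not Samba source).
 * Assumption: ACEs are duplicates when identity and allow/deny type match. */
enum acedup { DONTCARE, REJECT, IGNORE, MERGE };

struct ace {
    const char *who; /* identity (constructed sample names) */
    int type;        /* 0 = allow, 1 = deny */
    uint32_t flags;  /* ace.flag: 0x1 file inherit, 0x2 directory inherit */
    uint32_t mask;   /* ace.mask: 0x1 read_data, 0x2 write_data */
};

/* Returns ACEs written to out, or -1 when REJECT meets a duplicate. */
int apply_acedup(enum acedup mode, const struct ace *in, int n, struct ace *out)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        struct ace *dup = NULL;
        for (int j = 0; mode != DONTCARE && j < count && !dup; j++)
            if (out[j].type == in[i].type && !strcmp(out[j].who, in[i].who))
                dup = &out[j];
        if (!dup) {
            out[count++] = in[i];        /* first sighting: copy as-is */
        } else if (mode == REJECT) {
            return -1;                   /* ACL set operation fails */
        } else if (mode == MERGE) {
            dup->flags |= in[i].flags;   /* inheritance bits are ORed too */
            dup->mask |= in[i].mask;
        }                                /* IGNORE: second ACE is dropped */
    }
    return count;
}

/* Constructed sample: one user's rights split across two ACEs. */
static const struct ace sample_acl[] = {
    { "user:alice",  0, 0x0, 0x1 }, /* read_data, not inherited */
    { "user:alice",  0, 0x3, 0x2 }, /* write_data, inherited */
    { "group:staff", 0, 0x0, 0x1 },
};

int main(void)
{
    struct ace out[3];
    int n = apply_acedup(MERGE, sample_acl, 3, out);
    for (int i = 0; i < n; i++)
        printf("%s flags=0x%x mask=0x%x\n", out[i].who,
               (unsigned)out[i].flags, (unsigned)out[i].mask);
}
```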