ACL won't stick when used from AFP share


nle (Member, Oct 24, 2012)
Hi, I have a problem: new folders/files created from a client Mac via AFP don't inherit the ACL settings.

  • Running OmniOS v11 r151006 with Netatalk 3.0.4
  • The clients connect to the server with user "afpuser"
  • aclinherit and aclmode are set to "passthrough"
  • afpuser is a local user on the server
  • All ownership is set to "afpuser:staff"
  • If I create a folder via the CLI on the server, it inherits the ACL setting

This is the ACL setting on all folders (I did not find a way to set it recursively through the napp-it interface, so I did it via the terminal):


afp settings
Code:
AFP versions: 2.2 3.0 3.1 3.2 3.3
CNID backends: dbd last tdb
Zeroconf support: mDNSResponder
TCP wrappers support: Yes
Quota support: Yes
Admin group support: Yes
Valid shell checks: Yes
cracklib support: No
EA support: ad | sys
ACL support: Yes
LDAP support: Yes
D-Bus support: No
DTrace probes: Yes
afp.conf
Code:
; Netatalk 3.x configuration file
;

[Global]
; Global server settings
mimic model = RackMac
uam list = uams_dhx.so uams_dhx2.so uams_guest.so
guest account = nobody
zeroconf = yes
afpstats = yes
; NB: aclinherit and aclmode are ZFS dataset properties (set with "zfs set"),
; not afp.conf options, so Netatalk does not act on these two lines
aclinherit = passthrough
aclmode = passthrough

; Log files
log file = /var/log/netatalk.log
log level = default:info

[Lager]
path = /datapool/Lager
search db = yes
Code:
$ ls -al
drwxrwxr--+  5 afpuser   staff     6 Jun 29 03:05 Directory 1
drwxrwxr--+  2 afpuser   staff     2 Jul  3 01:25 Directory 2
drwxr-sr-x   2 afpuser   staff     2 Aug 22 21:37 new_folder_test_from_afp
drwxrwx---+  2 localuser staff     2 Aug 22 21:43 new_folder_test_local
Any help much appreciated. :)

mrkrad (Well-Known Member, Oct 13, 2012)
You know, I found running OS X Server (cheap!) as a VM is a great way to handle AFP; you could even run it on a VM using iSCSI next to Nexenta and you'd get true features rather than emulated! That's what I'm going to do to federate Mac. It just works perfectly. Those old servers (Mac Pro 4,1) cost like $900, and I've got a $66 M5014 running in her with UDIMM ECC 4GB for 32GB of RAM with ESXi 5.1 and a Dell Intel dual 10-gigabit NIC for the fast speed! I picked up an ATS transfer switch to route two UPSes to the single power supply, and the 1000 watt power supply can even handle a big video card like a Quadro 4000 for vSVGA sharing of video (virtual SVGA).

Just have to flash it to a 5,1 and throw these L5639s in it to bring up the power. Right now it has dual E5520s in it, so it's rather slow, but still 8 core/16 threads!

Just a thought. I was thinking of running Windows 2012 R2 alongside for true NTFS sharing and piping it all to the Nexenta VM for deduplicated/compressed storage! I can fit 2 SLC drives and 2 MLC drives for Nexenta caching and 4 nearline SAS 4TB RE4 drives for big storage in RAID-Z1.
 

nle (Member, Oct 24, 2012)
Thank you. I don't have the budget or the space for another physical machine, but I was thinking about running OS X as a VM for other purposes (OmniOS is currently running on ESXi). Unfortunately, the patch that makes it possible to run OS X does not work on ESXi running from a memory stick.

Any other advice on making it work on my system without adding another OS?

nle (Member, Oct 24, 2012)
Update.

I have tried different settings, but still no go. As far as I can tell everything should be working.

If anyone needs any more information to help me figure this out, please tell me.
 

nle (Member, Oct 24, 2012)
Still having issues with this.

Anyone got this to work and would be willing to share config files?
 

gea (Well-Known Member, Dec 31, 2010, DE)
Try ACL of shared ZFS:
- everyone@=modify or full

Do not modify Unix permissions; stay with ACL, or ACL inheritance is lost.
To reset ACL recursively, use menu
ZFS filesystems >> ACL on folders >> reset ACL (to everyone@=modify on files and folders)

and ZFS properties
- nbmand=off
- aclmode and aclinheritance=passthrough
 

nle (Member, Oct 24, 2012)
Hi, and thank you for the reply.

I did what you said, and reset all ACL. Now it actually works. I tried to create a folder, and the permissions stuck. So thank you!

What I don't get is that I did remove all ACL permissions and then set new ones where I gave both owner@ (all clients use the same user to log on with AFP) and group@ full ACL rights (full_set). everyone@ got just read. You can see screenshots in the first post. Do you have any explanation of what could be causing this?

I guess these rights are okay for our use anyways, since we don't use any restrictions, but I would like to figure out what the issue was.

gea (Well-Known Member, Dec 31, 2010, DE)
You should not restrict ACL permissions to the filesystem itself but only on your created files and folders.
 

nle (Member, Oct 24, 2012)
As far as I know I did not do that.

I restricted it to the general variable user@ (full_set), group@ (full_set) and everyone@ (read_only).

Or am I misunderstanding anything?
 

gea (Well-Known Member, Dec 31, 2010, DE)
Everyone@ needs to be able to read and create files on shares.
You can restrict then based on owner@ or user.

You can restrict based on ACL inheritance like
share: everyone@, this folder only, read,create
full access: owner with inheritance to files and folders

with ZFS property: acl-inheritance=pass-through
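The commands behind gea's two replies (the everyone@=modify reset with the ZFS properties, and the tighter "everyone@ on the share root only, owner@ inherited" layout), as an added example in illumos/OmniOS chmod ACL syntax; this is not code from the thread, napp-it or Netatalk. The dataset name and mount point are assumed from the posted afp.conf, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread or from napp-it/Netatalk. DATASET and
# MOUNT are assumed from the posted afp.conf; DRY_RUN=0 executes for real.
DRY_RUN="${DRY_RUN:-1}"
DATASET="${DATASET:-datapool/Lager}"
MOUNT="${MOUNT:-/datapool/Lager}"

# Echo the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# The ZFS dataset properties gea lists (zfs properties, not afp.conf keys).
zfs_props() {
  run zfs set nbmand=off "$DATASET"
  run zfs set aclmode=passthrough "$DATASET"
  run zfs set aclinherit=passthrough "$DATASET"
}

# One NFSv4 ACL entry in illumos chmod syntax: who:perms[:inheritance]:allow.
# "fd" = file_inherit + dir_inherit, which is what makes new entries inherit;
# inheritance flags only belong on directories, so file entries get none.
ace_inherit()   { printf '%s:%s:fd:allow' "$1" "$2"; }
ace_noinherit() { printf '%s:%s:allow' "$1" "$2"; }

# Equivalent of napp-it "reset ACL to everyone@=modify on files and folders".
# modify_set is full_set minus write_acl/write_owner, so clients cannot rewrite
# the ACL; chmod A= replaces the whole ACL rather than appending to it (A+).
reset_everyone_modify() {
  run find "$MOUNT" -type d -exec chmod A="$(ace_inherit everyone@ modify_set)" {} +
  run find "$MOUNT" -type f -exec chmod A="$(ace_noinherit everyone@ modify_set)" {} +
}

# gea's tighter layout for the share root: everyone@ may list the folder and
# create files/subfolders in it, with no inheritance; owner@ (afpuser in the
# thread) gets full_set, inherited to everything created below.
restricted_root_acl() {
  printf '%s,%s' \
    "$(ace_inherit owner@ full_set)" \
    "$(ace_noinherit everyone@ read_data/read_xattr/read_attributes/read_acl/execute/add_file/add_subdirectory)"
}
apply_restricted_root() { run chmod A="$(restricted_root_acl)" "$MOUNT"; }

# ls -V prints the ACL; a "+" in plain ls -l output shows an ACL is present.
show_acl() { run ls -Vd "$MOUNT"; }

zfs_props
case "${LAYOUT:-modify}" in            # LAYOUT=restricted picks gea's second layout
  modify)     reset_everyone_modify ;;
  restricted) apply_restricted_root ;;
esac
show_acl
```

After applying either layout, a folder created from the Mac should show the trailing "+" in ls -l that the AFP-created test folder in the first post was missing.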