🟑 Medium   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: FreeBSD 14

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Windows users receive access denied despite expected group membership and share visibility.

Environment & Reproduction

Usually introduced by dataset property changes or smb4.conf permission model mismatch.

service samba_server status
cat /usr/local/etc/smb4.conf
zfs get aclmode,aclinherit,acltype

Root Cause Analysis

ZFS ACL semantics and Samba ACL mapping diverge, denying effective write/read rights.

Quick Triage

Compare filesystem ACLs with Samba share-level masks.

getfacl  | head -n 80
testparm -s

Step-by-Step Diagnosis

Inspect effective token mapping and audit Samba logs for denied operations.

tail -n 120 /var/log/samba4/log.smbd
wbinfo -u | head
wbinfo -g | head
Illustrative mockup for freebsd-14 β€” terminal_or_console
Diagnosis commands for post 167 β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Align dataset ACL properties with Samba expectations and reapply directory ACL baseline.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

zfs set acltype=nfsv4 
zfs set aclmode=passthrough 
setfacl -b 
service samba_server restart
Illustrative mockup for freebsd-14 β€” log_or_dashboard
Fix validation evidence for post 167 β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Use POSIX ACL mode for simpler environments and adjust smb masks accordingly.

zfs set acltype=posix 
vi /usr/local/etc/smb4.conf

Verification & Acceptance Criteria

Authorized users can create, modify, and delete files while unauthorized users remain blocked.

smbclient /// -U  -c 'ls'
getfacl

Rollback Plan

Restore previous dataset ACL properties and smb configuration snapshot.

zfs inherit acltype 
cp /root/backup/smb4.conf /usr/local/etc/smb4.conf
service samba_server restart

Prevention & Hardening

Document one ACL model per share class and enforce via provisioning templates.

Closely related to idmap backend mismatches and stale winbind cache state.

Related tutorial: View the step-by-step tutorial for FreeBSD 14.

View all FreeBSD 14 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Samba FreeBSD integration docs and ZFS ACL property references.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.