FreeBSD 13 – Samba share access denied because ZFS ACL mode conflicts

📖 ~1 min read

Table of contents

1. Symptom & Impact
2. Environment & Reproduction
3. Root Cause Analysis
4. Quick Triage
5. Step-by-Step Diagnosis
6. Solution – Primary Fix
7. Solution – Alternative Approaches
8. Verification & Acceptance Criteria
9. Rollback Plan
10. Prevention & Hardening
11. Related Errors & Cross-Refs
12. References & Further Reading

Symptom & Impact

Users get access denied on Samba share despite expected group rights.

Environment & Reproduction

Often follows dataset ACL property changes or smb4.conf edits.

Root Cause Analysis

ZFS ACL semantics conflict with Samba ACL mapping assumptions.

Quick Triage

Compare filesystem ACLs and Samba masks for the same path.

Step-by-Step Diagnosis

Inspect Samba logs and identity mapping outputs for denied operations.

Solution – Primary Fix

Align dataset ACL properties and reapply baseline directory ACLs.

Solution – Alternative Approaches

Use POSIX ACL model for simpler environments where suitable.

Verification & Acceptance Criteria

Authorized users can read/write while unauthorized users are blocked.

Rollback Plan

Restore previous smb4.conf and dataset ACL properties.

Prevention & Hardening

Standardize one ACL model per share class and enforce templates.

Related Errors & Cross-Refs

Related to winbind idmap backend mismatch and stale cache.

Related tutorial: View the step-by-step tutorial for FreeBSD 13.

View all FreeBSD 13 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Samba on FreeBSD docs and ZFS ACL property references.