[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Nov 8 03:28:03 UTC 2017


The branch, master has been updated
       via  d12ba2d manpages: add vfs_nfs4acl_xattr.8
       via  d147698 selftest: run raw.acls test with XDR NFS41 ACLs
       via  e981b41 selftest: run raw.acls tests against a share with XDR NFS4 ACLs
       via  a167155 vfs_nfs4acl_xattr: add XDR backend
       via  8b1b1cd vfs_nfs4acl_xattr: implement take-ownership as in vfs_acl_common
       via  0fdbe62 vfs_nfs4acl_xattr: add POSIX mode check and reset
       via  b407296 vfs_nfs4acl_xattr: do xattr ops as root
       via  08a6ae4 selftest: test vfs_nfs4acl_xattr with NFS 4.1 ACLs
       via  60c8090 nfs4acls: update default NFS4 ACL version to 4.1
       via  12f4263 selftest: add explicit default NFS4 acl version
       via  0697f79 vfs_nfs4acl_xattr: add support for NFS 4.1 ACL flags in the NDR backend
       via  e295032 librpc/idl: add NFS 4.1 ACL flags
       via  f5b2c66 vfs_nfs4acl_xattr: move the meat of the implementation to a seperate file
       via  d4d7e38 vfs_nfs4acl_xattr: fsp->fh->fd can legally be -1
       via  2fb6b0c vfs_nfs4acl_xattr: refactoring
       via  383312a vfs_nfs4acl_xattr: code polish
       via  7f62b16 vfs_nfs4acl_xattr: modernize ACL inheritance
       via  31a8fbf vfs_nfs4acl_xattr: add a runtime configuration object
       via  5890c74 librpc/idl: add versions consts to nfs4acl.idl
       via  df99ac2 librpc/idl: rename NFS4 ACL xattr name
       via  20d3ae6 librpc/idl: rename NFS4 ACL xattr name define
       via  afe11cb vfs_nfs4acl_xattr: move interesting functions pointers to the top
       via  914dfe6 vfs_nfs4acl_xattr: remove a layer of indirection
       via  dd36606 s3/posix_acls: add default ACL style "everyone"
       via  33c0b0d s3/smbd: make make_default_filesystem_acl public
       via  c373102 vfs_acl_common: directly pass default_acl_style
       via  f3f119e selftest: split out failing owner related subtest from samba3.raw.acls.create_file|dir
      from  5c354e1 ctdb-tests: Add sock_daemon test for stale socket handling

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d12ba2d342c4efa26057122025f5692b075af73b
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 23 18:56:37 2017 +0200

    manpages: add vfs_nfs4acl_xattr.8
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Nov  8 04:27:28 CET 2017 on sn-devel-144

commit d1476988408a676176cddbe6ffb1c42a66dd756f
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 19 14:24:03 2017 +0200

    selftest: run raw.acls test with XDR NFS41 ACLs
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit e981b41a37c78de1d7ad114921f65502a365dd66
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Sep 7 17:29:03 2017 +0200

    selftest: run raw.acls tests against a share with XDR NFS4 ACLs
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a1671558af014bd9303f62120e7fc3a9978be6fe
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Oct 18 20:48:37 2017 +0200

    vfs_nfs4acl_xattr: add XDR backend
    
    Add a NFS4 ACL backend that stores the ACL blob in an XDR encoded xattr,
    by default in "security.nfs4acl_xdr".
    
    This backend is enabled by setting "nfs4acl_xattr:encoding = xdr" in a
    share definition.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 8b1b1cd8cc561378058b915e03996ff567355d81
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 23 12:46:07 2017 +0200

    vfs_nfs4acl_xattr: implement take-ownership as in vfs_acl_common
    
    This allows take-ownership to work if the user has SEC_STD_WRITE_OWNER.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 0fdbe624fd708f372b9a1fe4176e04ebb1b040d6
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Oct 18 20:45:05 2017 +0200

    vfs_nfs4acl_xattr: add POSIX mode check and reset
    
    The vfs_nfs4acl_xattr VFS module is supposed to work the same as
    vfs_acl_xattr|tdb with "ignore system acls" set to true. That is,
    filesystem permissions should never restrict access and the actual
    access checks are done by smbd in userspace.
    
    To better cope with POSIX mode changes via other protocols (eg NFS) or
    local filesystem access, add the following tweaks:
    
    o validate ACL blob: if POSIX mode is not 0777/0666 discard the ACL blob
      from the xattr and synthesize a default ACL based on the POSIX mode
    
    o when setting an ACL, check and reset POSIX mode to 0777/0666
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit b4072961c691dbe7434b077147a89d927a299570
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 23 14:15:12 2017 +0200

    vfs_nfs4acl_xattr: do xattr ops as root
    
    This ensures we can always fetch the ACL xattr blob when we want to,
    unrestricted by filesystem permissions or Linux xattr security namespace
    restrictions.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 08a6ae44196ff747c57e75a42a946978e89a2cd9
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 23 14:05:19 2017 +0200

    selftest: test vfs_nfs4acl_xattr with NFS 4.1 ACLs
    
    Only tests with "nfs4:mode = simple" as mode special is supposed to be
    broken anyway and simple is recommended.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 60c8090631d46124f9c8ae750e4a5053b43ac988
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Nov 2 12:45:48 2017 +0100

    nfs4acls: update default NFS4 ACL version to 4.1
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 12f4263b285ca85601206905d22f06d9650e6f5d
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 23 13:35:49 2017 +0200

    selftest: add explicit default NFS4 acl version
    
    This is the current default, just make it explicit. A subsequent commit
    will bump the default to 4.1.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 0697f794b6851a2cd8a81b0cfd2daab9ebec7223
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 19 15:40:52 2017 +0200

    vfs_nfs4acl_xattr: add support for NFS 4.1 ACL flags in the NDR backend
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit e2950327ffbe66ec03020f6afb0bccf4c6a377ac
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 19 22:44:38 2017 +0200

    librpc/idl: add NFS 4.1 ACL flags
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f5b2c66e44e9178ceef36630c9daabbc68ad4a57
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Oct 17 12:02:53 2017 +0200

    vfs_nfs4acl_xattr: move the meat of the implementation to a seperate file
    
    This is in preparation of modularizing the storage backend. Currently we
    store the NFS4 ACL as an IDL/NDR encoded blob in a xattr.
    
    Later commits will add a different backend storing the NFS4 ACL as an
    XDR encoded blob in a xattr.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit d4d7e38bf6fcde3ef1fde6c5f83c4f5e983818e1
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 23 16:38:51 2017 +0200

    vfs_nfs4acl_xattr: fsp->fh->fd can legally be -1
    
    We only open the underlying file if the open access mode contains
    
    FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_EXECUTE
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2fb6b0c2dafd5f59218eb11f0cc8e27b5a0432bc
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 23 16:35:52 2017 +0200

    vfs_nfs4acl_xattr: refactoring
    
    Refactor the code in preparation of factoring out ACL blob to smb4acl
    and vice versa mapping functions.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 383312abdc2afc6849b2dcc613c02e073806e101
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 19 21:53:40 2017 +0200

    vfs_nfs4acl_xattr: code polish
    
    README.Coding adjustments, DEBUG macro modernisation, variable name
    sanitizing. No change in behaviour.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 7f62b16a12980b203e44a9e95d8e96d12f479453
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 16 18:05:51 2017 +0200

    vfs_nfs4acl_xattr: modernize ACL inheritance
    
    This changes the way ACL inheritance is achieved in this
    module.
    
    Previously the module recursed to the next parent directory until the
    share root was reached or a directory with an ACL xattr. If the share
    root didn't contain an ACL xattr either a default ACL would be used.
    
    This commit removes this recursive scanning and replaces it with the
    same mechanism used by vfs_acl_xattr: by setting "inherit acls = yes"
    just let smbd do the heavy lifting and inheritance.
    
    For any file without ACL xattr we still synthesize a default ACL,
    leveraging the existing default ACL function used by vfs_acl_xattr.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 31a8fbff8d2e5bd27b44a0eb14608f8f43ce2a6b
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 19 16:34:44 2017 +0200

    vfs_nfs4acl_xattr: add a runtime configuration object
    
    No change in behaviour, all option defaults are set to the original
    behaviour.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 5890c74f824630a317f202b5299f47f611732ccf
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 19 14:22:00 2017 +0200

    librpc/idl: add versions consts to nfs4acl.idl
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit df99ac27106dededcf0a98a251e58c24b90bf6d1
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Nov 2 12:17:48 2017 +0100

    librpc/idl: rename NFS4 ACL xattr name
    
    The "system" xattr namespace is reserved for the kernel. Any attempt to
    use xattrs in that namespace will fail with EOPNOTSUPP, regardless of
    privileges. In autobuild we're using the xattr_tdb VFS module, so it
    works there.
    
    Using the "security" namespace instead makes this module generally
    usable with Linux filesystem xattrs as storage backend.
    
    Additionally prefix the xattr name with "_ndr". This is in preparation
    of later commits that add an ACL blob marshalling format based on XDR. To
    avoid xattr name collision, both formats will use distinct xattr names by
    default.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 20d3ae6a45f0ead6cefa5e47ca9b5552e4d470c0
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 19 12:29:47 2017 +0200

    librpc/idl: rename NFS4 ACL xattr name define
    
    No change in behaviour.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit afe11cbdfa7b8546d3315046d8f43fffdb051036
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Oct 19 15:50:07 2017 +0200

    vfs_nfs4acl_xattr: move interesting functions pointers to the top
    
    Move interesting functions to the top of the vfs_fn_pointers struct, no
    change in behaviour.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 914dfe6ed48440c66692604f5b3216009a7e8f07
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Oct 16 17:04:01 2017 +0200

    vfs_nfs4acl_xattr: remove a layer of indirection
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit dd3660631bace6d847955ebc9f410f0811dcd2d4
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Oct 17 15:18:52 2017 +0200

    s3/posix_acls: add default ACL style "everyone"
    
    This synthesizes an ACL with a single ACE with full permissions for
    everyone. Not used for now, this comes later.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 33c0b0df01e21c9e031bfe79986e1cfdb993ef6f
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Sep 28 07:53:48 2017 +0200

    s3/smbd: make make_default_filesystem_acl public
    
    This will be used by another VFS module in a subsequent commit.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit c373102f35a6fd6d474e419631e1718cdda4ce3a
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Sep 28 07:48:59 2017 +0200

    vfs_acl_common: directly pass default_acl_style
    
    This is in preparation of moving make_default_filesystem_acl() and
    making it globally accessible. No change in behaviour.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f3f119e4568f3cfc13140c6a449bece4fc58d9f9
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Sep 7 17:26:58 2017 +0200

    selftest: split out failing owner related subtest from samba3.raw.acls.create_file|dir
    
    All the other subtests in samba3.raw.acls.create_file|dir pass with
    nfs4acl_xattr, it's just the subtest that tries to set the owner which
    fails with everything else than acl_xattr.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/vfs_acl_tdb.8.xml                |   6 +-
 docs-xml/manpages/vfs_acl_xattr.8.xml              |   6 +-
 docs-xml/manpages/vfs_nfs4acl_xattr.8.xml          | 134 +++
 docs-xml/wscript_build                             |   1 +
 librpc/idl/nfs4acl.idl                             |  11 +-
 selftest/knownfail                                 |  39 +-
 selftest/target/Samba3.pm                          |  28 +-
 source3/modules/nfs41acl.x                         |  94 +++
 .../passwd_proto.h => modules/nfs4acl_xattr.h}     |  26 +-
 source3/modules/nfs4acl_xattr_ndr.c                | 300 +++++++
 source3/modules/nfs4acl_xattr_ndr.h                |  42 +
 source3/modules/nfs4acl_xattr_xdr.c                | 421 ++++++++++
 .../passwd_proto.h => modules/nfs4acl_xattr_xdr.h} |  27 +-
 source3/modules/vfs_acl_common.c                   | 218 +----
 source3/modules/vfs_acl_common.h                   |   2 +-
 source3/modules/vfs_nfs4acl_xattr.c                | 933 ++++++++++-----------
 source3/modules/wscript_build                      |  23 +-
 source3/selftest/tests.py                          |   7 +-
 source3/smbd/posix_acls.c                          | 272 ++++++
 source3/smbd/proto.h                               |  11 +
 source3/wscript                                    |   2 +
 source4/ntvfs/posix/pvfs_acl_nfs4.c                |   4 +-
 source4/torture/raw/acls.c                         |  72 ++
 23 files changed, 1945 insertions(+), 734 deletions(-)
 create mode 100644 docs-xml/manpages/vfs_nfs4acl_xattr.8.xml
 create mode 100644 source3/modules/nfs41acl.x
 copy source3/{utils/passwd_proto.h => modules/nfs4acl_xattr.h} (63%)
 create mode 100644 source3/modules/nfs4acl_xattr_ndr.c
 create mode 100644 source3/modules/nfs4acl_xattr_ndr.h
 create mode 100644 source3/modules/nfs4acl_xattr_xdr.c
 copy source3/{utils/passwd_proto.h => modules/nfs4acl_xattr_xdr.h} (55%)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml
index e36ccd9..58cc091 100644
--- a/docs-xml/manpages/vfs_acl_tdb.8.xml
+++ b/docs-xml/manpages/vfs_acl_tdb.8.xml
@@ -89,7 +89,7 @@
 		</varlistentry>
 
 		<varlistentry>
-		<term>acl_tdb:default acl style = [posix|windows]</term>
+		<term>acl_tdb:default acl style = [posix|windows|everyone]</term>
 		<listitem>
 		<para>
 		This parameter determines the type of ACL that is synthesized in
@@ -108,6 +108,10 @@
 		owner and <emphasis>NT Authority\SYSTEM</emphasis>.
 		</para>
 		<para>
+		When set to <emphasis>everyone</emphasis>, an ACL is synthesized
+		giving full permissions to everyone (S-1-1-0).
+		</para>
+		<para>
 		The default for this option is <emphasis>posix</emphasis>.
 		</para>
 		</listitem>
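Review bot: the new <para> for "everyone" only says that full permissions go to S-1-1-0; it should also spell out the consequence, namely that every file or directory lacking the ACL extended attribute is then fully accessible to any user who can reach the share, in contrast to the windows style that the preceding paragraph limits to the owner and NT Authority\SYSTEM. A sentence on when this style is appropriate would keep administrators from selecting it by accident. The same applies to the identical paragraph added to vfs_acl_xattr.8.xml.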
diff --git a/docs-xml/manpages/vfs_acl_xattr.8.xml b/docs-xml/manpages/vfs_acl_xattr.8.xml
index 43731f7..f70e17c 100644
--- a/docs-xml/manpages/vfs_acl_xattr.8.xml
+++ b/docs-xml/manpages/vfs_acl_xattr.8.xml
@@ -93,7 +93,7 @@
 		</varlistentry>
 
 		<varlistentry>
-		<term>acl_xattr:default acl style = [posix|windows]</term>
+		<term>acl_xattr:default acl style = [posix|windows|everyone]</term>
 		<listitem>
 		<para>
 		This parameter determines the type of ACL that is synthesized in
@@ -112,6 +112,10 @@
 		owner and <emphasis>NT Authority\SYSTEM</emphasis>.
 		</para>
 		<para>
+		When set to <emphasis>everyone</emphasis>, an ACL is synthesized
+		giving full permissions to everyone (S-1-1-0).
+		</para>
+		<para>
 		The default for this option is <emphasis>posix</emphasis>.
 		</para>
 		</listitem>
diff --git a/docs-xml/manpages/vfs_nfs4acl_xattr.8.xml b/docs-xml/manpages/vfs_nfs4acl_xattr.8.xml
new file mode 100644
index 0000000..1673734
--- /dev/null
+++ b/docs-xml/manpages/vfs_nfs4acl_xattr.8.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="vfs_nfs4acl_xattr.8">
+
+  <refmeta>
+    <refentrytitle>vfs_nfs4acl_xattr</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="source">Samba</refmiscinfo>
+    <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+    <refmiscinfo class="version">4.7</refmiscinfo>
+  </refmeta>
+
+
+  <refnamediv>
+    <refname>vfs_nfs4acl_xattr</refname>
+    <refpurpose>Save NTFS-ACLs as NFS4 encoded blobs in extended
+    attributes</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>vfs objects = nfs4acl_xattr</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+
+    <para>This VFS module is part of the
+    <citerefentry><refentrytitle>samba</refentrytitle>
+    <manvolnum>7</manvolnum></citerefentry> suite.</para>
+
+    <para>The <command>vfs_acl_xattr</command> VFS module stores NTFS Access
+    Control Lists (ACLs) in Extended Attributes (EAs/xattrs).  This enables the
+    full mapping of Windows ACLs on Samba servers.
+    </para>
+
+    <para>This module is stackable.</para>
+  </refsect1>
+
+
+  <refsect1>
+    <title>OPTIONS</title>
+
+    <variablelist>
+
+      <varlistentry>
+	<term>nfs4acl_xattr:encoding = [ndr|xdr]</term>
+	<listitem>
+	  <para>This parameter configures the marshaling format used in the ACL
+	  blob and the default extended attribute name used to store the blob.
+	  </para>
+
+	  <para>When set to <emphasis>ndr (default)</emphasis> - store the NT
+	  ACL with POSIX draft NFSv4 compatible NDR encoding. By default this
+	  uses the extended attribute "security.nfs4acl_ndr".</para>
+
+	  <para>When set to <emphasis>xdr</emphasis> - store the NT ACL in a
+	  format similar to NFS 4.1 RFC 5661 in XDR encoding. The main
+	  differences to RFC 5661 are the use of ids instead of strings as users
+	  and group identifiers and an additional attribute per nfsace4. By
+	  default this encoding stores the blob in the extended attribute
+	  "security.nfs4acl_xdr".</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>nfs4acl_xattr:version = [40|41]</term>
+	<listitem>
+	  <para>This parameter configures the NFS4 ACL level. Only
+	  <emphasis>41</emphasis> fully supports mapping NT ACLs and should be
+	  used. The default is <emphasis>41</emphasis>.</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>nfs4acl_xattr:default acl style = [posix|windows|everyone]</term>
+	<listitem>
+	  <para>This parameter determines the type of ACL that is synthesized in
+	  case a file or directory lacks an ACL extended attribute.</para>
+
+	  <para>When set to <emphasis>posix</emphasis>, an ACL will be
+	  synthesized based on the POSIX mode permissions for user, group and
+	  others, with an additional ACE for <emphasis>NT
+	  Authority\SYSTEM</emphasis> will full rights.</para>
+
+	  <para>When set to <emphasis>windows</emphasis>, an ACL is synthesized
+	  the same way Windows does it, only including permissions for the owner
+	  and <emphasis>NT Authority\SYSTEM</emphasis>.</para>
+
+	  <para>When set to <emphasis>everyone</emphasis>, an ACL is synthesized
+	  giving full permissions to everyone (S-1-1-0).</para>
+
+	  <para>The default for this option is
+	  <emphasis>everyone</emphasis>.</para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>nfs4acl_xattr:xattr_name = STRING</term>
+	<listitem>
+	  <para>This parameter configures the extended attribute name used to
+	  store the marshaled ACL.</para>
+	  <para>The default depends on the setting for
+	  <emphasis>nfs4acl_xattr:encoding</emphasis>.</para>
+	</listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>EXAMPLES</title>
+
+    <para>A directory can be exported via Samba using this module as
+    follows:</para>
+
+    <programlisting>
+      <smbconfsection name="[samba_gpfs_share]"/>
+      <smbconfoption name="vfs objects">nfs4acl_xattr</smbconfoption>
+      <smbconfoption name="path">/foo/bar</smbconfoption>
+    </programlisting>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+
+    <para>The original Samba software and related utilities
+    were created by Andrew Tridgell. Samba is now developed
+    by the Samba Team as an Open Source project similar
+    to the way the Linux kernel is developed.</para>
+  </refsect1>
+
+</refentry>
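Review bot: the DESCRIPTION paragraph names the wrong module: it opens with "The <command>vfs_acl_xattr</command> VFS module stores NTFS Access Control Lists" and never mentions the NFS4 encoding, so it reads as copied from vfs_acl_xattr.8.xml; it should name vfs_nfs4acl_xattr and describe the NFS4 blob it stores. In the "default acl style" entry, "will full rights" should be "with full rights", and because the default here is everyone while vfs_acl_tdb and vfs_acl_xattr document posix as their default, the page should explain that difference and what it means for files without an ACL xattr. The EXAMPLES share is named [samba_gpfs_share] and sets none of the options documented above; an example that shows nfs4acl_xattr:encoding and nfs4acl_xattr:version would be more useful.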
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 5670572..afba0b9 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -74,6 +74,7 @@ manpages='''
          manpages/vfs_linux_xfs_sgid.8
          manpages/vfs_media_harmony.8
          manpages/vfs_netatalk.8
+         manpages/vfs_nfs4acl_xattr.8
          manpages/vfs_offline.8
          manpages/vfs_prealloc.8
          manpages/vfs_preopen.8
diff --git a/librpc/idl/nfs4acl.idl b/librpc/idl/nfs4acl.idl
index 5a3d026..10a60ed 100644
--- a/librpc/idl/nfs4acl.idl
+++ b/librpc/idl/nfs4acl.idl
@@ -13,12 +13,21 @@ import "misc.idl", "security.idl";
 ]
 interface nfs4acl_interface
 {
-	const char *NFS4ACL_XATTR_NAME = "system.nfs4acl";
+	const char *NFS4ACL_NDR_XATTR_NAME = "security.nfs4acl_ndr";
 
 	const char *NFS4ACL_XATTR_OWNER_WHO	 = "OWNER@";
 	const char *NFS4ACL_XATTR_GROUP_WHO	 = "GROUP@";
 	const char *NFS4ACL_XATTR_EVERYONE_WHO   = "EVERYONE@";
 
+	const uint8 ACL4_XATTR_VERSION_40      = 0x00;
+	const uint8 ACL4_XATTR_VERSION_41      = 0x01;
+	const uint8 ACL4_XATTR_VERSION_DEFAULT = ACL4_XATTR_VERSION_41;
+
+	const uint8 ACL4_AUTO_INHERIT  = 0x01;
+	const uint8 ACL4_PROTECTED     = 0x02;
+	const uint8 ACL4_DEFAULTED     = 0x04;
+	const uint8 ACL4_WRITE_THROUGH = 0x40;
+
 	/* these structures use the same bit values and other constants as
 	   in security.idl */
 	typedef [flag(NDR_BIG_ENDIAN)] struct {
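Review bot: changing the xattr name from "system.nfs4acl" to "security.nfs4acl_ndr" means blobs already stored under the old name are no longer found, and nothing in this hunk provides a fallback read or a migration path. Such files would fall back to the synthesized default ACL, which the new manpage documents as everyone (full permissions for S-1-1-0) by default, so this needs either a compatibility lookup or a release note telling administrators to set nfs4acl_xattr:xattr_name for existing data. Separately, ACL4_WRITE_THROUGH = 0x40 is defined here but has no counterpart in nfs41acl.x; if that is intentional, a comment should say so.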
diff --git a/selftest/knownfail b/selftest/knownfail
index 15e6b1d..3c910fb 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -21,20 +21,28 @@
 ^samba3.blackbox.smbclient_machine_auth.plain \(nt4_dc:local\)# the NT4 DC does not currently set up a self-join
 ^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled
-^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
-^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.generic\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.inheritance\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.inherit_creator_owner\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.inherit_creator_group\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-simple-40.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
+^samba3.raw.acls nfs4acl_xattr-simple-40.create_owner_file\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-simple-40.create_owner_dir\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-simple-40.nulldacl\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-simple-41.create_owner_file\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-simple-41.create_owner_dir\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-simple-41.nulldacl\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-special-40.INHERITFLAGS\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-special-40.create_owner_file\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-special-40.create_owner_dir\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-special-40.nulldacl\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-special-40.inherit_creator_owner\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-special-40.inherit_creator_group\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.INHERITFLAGS\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.create_owner_file\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.create_owner_dir\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.nulldacl\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.inherit_creator_owner\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.inherit_creator_group\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-41.create_owner_file\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-41.create_owner_dir\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-41.nulldacl\(nt4_dc\)
 ^samba3.base.delete.deltest16a
 ^samba3.base.delete.deltest17a
 ^samba3.unix.whoami anonymous connection.whoami\(ad_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
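Review bot: the added -41 entries keep create_owner_file, create_owner_dir and nulldacl as known failures for both nfs4acl_xattr-simple-41 and nfs4acl_xattr-xdr-41, while the new manpage states that version 41 "fully supports mapping NT ACLs". Either soften the manpage wording or add a comment per group explaining why these still fail; the only comment is on the first line and still says the NFSv4 backend "isn't a complete mapping yet". The nulldacl entries in particular deserve their own explanation, since how a NULL DACL is stored and read back decides who is granted access.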
@@ -106,7 +114,8 @@
 ^samba4.raw.streams.*.perms
 ^samba4.raw.acls.INHERITFLAGS
 ^samba4.raw.acls.*.create_dir
-^samba4.raw.acls.*.create_file
+^samba4.raw.acls.*.create_owner_dir
+^samba4.raw.acls.*.create_owner_file
 ^samba4.smb2.create.*.acldir
 ^samba4.smb2.create.*.impersonation
 ^samba4.smb2.acls.*.generic
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f4d033d..6880455 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1862,18 +1862,42 @@ sub provision($$$$$$$$$)
 [lp]
 	copy = print1
 
-[nfs4acl_simple]
+[nfs4acl_simple_40]
 	path = $shrdir
 	comment = smb username is [%U]
 	nfs4:mode = simple
+	nfs4acl_xattr:version = 40
 	vfs objects = nfs4acl_xattr xattr_tdb
 
-[nfs4acl_special]
+[nfs4acl_special_40]
 	path = $shrdir
 	comment = smb username is [%U]
 	nfs4:mode = special
+	nfs4acl_xattr:version = 40
 	vfs objects = nfs4acl_xattr xattr_tdb
 
+[nfs4acl_simple_41]
+	path = $shrdir
+	comment = smb username is [%U]
+	nfs4:mode = simple
+	vfs objects = nfs4acl_xattr xattr_tdb
+
+[nfs4acl_xdr_40]
+	path = $shrdir
+	comment = smb username is [%U]
+	vfs objects = nfs4acl_xattr xattr_tdb
+	nfs4:mode = simple
+	nfs4acl_xattr:encoding = xdr
+	nfs4acl_xattr:version = 40
+
+[nfs4acl_xdr_41]
+	path = $shrdir
+	comment = smb username is [%U]
+	vfs objects = nfs4acl_xattr xattr_tdb
+	nfs4:mode = simple
+	nfs4acl_xattr:encoding = xdr
+	nfs4acl_xattr:version = 41
+
 [xcopy_share]
 	path = $shrdir
 	comment = smb username is [%U]
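Review bot: [nfs4acl_simple_41] does not set nfs4acl_xattr:version and relies on the built-in default, while the two _40 shares and both xdr shares set it explicitly. Add "nfs4acl_xattr:version = 41" there so the share keeps testing 4.1 if the default changes again. There is also no [nfs4acl_special_41] share; a short comment stating that this is deliberate would stop it from being read as an omission.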
diff --git a/source3/modules/nfs41acl.x b/source3/modules/nfs41acl.x
new file mode 100644
index 0000000..9cfbd9f
--- /dev/null
+++ b/source3/modules/nfs41acl.x
@@ -0,0 +1,94 @@
+typedef opaque utf8string<>;
+typedef utf8string utf8str_mixed;
+
+const ACE4_ACCESS_ALLOWED_ACE_TYPE      = 0x00000000;
+const ACE4_ACCESS_DENIED_ACE_TYPE       = 0x00000001;
+const ACE4_SYSTEM_AUDIT_ACE_TYPE        = 0x00000002;
+const ACE4_SYSTEM_ALARM_ACE_TYPE        = 0x00000003;
+
+typedef u_int acetype4;
+
+const ACE4_FILE_INHERIT_ACE             = 0x00000001;
+const ACE4_DIRECTORY_INHERIT_ACE        = 0x00000002;
+const ACE4_NO_PROPAGATE_INHERIT_ACE     = 0x00000004;
+const ACE4_INHERIT_ONLY_ACE             = 0x00000008;
+const ACE4_SUCCESSFUL_ACCESS_ACE_FLAG   = 0x00000010;
+const ACE4_FAILED_ACCESS_ACE_FLAG       = 0x00000020;
+const ACE4_IDENTIFIER_GROUP             = 0x00000040;
+const ACE4_INHERITED_ACE                = 0x00000080;
+
+typedef u_int aceflag4;
+
+/*
+ * The following aceiflag4 is extensions for RFC 5661 that deals with storing
+ * identifiers as numerical ids instead UTF8 strings in order to avoid wasting
+ * CPU cycles for the costly conversion.
+ *
+ * Placed in a seperate field to avoid ever running into conflicts with newly
+ * defined NFSv4 flags.
+ */
+
+const ACEI4_SPECIAL_WHO                  = 0x00000001;
+
+typedef u_int aceiflag4;
+
+/*
+ * Numerical representation of special identifiers from 6.2.1.5.
+ * ACEI4_SPECIAL_WHO MUST be set in nfsace4.aceiflag4.
+ */
+const ACE4_SPECIAL_OWNER                = 1;
+const ACE4_SPECIAL_GROUP                = 2;
+const ACE4_SPECIAL_EVERYONE             = 3;
+const ACE4_SPECIAL_INTERACTIVE          = 4;
+const ACE4_SPECIAL_NETWORK              = 5;
+const ACE4_SPECIAL_DIALUP               = 6;
+const ACE4_SPECIAL_BATCH                = 7;
+const ACE4_SPECIAL_ANONYMOUS            = 8;
+const ACE4_SPECIAL_AUTHENTICATED        = 9;
+const ACE4_SPECIAL_SERVICE              = 10;
+
+const ACE4_READ_DATA            = 0x00000001;
+const ACE4_LIST_DIRECTORY       = 0x00000001;
+const ACE4_WRITE_DATA           = 0x00000002;
+const ACE4_ADD_FILE             = 0x00000002;
+const ACE4_APPEND_DATA          = 0x00000004;
+const ACE4_ADD_SUBDIRECTORY     = 0x00000004;
+const ACE4_READ_NAMED_ATTRS     = 0x00000008;
+const ACE4_WRITE_NAMED_ATTRS    = 0x00000010;
+const ACE4_EXECUTE              = 0x00000020;
+const ACE4_DELETE_CHILD         = 0x00000040;
+const ACE4_READ_ATTRIBUTES      = 0x00000080;
+const ACE4_WRITE_ATTRIBUTES     = 0x00000100;
+const ACE4_WRITE_RETENTION      = 0x00000200;
+const ACE4_WRITE_RETENTION_HOLD = 0x00000400;
+
+const ACE4_DELETE               = 0x00010000;
+const ACE4_READ_ACL             = 0x00020000;
+const ACE4_WRITE_ACL            = 0x00040000;
+const ACE4_WRITE_OWNER          = 0x00080000;
+const ACE4_SYNCHRONIZE          = 0x00100000;
+
+typedef u_int acemask4;
+
+struct nfsace4 {
+        acetype4        type;
+        aceflag4        flag;
+        aceiflag4       iflag;
+        acemask4        access_mask;
+        u_int           who;
+};
+
+const ACL4_XATTR_VERSION_40      = 0;
+const ACL4_XATTR_VERSION_41      = 1;
+const ACL4_XATTR_VERSION_DEFAULT = ACL4_XATTR_VERSION_40;
+
+const ACL4_AUTO_INHERIT         = 0x00000001;
+const ACL4_PROTECTED            = 0x00000002;
+const ACL4_DEFAULTED            = 0x00000004;
+
+typedef u_int aclflag4;
+
+struct nfsacl41 {
+        aclflag4        na41_flag;
+        nfsace4         na41_aces<>;
+};
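Review bot: ACL4_XATTR_VERSION_DEFAULT is set to ACL4_XATTR_VERSION_40 near the end of this file, but librpc/idl/nfs4acl.idl in the same push defines the same name as ACL4_XATTR_VERSION_41 and the manpage documents 41 as the default. Two same-named constants with different values can leave the NDR and XDR backends disagreeing on the default; define it once or make the values agree. The comment above ACEI4_SPECIAL_WHO has typos ("seperate", "instead UTF8 strings"), and since who is a bare u_int whose meaning depends on both ACE4_IDENTIFIER_GROUP and ACEI4_SPECIAL_WHO, struct nfsace4 should carry a comment stating which combination means uid, gid or special id.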
diff --git a/source3/utils/passwd_proto.h b/source3/modules/nfs4acl_xattr.h
similarity index 63%
copy from source3/utils/passwd_proto.h
copy to source3/modules/nfs4acl_xattr.h
index 104e00a..3eeb470 100644
--- a/source3/utils/passwd_proto.h
+++ b/source3/modules/nfs4acl_xattr.h
@@ -1,10 +1,5 @@
 /*
- * Unix SMB/CIFS implementation.
- * collected prototypes header
- *
- * frozen from "make proto" in May 2008
- *
- * Copyright (C) Michael Adam 2008
+ * Copyright (C) Ralph Boehme 2017
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -18,15 +13,20 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
  */
 
-#ifndef _PASSWD_PROTO_H_
-#define _PASSWD_PROTO_H_
-
+#ifndef __NFS4ACL_XATTR_H__
+#define __NFS4ACL_XATTR_H__
 
-/* The following definitions come from utils/passwd_util.c  */
+enum nfs4acl_encoding {NFS4ACL_ENCODING_NDR, NFS4ACL_ENCODING_XDR};
 
-char *stdin_new_passwd( void);
-char *get_pass( const char *prompt, bool stdin_get);
+struct nfs4acl_config {
+	unsigned nfs_version;
+	enum nfs4acl_encoding encoding;
+	char *xattr_name;
+	struct smbacl4_vfs_params nfs4_params;
+	enum default_acl_style default_acl_style;
+};
 
-#endif /*  _PASSWD_PROTO_H_  */
+#endif /* __NFS4ACL_XATTR_H__ */
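Review bot: struct nfs4acl_config embeds struct smbacl4_vfs_params and enum default_acl_style by value, but the header includes nothing, so it only compiles when the including file has already pulled in both definitions in the right order; include the headers that define them here. nfs_version is a plain unsigned with no comment on whether it holds 40/41 as in the smb.conf option or the ACL4_XATTR_VERSION_* values 0/1; state which. The guard name __NFS4ACL_XATTR_H__ starts with a double underscore, which C reserves for the implementation.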
diff --git a/source3/modules/nfs4acl_xattr_ndr.c b/source3/modules/nfs4acl_xattr_ndr.c
new file mode 100644
index 0000000..ffa3e69
--- /dev/null
+++ b/source3/modules/nfs4acl_xattr_ndr.c
@@ -0,0 +1,300 @@
+/*
+ * Convert NFSv4 acls stored per http://www.suse.de/~agruen/nfs4acl/ to NT acls and vice versa.
+ *
+ * Copyright (C) Jiri Sasek, 2007
+ * based on the foobar.c module which is copyrighted by Volker Lendecke
+ * based on pvfs_acl_nfs4.c  Copyright (C) Andrew Tridgell 2006
+ *
+ * based on vfs_fake_acls:
+ * Copyright (C) Tim Potter, 1999-2000
+ * Copyright (C) Alexander Bokovoy, 2002
+ * Copyright (C) Andrew Bartlett, 2002,2012
+ * Copyright (C) Ralph Boehme 2017
+ *
+ * This program is free software; you can redistribute it and/or modify


-- 
Samba Shared Repository


