samba 3.3.x and SMB RAW-ACLs
yaberger at ca.ibm.com
Tue Feb 24 10:48:17 MST 2009
Hi Jeremy,
Thanks for your prompt answer. I'll try to answer your questions the
best I can. Let me know if it would be easier to discuss on
#samba-technical, and when.
Is the only way to resolve that to create a VFS module for DCE/DFS?
I think this is quite some work and will not be easy to test, since there
might not be many people still using this platform.
John Janosik has pointed me to the parameter "acl check permissions", which
could be set to no according to the doc. Do you think this would be a viable
workaround?
> What is the module you're loading to map AIX DFS ACLs ?
Hmmm, I'm not quite sure I understand this part. I haven't specified
anything; it seems that the module was chosen by itself.
yaberge2 at aix53tst ==> cat log.move |grep modules |awk '{print $4}' |sort -u
modules/vfs_aixacl.c:aixacl_sys_acl_get_file(41)
modules/vfs_aixacl.c:aixacl_sys_acl_get_file(42)
modules/vfs_aixacl.c:aixacl_sys_acl_get_file(71)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(139)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(155)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(183)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(184)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(41)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(42)
In the config.log, I also have this:
configure:79281: checking how to build vfs_aixacl
configure:79309: result: static
configure:79318: checking how to build vfs_aixacl2
configure:79350: result: not
VFS_STATIC=' $(VFS_DEFAULT_OBJ) $(VFS_AIXACL_OBJ)'
#define static_init_vfs { vfs_default_init(); vfs_aixacl_init();}
#define static_decl_vfs extern NTSTATUS vfs_default_init(void); extern NTSTATUS vfs_aixacl_init(void);
> I'll need to look at the mapping from the AIX DFS ACLs
> into the Windows ones to make sure the FILE_DELETE_CHILD
> is being mapped correctly on directories.
> What do AIX DFS ACLs look like ? NFSv4 or POSIX ACLs ?
As Volker mentioned, it's something similar to AFS and probably GPFS
ACLs.
Each file/directory is considered an object.
There are three types:
object
default object (usually called "initial object" or "io")
default container (usually called "initial container" or "ic")
For each type, you have the following default ACLs:
mask_obj
user_obj
group_obj
other_obj (DCE authenticated)
any_other (unauthenticated)
and optional:
user USERNAME (dce user or uuid if it cannot be resolved)
and
group GROUPNAME (dce group or uuid if it cannot be resolved)
Each ACL entry can have the following permissions:
rwxidc
In text:
read
write
execute
insert
delete
control
Pretty much like GPFS + insert/delete.
Here is an example:
{mask_obj rwxcid}
{user_obj rwxcid}
{user yaberger rwxcid}
{group_obj ------}
{group subsys/dce/dfs-bak-servers r-xc--}
{group subsys/dce/dfs-admin rwxcid}
{group bromont --x---}
{other_obj --x---}
{any_other ------}
A link from opengroup that seems to explain how this works:
http://www.opengroup.org/onlinepubs/9668899/chap8.htm
Also, one of my references when I need to work in C with DCE/DFS. This is a
Perl module, not complete, but it gives you a good idea of the DCE/DFS API
for ACLs:
http://search.cpan.org/~phenson/DCE-Perl-0.21/
Yannick Bergeron
yaberger at ca.ibm.com
IT Specialist
AIX / Samba / Load Balancer / DCE/DFS / SCM / Apache / Security / Perl scripting / etc.
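Added example (not from the mail above, nor from Samba's vfs_aixacl code): a parser for the brace-delimited DCE/DFS ACL listing the mail describes, with a helper that lists which principals effectively hold a given bit such as delete ("d"), which is the bit Samba would have to map onto FILE_DELETE_CHILD for directories. Applying mask_obj only to user, group and group_obj entries (POSIX-style mask scope) is an assumption, not something the mail states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One entry as DCE/DFS prints it: "{kind [principal] perms}", perms being six
# characters over r w x i d c (read, write, execute, insert, delete, control),
# with "-" for an absent bit.
ENTRY_RE = re.compile(r"\{\s*(\S+)(?:\s+(\S+))?\s+([rwxidc-]{6})\s*\}")
NAMED_KINDS = {"user", "group"}
PRINCIPAL_KINDS = {"user_obj", "group_obj", "other_obj", "any_other"} | NAMED_KINDS
MASKED_KINDS = {"user", "group", "group_obj"}  # assumption: POSIX-style mask_obj scope

@dataclass(frozen=True)
class AclEntry:
    kind: str              # mask_obj, user_obj, user, group_obj, group, other_obj, any_other
    name: Optional[str]    # principal for user/group entries, None otherwise
    perms: frozenset       # subset of {"r", "w", "x", "i", "d", "c"}

def parse_acl(text: str) -> list:
    """Parse an ACL listing into AclEntry objects, rejecting malformed entries."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        kind, name, bits = m.groups()
        if (name is None) == (kind in NAMED_KINDS):
            raise ValueError(f"malformed entry: {m.group(0)}")
        if kind != "mask_obj" and kind not in PRINCIPAL_KINDS:
            raise ValueError(f"unknown entry kind: {kind}")
        entries.append(AclEntry(kind, name, frozenset(c for c in bits if c != "-")))
    return entries

def effective_perms(entries, kind, name=None):
    """Bits actually granted to one entry once mask_obj has been applied."""
    mask = next((e.perms for e in entries if e.kind == "mask_obj"), None)
    for e in entries:
        if e.kind == kind and e.name == name:
            return e.perms & mask if (mask is not None and kind in MASKED_KINDS) else e.perms
    return frozenset()

def holders_of(entries, bit):
    """Principals whose effective permissions include `bit`, e.g. "d" for delete."""
    return {(e.kind, e.name) for e in entries
            if e.kind != "mask_obj" and bit in effective_perms(entries, e.kind, e.name)}

# Sample input: the ACL listing quoted in the mail above.
SAMPLE_ACL = """{mask_obj rwxcid} {user_obj rwxcid} {user yaberger rwxcid}
{group_obj ------} {group subsys/dce/dfs-bak-servers r-xc--}
{group subsys/dce/dfs-admin rwxcid} {group bromont --x---}
{other_obj --x---} {any_other ------}"""

if __name__ == "__main__":
    print("can delete:", sorted(holders_of(parse_acl(SAMPLE_ACL), "d"), key=str))
```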