samba 3.3.x and SMB RAW-ACLs

yaberger at ca.ibm.com yaberger at ca.ibm.com
Tue Feb 24 10:48:17 MST 2009


Hi Jeremy,


Thanks for your prompt answer. I'll try to answer your questions the best I can. Let me know if it would be easier to discuss on #samba-technical and when.

Is the only way to resolve that to create a VFS module for DCE/DFS? I think this is quite some work and will not be easy to test, since there might not be many people still using this platform.

John Janosik has pointed me to the parameter "acl check permissions", which could be set to no. According to the doc, I think this would be a viable workaround?
> What is the module you're loading to map AIX DFS ACLs ?
Hmmm, I'm not quite sure I understand this part. I haven't specified anything; it seems that the module was chosen by itself.

yaberge2 at aix53tst ==> cat log.move |grep modules |awk '{print $4}' |sort -u
modules/vfs_aixacl.c:aixacl_sys_acl_get_file(41)
modules/vfs_aixacl.c:aixacl_sys_acl_get_file(42)
modules/vfs_aixacl.c:aixacl_sys_acl_get_file(71)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(139)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(155)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(183)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(184)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(41)
modules/vfs_aixacl_util.c:aixacl_to_smbacl(42)


In the config.log, I also have this:
configure:79281: checking how to build vfs_aixacl
configure:79309: result: static
configure:79318: checking how to build vfs_aixacl2
configure:79350: result: not
VFS_STATIC=' $(VFS_DEFAULT_OBJ) $(VFS_AIXACL_OBJ)'
#define static_init_vfs {  vfs_default_init();  vfs_aixacl_init();}
#define static_decl_vfs  extern NTSTATUS vfs_default_init(void); extern NTSTATUS vfs_aixacl_init(void);


> I'll need to look at the mapping from the AIX DFS ACLs
> into the Windows ones to make sure the FILE_DELETE_CHILD
> is being mapped correctly on directories.

> What do AIX DFS ACLs look like ? NFSv4 or POSIX ACLs ?
As Volker mentioned, it's something similar to AFS and probably GPFS ACLs.

Each file/directory is considered as an object.

There are three types:
object
default object (usually called "initial object" or "io")
default container (usually called "initial container" or "ic")

For each type, you have the following default ACLs:
mask_obj
user_obj
group_obj
other_obj       (DCE authenticated)
any_other       (unauthenticated)

and optional:
user USERNAME           (dce user or uuid if it cannot be resolved)
and
group GROUPNAME         (dce group or uuid if it cannot be resolved)

Each ACL entry can have the following permissions:
rwxidc
In text:
read
write
execute
insert
delete
control

Pretty much like GPFS + insert/delete.

Here is an example:
{mask_obj rwxcid}
{user_obj rwxcid}
{user yaberger rwxcid}
{group_obj ------}
{group subsys/dce/dfs-bak-servers r-xc--}
{group subsys/dce/dfs-admin rwxcid}
{group bromont --x---}
{other_obj --x---}
{any_other ------}


A link from the Open Group that seems to explain how this works:
http://www.opengroup.org/onlinepubs/9668899/chap8.htm

Also, one of my references when I need to work in C with DCE/DFS. This is a Perl module, not complete, but it gives you a good idea of the DCE/DFS API for ACLs:
http://search.cpan.org/~phenson/DCE-Perl-0.21/



Yannick Bergeron
yaberger at ca.ibm.com
IT Specialist
AIX / Samba / Load Balancer / DCE/DFS / SCM / Apache / Security / Perl scripting / etc.
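As an added illustration (not code from the message, from Samba or from the DCE-Perl module), here is a small parser for the `{type [name] perms}` ACL text shown above, plus a resolver that walks the entry types in the order user_obj, user, group_obj/group, other_obj, any_other and reports which of the rwxidc bits a principal ends up with; the "d" bit it returns for a directory is the one the FILE_DELETE_CHILD question in this thread hinges on. The mask_obj semantics (limits every entry except user_obj, other_obj and any_other) are an assumption modeled on POSIX ACL masks, not something the message states, and the owner/owning-group arguments are assumed inputs since the ACL text does not carry them.

```python
import re

# The six DCE/DFS bits: read, write, execute, insert, delete, control.  Tools print
# them in varying orders ("rwxcid" above), so each entry's bits are kept as a set.
PERM_BITS = set("rwxidc")
ENTRY_RE = re.compile(r"\{(\w+)(?:\s+(\S+))?\s+([rwxidc-]{6})\}")

# Constructed sample: the ACL quoted in the message, in `{type [name] perms}` form.
SAMPLE_ACL = """
{mask_obj rwxcid}
{user_obj rwxcid}
{user yaberger rwxcid}
{group_obj ------}
{group subsys/dce/dfs-bak-servers r-xc--}
{group subsys/dce/dfs-admin rwxcid}
{group bromont --x---}
{other_obj --x---}
{any_other ------}
"""

def parse_acl(text):
    """Return [(type, name, bits)]; name is '' for *_obj/any_other, bits is a set."""
    entries = []
    for etype, name, perms in ENTRY_RE.findall(text):
        entries.append((etype, name, {p for p in perms if p != "-"}))
    return entries

def effective_perms(entries, user, groups, authenticated, owner=None, owner_group=None):
    """Bits a principal gets, checking user_obj, then a matching `user` entry, then the
    union of matching group_obj/`group` entries, then other_obj (authenticated) or
    any_other.  ASSUMPTION (POSIX-style, not from the message): mask_obj limits every
    entry except user_obj, other_obj and any_other."""
    plain = {etype: bits for etype, name, bits in entries if not name}
    named = {(etype, name): bits for etype, name, bits in entries if name}
    mask = plain.get("mask_obj", PERM_BITS)
    if owner is not None and user == owner:
        return set(plain.get("user_obj", set()))
    if ("user", user) in named:
        return named[("user", user)] & mask
    group_bits, matched = set(), False
    if owner_group is not None and owner_group in groups:
        group_bits, matched = group_bits | plain.get("group_obj", set()), True
    for g in groups:
        if ("group", g) in named:
            group_bits, matched = group_bits | named[("group", g)], True
    if matched:  # a matching group entry that grants nothing still stops the walk
        return group_bits & mask
    if authenticated:
        return set(plain.get("other_obj", set()))
    return set(plain.get("any_other", set()))
```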