samba 3.3.x and SMB RAW-ACLs

Jeremy Allison jra at samba.org
Tue Feb 24 11:33:37 MST 2009 

On Tue, Feb 24, 2009 at 12:48:17PM -0500, yaberger at ca.ibm.com wrote:
> Hi Jeremy,
> 
> 
> Thanks for your prompt answer. I'll try to asnwer to your questions the 
> best I can. Let me know if it would be easier to discuss on 
> #samba-technical and when
> 
> Is the only way to resolve that is to create a VFS module for DCE/DFS?
> I think this is quite some work and will not be easy to test since there 
> might not be many people still using this platform
> 
> John Janosik has pointed me to the parameter "acl check permissions" which 
> could be set to no and according to the doc, Think this would be a viable 
> workaround?
> 
> 
> 
> 
> > What is the module you're loading to map AIX DFS ACLs ?
> Hmmm I'm not quite sure to understand this part. I haven't specified 
> anything, it seems that the module was choosed by itself
> 
> yaberge2 at aix53tst ==> cat log.move |grep modules |awk '{print $4}' |sort 
> -u
> modules/vfs_aixacl.c:aixacl_sys_acl_get_file(41)
> modules/vfs_aixacl.c:aixacl_sys_acl_get_file(42)
> modules/vfs_aixacl.c:aixacl_sys_acl_get_file(71)
> modules/vfs_aixacl_util.c:aixacl_to_smbacl(139)
> modules/vfs_aixacl_util.c:aixacl_to_smbacl(155)
> modules/vfs_aixacl_util.c:aixacl_to_smbacl(183)
> modules/vfs_aixacl_util.c:aixacl_to_smbacl(184)
> modules/vfs_aixacl_util.c:aixacl_to_smbacl(41)
> modules/vfs_aixacl_util.c:aixacl_to_smbacl(42)
> 
> 
> in the config.log, I also have this:
> configure:79281: checking how to build vfs_aixacl
> configure:79309: result: static
> configure:79318: checking how to build vfs_aixacl2
> configure:79350: result: not
> VFS_STATIC=' $(VFS_DEFAULT_OBJ) $(VFS_AIXACL_OBJ)'
> #define static_init_vfs {  vfs_default_init();  vfs_aixacl_init();}
> #define static_decl_vfs  extern NTSTATUS vfs_default_init(void); extern 
> NTSTATUS vfs_aixacl_init(void);

So this is loading the vfs_aixacl.c module by default ?

If this is the case, and the aixacls are reporting
themselves as being POSIX ACLs, then I'm puzzled
as to why this isn't already working.

The vfs_aixacl.c module should just provide POSIX
ACL emulation to the already loaded "default" 
module, which maps a "w" bit on a directory to
the following :

#define UNIX_DIRECTORY_ACCESS_W                 (FILE_GENERIC_WRITE|FILE_DELETE_CHILD)

The question is why isn't this working in your system to allow
file delete/rename ?

I'll need a debug level 10 log of the operation failing,
and we may need to add extra debug statements to track
this down, but we shouldn't need to create a specific
VFS module just for this issue.

Jeremy.

More information about the samba-technical mailing list