[PATCH][WIP] Setting posix ACLs from provision

Andrew Bartlett abartlet at samba.org
Thu Aug 2 04:08:00 MDT 2012


On Thu, 2012-08-02 at 09:02 +1000, Andrew Bartlett wrote:
> On Wed, 2012-08-01 at 15:49 -0700, Scott Jordahl wrote:
> > I'm a little confused on this whole ACL and s3fs file system issue.
> > 
> >  >  Modifying of group policies by members of the Domain Administrators
> >  >  group is not possible with the s3fs file server, only with the ntvfs
> >  >  file server.  This is due to the underlying POSIX ACL not being set
> >  >  at provision time.
> > 
> > I have a production site that's running and now using s3fs. I elected to 
> > create a whole new, clean domain using beta4 (they had a Win2k3 domain). 
> > There's only 15 users/computers, so it wasn't too hard to re-create. The 
> > server was previously acting as a file server, running Samba3 and acting 
> > as a member server to the older Win2k3 AD domain (The samba server, 
> > BTW,  is Ubuntu 10.04 LTS x64)..
> > 
> > To enable GPOs, is there a way to use setfacl set the necessary ACL 
> > default values after the provisioning? If so, what ACLs need to be set? 
> > Do you set ACLs on all files/directories in the file shares or just the 
> > ones in SYSVOL? It's also a little confusing on how Windows ACLs map to 
> > Posix ACLs. What ACL values need to be set? I need to clean up file 
> > access as the files/folders still hold old S3 IDMAP entries.
> 
> So, what is set by provision will allow GPOs to work, because from the
> client the read access is all correct, and the ACLs match. 
> 
> However, for writes it only works as administrator, because I
> misunderstood the smbd ACL model.  In smbd, the POSIX ACL trumps all
> (except in very exceptional circumstances), where as in the ntvfs file
> server, the NT ACL trumps all, overriding an incorrect POSIX ACL. 
> 
> I know how to call the code to set the POSIX ACL, I just need to sort
> out some remaining details and implement it.  It remains one of my
> high-priority TODO items. 

I've finally made a start on this, and it shows in part that we need to
be quite careful to have good tests for the NT -> POSIX ACL layer (we
don't so far).  

I've pushed what I have so far to:
https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/posix-acl-provision

This fails, because the POSIX ACL generated is invalid (multiple primary
group entries).  I'll need to fix that, and fix up a unit test to prove
correct behaviour here. 

Once this is done, I'll probably add a --gpo-acl and --gpo-sync option
to dbcheck, to have it compare the group policy object ACLs with the AD
ACLs (or force re-syncing them).  The former will just fix up
inconsistancies but the latter will be really important as a tool to fix
up existing installations to have a correct POSIX ACL.

Andrew Bartlett

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



More information about the samba-technical mailing list