[PATCH][WIP] Setting posix ACLs from provision
Andrew Bartlett
abartlet at samba.org
Thu Aug 2 04:08:00 MDT 2012
On Thu, 2012-08-02 at 09:02 +1000, Andrew Bartlett wrote:
> On Wed, 2012-08-01 at 15:49 -0700, Scott Jordahl wrote:
> > I'm a little confused on this whole ACL and s3fs file system issue.
> >
> > > Modifying of group policies by members of the Domain Administrators
> > > group is not possible with the s3fs file server, only with the ntvfs
> > > file server. This is due to the underlying POSIX ACL not being set
> > > at provision time.
> >
> > I have a production site that's running and now using s3fs. I elected to
> > create a whole new, clean domain using beta4 (they had a Win2k3 domain).
> > There's only 15 users/computers, so it wasn't too hard to re-create. The
> > server was previously acting as a file server, running Samba3 and acting
> > as a member server to the older Win2k3 AD domain (The samba server,
> > BTW, is Ubuntu 10.04 LTS x64).
> >
> > To enable GPOs, is there a way to use setfacl to set the necessary ACL
> > default values after the provisioning? If so, what ACLs need to be set?
> > Do you set ACLs on all files/directories in the file shares or just the
> > ones in SYSVOL? It's also a little confusing on how Windows ACLs map to
> > Posix ACLs. What ACL values need to be set? I need to clean up file
> > access as the files/folders still hold old S3 IDMAP entries.
>
> So, what is set by provision will allow GPOs to work, because from the
> client the read access is all correct, and the ACLs match.
>
> However, for writes it only works as administrator, because I
> misunderstood the smbd ACL model. In smbd, the POSIX ACL trumps all
> (except in very exceptional circumstances), whereas in the ntvfs file
> server, the NT ACL trumps all, overriding an incorrect POSIX ACL.
>
> I know how to call the code to set the POSIX ACL, I just need to sort
> out some remaining details and implement it. It remains one of my
> high-priority TODO items.
I've finally made a start on this, and it shows in part that we need to
be quite careful to have good tests for the NT -> POSIX ACL layer (we
don't so far).
I've pushed what I have so far to:
https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/posix-acl-provision
This fails, because the POSIX ACL generated is invalid (multiple primary
group entries). I'll need to fix that, and fix up a unit test to prove
correct behaviour here.
Once this is done, I'll probably add a --gpo-acl and --gpo-sync option
to dbcheck, to have it compare the group policy object ACLs with the AD
ACLs (or force re-syncing them). The former will just fix up
inconsistencies but the latter will be really important as a tool to fix
up existing installations to have a correct POSIX ACL.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
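The mail above ends with a POSIX ACL that the kernel rejected because it carried more than one primary group entry, and with the observation that the NT -> POSIX ACL layer has no good tests yet. The following is an added example, not code from Samba or from Andrew's branch: a small validator for POSIX.1e ACLs in the long text form that getfacl prints and setfacl accepts. It checks the structural rules the filesystem will enforce (exactly one owner, owning-group and other entry, at most one mask, a mask whenever named entries exist, no duplicate named entries), so a generated ACL can be checked in a unit test before any setfacl call. The sample ACLs and the uid/gid values in them are constructed.

```python
"""Structural validator for POSIX.1e ACLs in getfacl/setfacl long form.

Added example, not Samba code. It checks the rules a kernel will enforce
before an ACL is applied with setfacl, so a generated ACL (for instance
one derived from an NT security descriptor) can be rejected in a unit
test instead of failing on the filesystem. All sample ACLs are constructed.
"""
import re
from collections import Counter

# One entry per line: tag[:qualifier]:perms, e.g. "user:alice:rwx" or "group::r-x"
ENTRY_RE = re.compile(r'^(user|group|mask|other)(?::([^:]*))?:([rwx-]{3})$')


def parse_acl(text):
    """Parse ACL text into (tag, qualifier, perms) tuples; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"malformed ACL entry: {raw.strip()!r}")
        tag, qualifier, perms = m.group(1), m.group(2) or '', m.group(3)
        if tag in ('mask', 'other') and qualifier:
            raise ValueError(f"{tag} entry must not name a user or group: {raw.strip()!r}")
        entries.append((tag, qualifier, perms))
    return entries


def acl_errors(entries):
    """Return a list of rule violations; an empty list means the ACL is valid."""
    errors = []
    # Base entries (empty qualifier) must appear exactly once each.
    base = Counter(tag for tag, qual, _ in entries if not qual)
    for tag, name in (('user', 'ACL_USER_OBJ'),
                      ('group', 'ACL_GROUP_OBJ'),
                      ('other', 'ACL_OTHER')):
        found = base.get(tag, 0)
        if found != 1:
            errors.append(f"expected exactly one {name} entry, found {found}")
    if base.get('mask', 0) > 1:
        errors.append(f"expected at most one ACL_MASK entry, found {base['mask']}")
    # Named entries: no duplicates, and a mask is mandatory when any exist.
    named = Counter((tag, qual) for tag, qual, _ in entries if qual)
    for (tag, qual), count in sorted(named.items()):
        if count > 1:
            errors.append(f"duplicate named {tag} entry for {qual!r} ({count} times)")
    if named and base.get('mask', 0) == 0:
        errors.append("named user/group entries present but no ACL_MASK entry")
    return errors


def validate_acl(text):
    """Convenience wrapper: parse then check; returns the error list."""
    return acl_errors(parse_acl(text))


# Constructed sample: a well-formed ACL of the shape a directory ACL might take.
VALID_ACL = """\
user::rwx
user:3000000:rwx      # constructed uid, e.g. a mapped domain account
group::rwx
group:3000001:r-x     # constructed gid
mask::rwx
other::---
"""

# Constructed sample reproducing the failure described in the mail:
# two ACL_GROUP_OBJ ("group::") entries in one ACL.
DUPLICATE_GROUP_OBJ_ACL = """\
user::rwx
group::rwx
group::r-x
group:3000001:r-x
mask::rwx
other::---
"""

if __name__ == '__main__':
    for label, acl in (('valid', VALID_ACL), ('broken', DUPLICATE_GROUP_OBJ_ACL)):
        problems = validate_acl(acl)
        print(label, 'OK' if not problems else problems)
```

Running the module prints "valid OK" and, for the second ACL, the single complaint that ACL_GROUP_OBJ appears twice. In a test for an NT -> POSIX conversion routine, feed the routine's output through validate_acl and assert on an empty list; that catches invalid ACLs without touching a real filesystem.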