[PATCH][WIP] Setting posix ACLs from provision

Andrew Bartlett abartlet at samba.org
Mon Aug 6 23:41:50 MDT 2012


On Thu, 2012-08-02 at 20:08 +1000, Andrew Bartlett wrote:
> On Thu, 2012-08-02 at 09:02 +1000, Andrew Bartlett wrote:
> > 
> > So, what is set by provision will allow GPOs to work, because from the
> > client the read access is all correct, and the ACLs match. 
> > 
> > However, for writes it only works as administrator, because I
> > misunderstood the smbd ACL model.  In smbd, the POSIX ACL trumps all
> > (except in very exceptional circumstances), whereas in the ntvfs file
> > server, the NT ACL trumps all, overriding an incorrect POSIX ACL. 
> > 
> > I know how to call the code to set the POSIX ACL, I just need to sort
> > out some remaining details and implement it.  It remains one of my
> > high-priority TODO items. 
> 
> I've finally made a start on this, and it shows in part that we need to
> be quite careful to have good tests for the NT -> POSIX ACL layer (we
> don't so far).  
> 
> I've pushed what I have so far to:
> https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/posix-acl-provision
> 
> This fails, because the POSIX ACL generated is invalid (multiple primary
> group entries).  I'll need to fix that, and fix up a unit test to prove
> correct behaviour here. 

I've updated my branch at posix-acl-provision.  This now sets the posix
ACL using the VFS layer during provision.  (in turn, this also moves us
closer to supporting other ACL backends in the AD DC). 

As this changes the base posix ACL mapping layer, it needs review.  Once
reviewed it will allow us to properly support group policy modifications
in smbd after a fresh provision.

I'll continue to update my branch with any tests I can manage to come up
with.  Hopefully the motivation is clear:  Multiple things map to gid 0
in a standard Samba4 provision (and even if we fix that, existing idmap
databases will have such a mapping). 

As the POSIX ACL rules are enforced by the posix ID, the comparison
should be of the posix ID. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
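As an added illustration of the last two paragraphs of the mail (this is not code from the posix-acl-provision branch or from Samba itself): it maps a small NT DACL to POSIX.1e entries twice, once keyed by SID and once keyed by the POSIX ID the SID resolves to, and then checks the result for structural validity. The idmap table, the SIDs, the sample ACEs and the reduced access-mask handling (only FILE_READ_DATA, FILE_WRITE_DATA and FILE_EXECUTE are considered) are all constructed for the example; a real mapper handles far more. With two SIDs both resolving to gid 0, the SID-keyed mapping produces the "multiple primary group entries" ACL mentioned above, while the ID-keyed mapping collapses them into one entry with the permissions OR'd together.

```python
"""Constructed illustration: POSIX ACL entries must be keyed by POSIX ID,
not by SID, because distinct SIDs can share an ID. Not Samba's code; the
idmap table, SIDs and reduced access-mask handling are assumptions."""

# POSIX.1e ACL tag types, as plain strings for readability
USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER = (
    "USER_OBJ", "USER", "GROUP_OBJ", "GROUP", "MASK", "OTHER")

# The only NT access-mask bits this simplified mapper understands
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020

# Constructed idmap: two different SIDs both resolve to gid 0
IDMAP = {
    "S-1-5-21-1-2-3-512": ("GID", 0),    # constructed: a domain group -> gid 0
    "S-1-5-32-544":       ("GID", 0),    # constructed: BUILTIN\Administrators -> gid 0
    "S-1-5-21-1-2-3-513": ("GID", 100),  # constructed: another domain group -> gid 100
    "S-1-5-18":           ("UID", 0),    # constructed: SYSTEM -> uid 0
}

# Constructed DACL: the first two allow ACEs are on SIDs that both map to
# gid 0, which is also the file's primary group
SAMPLE_ACES = [
    ("S-1-5-21-1-2-3-512", FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE),
    ("S-1-5-32-544",       FILE_READ_DATA | FILE_EXECUTE),
    ("S-1-5-21-1-2-3-513", FILE_READ_DATA | FILE_EXECUTE),
    ("S-1-5-18",           FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE),
]
OWNER_UID, GROUP_GID = 0, 0


def perms_from_mask(mask):
    """Reduce an NT access mask to rwx bits (r=4, w=2, x=1); simplified."""
    return ((4 if mask & FILE_READ_DATA else 0) |
            (2 if mask & FILE_WRITE_DATA else 0) |
            (1 if mask & FILE_EXECUTE else 0))


def entry_key(sid, owner_uid, group_gid):
    """Resolve a SID through the idmap to a (tag, posix id) key."""
    kind, xid = IDMAP[sid]
    if kind == "UID":
        return (USER_OBJ, None) if xid == owner_uid else (USER, xid)
    return (GROUP_OBJ, None) if xid == group_gid else (GROUP, xid)


def map_by_sid(aces, owner_uid, group_gid):
    """Naive mapping: one POSIX entry per ACE, i.e. compared by SID.
    Two SIDs that both map to the primary gid give two GROUP_OBJ entries."""
    entries = []
    for sid, mask in aces:
        tag, xid = entry_key(sid, owner_uid, group_gid)
        entries.append((tag, xid, perms_from_mask(mask)))
    entries.append((OTHER, None, 0))
    return entries


def map_by_posix_id(aces, owner_uid, group_gid):
    """Mapping keyed by (tag, posix id): the kernel enforces on posix IDs,
    so ACEs whose SIDs collapse to one ID collapse to one entry (perms OR'd)."""
    merged = {}
    for sid, mask in aces:
        key = entry_key(sid, owner_uid, group_gid)
        merged[key] = merged.get(key, 0) | perms_from_mask(mask)
    # POSIX.1e requires these three entries even if no ACE named them
    for required in ((USER_OBJ, None), (GROUP_OBJ, None), (OTHER, None)):
        merged.setdefault(required, 0)
    entries = [(tag, xid, p) for (tag, xid), p in merged.items()]
    # Once a named entry exists a MASK entry is mandatory; it bounds the
    # named-user, named-group and owning-group entries
    if any(tag in (USER, GROUP) for tag, _, _ in entries):
        mask_perms = 0
        for tag, _, p in entries:
            if tag in (USER, GROUP, GROUP_OBJ):
                mask_perms |= p
        entries.append((MASK, None, mask_perms))
    return entries


def validate(entries):
    """Return the structural POSIX.1e violations found in an ACL."""
    problems, seen = [], set()
    for tag, xid, _ in entries:
        if (tag, xid) in seen:
            problems.append("duplicate %s entry for id %r" % (tag, xid))
        seen.add((tag, xid))
    for tag in (USER_OBJ, GROUP_OBJ, OTHER):
        if (tag, None) not in seen:
            problems.append("missing %s entry" % tag)
    if any(t in (USER, GROUP) for t, _, _ in entries) and (MASK, None) not in seen:
        problems.append("missing MASK entry")
    return problems


if __name__ == "__main__":
    for name, fn in (("by SID", map_by_sid), ("by posix id", map_by_posix_id)):
        acl = fn(SAMPLE_ACES, OWNER_UID, GROUP_GID)
        print(name, acl, validate(acl) or "valid")
```

Run stand-alone it prints both ACLs; the SID-keyed one is reported with a duplicate GROUP_OBJ entry (and no MASK), the ID-keyed one as valid with a single gid 0 entry carrying rwx. The same merge-by-ID rule is what a unit test for the NT -> POSIX layer would pin down: feed it two SIDs with one idmap result and assert exactly one entry comes out.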