[PATCH] Setting posix ACLs from provision

Andrew Bartlett abartlet at samba.org
Fri Aug 10 00:38:22 MDT 2012


On Tue, 2012-08-07 at 15:41 +1000, Andrew Bartlett wrote:
> On Thu, 2012-08-02 at 20:08 +1000, Andrew Bartlett wrote:
> > On Thu, 2012-08-02 at 09:02 +1000, Andrew Bartlett wrote:
> > > 
> > > So, what is set by provision will allow GPOs to work, because from the
> > > client the read access is all correct, and the ACLs match. 
> > > 
> > > However, for writes it only works as administrator, because I
> > > misunderstood the smbd ACL model.  In smbd, the POSIX ACL trumps all
> > > (except in very exceptional circumstances), whereas in the ntvfs file
> > > server, the NT ACL trumps all, overriding an incorrect POSIX ACL. 
> > > 
> > > I know how to call the code to set the POSIX ACL, I just need to sort
> > > out some remaining details and implement it.  It remains one of my
> > > high-priority TODO items. 
> > 
> > I've finally made a start on this, and it shows in part that we need to
> > be quite careful to have good tests for the NT -> POSIX ACL layer (we
> > don't so far).  
> > 
> > I've pushed what I have so far to:
> > https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/posix-acl-provision
> > 
> > This fails, because the POSIX ACL generated is invalid (multiple primary
> > group entries).  I'll need to fix that, and fix up a unit test to prove
> > correct behaviour here. 
> 
> I've updated my branch at posix-acl-provision.  This now sets the posix
> ACL using the VFS layer during provision.  (in turn, this also moves us
> closer to supporting other ACL backends in the AD DC). 
> 
> As this changes the base posix ACL mapping layer, it needs review.  Once
> reviewed it will allow us to properly support group policy modifications
> in smbd after a fresh provision.
> 
> I'll continue to update my branch with any tests I can manage to come up
> with.  Hopefully the motivation is clear:  Multiple things map to gid 0
> in a standard Samba4 provision (and even if we fix that, existing idmap
> databases will have such a mapping). 
> 
> As the POSIX ACL rules are enforced by the posix ID, the comparison
> should be of the posix ID. 

Jeremy,

I've updated the branch with the other patches that you punted on a
couple of months ago.  The NFSv4 patch is required if you want us to
support being an AD DC on ZFS, but is not as critical as the rest.

https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/posix-acl-provision

These are needed so that we can write posix ACLs out during provision
(not included in this branch, as I need to set the right VFS modules and
write my tests to ensure they can be read back). 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
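The two problems the thread turns on, a generated POSIX ACL with more than one primary-group entry, and the need to compare by resolved posix ID rather than by SID, as an added Python illustration that is not Samba code and not from the branch linked above. The SIDs, the idmap (with two different SIDs deliberately resolving to gid 0), the access-mask subset, the file's owner and group and the ACE list are all constructed; the entry layout and the `acl_problems` checks are a simplified model of what the VFS layer and `acl_valid(3)` do, not Samba's actual implementation.

```python
# Added illustration, not Samba's code: map a simplified NT ACL onto POSIX ACL
# entries and show why classifying and merging entries must use the resolved
# POSIX id rather than the SID.  Every SID, id and mask below is constructed.

# Subset of the NT FILE_* access-mask bits, enough to derive r/w/x.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020
FULL = FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE

# Constructed idmap.  Two different SIDs deliberately resolve to gid 0, which
# is the situation the thread describes for a stock provision.
IDMAP = {
    "S-1-5-21-1-2-3-500":  ("uid", 0),     # Administrator
    "S-1-5-21-1-2-3-512":  ("gid", 0),     # Domain Admins
    "S-1-5-32-544":        ("gid", 0),     # BUILTIN\Administrators, also gid 0
    "S-1-5-21-1-2-3-513":  ("gid", 100),   # Domain Users
    "S-1-5-21-1-2-3-1104": ("uid", 1104),  # an ordinary user
}

TAG_ORDER = ["USER_OBJ", "USER", "GROUP_OBJ", "GROUP", "MASK", "OTHER"]


def nt_mask_to_posix(mask):
    """Collapse an NT access mask into POSIX r/w/x bits (4/2/1)."""
    return ((4 if mask & FILE_READ_DATA else 0)
            | (2 if mask & FILE_WRITE_DATA else 0)
            | (1 if mask & FILE_EXECUTE else 0))


def build_posix_acl(owner_sid, group_sid, aces, merge_same_id=True, idmap=IDMAP):
    """Return (tag, qualifier, perms) POSIX ACL entries for a list of allow
    ACEs given as (sid, mask).  An ACE is classified by its *resolved* id: a
    SID resolving to the file's gid becomes GROUP_OBJ even if it is not the
    group SID.  merge_same_id=False keeps such entries separate, which is
    exactly how a second GROUP_OBJ (an invalid ACL) comes about."""
    _, owner_uid = idmap[owner_sid]
    _, group_gid = idmap[group_sid]
    acl = []

    def add(tag, qual, perms):
        if merge_same_id:
            for i, (t, q, p) in enumerate(acl):
                if (t, q) == (tag, qual):
                    acl[i] = (t, q, p | perms)   # same POSIX id: one entry
                    return
        acl.append((tag, qual, perms))

    for sid, mask in aces:
        kind, pid = idmap[sid]
        perms = nt_mask_to_posix(mask)
        if kind == "uid":
            is_obj = pid == owner_uid
            add("USER_OBJ" if is_obj else "USER", None if is_obj else pid, perms)
        else:
            is_obj = pid == group_gid
            add("GROUP_OBJ" if is_obj else "GROUP", None if is_obj else pid, perms)

    # Every POSIX ACL carries the three base entries, and needs a MASK as soon
    # as any named USER/GROUP entry exists (mask = union of the group class).
    present = {t for t, _, _ in acl}
    for base in ("USER_OBJ", "GROUP_OBJ", "OTHER"):
        if base not in present:
            acl.append((base, None, 0))
    if present & {"USER", "GROUP"}:
        mask = 0
        for t, _, p in acl:
            if t in ("GROUP_OBJ", "USER", "GROUP"):
                mask |= p
        acl.append(("MASK", None, mask))
    acl.sort(key=lambda e: (TAG_ORDER.index(e[0]), -1 if e[1] is None else e[1]))
    return acl


def acl_problems(acl):
    """Structural checks in the spirit of acl_valid(3); empty list == valid."""
    problems = []
    tags = [t for t, _, _ in acl]
    for base in ("USER_OBJ", "GROUP_OBJ", "OTHER"):
        if tags.count(base) != 1:
            problems.append("%d %s entries (expected exactly 1)" % (tags.count(base), base))
    named = [(t, q) for t, q, _ in acl if t in ("USER", "GROUP")]
    if len(named) != len(set(named)):
        problems.append("duplicate qualifier among named entries")
    if named and tags.count("MASK") != 1:
        problems.append("named entries present but no single MASK entry")
    return problems


def to_text(acl):
    """Render entries in setfacl(1) style, e.g. 'group:100:r-x'."""
    names = {"USER_OBJ": "user", "USER": "user", "GROUP_OBJ": "group",
             "GROUP": "group", "MASK": "mask", "OTHER": "other"}
    rwx = lambda p: ("r" if p & 4 else "-") + ("w" if p & 2 else "-") + ("x" if p & 1 else "-")
    return ["%s:%s:%s" % (names[t], "" if q is None else q, rwx(p)) for t, q, p in acl]


# Constructed file: owned by Administrator (uid 0), group Domain Admins (gid 0).
OWNER_SID = "S-1-5-21-1-2-3-500"
GROUP_SID = "S-1-5-21-1-2-3-512"
ACES = [
    ("S-1-5-21-1-2-3-500", FULL),                           # Administrator
    ("S-1-5-21-1-2-3-512", FULL),                           # Domain Admins
    ("S-1-5-32-544", FULL),                                 # Administrators, gid 0 too
    ("S-1-5-21-1-2-3-513", FILE_READ_DATA | FILE_EXECUTE),  # Domain Users
    ("S-1-5-21-1-2-3-1104", FILE_WRITE_DATA),               # one user
]

if __name__ == "__main__":
    for merge in (False, True):
        acl = build_posix_acl(OWNER_SID, GROUP_SID, ACES, merge_same_id=merge)
        print("merge_same_id=%s:" % merge, to_text(acl), acl_problems(acl) or "valid")
```

Run as-is, the unmerged pass reports two GROUP_OBJ entries because both Domain Admins and BUILTIN\Administrators resolve to the file's gid, while the merged pass folds them into one `group::rwx` entry; that fold is only possible once the comparison is done on the posix ID the kernel will enforce, since by SID the two ACEs look unrelated.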