[PATCH] Re: s3fs and group policy acls

[Andrew Bartlett]

On Wed, 2012-08-22 at 13:37 +1000, Andrew Bartlett wrote:
> On Mon, 2012-08-13 at 10:36 +0200, Gémes Géza wrote:
> > Hi Ricky,
> > > Geza, make sure you have the right mount options in fstab and also the 
> > > right headers for ACL's I had a similar problem initially, but once I 
> > > got those fixed up, all went well. See the samba4 howto wiki for more 
> > > info on this.
> > >
> > > Good luck,
> > > Ricky
> > >
> > Thanks for the answer, but I'm afraid that doesn't help me (I'we chose 
> > xfs as the file system for the partition holding /usr/local/samba 
> > especially to avoid acl related problems on sysvol) and I'm able to set 
> > some ACLs from windows, but if I try to make some policies applicable to 
> > Domain Admins as well it complains about inability to set access rights 
> > (a device connected doesn't work) on the folder containing the policy 
> > ({...}).
> > 
> > BTW. my attempt to use ntvfs wasn't successful either, it seems that it 
> > doesn't understand at all the acls set by s3fs.
> 
> That is correct.
> 
> An implementation of provision with (I hope) correct setting of group
> policy acls is in my posix-acl-provision-wip branch.
> 
> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/posix-acl-provision-wip
> 
> Please test it out (requires a fresh provision run) and let me know if
> you can now modify ACLs as non-administrator, using s3fs. 
> 
> I'll write a tool to fix existing installations shortly. 

With that branch, you can now call:
samba-tool ntacl sysvolreset 

To fix your sysvol ACLs.  I still plan on having a generic conversion
utility if there is demand (for file shares on the ntvfs server), but in
the meantime you can do a backup/restore from a windows client using an
ACL-preserving tool. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org