NTVFS to S3FS Migration

Andrew Bartlett abartlet at samba.org
Tue Jun 5 22:41:17 MDT 2012

On Tue, 2012-06-05 at 20:15 -0400, brendan powers wrote:
> Since the release of Alpha21, I've been looking into implementing S3FS
> in existing NTVFS installations. For the most part, it's fairly
> simple. Just added the needed entries to the existing smb.conf file.
> There is one sticky point however, and that is upgrading to the new
> permission format. In the past, NTVFS has simply stored the security
> descriptor in the security.NTACL xattr. Now, with the introduction of
> S3FS this format has changed to the security descriptor, plus a hash
> of the POSIX permissions. As I understand it, if the hash in the xattr
> does not match the actual POSIX permissions, the NT descriptor is
> thrown out, and then re-built using the POSIX permissions as a
> starting point.
> So, at the moment, I'm trying to figure out how to upgrade to S3FS and
> preserve any existing NTVFS permissions. As well as migrating new
> installations, Resara Server (the product I work on that's currently
> using NTVFS) edits the security attributes in security.NTACL directly.
> So I also need a way to edit permissions in S3FS on an ongoing basis.
> As I see it, here are my options.

G'day Brendan,

The 'old' security.NTACL xattr format is honoured in preference to any
other ACL.  We actually need this long-term, as we can't set the posix
ACL during the provision, so the group policy objects are still (even
with s3fs) being written in the NTVFS format.

So, there shouldn't be any short-term migration pain.  

Once we have installed and have a file server up and running, you could
of course walk the filesystem using a python script, and either over SMB
or directly read the NT ACL, and then set it via the VFS, to gain
matching posix permissions. 

I hope this clarifies things.  We really don't want to leave you in the
cold, particularly as you have been such an important early adopter of

Naturally, the above is subject to bugs and unexpected surprises.  If it
doesn't work like that, then we need to make it work like that!  :-)

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
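
The filesystem walk suggested in the reply above can start with an inventory of which files still carry the descriptor-only xattr. This Python script is an added example, not part of the original email or Samba's own code. Assumptions: the blob begins with a little-endian uint16 version repeated as the NDR union discriminant, version 1 holds only the descriptor and versions 2 to 4 add a hash (per Samba's xattr.idl), and the labels and function names are hypothetical.

```python
import errno
import os
import struct
import sys

XATTR = "security.NTACL"
# Assumption (Samba's xattr.idl, not this thread): version 1 holds only the
# security descriptor; versions 2-4 also hold a hash.
FORMATS = {1: "sd-only", 2: "sd+hash", 3: "sd+hash", 4: "sd+hash"}


def classify(blob):
    """Label a raw xattr value: none, sd-only, sd+hash or unknown."""
    if blob is None:
        return "none"
    if len(blob) < 4:
        return "unknown"
    # NDR layout: uint16 version, then the same value as union discriminant.
    version, discriminant = struct.unpack_from("<HH", blob)
    if version != discriminant:
        return "unknown"
    return FORMATS.get(version, "unknown")


def read_ntacl(path):
    """Return the raw xattr bytes, or None when the file has none (Linux, root)."""
    try:
        return os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise  # permission errors must not be counted as "no ACL"


def inventory(root, reader=read_ntacl):
    """Walk root; return (counts per label, paths still in sd-only format)."""
    counts, sd_only = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            kind = classify(reader(path))
            counts[kind] = counts.get(kind, 0) + 1
            if kind == "sd-only":
                sd_only.append(path)
    return counts, sd_only


if __name__ == "__main__":
    counts, todo = inventory(sys.argv[1])
    print(counts)
    for path in todo:
        print(path)
```

The `sd-only` paths are the ones whose NT ACL would then be read and set again via the VFS, as the reply describes.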
