NTVFS to S3FS Migration

Andrew Bartlett abartlet at samba.org
Wed Jun 6 06:59:23 MDT 2012

On Wed, 2012-06-06 at 08:18 -0400, simo wrote:
> On Wed, 2012-06-06 at 14:41 +1000, Andrew Bartlett wrote: 
> > On Tue, 2012-06-05 at 20:15 -0400, brendan powers wrote:
> > > Since the release of Alpha21, I've been looking into implementing S3FS
> > > in existing NTVFS installations. For the most part, it's fairly
> > > simple. Just added the needed entries to the existing smb.conf file.
> > > There is one sticky point however, and that is upgrading to the new
> > > permission format. In the past, NTVFS has simply stored the security
> > > descriptor in the seciry.NTACL xattr. Now, with the introduction of
> > > S3FS this format has changed to the security descriptor, plus a hash
> > > of the POSIX permissions. As I understand it, if the hash in the xattr
> > > does not match the actual POSIX permissions, the NT descriptor is
> > > thrown out, and then re-built from using the POSIX permissions as a
> > > starting point.
> > > 
> > > So, at the moment, I'm trying to figure out how to upgrade to S3FS and
> > > preserve any existing NTVFS permissions. As well as migrating new
> > > installations, Resara  Server (the product I work on that's currently
> > > using NTVFS) edits the security attributes in security.NTACL directly.
> > > So I also need a way to edit permissions in S3FS on an ongoing basis.
> > > As I see it, here are my options.
> > 
> > G'day Brendan,
> > 
> > The 'old' security.NTACL xattr format is honoured in preference to any
> > other ACL.  We actually need this long-term, as we can't set the posix
> > ACL during the provision, so the group policy objects are still (even
> > with s3fs) being written in the NTVFS format.
> Why can't you simply start smbd as part of provision and set ACLs
> through the SMB interface ?

Mostly a matter of time, resources, ordering, process control,
authentication and needing to also start winbindd. 

If we were to go down this road, we could possibly do it via direct
calls to the VFS layer.  Certainly any migration script (running on a
running server with winbindd up) could use that layer.

If you feel it is more accurate, you may regard my statement above as
'we can't currently set the posix ACL during the provision'.  

I hope this clarifies things,

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list