NTVFS to S3FS Migration

brendan powers brendan0powers at gmail.com
Thu Jun 7 09:22:45 MDT 2012

On Wed, Jun 6, 2012 at 10:23 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2012-06-06 at 12:45 -0400, brendan powers wrote:
>> Thanks for your response, that sounds encouraging. After getting my
>> software to parse the new v3 xattr format, I was able to read and
>> write ACLs. Currently, I'm reading the v3, and writing back v1. This
>> part seems to work quite well. I can write new ACLs, and windows
>> clients see them as they did before. However, they don't seem to be
>> completely honored. These are the 2 cases in which I had problems.
>> 1) Add a deny ACL for administrator on the sysvol share. The ACL
>> denied "Full Control" for the administrator user. In practice, you'd
>> never do this, but I was just testing. The end result was that the
>> administrator could still use the sysvol share as usual. If I were to
>> do the same thing with a normal user, it works as expected, and the
>> users is denied access.
>> 2) Create a new share. Then create a folder owned by root. Then, add 2
>> ACLs. The first one allowing domain admins full control. The second
>> one allowing domain users modify access. This ACL is written in V1
>> format to the xattr of the share folder. If a user then logs in, and
>> tries to connect to the share, they get an access denied. This is
>> because the POSIX ACLs have not been updated. If I then go in as an
>> admin on a windows computer, and add an ACL for an unrelated user(say
>> read access for guest), it resolves the issue. Since I changed the
>> permissions through SMB, the POSIX attributes for the ACL are
>> correctly updated, and the original user can now access the share.
>> It seems that I do need to ensure proper POSIX permissions for normal
>> operation. You mentioned two options. Either do it through SMB, or
>> through the VFS layer. Doing it through SMB sounds like the simplest
>> option. However, the SMB client library I am familiar with
>> (libsmbclient), does not allow you to set the security descriptor
>> directly. Instead you use the smbc_*xattr functions. Is there another
>> client library I should use?
> The python cifs client lib can set ACLs (we use it for GPO management).
>> Using the VFS layer directly sounds like the more flexible, and
>> faster, option. However, I have no idea how to go about doing this. Is
>> it just a matter of making the right API calls on a shared library?
> Sort of.  The VFS isn't intended to be called directly, but it can be
> made to work (like vfstest does).
>> Sorry, forgot to reply to the list for the last message.
> In any case, I think this is a bug in acl_xattr.  My understanding was
> that we should have overridden the conflicting posix permissions in this
> case.   Please file a bug.
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

Ok, I have filed a bug (#8987). I also filed a bug for the "The
parameter is incorrect" issue (#8986).

While I agree that this is an issue with acl_xattr, and all I really
need is the V1 xattrs to be honored, it would be nice to also make
sure the POSIX ACLs are up to date.

On a side note, what does the hash in the V2, and V3 xattrs do? I
imagine it let's Samba know when the POSIX and NT permissions do not
match. What does Samba do when the hash doesn't match the underlying

More information about the samba-technical mailing list