NTVFS to S3FS Migration

brendan powers brendan0powers at gmail.com
Thu Jun 7 09:22:45 MDT 2012


On Wed, Jun 6, 2012 at 10:23 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2012-06-06 at 12:45 -0400, brendan powers wrote:
>
>>
>> Thanks for your response, that sounds encouraging. After getting my
>> software to parse the new v3 xattr format, I was able to read and
>> write ACLs. Currently, I'm reading the v3, and writing back v1. This
>> part seems to work quite well. I can write new ACLs, and windows
>> clients see them as they did before. However, they don't seem to be
>> completely honored. These are the 2 cases in which I had problems.
>>
>> 1) Add a deny ACL for administrator on the sysvol share. The ACL
>> denied "Full Control" for the administrator user. In practice, you'd
>> never do this, but I was just testing. The end result was that the
>> administrator could still use the sysvol share as usual. If I were to
>> do the same thing with a normal user, it works as expected, and the
>> user is denied access.
>>
>> 2) Create a new share. Then create a folder owned by root. Then, add 2
>> ACLs. The first one allowing domain admins full control. The second
>> one allowing domain users modify access. This ACL is written in V1
>> format to the xattr of the share folder. If a user then logs in, and
>> tries to connect to the share, they get an access denied. This is
>> because the POSIX ACLs have not been updated. If I then go in as an
>> admin on a windows computer, and add an ACL for an unrelated user (say
>> read access for guest), it resolves the issue. Since I changed the
>> permissions through SMB, the POSIX attributes for the ACL are
>> correctly updated, and the original user can now access the share.
>>
>> It seems that I do need to ensure proper POSIX permissions for normal
>> operation. You mentioned two options. Either do it through SMB, or
>> through the VFS layer. Doing it through SMB sounds like the simplest
>> option. However, the SMB client library I am familiar with
>> (libsmbclient), does not allow you to set the security descriptor
>> directly. Instead you use the smbc_*xattr functions. Is there another
>> client library I should use?
>
> The python cifs client lib can set ACLs (we use it for GPO management).
>
>> Using the VFS layer directly sounds like the more flexible, and
>> faster, option. However, I have no idea how to go about doing this. Is
>> it just a matter of making the right API calls on a shared library?
>
> Sort of.  The VFS isn't intended to be called directly, but it can be
> made to work (like vfstest does).
>
>> Sorry, forgot to reply to the list for the last message.
>
> In any case, I think this is a bug in acl_xattr.  My understanding was
> that we should have overridden the conflicting posix permissions in this
> case.   Please file a bug.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>

Ok, I have filed a bug (#8987). I also filed a bug for the "The
parameter is incorrect" issue (#8986).

While I agree that this is an issue with acl_xattr, and all I really
need is the V1 xattrs to be honored, it would be nice to also make
sure the POSIX ACLs are up to date.

On a side note, what does the hash in the V2, and V3 xattrs do? I
imagine it lets Samba know when the POSIX and NT permissions do not
match. What does Samba do when the hash doesn't match the underlying
ACL?