What ACL options would be best for s3fs?

Andrew Bartlett abartlet at samba.org
Mon Mar 12 18:21:46 MDT 2012


On Mon, 2012-03-12 at 16:54 -0700, Jeremy Allison wrote:
> On Tue, Mar 13, 2012 at 10:50:06AM +1100, Andrew Bartlett wrote:
> > I'm not particularly familiar with all the various ACL options available
> > in smbd, so I figured it was better to ask rather than guess:
> > 
> > What options should we use for ACLs on an AD DC, where we must have
> > perfect AD ACL semantics?
> 
> You need either acl_xattr or acl_tdb, depending on whether
> you need to store into a system xattr or a tdb.

OK.

> > Are there any known issues with these modules and the Samba4 ACL setting,
> > particularly as done in provision? (I recall something about different
> > xattr names, so wanted to check).
> 
> Does provision write ACLs into the filesystem? If it does
> can you point me at that code?

source4/scripting/python/samba/provision/__init__.py

We write the ACL directly to disk (using the NT ACL in the xattr or
tdb).  I would like to keep the same method, but if we cannot, one
alternative could be to wrap the vfs modules in python modules, in a way
similar to vfstest (but it would be a lot of work). 

> > What options are available for hosts that do not support extended
> > attributes?  Samba4 sets an option to store everything into a TDB in
> > this case, and this is used a lot in make test.  What option should I
> > set for smbd, other than:
> 
> If there are no xattrs you can either use acl_tdb
> directly, or stack vfs_acl_xattr on top of xattr_tdb.

Do either of these use the same tdb format as Samba4?

> > vfs objects = $vfs_modulesdir_abs/xattr_tdb.so
> > $vfs_modulesdir_abs/streams_depot.so
> > 
> > Eventually I want to make these hard-coded defaults, so I would like to
> > get them right.
> 
> Hope this helps!

Thanks.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


