What ACL options would be best for s3fs?

Andrew Bartlett abartlet at samba.org
Mon Mar 12 18:23:33 MDT 2012


On Tue, 2012-03-13 at 01:08 +0100, Stefan (metze) Metzmacher wrote:
> On 13.03.2012 00:54, Jeremy Allison wrote:
> > On Tue, Mar 13, 2012 at 10:50:06AM +1100, Andrew Bartlett wrote:
> >> I'm not particularly familiar with all the various ACL options available
> >> in smbd, so I figured it was better to ask rather than guess:
> >>
> >> What options should we use for ACLs on an AD DC, where we must have
> >> perfect AD ACL semantics?
> > 
> > You need either acl_xattr or acl_tdb, depending on whether
> > you need to store into a system xattr or a tdb.
> 
> Please note that smbd doesn't handle WBC_ID_TYPE_BOTH yet,
> it will always handle groups as uids.
> 
> This happens because we have sid2uid and sid2gid functions
> at different layers and they get called in that order.
> 
> We need to change that to do one sid2xid that returns the type.
> And fix a few other related bugs.

If you can get me as much detail on this as possible, I'll try and fix
this up. 

> >> Are there any known issues with these modules and the Samba4 ACL setting,
> >> particularly as done in provision? (I recall something about different
> >> xattr names, so wanted to check).
> > 
> > Does provision write ACLs into the filesystem ? If it does
> > can you point me at that code ?
> 
> smbd is able to read the system.NTACL attribute from the s4 provision.
> But samba4 can't read the smbd format.

OK.  Anything I should watch out for in particular when fixing this up?

> Also the s4 provision doesn't set the low level posix acl.

OK.  Can we cope with this (i.e., always go into the override path), or do
we need access to the ACL conversion logic in the provision?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


