Handle IDMAP_BOTH in posix_acls.c

Andrew Bartlett abartlet at samba.org
Thu May 3 20:17:22 MDT 2012

On Thu, 2012-05-03 at 10:25 +0200, Michael Adam wrote:
> Hi Andrew,
> thanks for sharing your patch for review. Still looking.

> Yes, the NFSv4 mapping code is uses by e.g. the vfs modules
> vfs_gpfs, vfs_zfsacl and vfs_aixacl2. These are different
> backend implementations for the set/get_nt_acl methods
> of the vfs api (different from the default posix_acl one).

There is also a distinct onfs_acl backend too.  

I've looked at this, and I have three concerns:
 - How is this code tested
 - What is the purpose of the sidmap?
 - What is the purpose of the lookup_sid() call?

On the last point, it seems we have a potentially quite inefficient
lookup_sid call in nfs4_acls.c:smbacl4_fill_ace4().  This is called for
every ACE on every ACL set.  

I'm hoping this was just added out of paranoia, but it seems to be tied
in to the sidmap.  In any case the posix ACL code doesn't do this, and
it would work best if we remove it to support IDMAP_BOTH (but, due to
doing this lookup, it also means that idmap both will simply be ignored
for nfs4 in the interim). 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list