Make ACL headers required by default for Samba 4.0

Andrew Bartlett abartlet at
Sun May 13 17:16:26 MDT 2012

On Sun, 2012-05-13 at 10:33 -0700, Matthieu Patou wrote:
> On 05/12/2012 11:47 PM, Volker Lendecke wrote:
> > On Sun, May 13, 2012 at 04:11:12PM +1000, Andrew Bartlett wrote:
> >> A number of folks over time have hit the issue that Samba's POSIX ACL
> >> support is optional - we work fine for most things without it, but
> >> because of this you only notice it being missing much later, when you
> >> start to really need it.
> >>
> >> To catch this issue for potential deployments of the Samba 4.0 AD DC, I
> >> have a trap in the provision stage that checks for ACL support on the
> >> current file system, but it seems to me that this point is too late in
> >> the process.
> >>
> >> I propose that by default, we should require some form of system ACL
> >> header to build Samba.  Then, if a user is on a system without ACL
> >> headers or is unwilling to install them, they can specify the
> >> --without-acl-support that would be hinted at in the error.
> >>
> >> This will also aid distributors, who would find at build stage (without
> >> needing to specify options) if ACL support somehow wasn't going to be
> >> compiled in.
> >>
> >> What do folks think?
> > This is fine for the real AD domain controller build. For
> > the pure fileserver that also is supposed to build without
> > Kerberos necessarily this is not okay I think.
> So what about having --with-acl-support by default if --with-kerberos 
> was specified or if we found kerberos support ?
> This would mean that if kerberos is not found or if --without-kerberos 
> is specified then the default would be --without-acl-support.
> This of course would be in waf because I don't think it would be very 
> easy to set in autoconf.


I really don't think we should tie these two concepts together. 

But I do think that for ACLs and xattr support (which it requires), and
any other major system libraries for which we have degraded operation
(iconv?) we should require the user to manually opt out. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list