Make ACL headers required by default for Samba 4.0

Matthieu Patou mat at samba.org
Mon May 14 00:09:57 MDT 2012


On 05/13/2012 04:16 PM, Andrew Bartlett wrote:
> On Sun, 2012-05-13 at 10:33 -0700, Matthieu Patou wrote:
>> On 05/12/2012 11:47 PM, Volker Lendecke wrote:
>>> On Sun, May 13, 2012 at 04:11:12PM +1000, Andrew Bartlett wrote:
>>>> A number of folks over time have hit the issue that Samba's POSIX ACL
>>>> support is optional - we work fine for most things without it, but
>>>> because of this you only notice it being missing much later, when you
>>>> start to really need it.
>>>>
>>>> To catch this issue for potential deployments of the Samba 4.0 AD DC, I
>>>> have a trap in the provision stage that checks for ACL support on the
>>>> current file system, but it seems to me that this point is too late in
>>>> the process.
>>>>
>>>> I propose that by default, we should require some form of system ACL
>>>> header to build Samba.  Then, if a user is on a system without ACL
>>>> headers or is unwilling to install them, they can specify the
>>>> --without-acl-support that would be hinted at in the error.
>>>>
>>>> This will also aid distributors, who would find at build stage (without
>>>> needing to specify options) if ACL support somehow wasn't going to be
>>>> compiled in.
>>>>
>>>> What do folks think?
>>> This is fine for the real AD domain controller build. For
>>> the pure fileserver that also is supposed to build without
>>> Kerberos necessarily this is not okay I think.
>> So what about having --with-acl-support by default if --with-kerberos
>> was specified or if we found kerberos support ?
>> This would mean that if kerberos is not found or if --without-kerberos
>> is specified then the default would be --without-acl-support.
>> This of course would be in waf because I don't think it would be very
>> easy to set in autoconf.
> Matthieu,
>
> I really don't think we should tie these two concepts together.
>
> But I do think that for ACLs and xattr support (which it requires), and
> any other major system libraries for which we have degraded operation
> (iconv?) we should require the user to manually opt out.
Well, that was a proposal that could also please Volker by not being
annoying for non-kerberos, fileserver-only setups.

Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org


