Samba + NFS + (not visible) ACLs

Albert Fluegel af at muc.de
Wed Feb 13 07:14:59 MST 2013


Hello,

recently I posted to the Samba list and did not get any response, so
please don't be angry that I post the patch here. The details can be
found in this mail:
https://lists.samba.org/archive/samba/2013-January/171223.html

In short: ACLs are set on an NFS-mounted filesystem that is exported
via Samba by an NFS client, but the ACLs are not visible to this Samba
server (NFSv4 ACLs, but the mount is NFSv3) - however, they are in effect.
This constellation causes strange phenomena on the Windows side, because
Samba is interpreting the permissions, which are not completely visible,
so the reply to the client cannot be appropriate.
The attached patch for Samba 4.0.1 introduces a new option
"native os permissions"
that actually disables Samba's own checks and pretends sufficient access
to the client.

My request is to check the patch and consider inclusion.

Thank you very much !!!

 Albert Fluegel

P.S.: To anticipate questions that may arise now on your side:
 q: Why don't you make NFSv4 mounts?
 a: NFSv4 mounts are not stable in the current Red Hat Enterprise (6) kernel(s)
    (over time mounts get randomly inaccessible) and, as far as I see, Samba up
    to 4.0.1 cannot interpret NFSv4 ACLs during its own access control.

 q: Are you aware that you are compromising the option to modify the ACLs from
    the Windows client side, and that the access permissions are displayed
    incorrectly on the Windows side?
 a: Yes, but this is of no relevance in our environment. The ACLs are set on
    the Unix side and should only be in effect. No need to make them visible
    or editable from Windows.

 q: Why such re-exporting of NFS via Samba (kind of network filesystem proxy)?
 a: All data is on NetApps. NetApp CIFS export is an option, but Samba offers
    fantastic flexibility here and performance is fully sufficient :-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-4.0.1.native_access.patch
Type: text/x-diff
Size: 3820 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130213/db996753/attachment.patch>
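
Added example, not part of the original post or of the attached patch: a small C diagnostic for the mismatch described in the message, comparing what the mode bits returned by stat() predict with what access(2) reports (on an NFSv3 mount the client asks the server, which applies the hidden ACL). The function names mode_allows and visible_vs_effective are hypothetical, and the program only inspects permissions.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Owner/group/other evaluation using only what stat() exposes, i.e. the
 * view a server has when the NFSv4 ACL is hidden behind an NFSv3 mount.
 * want is a mask: 4 = read, 2 = write. */
static int mode_allows(mode_t mode, uid_t fuid, gid_t fgid,
                       uid_t uid, const gid_t *gids, int ngids, int want)
{
    int shift = 0;                          /* "other" class by default */
    if (uid == 0)
        return 1;                           /* local root bypasses r/w bits */
    if (uid == fuid) {
        shift = 6;                          /* owner class */
    } else {
        for (int i = 0; i < ngids; i++)
            if (gids[i] == fgid) { shift = 3; break; }   /* group class */
    }
    return (((mode >> shift) & 7) & want) == want;
}

/* 1 = visible bits and access(2) disagree, 0 = agree, -1 = error.
 * access(2) checks the real uid/gid, so the prediction uses them too. */
static int visible_vs_effective(const char *path, int want)
{
    struct stat st;
    gid_t gids[256];
    int n, amode = 0;

    if (stat(path, &st) != 0 || (n = getgroups(255, gids)) < 0)
        return -1;
    gids[n++] = getgid();
    if (want & 4) amode |= R_OK;
    if (want & 2) amode |= W_OK;
    int predicted = mode_allows(st.st_mode, st.st_uid, st.st_gid,
                                getuid(), gids, n, want);
    int effective = (access(path, amode) == 0);
    return predicted != effective;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)          /* paths below the NFS mount */
        printf("%s: read %d write %d (1 = bits and kernel disagree)\n",
               argv[i], visible_vs_effective(argv[i], 4),
               visible_vs_effective(argv[i], 2));
    return 0;
}
```

Run it as the unprivileged user whose access is in question; as root the prediction is always "allowed", which does not hold on an export that squashes root.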