Samba + NFS + (not visible) ACLs

Alexander Werth werth at linux.vnet.ibm.com
Wed Feb 13 08:59:10 MST 2013


Hi Albert Fluegel,

Have you considered implementing something like this as a vfs module?
It should be possible to override the vfs function that queries the
security descriptor with a function that returns a security descriptor
granting full access for everyone.
Then the any access check in the smbd/open.c would just pass.

And there should be no need to limit that functionality to a global
option. The loaded modules can also be defined per share.

With kind regards,
Alexander Werth



On Wed, 2013-02-13 at 15:14 +0100, Albert Fluegel wrote:
> Hello,
> 
> recently I posted to the Samba list and did not get any response, so
> please don't be angry that I post the patch here. The details can be
> found in this mail:
> https://lists.samba.org/archive/samba/2013-January/171223.html
> 
> In short: ACLs are set on an NFS-mounted filesystem, that is exported
> via Samba by an NFS client, but the ACLs are not visible for this Samba
> server (NFSv4 ACLs, but the mount is NFSv3) - however they are in effect.
> This constellation causes strange phenomena on the Windows side, because
> Samba is interpreting the permissions, that are not completely visible,
> so the reply to the client cannot be appropriate.
> The attached patch for Samba 4.0.1 introduces a new option
> "native os permissions"
> that actually disables Samba's own checks and pretends sufficient access
> to the client.
> 
> My request is to check the patch and consider inclusion.
> 
> Thank you very much !!!
> 
>  Albert Fluegel
> 
> P.S.: To anticipate questions, that may arise now on your side:
>  q: why don't you make NFS4 mounts?
>  a: NFSv4 mounts are not stable in the current Red Hat Enterprise (6) kernel(s)
>     (over time mounts get randomly inaccessible) and as far as I see, Samba up
>     to 4.0.1 cannot interpret NFSv4 ACLs during its own access control
> 
>  q: are you aware that you are compromising the option to modify the ACLs from
>     the Windows client side and the access permissions are displayed incorrectly
>     on the Windows side?
>  a: yes, but this is of no relevance in our environment. The ACLs are set on
>     the Unix side and should only be in effect. No need to make them visible
>     or editable from Windows
> 
>  q: why such reexporting NFS via Samba (kind of network filesystem proxy)?
>  a: all data is on NetApps. NetApp CIFS export is an option, but Samba offers
>     fantastic flexibility here and performance is fully sufficient :-)



