Samba + NFS + (not visible) ACLs
Alexander Werth
werth at linux.vnet.ibm.com
Wed Feb 13 08:59:10 MST 2013
Hi Albert Fluegel,

have you considered implementing something like this as a vfs module?
It should be possible to override the vfs function that queries the
security descriptor with a function that returns a security descriptor
granting full access for everyone.
Then the any access check in the smbd/open.c would just pass.

And there should be no need to limit that functionality to a global
option. The loaded modules can also be defined per share.

With kind regards,
Alexander Werth

On Wed, 2013-02-13 at 15:14 +0100, Albert Fluegel wrote:
> Hello,
>
> recently I posted to the samba list and did not get any response, so
> please don't be angry that I post the patch here. The details can be
> found in this mail:
> https://lists.samba.org/archive/samba/2013-January/171223.html
>
> In short: ACLs are set on an NFS-mounted filesystem that is exported
> via Samba by an NFS client, but the ACLs are not visible for this Samba
> server (NFSv4 ACLs, but the mount is NFSv3) - however they are in effect.
> This constellation causes strange phenomena on the Windows side, because
> Samba is interpreting the permissions that are not completely visible,
> so the reply to the client cannot be appropriate.
> The attached patch for Samba 4.0.1 introduces a new option
> "native os permissions"
> that actually disables Samba's own checks and pretends sufficient access
> to the client.
>
> My request is to check the patch and consider inclusion.
>
> Thank you very much !!!
>
> Albert Fluegel
>
> P.S.: To anticipate questions that may arise now on your side:
> q: why don't you make NFS4 mounts?
> a: NFSv4 mounts are not stable in the current Red Hat Enterprise (6) kernel(s)
> (over time mounts get randomly inaccessible) and as far as I see, Samba up
> to 4.0.1 cannot interpret NFSv4 ACLs during its own access control
>
> q: are you aware that you are compromising the option to modify the ACLs from
> the Windows client side and the access permissions are displayed incorrectly
> on the Windows side?
> a: yes, but this is of no relevance in our environment. The ACLs are set on
> the Unix side and should only be in effect. No need to make them visible
> or editable from Windows
>
> q: why such reexporting NFS via Samba (kind of network filesystem proxy)?
> a: all data is on NetApps. NetApp CIFS export is an option, but Samba offers
> fantastic flexibility here and performance is fully sufficient :-)