map system.cifs_acl of cifs client to security.NTACL

Andrew Bartlett abartlet at
Mon Jun 23 19:14:29 MDT 2014

On Mon, 2014-06-23 at 10:24 -0500, Anip Patel wrote:
> Hello,
> My architecture is like this.
> NAS running windows server  export cifs ---> mount on linux via cifs kernel
> client ---> fuse file system -----> samba server export fuse mount ->
> windows
> I am using vfs objects = acl_xattr option to provide full windows like
> permission.
> So on the cifs kernel client when I use *getcifsacl* I get the NTACL from HP NAS.
> The problem is that for *existing* files I want to push the NTACL obtained by getcifsacl to
> the windows client, because for newly created files I can hack into my fuse file
> system and store security.NTACL in user.NTACL and it is working perfectly.
> For existing files my plan is as follows.
> When we use getcifsacl it uses the extended attribute *system.cifs_acl*, and
> samba uses security.NTACL to store the NTACL. I want to hack my fuse file
> system so that when samba calls get_xattr on security.NTACL for existing files, I
> will read system.cifs_acl and return it.
> But this is not working. I think there is a mismatch in format, meaning they
> both are not binary compatible.
> Does anybody have an idea how I can push ACLs from the cifs kernel client to
> the windows client, or how to map these 2 extended attributes?

Ideally what we do instead is have the kernel use the name system.NTACL,
and use/emulate the Samba format.

Specifically, it should support reading (to userspace) version 1 of:

        typedef [switch_type(uint16)] union {
                [case(1)] security_descriptor *sd;
                [case(2)] security_descriptor_hash_v2 *sd_hs2;
                [case(3)] security_descriptor_hash_v3 *sd_hs3;
                [case(4)] security_descriptor_hash_v4 *sd_hs4;
        } xattr_NTACL_Info;

        typedef [public] struct {
                uint16 version;
                [switch_is(version)] xattr_NTACL_Info info;
        } xattr_NTACL;

and for write (from userspace), just use the *sd pointer in the level
2/3/4 structures.

Now, you could do that translation in FUSE in the meantime, but the
kernel should be doing this work, I think.


Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
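
The format mismatch discussed in this thread, as an added example that is not part of the original messages or of Samba's code: a Python check that tells a raw self-relative security descriptor (the form getcifsacl reads from system.cifs_acl) apart from a blob that begins with the xattr_NTACL version/union header. The 8-byte header layout (uint16 version, uint16 union level, uint32 pointer referent, little-endian) is an assumption about how the IDL above is encoded; the function names and sample bytes are constructed.

```python
import struct

SE_SELF_RELATIVE = 0x8000  # Control bit set on wire-format descriptors
SD_HEADER = struct.Struct("<BBHIIII")   # revision, sbz1, control, 4 offsets
NTACL_HEADER = struct.Struct("<HHI")    # assumed: version, union level, referent

def parse_raw_sd_header(blob):
    """Return header fields if blob looks like a self-relative SD, else None."""
    if len(blob) < SD_HEADER.size:
        return None
    revision, _sbz1, control, owner, group, sacl, dacl = SD_HEADER.unpack_from(blob)
    offsets = {"owner": owner, "group": group, "sacl": sacl, "dacl": dacl}
    # Every non-zero offset must point past the header and inside the blob.
    in_range = all(o == 0 or SD_HEADER.size <= o < len(blob) for o in offsets.values())
    if revision != 1 or not control & SE_SELF_RELATIVE or not in_range:
        return None
    return {"control": control, **offsets}

def parse_ntacl_header(blob):
    """Return the version if blob starts with the assumed xattr_NTACL header."""
    if len(blob) < NTACL_HEADER.size:
        return None
    version, level, referent = NTACL_HEADER.unpack_from(blob)
    # The union level repeats the version; a NULL referent means no payload.
    if version != level or not 1 <= version <= 4 or referent == 0:
        return None
    return version

def classify_acl_blob(blob):
    """Name the format so a FUSE getxattr handler never passes the wrong one on."""
    if parse_raw_sd_header(blob) is not None:
        return "raw-sd"
    version = parse_ntacl_header(blob)
    return f"xattr-ntacl-v{version}" if version else "unknown"

# Constructed sample: self-relative SD holding only an owner SID (S-1-5-18).
SID_SYSTEM = bytes([1, 1, 0, 0, 0, 0, 0, 5]) + struct.pack("<I", 18)
RAW_SD = SD_HEADER.pack(1, 0, SE_SELF_RELATIVE, SD_HEADER.size, 0, 0, 0) + SID_SYSTEM
# Constructed samples: version headers followed by placeholder bytes only.
SAMBA_V4 = NTACL_HEADER.pack(4, 4, 0x00020000) + bytes(16)
SAMBA_V1 = NTACL_HEADER.pack(1, 1, 0x00020000) + bytes(16)

if __name__ == "__main__":
    for name, blob in [("RAW_SD", RAW_SD), ("SAMBA_V4", SAMBA_V4), ("SAMBA_V1", SAMBA_V1)]:
        print(name, classify_acl_blob(blob))
```

A handler that gets "raw-sd" where the caller asked for security.NTACL has to re-encode the descriptor rather than return the bytes unchanged.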
