map system.cifs_acl of cifs client to security.NTACL
Andrew Bartlett
abartlet at samba.org
Mon Jun 23 19:14:29 MDT 2014
On Mon, 2014-06-23 at 10:24 -0500, Anip Patel wrote:
> Hello,
>
> My architecture is like this.
>
> NAS running windows server export cifs ---> mount on linux via cifs kernel
> client ---> fuse file system -----> samba server export fuse mount ->
> windows
>
> I am using vfs objects = acl_xattr option to provide full windows like
> permission.
>
> So on cifs kernel client when I use *getcifsacl* I get NTACL from HP NAS.
>
> Problem is for *existing* files I want to push the NTACL obtained by getcifsacl to
> windows client, because for newly created files I can hack into my fuse file
> system and store security.NTACL in user.NTACL and it is working perfectly.
>
> For existing file my plan is as follows.
>
> When we use getcifsacl it uses extended attribute *system.cifs_acl*, and
> samba uses security.NTACL to store NTACL. I want to hack my fuse file
> system so when samba calls get_xattr on security.NTACL for existing files, I
> will read system.cifs_acl and return it.
>
> But this is not working. I think there is a mismatch in format, meaning they
> both are not binary compatible.
>
> Does anybody have an idea how I can push ACLs from cifs kernel client to
> windows client, or how to map these 2 extended attributes?

Ideally what we do instead is have the kernel use the name system.NTACL,
and use/emulate the Samba format.

Specifically, it should support reading (to userspace) version 1 of:

	typedef [switch_type(uint16)] union {
		[case(1)] security_descriptor *sd;
		[case(2)] security_descriptor_hash_v2 *sd_hs2;
		[case(3)] security_descriptor_hash_v3 *sd_hs3;
		[case(4)] security_descriptor_hash_v4 *sd_hs4;
	} xattr_NTACL_Info;

	typedef [public] struct {
		uint16 version;
		[switch_is(version)] xattr_NTACL_Info info;
	} xattr_NTACL;

and for write (from userspace), just use the *sd pointer in the level
2/3/4 structures.

Now, you could do that translation in FUSE in the meantime, but the
kernel should be doing this work, I think.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba