map system.cifs_acl of cifs client to security.NTACL

Anip Patel anip.ddu at gmail.com
Tue Jun 24 08:14:41 MDT 2014


Below are the two sample ACLs.

system.cifs_acl=

*security.NTACL=0x030003000000020004000200010084b5dd29881e7a3314bbc97df5bcc16c30f214f7c19949b34239feda5bbccbdb00000000000000000000000000000000000000000000000000000000000000000000*

Here also, *84b5dd29881e7a3314bbc97df5bcc16c30f214f7c19949b34239feda5bbccbdb*
changes in every NTACL if the owner is different.

The highlighted part is the one which is not part of system.cifs_acl.

I have system.cifs_acl available via the cifs kernel mount. I want to generate
security.NTACL from that. I have a fuse-based file system over the cifs kernel
client, and the samba server talks to the fuse file system mount, so I can add code to
generate it in the fuse file system. Can anybody suggest the code to
generate it?

Can I put all zeros there, as I need only the NTACL, not the system ACL?




On Mon, Jun 23, 2014 at 8:14 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2014-06-23 at 10:24 -0500, Anip Patel wrote:
> > Hello,
> >
> > My architecture is like this.
> >
> > NAS running windows server exports cifs ---> mount on linux via cifs
> > kernel client ---> fuse file system -----> samba server export fuse mount ->
> > windows
> >
> > I am using the vfs objects = acl_xattr option to provide full windows-like
> > permissions.
> >
> > So on the cifs kernel client, when I use *getcifsacl* I get the NTACL from the HP NAS.
> >
> > The problem is that for *existing* files I want to push the NTACL obtained by getcifsacl to
> > the windows client, because for newly created files I can hack into my fuse file
> > system and store security.NTACL in user.NTACL, and it is working
> > perfectly.
> >
> > For existing file my plan is as follows.
> >
> > When we use getcifsacl it uses the extended attribute *system.cifs_acl*, and
> > samba uses security.NTACL to store the NTACL. I want to hack my fuse file
> > system so that when samba calls get_xattr on security.NTACL for existing
> > files, I will read system.cifs_acl and return it.
> >
> > But this is not working. I think there is a mismatch in format, meaning they
> > are not binary compatible.
> >
> > Does anybody have an idea how I can push ACLs from the cifs kernel client to the
> > windows client, or how to map these 2 extended attributes?
>
> Ideally what we do instead is have the kernel use the name system.NTACL,
> and use/emulate the Samba format.
>
> Specifically, it should support reading (to userspace) version 1 of:
>
>        typedef [switch_type(uint16)] union {
>                 [case(1)] security_descriptor *sd;
>                 [case(2)] security_descriptor_hash_v2 *sd_hs2;
>                 [case(3)] security_descriptor_hash_v3 *sd_hs3;
>                 [case(4)] security_descriptor_hash_v4 *sd_hs4;
>         } xattr_NTACL_Info;
>
>         typedef [public] struct {
>                 uint16 version;
>                 [switch_is(version)] xattr_NTACL_Info info;
>         } xattr_NTACL;
>
> and for write (from userspace), just use the *sd pointer in the level
> 2/3/4 structures.
>
> Now, you could do that translation in FUSE in the meantime, but the
> kernel should be doing this work, I think.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
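As an added example (not code from this thread or from Samba), here is a decoder for the NDR header of the security.NTACL value quoted above: it reads the xattr_NTACL version and union level that Andrew's IDL describes and, for the version 3 blob on this page, extracts the hash_type and the SHA-256 that acl_xattr keeps so it can notice when the stored NT ACL no longer matches the underlying ACL. The field layout and the XATTR_SD_HASH_TYPE_SHA256 value are my reading of Samba's xattr.idl, and the sample below is the header only, because the security_descriptor that follows it was cut from the quoted value.

```python
import struct

# The security.NTACL header quoted in the message, split into its NDR fields
# (constructed from the page's hex; the security_descriptor that follows it
# was cut from the quoted value, so this sample is the header only).
NTACL_V3_HEADER_HEX = (
    "0300"      # xattr_NTACL.version = 3 (uint16 LE)
    "0300"      # union switch (uint16) = 3 -> security_descriptor_hash_v3
    "00000200"  # NDR ref-pointer id 0x00020000 for sd_hs3
    "04000200"  # NDR ref-pointer id 0x00020004 for sd_hs3->sd
    "0100"      # hash_type = 1 (XATTR_SD_HASH_TYPE_SHA256)
    "84b5dd29881e7a3314bbc97df5bcc16c30f214f7c19949b34239feda5bbccbdb"
    + "00" * 32  # hash[64] is zero-padded after the 32-byte SHA-256
)

HASH_TYPE_NAMES = {0: "NONE", 1: "SHA256"}


def parse_ntacl(blob: bytes) -> dict:
    """Decode the fixed NDR scalars of a Samba xattr_NTACL blob (levels 1, 3).

    Reports the version, whether a security_descriptor pointer is present, the
    v3 hash fields, and the offset of the deferred security_descriptor."""
    if len(blob) < 8:
        raise ValueError("blob too short for an xattr_NTACL header")
    version, level = struct.unpack_from("<HH", blob, 0)
    if version != level:
        raise ValueError(f"version {version} != union switch {level}")
    info = {"version": version}
    if level == 1:
        # [case(1)] security_descriptor *sd: one ref pointer, then the SD.
        (ref_sd,) = struct.unpack_from("<I", blob, 4)
        info.update(sd_present=ref_sd != 0, sd_offset=8)
    elif level == 3:
        # sd_hs3 ref pointer, then the v3 struct: sd ref, hash_type, hash[64].
        if len(blob) < 78:
            raise ValueError("truncated security_descriptor_hash_v3")
        ref_hs3, ref_sd, hash_type = struct.unpack_from("<IIH", blob, 4)
        digest = blob[14:78]
        info.update(
            sd_present=ref_hs3 != 0 and ref_sd != 0,
            hash_type=HASH_TYPE_NAMES.get(hash_type, hash_type),
            hash_hex=digest[:32].hex(),  # SHA-256 fills 32 of the 64 bytes
            hash_padding_ok=digest[32:] == bytes(32),
            sd_offset=80,  # 78 header bytes, NDR-aligned up to 4
        )
    else:
        info.update(sd_present=None, unsupported=True, sd_offset=None)
    off = info["sd_offset"]
    info["sd_in_blob"] = off is not None and len(blob) > off
    return info
```

Run on the quoted header, `sd_in_blob` comes back False, which is exactly the truncation the quoted value shows: the hash field ends at byte 78 and the security_descriptor would only start at byte 80.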

