Provisioning an ADDC with vfs_nfs4acl_xattr

Ralph Boehme slow at
Mon Feb 22 12:23:46 UTC 2021

Am 2/20/21 um 9:44 PM schrieb Thomas via samba-technical:
> The ACL retrieved from the filesystem is compared against the above ACL and if it doesn't match an exception is thrown by the sysvolcheck.
> The first issue is related to the fact that the first and fourth ACE in the above ACL are identical.
> The nfs4acl_xattr vfs module does merge these ACEs into one ACE in its code path (smbacl4_MergeIgnoreReject() in nfs4_acls.c) when setting the ACL and would also remove a duplicate ACE when reading the ACL (check_for_duplicate_sec_ace() in nfs4_acls.c). Therefore the ACL returned for a directory in the sysvol Policy branch by vfs_nfs4acl_xattr has one ACE less than the target ACL. It looks like the acl_xattr vfs module is not doing this.

I guess nfs4:acedup = dontcare should fix this.

> For files in the sysvol Policy branch there are additional issues. The nfs4acl_xattr vfs module removes all inheritance flags from the ACL on a file (nfs4_acl_add_sec_ace() in nfs4_acls.c).

I guess this could be bug 14631.


> It also removes the Creator/Owner ACE from the file ACL in the same function. Code comment: /* A non inheriting creator owner entry has no effect. */
> In the context of the sysvol Policy folders and files I now have the following questions.
> Is my understanding correct that for directories the following ACL is equivalent to the above ACL?
> (A;OICI;0x001f01ff;;;DA)
> (A;OICI;0x001f01ff;;;EA)
> (A;OICIIO;0x001f01ff;;;CO)
> (A;OICI;0x001f01ff;;;SY)
> (A;OICI;0x001200a9;;;AU)
> (A;OICI;0x001200a9;;;ED)
> And for files the following ACL is equivalent?
> (A;;0x001f01ff;;;DA)
> (A;;0x001f01ff;;;EA)
> (A;;0x001f01ff;;;SY)
> (A;;0x001200a9;;;AU)
> (A;;0x001200a9;;;ED)
> After changing the samba-tool code to expect the above ACLs for Policy folders and files the sysvolcheck does complete without errors.
> What tests can I run to check if this vfs_nfs4acl_xattr based ADDC installation is sane and working properly?

Maybe it's easier to use vfs_acl_xattr instead and just patch it to use 
a different xattr name.


Ralph Boehme, Samba Team      
Samba Developer, SerNet GmbH
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
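The reshaping Thomas describes above (an identical ACE merged away, and on files the inheritance flags stripped and the then non-inheriting CREATOR OWNER entry dropped) is easy to get wrong by hand, so here it is modelled in Python as an added example. This is not Samba's nfs4_acls.c or samba-tool code, and the function names are mine. The sample target ACL is a constructed string with the DA ACE duplicated as first and fourth entry to match the situation in the thread; it is an assumption, not a string copied out of samba-tool. Only hex access masks and non-object ACEs are handled.

```python
"""Model of how vfs_nfs4acl_xattr reshapes a sysvol ACL (added example)."""
import re
from dataclasses import dataclass

# Constructed input (assumption): a sysvol Policies-style ACL whose first and
# fourth ACE are identical (both DA), as described in the thread.
SAMPLE_TARGET_ACL = (
    "(A;OICI;0x001f01ff;;;DA)"
    "(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)"
    "(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001200a9;;;ED)"
)

# Two-letter SDDL ACE flag tokens; the first four are inheritance flags.
INHERIT_FLAGS = ("OI", "CI", "IO", "NP")
KNOWN_FLAGS = INHERIT_FLAGS + ("ID", "SA", "FA")
CREATOR_OWNER = "CO"


@dataclass(frozen=True)
class Ace:
    ace_type: str  # "A" (allow) or "D" (deny)
    flags: tuple   # ordered flag tokens, e.g. ("OI", "CI", "IO")
    mask: int      # access mask
    sid: str       # SID or SDDL alias such as "DA"

    def key(self):
        """Identity used for duplicate detection; flag order is irrelevant."""
        return (self.ace_type, frozenset(self.flags), self.mask, self.sid)

    def to_sddl(self):
        return "(%s;%s;0x%08x;;;%s)" % (
            self.ace_type, "".join(self.flags), self.mask, self.sid)


def parse_aces(sddl):
    """Parse the ACE list of an SDDL string (hex masks only, no object ACEs)."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flagstr, rights, obj_guid, inh_guid, sid = fields
        if obj_guid or inh_guid:
            raise ValueError("object ACEs are not handled here: (%s)" % body)
        if len(flagstr) % 2:
            raise ValueError("bad flag string %r" % flagstr)
        flags = tuple(flagstr[i:i + 2] for i in range(0, len(flagstr), 2))
        for f in flags:
            if f not in KNOWN_FLAGS:
                raise ValueError("unknown ACE flag %r" % f)
        if not rights.lower().startswith("0x"):
            raise ValueError("only hex access masks are handled: %r" % rights)
        aces.append(Ace(ace_type, flags, int(rights, 16), sid))
    return aces


def dedupe(aces):
    """Keep only the first of any identical ACEs (the merge the thread describes)."""
    seen = set()
    out = []
    for ace in aces:
        if ace.key() in seen:
            continue
        seen.add(ace.key())
        out.append(ace)
    return out


def as_stored_by_nfs4acl_xattr(aces, is_dir):
    """Return the ACE list as the thread says vfs_nfs4acl_xattr hands it back.

    Directories: duplicates merged, inheritance flags kept.
    Files: inheritance flags dropped from every ACE, a CREATOR OWNER ACE that
    no longer inherits is dropped as having no effect, then duplicates merged.
    """
    if is_dir:
        return dedupe(aces)
    out = []
    for ace in aces:
        stripped = Ace(ace.ace_type,
                       tuple(f for f in ace.flags if f not in INHERIT_FLAGS),
                       ace.mask, ace.sid)
        # After stripping, no CO entry inherits any more, so it is dropped.
        if stripped.sid == CREATOR_OWNER:
            continue
        out.append(stripped)
    return dedupe(out)


def to_sddl(aces):
    return "".join(a.to_sddl() for a in aces)


def sysvol_acl_matches(fs_sddl, target_sddl, is_dir):
    """The comparison a nfs4acl_xattr-aware sysvolcheck would make: the
    filesystem ACL must equal the target after the same reshaping."""
    expected = as_stored_by_nfs4acl_xattr(parse_aces(target_sddl), is_dir)
    return [a.key() for a in parse_aces(fs_sddl)] == [a.key() for a in expected]


if __name__ == "__main__":
    for is_dir in (True, False):
        reshaped = as_stored_by_nfs4acl_xattr(parse_aces(SAMPLE_TARGET_ACL), is_dir)
        print("dir " if is_dir else "file", to_sddl(reshaped))
```

Run stand-alone it prints the six-ACE directory form and the five-ACE file form, which are the two ACLs Thomas asks about. The comparison in sysvol_acl_matches is on the ACE identity (type, flag set, mask, trustee) in order, so a directory ACL that still carries the duplicate DA entry is reported as a mismatch, as the unmodified sysvolcheck would.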
