Provisioning an ADDC with vfs_nfs4acl_xattr
slow at samba.org
Mon Feb 22 12:23:46 UTC 2021
On 2/20/21 at 9:44 PM, Thomas via samba-technical wrote:
The ACL retrieved from the filesystem is compared against the above ACL
and if it doesn't match an exception is thrown by the sysvolcheck.
> The first issue is related to the fact that the first and fourth ACE in the above ACL are identical.
> The nfs4acl_xattr vfs module does merge these ACEs into one ACE in its code path (smbacl4_MergeIgnoreReject() in nfs4_acls.c) when setting the ACL and would also remove a duplicate ACE when reading the ACL (check_for_duplicate_sec_ace() in nfs4_acls.c). Therefore the ACL returned for a directory in the sysvol Policy branch by vfs_nfs4acl_xattr has one ACE less than the target ACL. It looks like the acl_xattr vfs module is not doing this.
I guess nfs4:acedup = dontcare should fix this.
> For files in the sysvol Policy branch there are additional issues. The nfs4acl_xattr vfs module removes all inheritance flags from the ACL on a file (nfs4_acl_add_sec_ace() in nfs4_acls.c).
I guess this could be bug 14631.
> It also removes the Creator/Owner ACE from the file ACL in the same function. Code comment: /* A non inheriting creator owner entry has no effect. */
> In the context of the sysvol Policy folders and files I now have the following questions.
> Is my understanding correct that for directories the following ACL is equivalent to the above ACL?
> O:DA G:DA D:P
> And for files the following ACL is equivalent?
> O:DA G:DA D:P
> After changing the samba-tool code to expect the above ACLs for Policy folders and files the sysvolcheck does complete without errors.
> What tests can I run to check if this vfs_nfs4acl_xattr based ADDC installation is sane and working properly?
Maybe it's easier to use vfs_acl_xattr instead and just patch it to use
a different xattr name.
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
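
Added example, not part of the original message and not Samba code: a simplified Python model of the three effects described in the thread (an identical ACE collapsing into one, inheritance flags removed on files, the Creator/Owner ACE dropped on files), showing why an exact comparison against the expected ACL then fails. The sample SDDL string, the function names and the choice of OI/CI/IO as the inheritance flags are assumptions made for illustration.

```python
import re

ACE_RE = re.compile(r"\(([^()]*)\)")
INHERIT = ("OI", "CI", "IO")  # assumption: the flags treated as "inheritance flags"

# Constructed sample, not the ACL from the thread: first and fourth ACE identical.
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001200a9;;;AU)")


def parse_sddl(sddl):
    """Split an SDDL string into its header and a list of ACE field lists."""
    header = sddl.split("(", 1)[0]
    return header, [ace.split(";") for ace in ACE_RE.findall(sddl)]


def model_roundtrip(sddl, is_file):
    """Simplified model of the set/get effects described in the thread."""
    header, aces = parse_sddl(sddl)
    kept = []
    for ace_type, flags, rights, obj, inh_obj, sid in aces:
        if is_file:
            # Files lose their inheritance flags ...
            tokens = re.findall("..", flags)
            flags = "".join(t for t in tokens if t not in INHERIT)
            # ... and a non-inheriting Creator/Owner ACE is dropped.
            if sid == "CO":
                continue
        ace = ";".join((ace_type, flags, rights, obj, inh_obj, sid))
        if ace not in kept:  # an identical ACE is stored only once
            kept.append(ace)
    return header + "".join(f"({ace})" for ace in kept)


def literal_check(expected, actual):
    """Exact string comparison (assumed form of the check that fails)."""
    return expected == actual


if __name__ == "__main__":
    for is_file in (False, True):
        actual = model_roundtrip(EXPECTED, is_file)
        print("file" if is_file else "dir ", literal_check(EXPECTED, actual), actual)
```
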