AW: Provisioning an ADDC with vfs_nfs4acl_xattr

Thomas tgeppert at
Mon Feb 22 14:46:32 UTC 2021

-----Original Message-----
From: Ralph Boehme <slow at> 
Sent: Monday, 22 February 2021 13:24

> I guess nfs4:acedup = dontcare should fix this.

I discovered this parameter when skimming through the code. Maybe it would help to include the nfs4 parameters in the documentation of the vfs_nfs4acl_xattr module.
It looks like they're all applicable because vfs_nfs4acl_xattr is using the nfs4 functions in the backend which were originally created for another vfs module.
Nevertheless I only found these parameters documented for the vfs_zfsacl module.

However, setting nfs4:acedup = dontcare only helped for the ACL on the subdirectories. It made the discrepancy for the ACLs on files even worse.

> I guess this could be bug 14631.

Hmm, not sure. As far as I understood this issue from skimming over the bug description, it's related to the flag that signals that an ACL was inherited from a parent directory, right?
The issue with the ACL on files in the Group Policy folders is that it carries the inheritance flags although a file cannot inherit anything to something else. Or do I completely misunderstand this?
The nfs4 code removes the inheritance flags:
from the ACEs on a file while the vfs_acl_xattr module doesn't do it.

> Maybe it's easier to use vfs_acl_xattr instead and just patch it to use a different xattr name.

Maybe, but I'm not sure if it would be sufficient to just patch it in the one place where the XATTR_NTACL_NAME is defined.
Also regarding provisioning an ADDC on vfs_nfs4acl_xattr:
On 2/9/21 at 9:15 AM, Andrew Bartlett wrote:
> Yes, it would be awesome if this could be made to work, particularly if sufficient emulation was available so it can also work in our selftest.

I got it working, with some minor code changes exclusively in the provisioning Python script, up to the point that I would like to run some tests that could give an indication if there are more hidden problems.
I would be very grateful for some hints if there are tests available that I could run to check the ADDC functionality.
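
Added example, not part of the original mail and not Samba code: a small Python check that tells an ACL mismatch caused only by stripped inheritance flags on a file (the behaviour described above for the nfs4 code) apart from a real difference in the ACL. The function names and the SDDL strings are constructed for illustration, and it is an assumption that the stripped flags are exactly OI, CI, NP and IO while ID is left alone.

```python
import re

# SDDL two-letter ACE flags that control propagation to child objects.
# Assumption: these are the flags dropped on files; ID (inherited) is kept.
INHERITANCE_FLAGS = {"OI", "CI", "NP", "IO"}

# Matches one plain ACE "(type;flags;rights;obj_guid;inh_obj_guid;sid)".
ACE_RE = re.compile(r"\(([^()]*)\)")


def strip_file_inheritance(sddl):
    """Return the SDDL string with propagation flags removed from each ACE."""
    def fix(match):
        fields = match.group(1).split(";")
        if len(fields) != 6:
            # Conditional/resource ACEs are out of scope for this sketch.
            raise ValueError("unsupported ACE: " + match.group(0))
        raw = fields[1]
        flags = [raw[i:i + 2] for i in range(0, len(raw), 2)]
        fields[1] = "".join(f for f in flags if f not in INHERITANCE_FLAGS)
        return "(" + ";".join(fields) + ")"
    return ACE_RE.sub(fix, sddl)


def compare_file_acl(expected, stored):
    """Classify the difference between an expected and a stored file ACL."""
    if expected == stored:
        return "match"
    if strip_file_inheritance(expected) == strip_file_inheritance(stored):
        return "inheritance-flags-only"
    return "different"


if __name__ == "__main__":
    # Constructed sample: ACL a check expects on a file in a policy folder,
    # and the same ACL read back after the propagation flags were dropped.
    expected = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICIIO;0x001200a9;;;AU)"
    stored = "O:DAG:DAD:P(A;;0x001f01ff;;;DA)(A;;0x001200a9;;;AU)"
    print(compare_file_acl(expected, stored))
```

A result of "inheritance-flags-only" means the owner, group, rights and trustees agree and only the propagation flags differ; "different" points at a change in who has access.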
