[Samba] Samba and ACLs with XFS [WAS: Samba and RSBAC or LSM]
Greg Freemyer
freemyer at NorcrossGroup.com
Thu Aug 1 09:34:02 GMT 2002
>> Hi,
>> sorry I forgot to specify OS.
>> I'm using:
>> RH 7.2 kernel 2.4.9
>> FS - XFS 1.0.2
>> Samba 2.2.3a
>> I'm using XFS ACL, but I need to set EA (ACL) to Change (read - yes, write -
>> yes, delete - no, execute - no).
>> I don't know how to set this with standard UNIX permissions (rwx).
>> AFAIK XFS didn't help me with this trouble, maybe I'm wrong.
>> The applications that we use are made for single-user use (DOS). These
>> applications must have RW access to all files. I don't want users to be
>> able to delete any of these files.
>> Thanks,
>> David.
>> P.S. - English is not my native language.
David,
(The below sounds pedantic. I don't mean to be, but ACLs under Linux are a
complex subject.) :(
First, ACLs are not part of standard UNIX permissions. They are an extension,
and there is a "withdrawn POSIX standard" related to them.
They should offer you the ability to do what you need, but NTFS does have a few
specialized ACL capabilities that are beyond the withdrawn POSIX standard, and
thus are not supported by Samba.
ACL support is available in several UNIX flavors, but is just coming out in
Linux. It is not yet in the standard Linux kernel. (Nor is XFS, as you know.)
ACL support is in the 2.5 kernel series (i.e. the unstable series), and will be
in the 2.6 kernel series (i.e. the next stable series). I don't know if it
will ever officially make it into the 2.4 series.
XFS has supported ACLs in Linux from day one from what I understand, but the
ACL aspect of XFS is only now becoming stable under Linux, i.e. it was buggy
as recently as March 2002.
I consider ACLs in Linux bleeding edge, but many people have them in production
environments. FYI: Mandrake supports them. SuSE calls them experimental. RH
does not support them at all. (SGI adds the ACL support to RH after the fact.)
As to your current environment:
Native RH 7.2 does not support ACLs.
You must have the SGI-supplied XFS-enabled RH kernel though.
I'm not 100% positive, but I'm pretty sure that does support ACLs. (XFS has
had ACL support under IRIX for some time, so it came in the package when it was
ported to Linux.)
Unfortunately, xfsdump and xfsrestore had a bug until March of this year and
they don't save/restore ACLs. Normal Linux backup/restore programs definitely
don't support ACLs.
If you are going to backup/restore via another server on the network, it is not
a problem. If you are going to use Linux tools to do backup/restore, you will
need to upgrade to at least the XFS 1.1 release with the 2.4.18 kernel. (You
may have to have the CVS version; I don't know for sure when the bug was
fixed.) Hopefully they will have an XFS 1.2 release shortly after the 2.4.19
kernel is released.
Regardless:
You should have tools like chacl, getfacl, and setfacl. (I do with SuSE.)
These allow you to set/check ACLs natively from Linux.
Then you should also have the libattr.so and libacl.so packages. SGI should
have put them on the ISOs. These are required by Samba to access the ACL info
and must be on your system at Samba compile time.
Since you have an older kernel you need older libraries. Version 2 libs will
NOT work, i.e. Version 1 libs and Version 2 libs are NOT binary compatible.
Version 2 libs were introduced by SGI with XFS 1.1.
Once you have all the pieces, you add --with-acl-support to your ./configure
line, and recompile Samba. See, there's nothing to this process. :)
If all of the above scares you off, I'm hoping that SuSE 8.1 (due in Sept.)
will have everything set up and ready to use. They tried in 8.0, but they ended
up with the ACL backup/restore failure bug, and the problem is in the kernel
unfortunately.
Red Hat has not committed to supporting ACLs to the best of my knowledge, but
the SGI people are still putting out XFS-enabled RH ISOs, so you can go that
way as well. (I don't know if the latest XFS-enabled RH ISOs have the ACL
backup/restore bug or not.)
Good Luck,
Greg Freemyer
Internet Engineer
Deployment and Integration Specialist
Compaq ASE - Tru64 v4, v5
Compaq Master ASE - SAN Architect
The Norcross Group
www.NorcrossGroup.com
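Added example, not part of the original thread: a small Python model of the access check from the withdrawn POSIX.1e draft, showing how the "read yes, write yes, delete no, execute no" requirement maps onto ACL entries once you note that deleting a file is decided by the ACL of its parent directory. The group name dosusers, the user names and every ACL entry are constructed for illustration; root override and the sticky bit are not modelled.

```python
# Added example: model of the access check in the withdrawn POSIX.1e ACL draft.
# Users, groups and ACL entries are constructed for illustration.
R, W, X = 4, 2, 1

def parse_acl(text):
    """Parse short-form ACL text such as 'u::rw-,g:dosusers:rw-,m::rw-,o::---'."""
    acl = []
    for entry in text.split(","):
        tag, qualifier, perms = entry.split(":")
        bits = sum(bit for ch, bit in zip(perms, (R, W, X)) if ch != "-")
        acl.append((tag[0], qualifier, bits))
    return acl

def allowed(acl, owner, owning_group, user, groups, want):
    """True if `user` is granted every permission bit in `want`."""
    def find(tag, qualifier=""):
        return next((b for t, q, b in acl if (t, q) == (tag, qualifier)), None)
    mask = find("m")
    mask = R | W | X if mask is None else mask
    if user == owner:                       # owner entry is never masked
        return (find("u") & want) == want
    named = find("u", user)
    if named is not None:                   # named user entry, limited by the mask
        return (named & mask & want) == want
    matched = [b for t, q, b in acl if t == "g" and (q or owning_group) in groups]
    if matched:                             # one matching group entry must grant it all
        return any((b & mask & want) == want for b in matched)
    return (find("o") & want) == want       # everyone else

def file_ops(dir_acl, file_acl, owner, owning_group, user, groups):
    """What `user` can do to a file, given the ACLs of the file and its directory."""
    def can(acl, want):
        return allowed(acl, owner, owning_group, user, groups, want)
    reach = can(dir_acl, X)                 # search permission on the directory
    return {
        "read": reach and can(file_acl, R),
        "write": reach and can(file_acl, W),
        "delete": can(dir_acl, W | X),      # unlink() checks the directory, not the file
        "execute": reach and can(file_acl, X),
    }

# Constructed ACLs: the group may enter the directory but not modify it,
# and may read and write (but not execute) the files inside it.
DIR_ACL = parse_acl("u::rwx,g::r-x,g:dosusers:r-x,m::r-x,o::---")
FILE_ACL = parse_acl("u::rw-,g::r--,g:dosusers:rw-,m::rw-,o::---")

if __name__ == "__main__":
    print(file_ops(DIR_ACL, FILE_ACL, "root", "root", "alice", {"dosusers"}))
```

Write access to a file still lets a user truncate or overwrite its contents, so "no delete" protects the directory entry rather than the data. Applications that save by writing a temporary file and renaming it need write access to the directory and will fail under this layout.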