[Samba] Samba and ACLs with XFS [WAS: Samba and RSBAC or LSM]

Greg Freemyer freemyer at NorcrossGroup.com
Thu Aug 1 09:34:02 GMT 2002

 >>  Hi,

 >>  sorry I forget to specify OS.

 >>  I'm using:

 >>  RH 7.2 kernel 2.4.9
 >>  FS - XFS 1.0.2=20
 >>  Samba 2.2.3a

 >>  I'm using XFS ACL, but I need set EA(ACL) to Change (read - yes, write -
 >>  yes, delete - no, execute - no).
 >>  I don't know how to set this with standard UNIX permissions (rwx).=20
 >>  AFAIK XFS didn't help me with this trouble, maybe I'm wrong.

 >>  Applications what we use are made for use in single user (DOS). These
 >>  applications must have RW access to all files. I don't want users to be
 >>  able to delete any of these files.

 >>  Thanks,

 >>  David.

 >>  P.S. - English is not my native language.


(The below sounds pendantic.  I don't mean to be, but ACLs under Linux are a =
complex subject.)  :(

First ACLs are not part of standard UNIX permissions.  They are an extension, =
and there is a "withdrawn Posix standard" related to them. =20

They should offer you the ability to do what you need, but NTFS does have a few =
specialized ACL capabilities that are beyond the withdrawn posix standard, and =
thus are not supported by Samba.

ACL support is available in several UNIX flavors, but is just coming out in =
Linux.  It is not yet in the standard Linux kernel.  (Nor is XFS as you know).  =
ACL support is in the 2.5 kernel series (i.e. the unstable series), and will be =
in the 2.6 kernel series (i.e. the next stable series).  I don't know if it =
will ever officially make it into the 2.4 series. =20

XFS has supported ACLs in Linux from day one from what I understand, but the =
ACL aspect of XFS is only now becoming stable under Linux.  i.e. It was buggy =
as recently as March 2002.

I consider ACLs in Linux bleeding edge, but many people have them in production =
environments.  FYI: Mandrake supports them. SuSE calls them experimental.  RH =
does not support them at all.  (SGI adds the ACL support to RH after the fact.)

As to your current environment:

Native RH 7.2 does not support ACLs.

You must have the SGI supplied XFS enable RH kernel though.

I'm not 100% positive, but I'm pretty sure that does support ACLs.  (XFS has =
had ACL support under IRIX for sometime, so it came in the package when it was =
ported to Linux.)

Unfortunately, xfsdump and xfsrestore had a bug until March of this year and =
they don't save/restore ACLs.  Normal Linux backup/restore programs definitely =
don't support ACLs. =20

If you are going to backup/restore via another server on the network, it is not =
a problem.  If you are going to use Linux Tools to do backup/restore, you will =
need to upgrade to at least the XFS 1.1 release with the 2.4.18 kernel.  (You =
may have to have the CVS version, I don't know for sure when the bug was =
fixed.) Hopefully they will have a XFS 1.2 release shortly after the 2.4.19 =
kernel is released.


You should have tools like chacl, getfacl, and setfacl.  (I do with SuSE.)  =
These allow you to set/check acls natively from Linux.

Then you should also have the libattr.so and libacl.so packages.  SGI should =
have put them on the ISOs.  These are required by Samba to access the ACL info. =
and must be on your system at Samba compile time.

Since you have an older kernel you need older libraries.  Version 2 libs will =
NOT work.  i.e. Version 1 libs and Version 2 libs are NOT binary compatible.  =
Version 2 libs were introduced by SGI with XFS 1.1

Once you have all the pieces, you add --with-acl-support to your ./configure =
line, and recompile Samba.  See there's nothing to this process. :)

If all of the above scares you off, I'm hoping that SuSE 8.1 (due in Sept.) =
will have everything setup and ready to use.  They tried in 8.0, but they ended =
up with the ACL backup/restore failure bug, and the problem is in the kernel =
unfortunately. =20

Redhat has not committed to supporting ACLs to the best of my knowledge, but =
the SGI people are still putting out XFS enabled RH ISOs, so you can go that =
way as well.  (I don't know if the latest XFS enabled RH ISO's have the ACL =
backup/restore bug or not.)

Good Luck,
Greg Freemyer
Internet Engineer
Deployment and Integration Specialist
Compaq ASE - Tru64 v4, v5
Compaq Master ASE - SAN Architect
The Norcross Group

More information about the samba mailing list