[Samba] Samba and ACLs with XFS [WAS: Samba and RSBAC or LSM]

[David Lukastik]

> David,
> 
> (The below sounds pendantic.  I don't mean to be, but ACLs under Linux are a complex subject.)  :(
> 
> First ACLs are not part of standard UNIX permissions.  They are an extension, and there is a "withdrawn Posix standard" related to them.  
> 
> They should offer you the ability to do what you need, but NTFS does have a few specialized ACL capabilities that are beyond the withdrawn posix standard, and thus are not supported by Samba.
> 
> ACL support is available in several UNIX flavors, but is just coming out in Linux.  It is not yet in the standard Linux kernel.  (Nor is XFS as you know).  ACL support is in the 2.5 kernel series (i.e. the unstable series), and will be in the 2.6 kernel series (i.e. the next stable series).  I don't know if it will ever officially make it into the 2.4 series.  
> 
> XFS has supported ACLs in Linux from day one from what I understand, but the ACL aspect of XFS is only now becoming stable under Linux.  i.e. It was buggy as recently as March 2002.
> 
> I consider ACLs in Linux bleeding edge, but many people have them in production environments.  FYI: Mandrake supports them. SuSE calls them experimental.  RH does not support them at all.  (SGI adds the ACL support to RH after the fact.)
> 
> As to your current environment:
> 
> Native RH 7.2 does not support ACLs.
> 
> You must have the SGI supplied XFS enable RH kernel though.
> 
> I'm not 100% positive, but I'm pretty sure that does support ACLs.  (XFS has had ACL support under IRIX for sometime, so it came in the package when it was ported to Linux.)
> 
> Unfortunately, xfsdump and xfsrestore had a bug until March of this year and they don't save/restore ACLs.  Normal Linux backup/restore programs definitely don't support ACLs.  
> 
> If you are going to backup/restore via another server on the network, it is not a problem.  If you are going to use Linux Tools to do backup/restore, you will need to upgrade to at least the XFS 1.1 release with the 2.4.18 kernel.  (You may have to have the CVS version, I don't know for sure when the bug was fixed.) Hopefully they will have a XFS 1.2 release shortly after the 2.4.19 kernel is released.
> 
> Regardless:
> 
> You should have tools like chacl, getfacl, and setfacl.  (I do with SuSE.)  These allow you to set/check acls natively from Linux.
> 
> Then you should also have the libattr.so and libacl.so packages.  SGI should have put them on the ISOs.  These are required by Samba to access the ACL info. and must be on your system at Samba compile time.
> 
> Since you have an older kernel you need older libraries.  Version 2 libs will NOT work.  i.e. Version 1 libs and Version 2 libs are NOT binary compatible.  Version 2 libs were introduced by SGI with XFS 1.1
> 
> Once you have all the pieces, you add --with-acl-support to your ./configure line, and recompile Samba.  See there's nothing to this process. :)
> 
> If all of the above scares you off, I'm hoping that SuSE 8.1 (due in Sept.) will have everything setup and ready to use.  They tried in 8.0, but they ended up with the ACL backup/restore failure bug, and the problem is in the kernel unfortunately.  
> 
> Redhat has not committed to supporting ACLs to the best of my knowledge, but the SGI people are still putting out XFS enabled RH ISOs, so you can go that way as well.  (I don't know if the latest XFS enabled RH ISO's have the ACL backup/restore bug or not.)
> 
> Good Luck,
> Greg Freemyer
> Internet Engineer
> Deployment and Integration Specialist
> Compaq ASE - Tru64 v4, v5
> Compaq Master ASE - SAN Architect
> The Norcross Group
> www.NorcrossGroup.com
> .

Greg,

thanks for your answer.

I think we talk at cross purposes.

I know ACLs are extension and they are not in vanilla kernel. (I can use
http://acl.bestbits.at or I can use XFS).

I'm using XFS only for ACLs, good performance and good support in Linux
and Samba.
I have 4 servers with RH+XFS+Samba. Some of them are installed by SGI
Installer, some of them I upgraded myself (patching kernel with XFS,
compiling and installing cmds).

XFS ACLs doesn't help me with my trouble, because it's only addition to
standard permissions. (Using only rwx permissions.)

I found some projects like RSBAC or LSM, that have fine grained EAs.
They have for example: READ, WRITE, DELETE, EXECUTE, MOUNT, TRUNCATE and
others.

But the point of my original question was if Samba supports this EAs
(from RSBAC or LSM or any other similar project), or only supports POSIX
ACLs.

Maybe this question should be posted to the technical list.

But thanks for your answers.

David.