[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
miguelmedalha at sapo.pt
Fri Sep 18 12:06:41 MDT 2009
Please pardon me if I insist, but I am doing it with the interest of the
community in mind, not just bitching about it.
I understand that if you address the problem of full compatibility with
Windows ACLs you risk to break compatibility with other clients, such as
NFS clients. Yet, in numerous cases Samba provides services to Windows
clients only. Many people will use a Linux server to provide services to
a network of Windows clients. This is very common. Even Linux clients
can use CIFS to connect.
This is why it seems to me that an optional special behavior of samba,
maybe through a VFS module, would be highly adequate to address this
> Remember, the NTACL vfs module calls down to a lower layer
> module to set the mapped acl onto the underlying filesystem.
> Without a null ACL module you'll get the following problem:
> If you don't have posix acls on the filesystem how do you
> map an incoming ACL containing two or more users or groups ?
Please consider the following:
- The underlying file system would need no ACLs and all files would be
owned *by a special user* possessing common ugw 777/666 rights over them.
- A special VFS module would then receive all requests from clients. All
permissions and user/group rights would be taken care of by the VFS
module and stored as extended attributes (I am assuming, of course that
the storage space provided to extended attributes by the filesystem is
big enough for that purpose. If not, could another storage method be
envisioned?). Clients would never communicate directly with the
underlying filesystem, all operations would be conducted by means of the
- This VFS module would be turned on by a smb.conf entry and the options
for the VFS module would also allow a system administrator to chose a
name of his for that special user, in order to make it unique and
different from all other systems out there.
- Even if none of the current VFS modules is capable of the described
behavior, it seems to me that it would be VERY advantageous to produce a
new one for the certainly very numerous users needing the described
functionality. Only users needing it would use the proper VFS module, to
the others the current status would remain unchanged.
I really don't see why this could not be implemented. Perhaps it goes
somewhat against established thinking but it really seems possible to me.
NOTE: Perhaps we wouldn't even need a VFS module, only a smb.conf
parameter to switch the behavior of the samba daemon? Please note: all
disk operations would be done in the name of that special user, using
full permissions. Ownership and rights would then be "filtered" by the
adequate layer to be seen by clients in the appropriate way.
More information about the samba