[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

Miguel Medalha miguelmedalha at sapo.pt
Fri Sep 18 12:06:41 MDT 2009

Please pardon me if I insist, but I am doing it with the interest of the 
community in mind, not just bitching about it.

I understand that if you address the problem of full compatibility with 
Windows ACLs you risk to break compatibility with other clients, such as 
NFS clients. Yet, in numerous cases Samba provides services to Windows 
clients only. Many people will use a Linux server to provide services to 
a network of Windows clients. This is very common. Even Linux clients 
can use CIFS to connect.

This is why it seems to me that an optional special behavior of samba, 
maybe through a VFS module, would be highly adequate to address this 

> Remember, the NTACL vfs module calls down to a lower layer
> module to set the mapped acl onto the underlying filesystem.
> Without a null ACL module you'll get the following problem:
> If you don't have posix acls on the filesystem how do you
> map an incoming ACL containing two or more users or groups ?

Please consider the following:

- The underlying file system would need no ACLs and all files would be 
owned *by a special user* possessing common ugw 777/666 rights over them.

- A special VFS module would then receive all requests from clients. All 
permissions and user/group rights would be taken care of by the VFS 
module and stored as extended attributes (I am assuming, of course that 
the storage space provided to extended attributes by the filesystem is 
big enough for that purpose. If not, could another storage method be 
envisioned?). Clients would never communicate directly with the 
underlying filesystem, all operations would be conducted by means of the 
VFS layer.

- This VFS module would be turned on by a smb.conf entry and the options 
for the VFS module would also allow a system administrator to chose a 
name of his for that special user, in order to make it unique and 
different from all other systems out there.

- Even if none of the current VFS modules is capable of the described 
behavior, it seems to me that it would be VERY advantageous to produce a 
new one for the certainly very numerous users needing the described 
functionality. Only users needing it would use the proper VFS module, to 
the others the current status would remain unchanged.

I really don't see why this could not be implemented. Perhaps it goes 
somewhat against established thinking but it really seems possible to me.

NOTE: Perhaps we wouldn't even need a VFS module, only a smb.conf 
parameter to switch the behavior of the samba daemon? Please note: all 
disk operations would be done in the name of that special user, using 
full permissions. Ownership and rights would then be "filtered" by the 
adequate layer to be seen by clients in the appropriate way.

Best regards

More information about the samba mailing list