[Samba] Does control of NFS4 ACL's from NetApps work for RHEL Samba servers with Windows XP clients at all?

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Apr 7 07:08:29 MDT 2010


On Wed, Apr 07, 2010 at 07:50:37AM -0400, Nico Kadel-Garcia wrote:
> I'm reviewing some corporate storage setups involving NetApps, where
> the NetApp stores what they call "UNIX Qtrees". So far, so good: those
> allow the setting of access to the data with NFS4 ACL's, which are
> fairly sophisticated and allow multiple groups or even multiple users
> to be granted write access or read access, besides the normal UNIX
> group owner. That works fine.
> 
> But we'd like Windows clients to be able to *read* this information.
> Not necessarily to be able to reset it, although that would be nice.
> But to *read* the directory and file permissions and see who owns it.
> The groups and users are synced between the Active Directory domain
> and the NetApp's with fairly sophisticated NIS middleware, but the
> Windows CIFS clients can't see the details of file ownership. I've
> noted some discussion in the mailing list logs for NFS4 ACL patches
> but I'm not aware of anyone reporting on this feature.
> 
> My first tests with Samba 3.0.33 or the "samba3x-3.3.8" package on
> RHEL 5 don't seem to show any improvements. But I'm not sure if there
> are more recent releases, or flags I should be using, to make that
> security data visible to Windows users. Does anyone here have
> suggestions on upgrades or settings to support this? Or even know if
> it's feasible?

As long as the kernel does not pass the requests through to
user-space via some API, I would guess it is highly unlikely
that this can be passed to the Windows clients. Maybe at
some point it would be necessary to write a full NFSv3 and 4
client as a Samba user-space VFS module, so that we are
independent of the kernel and have access to the only
specified NFSv4 ACL interface, the on-the-wire protocol :-)

Volker