[Samba] viewing, if not editing, NFSv4 ACL's from Samba shares

Jeremy Allison jra at samba.org
Tue Apr 20 15:17:03 MDT 2010

On Tue, Apr 20, 2010 at 07:45:00AM -0400, Nico Kadel-Garcia wrote:
> Good morning, folks.
> I'm involved in a project to enforce NFSv4 ACL's across a variety of
> storage platforms, in particular NetApps sharing NFS. That works fiine
> with the NetApp NFS qtrees, but we'd like to share those with CIFS
> clients as well. This works, and restricts access the way we expect
> NFSv4 ACL's to work, but the Windows clients cannot view any of the
> security settings on the directories or files.
> Cue the music, and enter Samba 3.5.2. I've reviewed various public
> notes on how to use NFSv4 ACL's on recent Samba (particularly those at
> http://www.sambaxp.org/files/SambaXP2009-DATA/Nils_Goroll.pdf), and
> installed Samba 3.5.2 on test servers. And I've set up shares with the
> following settings.
> [share]
> acl check permissions = False
> ea support = yes
> store dos attributes = yes
> map readonly = no
> map archive = no
> map system = no
> vfs objects = zfsacl
> nfs4: mode = special
> nfs4: acedup = merge
> The "map readonly" is rejected, and I'm not sure why.

What do you mean by "rejected" here ?

> The vfs objects seems to have no effect for NFSv4 access. NFSv4
> permissions do seem to be followed.
> But Windows clients still can't see any of the security settings under
> the "Security" tab of properties.

What do you see here ?

> And really, really unfortunately, the NetApp ".snapshot" directories
> are showing up by default. That's deadly: directory copy operations
> may attempt to include the .snapshot backup targets, and that would
> *really* get nutty.

Use the "veto files" parameter to hide them.


More information about the samba mailing list