[Samba] viewing, if not editing, NFSv4 ACL's from Samba shares

Nico Kadel-Garcia nkadel at gmail.com
Tue Apr 20 15:20:47 MDT 2010

On Tue, Apr 20, 2010 at 7:50 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Tue, Apr 20, 2010 at 07:45:00AM -0400, Nico Kadel-Garcia wrote:
>> I'm involved in a project to enforce NFSv4 ACL's across a variety of
>> storage platforms, in particular NetApps sharing NFS. That works fiine
>> with the NetApp NFS qtrees, but we'd like to share those with CIFS
>> clients as well. This works, and restricts access the way we expect
>> NFSv4 ACL's to work, but the Windows clients cannot view any of the
>> security settings on the directories or files.
> The NetApp CIFS server should allow that, doesn't it?

Nope. I really, really wish it did. The relevant clients are Windows
XP, if that has any role. And I've confirmed that the files and
directories generated do follow the NFSv4 ACL policies.

As a relatively ignorant user, I wonder if mapping for display might
be considered too awkward. NFSv4 ACL's are storead as
'username at domain', rather than as 'username', and Windows doesn't seem
to have the same concept of ordering of ACL's as NFSv4 has, so it
could be pretty tricky.

>> Cue the music, and enter Samba 3.5.2. I've reviewed various public
>> notes on how to use NFSv4 ACL's on recent Samba (particularly those at
>> http://www.sambaxp.org/files/SambaXP2009-DATA/Nils_Goroll.pdf), and
>> installed Samba 3.5.2 on test servers. And I've set up shares with the
>> following settings.
>> [share]
>> acl check permissions = False
>> ea support = yes
>> store dos attributes = yes
>> map readonly = no
>> map archive = no
>> map system = no
>> vfs objects = zfsacl
> What platform is your Samba server running on? Is this
> Solaris?

RHEL 5. It's why I've been writing lately about the tI've been
avoiding Solaris as file servers since I wrote one of the first Samba
ports for SunOS 4.1.2, way back in the 1990's.

More information about the samba mailing list