[Samba] viewing, if not editing, NFSv4 ACL's from Samba shares

Nico Kadel-Garcia nkadel at gmail.com
Tue Apr 20 15:31:03 MDT 2010

On Tue, Apr 20, 2010 at 5:17 PM, Jeremy Allison <jra at samba.org> wrote:
> On Tue, Apr 20, 2010 at 07:45:00AM -0400, Nico Kadel-Garcia wrote:
>> Good morning, folks.
>> I'm involved in a project to enforce NFSv4 ACL's across a variety of
>> storage platforms, in particular NetApps sharing NFS. That works fine
>> with the NetApp NFS qtrees, but we'd like to share those with CIFS
>> clients as well. This works, and restricts access the way we expect
>> NFSv4 ACL's to work, but the Windows clients cannot view any of the
>> security settings on the directories or files.
>> Cue the music, and enter Samba 3.5.2. I've reviewed various public
>> notes on how to use NFSv4 ACL's on recent Samba (particularly those at
>> http://www.sambaxp.org/files/SambaXP2009-DATA/Nils_Goroll.pdf), and
>> installed Samba 3.5.2 on test servers. And I've set up shares with the
>> following settings.
>> [share]
>> acl check permissions = False
>> ea support = yes
>> store dos attributes = yes
>> map readonly = no
>> map archive = no
>> map system = no
>> vfs objects = zfsacl
>> nfs4: mode = special
>> nfs4: acedup = merge
>> The "map readonly" is rejected, and I'm not sure why.
> What do you mean by "rejected" here ?

Oh, my. I fatfingered 'readonly' on the server. This is what I get for
working over a thin pipe to a VPN. That part is happy now.

>> The vfs objects seems to have no effect for NFSv4 access. NFSv4
>> permissions do seem to be followed.
>> But Windows clients still can't see any of the security settings under
>> the "Security" tab of properties.
> What do you see here ?

For any file or directory where NFSv4 ACL's have been specifically
set, if I use a Windows XP client to look up "Properties" on the
object, I see no "Security" tab at all.

>> And really, really unfortunately, the NetApp ".snapshot" directories
>> are showing up by default. That's deadly: directory copy operations
>> may attempt to include the .snapshot backup targets, and that would
>> *really* get nutty.
> Use the "veto files" parameter to hide them.

Good point, thanks, got that.

By the way, it's really nice to see one of the core maintainers active
on such a mailing list. It makes me feel like it's the "good old days"
on a lot of interesting projects I've wrestled with over the years. If
you or the other helpful posters in this thread are ever in Boston,
I'll buy *good* beer. There's a decent pub near the annual spam
conference at MIT that I can recommend.
