[Samba] Samba ACLs and NFS ACLs: Differing results

Robert W. Smith rwsmith at bislink.net
Sat Feb 19 08:44:39 MST 2011


I have two users on my network, Mary and Bob, who work together in a
shared share. They both belong to the group Accounting. Bob is a savvy
Linux user who accesses the share via NFS4. Mary toils away using
Windows accessing the share via the Samba server. Mary will create a
directory on the share and dump a number of files in which Bob and Mary
will split the load. Bob, being a Linux user, will then take ownership
of his files and run a sudo chown Bob <filelist> and keep track of his
files this way. That's the setup to the issue and here's the rub. First
some details:

Samba server is running Fedora 14, Samba 3.5.6 as PDC, OpenLDAP backend,
NFS4.
The filesystem is mounted on the service with options: acl and
user_xattr.
The Samba share is:
[Work]
        comment = Share for Work
        path = /home/work
        valid users = +domadmins, +Accounting
        write list = +domadmins, +Accounting
        inherit permissions = yes
        inherit acls = yes
        map acl inherit = yes
        acl group control = yes
        ea support = yes
        vfs object = acl_xattr recycle
        store dos attributes = yes
        map archive = no
        map hidden = no
        map system = no
        map readonly = no

Bob does a standard NFS4 mount of the directory.

The directories inherit the ACLs and group ownership from the parent
directory:

ls -l /home/work:
drwxrws--- 2 Bob       Accounting 4096 2011-02-19 09:57 /home/work

getfacl /home/work:
# file: work
# owner: Bob
# group: Accounting
# flags: -s-
user::rwx
user:Bob:rwx
user:Mary:rwx
group::rwx
group:Accounting:rwx
group:domadmins:rwx
mask::rwx
other::---
default:user::rwx
default:user:Bob:rwx
default:user:Mary:rwx
default:group::rwx
default:group:domadmins:rwx
default:group:Accounting:rwx
default:mask::rwx
default:other::---

If Bob creates any files through NFS4 his files get the ACLs as is shown
on the Samba server:
getfacl bob-file1:
# file: bob-file1
# owner: Bob
# group: Accounting
user::rw-
user:Bob:rwx		#effective:rw-
user:Mary:rwx		#effective:rw-
group::rwx			#effective:rw-
group:domadmins:rwx		#effective:rw-
group:Accounting:rwx		#effective:rw-
mask::rw-
other::---

We all know that POSIX ACLs aren't perfect but this is close to what I
expect and want. When Mary creates a file from Windows the ACLs on the
server are:
getfacl mary-file2:
# file: mary-file2
# owner: Mary
# group: Accounting
user::rwx
user:Bob:rwx
group::rwx
group:domadmins:rwx
mask::rwx
other::---

While technically this may be correct as well, here's the rub and why I
am writing to the list. As I said, Mary dumps the files on the share to
be divided up between them so all of the files get the ACLs shown for
the file, mary-file2. When Bob runs sudo chown Bob <filelist> to keep
track of his files, Mary loses her user ACL and would lose all access
if the group ownership would change.

What is the correct behavior for inheriting ACLs from a parent
directory? Should the ACLs be pruned based on the file ownership (as
does Samba) or should the full ACLs be inherited as happens when using
NFS4? IMHO, I would prefer the latter as it preserves all of the
inherited permissions regardless of the actual file ownership. Was there
a rationale for the approach that Samba is taking?

Thanks,
Bob Smith
--bs
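
Added example (not part of the original post and not Samba code): the POSIX ACL access check order from acl(5), applied to the two getfacl listings above, to show what Mary can still reach once the file owner, and then the owning group, changes. The function names and the group name Payroll are assumptions made for illustration.

```python
# Added example: POSIX ACL access check (acl(5) order) on the post's listings.
MARY_FILE2 = """user::rwx
user:Bob:rwx
group::rwx
group:domadmins:rwx
mask::rwx
other::---"""
BOB_FILE1 = """user::rw-
user:Bob:rwx
user:Mary:rwx
group::rwx
group:domadmins:rwx
group:Accounting:rwx
mask::rw-
other::---"""

def parse(text):
    """Return (tag, qualifier, permission set) for each access ACL entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()   # drop headers and #effective notes
        if not line or line.startswith("default:"):
            continue
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, set(perms.replace("-", ""))))
    return entries

def allowed(acl_text, owner, group, user, user_groups, want):
    """True if `user` is granted every permission in `want`, e.g. "rw"."""
    acl, want = parse(acl_text), set(want)
    def get(tag, qual=""):
        return next((p for t, q, p in acl if t == tag and q == qual), None)
    mask = get("mask")
    if mask is None:
        mask = set("rwx")                   # no mask entry: nothing is masked
    if user == owner:                       # 1. owner uses user::, mask not applied
        return want <= get("user")
    named = get("user", user)
    if named is not None:                   # 2. named user entry, limited by mask
        return want <= (named & mask)
    # 3. group:: counts if the user is in the owning group; named groups by name
    matches = [p for t, q, p in acl if t == "group"
               and ((q == "" and group in user_groups) or q in user_groups)]
    if matches:
        return any(want <= (p & mask) for p in matches)
    return want <= get("other")             # 4. everyone else

if __name__ == "__main__":
    print(allowed(MARY_FILE2, "Bob", "Payroll", "Mary", {"Accounting"}, "r"))
```

With owner Bob and the constructed owning group Payroll, Mary falls through to other::--- on mary-file2, while the same change on bob-file1 still grants her rw- through the user:Mary entry.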





