[Samba] Use ACL over NFS4

Paul.Nickerson at desknetinc.com
Thu Oct 27 13:21:51 MDT 2011


I have an NFS4 server exporting a folder, and a Samba server importing that
folder which it then turns around and shares over Samba. I would like
Windows machines accessing this folder and its sub folders to be properly
restricted according to ACLs.

The NFS4 server is running CentOS 5.7 and is NFS exporting an EXT4 folder.
The Samba server is running CentOS 6.0, and Samba 3.5.4-68.el6_0.2. On the
Samba server, I am able to use chmod, chown, nfs4_setfacl, ls, and
nfs4_getfacl to set and retrieve file and folder permissions and ACLs in
the NFS4 mounted folder, and it all seems to be working sanely. I have both
servers using winbind. On a Windows 7 machine, I am able to browse to
\\test-samba-server, and see all the Samba shared folders that I've set up
in smb.conf.

Those folders and files where I have restricted or allowed read, write, and
execute permissions for the domain user logged onto the Windows 7 machine,
using the standard POSIX method, work as expected. Thus, I think winbind is
working correctly right now. However, if I try to allow access through
nfs4_setfacl (and keep the file or folder restricted through the file
permissions), the user on the Windows 7 machine is always denied access.

I am seeing this in /var/log/messages when I turn on lots of logging:
Oct 26 16:01:39 test-samba-server smbd[14979]: [2011/10/26 16:01:39.737663, 1] smbd/dosmode.c:255(get_ea_dos_attribute)
Oct 26 16:01:39 test-samba-server smbd[14979]:   get_ea_dos_attributes: Cannot get attribute from EA on file .: Error = Operation not supported

If I share a local EXT4 folder that's been bind mounted with the user_xattr
option, then I don't get the problem there. ACLs restrict and allow the
Windows 7 user as I would expect (I can create them on CentOS using
setfacl), and the logged error does not show up. On the NFS server, I am
specifying the user_xattr option in the bind mount of the folder that I'm
exporting.

NFS4 doesn't have a user_xattr option that I can use when mounting. Does
anyone have any ideas for what I could do to get Samba to use ACLs over
NFS4? If you need more configuration details, or if I could be more clear
on any part, let me know.

Paul Nickerson
IT Systems Administrator & Support
DeskNet Inc.
Portland, Maine


