[Samba] Use ACL over NFS4

Jeremy Allison jra at samba.org
Thu Oct 27 14:27:57 MDT 2011

On Thu, Oct 27, 2011 at 03:21:51PM -0400, Paul.Nickerson at desknetinc.com wrote:
> I have an NFS4 server exporting a folder, and a Samba server importing that
> folder which it then turns around and shares over Samba. I would like
> Windows machines accessing this folder and its sub folders to be properly
> restricted according to ACLs.
> The NFS4 server is running CentOS 5.7 and is NFS exporting an EXT4 folder.
> The Samba server is running CentOS 6.0, and Samba 3.5.4-68.el6_0.2. On the
> Samba server, I am able to use chmod, chown, nfs4_setfacl, ls, and
> nfs4_getfacl to set and retrieve file and folder permissions and ACLs in
> the NFS4 mounted folder, and it all seems to be working sanely. I have both
> servers using winbind. On a Windows 7 machine, I am able to browse to
> \\test-samba-server, and see all the Samba shared folders that I've set up
> in smb.conf.
> Those folders files where I have restricted or allowed read, write, and
> execute permissions for the domain user logged onto the Windows 7 machine,
> using the standard POSIX method, work as expected. Thus, I think winbind is
> working correctly right now. However, if I try to allow access through
> nfs4_setfacl (and keep the file or folder restricted through the file
> permissions), the user on the Windows 7 machine is always denied access.
> I am seeing this in /var/log/messages when I turn on lots of logging:
> Oct 26 16:01:39 test-samba-server smbd[14979]: [2011/10/26 16:01:39.737663,
> 1] smbd/dosmode.c:255(get_ea_dos_attribute)
> Oct 26 16:01:39 test-samba-server smbd[14979]:   get_ea_dos_attributes:
> Cannot get attribute from EA on file .: Error = Operation not supported

This error isn't an ACL error, it's Samba trying to store the extra
Windows attributes into a Linux EA. If NFS doesn't support this, you'll
need to stop Samba from trying to do this by doing:

store dos attributes = no
ea support = no

Unfortunately that means that Samba will have to fall back to trying
to store the (neccessary) extra metadata info in the normal POSIX permissions,
which will mess up the NFS ACLs.

It's probably better to move the Samba server onto the same machine
that's exporting NFSv4 and ensure POSIX ACL and EA support are enabled
on that EXT4 disk.

Then Samba can export Windows ACLs correctly if you set:

store dos attributes =  yes
ea support = yes
vfs objects = acl_xattr

in the share definition. That causes Samba to store Windows EAs (not
strictly needed), Windows metadata and Windows ACLs into EXT4 EA's.


More information about the samba mailing list