[Samba] windows and nfs4 acls
steve
steve at steve-ss.com
Wed Feb 29 15:10:18 MST 2012
On 02/29/2012 10:28 PM, steve wrote:
> On 02/28/2012 06:45 PM, Jeremy Allison wrote:
>> On Tue, Feb 28, 2012 at 06:37:21PM +0100, Gémes Géza wrote:
>>> On 2012-02-28 08:27, steve wrote:
>>>> Hi everyone
>>>>
>>>> We're really struggling with nfs4<--> windows acls.
>>>>
>>>> Scenario
>>>> Samba4 share --> cifs --> win7. No problem
>>>> Samba4 share --> nfs4 --> Linux. acls not inherited
>>>> Neither is there inheritance vice versa.
>>>>
>>>> e.g. It is not possible to create files with group rw on a umask 0022
>>>> nfs4 share. nfs4_setfacl cannot override umask. Using POSIX or windows
>>>> acls this works fine. I've approached the nfs4 devs and they've said
>>>> that they'll look into it, but so far. Exporting nfs4 with -o noacl
>>>> (in the hope that the windows acl would take effect) has no effect.
>>>>
>>>> 1. Is it possible to get Samba to override the nfs4 acl and use
>>>> whatever I've set on windows security acl instead?
>>>> 2. Is there a way to export a single directory with a umask of my
>>>> choice?
>>>> 3. Would it be reasonable to ask my distro (openSUSE) to consider this
>>>> problem as a feature request? Perhaps as a patch over nfs4_setfacl?
>>>> Thanks,
>>>> L& S at lcb
>>>>
>>> IMHO Samba4 sets the windows (non posix) acls as extended attributes. In
>>> order to get them applied on the Linux (or NFS4) side there should be a
>>> Linux kernel security module (LSM) which would override the posix acls.
>> If RichACLs gets adopted (I'm assuming this will be the
>> same model as NFSv4) then we'll just add a Samba VFS
>> module to map incoming Windows ACLs to RichACLs.
>>
>> Jeremy.
> Hi everyone
>
> This really is a hopeless situation at the moment. The nfs devs have
> suggested I switch from the secure nfs4 to nfs3 so I can use posix
> acls. This does not work however. I use setfacl on a folder. As soon
> as it is mounted nfs3 (or 4) the acl is lost. openSUSE and Ubuntu alike.
>
> The devs of the various filesystems seem to be working in isolation.
> We feel trapped and can't see a way out. I wonder if this is due to us
> asking poor questions? Could I simplify?
>
> We want a folder where files are created group rw from a base filesystem:
> ext4 (rw,noatime,commit=120,errors=remount-ro,user_xattr,commit=0)
>
> Samba4 <--> Win7 acl=OK
> The same Samba4 server internal posix acl on ext4 acl=OK
> The same folder on the same server mounted nfs acl=destroyed
>
> Have I overlooked anything here?
>
> Thanks for your time,
> Steve
>
Ironically, I've just noticed:
NTVFS backend 'xattr' registered
NTVFS backend 'nfs4acl' registered
from samba -i -d3
Does this mean anything to anyone?
Thanks