[Samba] windows and nfs4 acls

steve steve at steve-ss.com
Wed Feb 29 15:10:18 MST 2012


On 02/29/2012 10:28 PM, steve wrote:
> On 02/28/2012 06:45 PM, Jeremy Allison wrote:
>> On Tue, Feb 28, 2012 at 06:37:21PM +0100, Gémes Géza wrote:
>>> On 2012-02-28 08:27, steve wrote:
>>>> Hi everyone
>>>>
>>>> We're really struggling with nfs4<-->  windows acls.
>>>>
>>>> Scenario
>>>>   Samba4 share -->  cifs -->  win7. No problem
>>>>   Samba4 share -->  nfs4 -->  Linux. acls not inherited
>>>> Neither is there inheritance vice versa.
>>>>
>>>>   e.g. It is not possible to create files with group rw on a umask 0022
>>>> nfs4 share. nfs4_setfacl cannot override umask. Using POSIX or windows
>>>> acls this works fine. I've approached the nfs4 devs and they've said
>>>> that they'll look into it, but so far. Exporting nfs4 with -o noacl
>>>> (in the hope that the windows acl would take effect) has no effect.
>>>>
>>>> 1. Is it possible to get Samba to override the nfs4 acl and use
>>>> whatever I've set on windows security acl instead?
>>>> 2. Is there a way to export a single directory with a umask of my choice?
>>>> 3. Would it be reasonable to ask my distro (openSUSE) to consider this
>>>> problem as a feature request? Perhaps as a patch over nfs4_setfacl?
>>>> Thanks,
>>>> L&  S at lcb
>>>>
>>> IMHO Samba4 sets the windows (non posix) acls as extended attributes. In
>>> order to get them applied on the Linux (or NFS4) side there should be a
>>> Linux kernel security module (LSM) which would override the posix acls.
>> If RichACLs gets adopted (I'm assuming this will be the
>> same model as NFSv4) then we'll just add a Samba VFS
>> module to map incoming Windows ACLs to RichACLs.
>>
>> Jeremy.
> Hi everyone
>
> This really is a hopeless situation at the moment. The nfs devs have 
> suggested I switch from the secure nfs4 to nfs3 so I can use posix 
> acls. This does not work however. I use setfacl on a folder. As soon 
> as it is mounted nfs3 (or 4) the acl is lost. openSUSE and Ubuntu alike.
>
> The devs of the various filesystems seem to be working in isolation. 
> We feel trapped and can't see a way out. I wonder if this is due to us 
> asking poor questions? Could I simplify?
>
> We want a folder where files are created group rw from a base filesystem:
> ext4 (rw,noatime,commit=120,errors=remount-ro,user_xattr,commit=0)
>
> Samba4 <--> Win7 acl=OK
> The same Samba4 server internal posix acl on ext4 acl=OK
> The same folder on the same server mounted nfs acl=destroyed
>
> Have I overlooked anything here?
>
> Thanks for your time,
> Steve
>

Ironically, I've just noticed:
NTVFS backend 'xattr' registered
NTVFS backend 'nfs4acl' registered
from samba -i -d3

Does this mean anything to anyone?
Thanks

