[Samba] Samba to share NFSv4 + ACL mounted filesystems on NetApp storage

Jeremy Allison jra at samba.org
Tue Mar 6 16:01:29 MST 2012


On Tue, Mar 06, 2012 at 04:02:54PM +0100, Filip Sneppe wrote:
> Hi,
> 
> We are running into a problem with a Samba setup and would like to
> know if a current fix or workaround is at all possible.
> 
> Our setup is a NetApp filer serving NFS v4 that is mounted by
> Solaris and Linux servers. On those servers we are using Samba to
> create shares of those NFSv4 mounted filesystems. We are migrating
> to this NFSv4 setup from an existing Solaris NFSv3+Posix ACL setup
> that also had Samba shares on top of the NFSv3+ACL mounts.
> 
> In our setup, we are relying on NFSv4 ACL inheritance. Here's
> an example of an ACL on a file (as created by a touch command):
> 
> root@system # ls -lVd test_sneppef.txt
> -rw-r--r--+  1 root     root           0 Mar  6 13:49 test_sneppef.txt
>        group:TRerp:r-x---a-R-c--s:------:allow
>        group:TRerp:-w-p---A-W-Co-:------:deny
>        group:TWerp:rwxp--aARWcC-s:------:allow
>        group:TWerp:------------o-:------:deny
>          user:Terp:rwxp--aARWcC-s:------:allow
>          user:Terp:------------o-:------:deny
>             owner@:rw-p--a-R-c--s:------:allow
>             group@:r-----a-R-c--s:------:allow
>          everyone@:r-----a-R-c--s:------:allow
>             owner@:--x-----------:------:deny
>             group@:-wxp----------:------:deny
>          everyone@:-wxp----------:------:deny
> 
> In our Samba setup, we are making extensive use of the "force user"
> and "force group" directives to force all files created under the Samba
> share to get the appropriate username/usergroup. Here's an example
> share definition from smb.conf:
> 
> [testsiven]
>         comment = NFSv4 test
>         path = /NAS/trg_shr_sft_00/erp/siven
>         valid users =  "prod\siven" "__empty__"
>         write list = "prod\siven"
>         force user = Terp
>         force group = Terp
> 
> So, in summary, we are relying on NFSv4 ACL inheritance to
> set the correct ACLs on all files and directories under a
> given NFS mount.
> 
> The problem we are running into is that, when CIFS users are
> creating files via the Samba shares, the NFSv4 ACLs get removed.
> Here's an example of a file that was created from a Samba share:
> 
> root@system # ls -lVd test2-sneppef2.txt.txt
> -rwxr--r--   1 Terp     Terp           0 Mar  6 13:59 test2-sneppef2.txt.txt
>             owner@:rwxp--aA--cC-s:------:allow
>             owner@:--------------:------:deny
>             group@:-wxp---A---C--:------:deny
>             group@:r-----a---c--s:------:allow
>             group@:-wxp---A---C--:------:deny
>          everyone@:r-----a---c--s:------:allow
>          everyone@:-wxp---A---C--:------:deny
> 
> As you can see, there are no NFSv4 ACLs associated with the
> file.

Try using the Samba NFSv4 ACL mapping module for Solaris.
vfs_solarisacl.
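
Added example, not part of the original thread: a Python check that parses Solaris `ls -V` output like the two listings quoted above and reports files that lack the named ACL entries inheritance should have supplied. The sample listing is constructed from the thread's output (abridged); the function names and the expected-principal set are assumptions for illustration.

```python
# Constructed sample: abridged from the two `ls -lVd` listings in the thread.
SAMPLE = """\
-rw-r--r--+  1 root     root           0 Mar  6 13:49 test_sneppef.txt
       group:TRerp:r-x---a-R-c--s:------:allow
       group:TWerp:rwxp--aARWcC-s:------:allow
         user:Terp:rwxp--aARWcC-s:------:allow
            owner@:rw-p--a-R-c--s:------:allow
         everyone@:r-----a-R-c--s:------:allow
-rwxr--r--   1 Terp     Terp           0 Mar  6 13:59 test2-sneppef2.txt.txt
            owner@:rwxp--aA--cC-s:------:allow
            group@:r-----a---c--s:------:allow
         everyone@:r-----a---c--s:------:allow
"""

SPECIAL = {"owner@", "group@", "everyone@"}
# Assumption: the named principals the parent directory's ACL should pass on.
EXPECTED = {"group:TRerp", "group:TWerp", "user:Terp"}

def parse_ls_v(text):
    """Return {filename: [(who, perms, inherit_flags, type), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # File line: mode links owner group size month day time name
            current = line.split(None, 8)[8]
            acls[current] = []
        elif current is not None:
            parts = line.strip().split(":")
            # Named entries carry a "user:" or "group:" prefix before the name.
            who = parts[0] if parts[0] in SPECIAL else parts[0] + ":" + parts[1]
            perms, flags, ace_type = parts[-3:]
            acls[current].append((who, perms, flags, ace_type))
    return acls

def lost_named_aces(acls, expected):
    """Map each file to the expected named principals absent from its ACL."""
    report = {}
    for name, aces in acls.items():
        missing = expected - {who for who, *_ in aces}
        if missing:
            report[name] = sorted(missing)
    return report

if __name__ == "__main__":
    for name, missing in lost_named_aces(parse_ls_v(SAMPLE), EXPECTED).items():
        print(name, "is missing ACEs for:", ", ".join(missing))
```

Run against a recursive `ls -V` of the share, this lists the files created through Samba that ended up with only the trivial owner@/group@/everyone@ entries.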

