[Samba] Samba to share NFSv4 + ACL mounted filesystems on NetApp storage
Jeremy Allison
jra at samba.org
Tue Mar 6 16:01:29 MST 2012
On Tue, Mar 06, 2012 at 04:02:54PM +0100, Filip Sneppe wrote:
> Hi,
>
> We are running into a problem with a Samba setup and would like to
> know if a current fix or workaround is at all possible.
>
> Our setup is a NetApp filer serving NFS v4 that is mounted by
> Solaris and Linux servers. On those servers we are using Samba to
> create shares of those NFSv4 mounted filesystems. We are migrating
> to this NFSv4 setup from an existing Solaris NFSv3+Posix ACL setup
> that also had Samba shares on top of the NFSv3+ACL mounts.
>
> In our setup, we are relying on NFSv4 ACL inheritance. Here's
> an example of an ACL on a file (as created by a touch command):
>
> root at system # ls -lVd test_sneppef.txt
> -rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
> group:TRerp:r-x---a-R-c--s:------:allow
> group:TRerp:-w-p---A-W-Co-:------:deny
> group:TWerp:rwxp--aARWcC-s:------:allow
> group:TWerp:------------o-:------:deny
> user:Terp:rwxp--aARWcC-s:------:allow
> user:Terp:------------o-:------:deny
> owner@:rw-p--a-R-c--s:------:allow
> group@:r-----a-R-c--s:------:allow
> everyone@:r-----a-R-c--s:------:allow
> owner@:--x-----------:------:deny
> group@:-wxp----------:------:deny
> everyone@:-wxp----------:------:deny
>
> In our Samba setup, we are making extensive use of the "force user"
> and "force group" directives to force all files created under the Samba
> share to get the appropriate username/usergroup. Here's an example
> share definition from smb.conf:
>
> [testsiven]
> comment = NFSv4 test
> path = /NAS/trg_shr_sft_00/erp/siven
> valid users = "prod\siven" "__empty__"
> write list = "prod\siven"
> force user = Terp
> force group = Terp
>
> So, in summary, we are relying on NFSv4 ACL inheritance to
> set the correct ACLs on all files and directories under a
> given NFS mount.
>
> The problem we are running into is that, when CIFS users are
> creating files via the Samba shares, the NFSv4 ACLs get removed.
> Here's an example of a file that was created from a Samba share:
>
> root at system # ls -lVd test2-sneppef2.txt.txt
> -rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
> owner@:rwxp--aA--cC-s:------:allow
> owner@:--------------:------:deny
> group@:-wxp---A---C--:------:deny
> group@:r-----a---c--s:------:allow
> group@:-wxp---A---C--:------:deny
> everyone@:r-----a---c--s:------:allow
> everyone@:-wxp---A---C--:------:deny
>
> As you can see, there are no NFSv4 ACLs associated with the
> file.
Try using the Samba NFSv4 ACL mapping module for Solaris.
vfs_solarisacl.
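
Added example, not part of the original thread: a Python check that parses `ls -V` ACE lines like those quoted above and reports which named user/group entries a file is missing relative to a reference file. The function names are illustrative, and the sample input is an abridged copy of the two listings in the post.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "who perms inherit kind")
TRIVIAL = {"owner@", "group@", "everyone@"}  # ACEs derived from mode bits
ACE_RE = re.compile(
    r"^\s*((?:user|group):[^:\s]+|owner@|group@|everyone@)"
    r":([A-Za-z-]+):([A-Za-z-]+):(allow|deny)\s*$")

def parse_acl(listing):
    """Extract ACE lines from `ls -V` output; mode and prompt lines are skipped."""
    matches = (ACE_RE.match(line) for line in listing.splitlines())
    return [Ace(*m.groups()) for m in matches if m]

def named_principals(aces):
    """Explicit user:/group: entries, i.e. everything beyond the trivial ACL."""
    return {a.who for a in aces if a.who not in TRIVIAL}

def lost_principals(reference, candidate):
    """Named entries present on the reference file but absent on the candidate."""
    return sorted(named_principals(reference) - named_principals(candidate))

# Sample input: ACE lines from the two listings quoted in the post (abridged).
VIA_TOUCH = """\
-rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
group:TRerp:r-x---a-R-c--s:------:allow
group:TRerp:-w-p---A-W-Co-:------:deny
group:TWerp:rwxp--aARWcC-s:------:allow
user:Terp:rwxp--aARWcC-s:------:allow
owner@:rw-p--a-R-c--s:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
"""
VIA_SAMBA = """\
-rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
owner@:rwxp--aA--cC-s:------:allow
group@:r-----a---c--s:------:allow
group@:-wxp---A---C--:------:deny
everyone@:r-----a---c--s:------:allow
everyone@:-wxp---A---C--:------:deny
"""

if __name__ == "__main__":
    ref, new = parse_acl(VIA_TOUCH), parse_acl(VIA_SAMBA)
    print("named entries lost:", lost_principals(ref, new))
    print("candidate has only trivial ACEs:", not named_principals(new))
```

Run against a directory tree, the same comparison flags every file created through the share whose ACL has collapsed to the `owner@`/`group@`/`everyone@` entries.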