[Samba] Switching between

Andrew Bartlett abartlet at samba.org
Fri Jan 11 16:24:50 MST 2013

On Fri, 2013-01-11 at 12:13 -0800, Jeremy Allison wrote:
> On Fri, Jan 11, 2013 at 07:07:26PM +0000, Steve Tice wrote:
> > My organization is in the position of having to support full
> > Windows ACLs on CIFS shares. We've been successfully utilizing
> > Samba 3.5.10-125 and vfs_acl_tdb to accomplish that. However,
> > the size of the resulting
> > /var/lib/samba/state/file_ntacls.tdb[.unique-extension] file(s)
> > has introduced some new problems for me to solve.
> > 
> > In our environment, it seems on average each stored ACL causes
> > file_ntacls.tdb to grow by almost 1000 bytes. That's what I've
> > observed with my customers - YMMV. We have to support millions
> > of files per server, and we've seen TDB files larger than 2 GB.
> > Is there any server change I can make to reduce the storage
> > demands of the acl_tdb module?
> > 
> > Separately, we're considering switching from the acl_tdb module
> > to the acl_xattr module. Do you know of any way to migrate or
> > transfer the NTFS ACL data for each file from the TDB to an
> > extended attribute? I'm trying to find a server-side solution
> > to the migration problem. A client-side solution might be to
> > rewrite each file (and resend the ACL data) after switching the
> > Samba server configuration, but that puts a lot on the customers.
> There's no code in Samba to do this unless you're doing it
> via a client.
> You could write custom code to pull the data out of the tdb
> and re-store as EA's on the files, but that's outside the scope
> of the tools we provide.

Using Samba 4.0.0, the python bindings or even samba-tool ntacl get/set
would be quite a good choice here.  We can read directly the NT ACL from
the tdb and then set it using the xattr code.

At a shell level, try something (untested) like:

samba-tool ntacl get <file>

then change the smb.conf setting and set it with
samba-tool ntacl set <file>

This should be enough, perhaps pointing at two different smb.conf files.
Some other options that you shouldn't need, but I will describe are:

--xattr-backend=tdb --use-ntvfs

This combination might be handy, allowing you to directly read the NT
ACL in the tdb, even when the smb.conf is configured to use the xattr.
(Be warned, the comparison with the posix permissions to see which was
set last will not be performed in this case). 

Also see the python API in samba.ntacls, which may allow you to
implement a 'samba-tool ntacl migrate <file>' command. 

I'm very happy to help out if you have any more questions here, as we
certainly do have a good range of tools that should be able to help you.

Jeremy will need to confirm (and your testing will be important) that
the resulting database from 4.0.0 will be compatible with Samba 3.5.
That said, we haven't deliberately changed anything about the on-disk
format here, as far as I'm aware.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
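The server-side migration Andrew sketches above (read each file's NT ACL with the tdb-backed configuration, then write it back with the xattr-backed configuration), worked into a script. This is an added example, not code from the thread or from the Samba project. It assumes a Samba 4.0 `samba-tool` whose `ntacl get` accepts `--as-sddl` and whose `ntacl set` takes the SDDL string before the path, and it assumes two smb.conf files, `/etc/samba/smb-tdb.conf` (share configured with `vfs objects = acl_tdb`) and `/etc/samba/smb-xattr.conf` (same share with `vfs objects = acl_xattr`); both file names are placeholders chosen for the example. The `SAMBA_TOOL` variable exists only so the script can be exercised against a stub before it is pointed at a real server.

```shell
#!/bin/sh
# Added example (not from the thread): migrate NT ACLs stored by vfs_acl_tdb
# to vfs_acl_xattr, file by file, with samba-tool ntacl get/set and two
# smb.conf files. Config paths below are placeholders for this example.
set -eu

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"               # overridable for testing
TDB_CONF="${TDB_CONF:-/etc/samba/smb-tdb.conf}"      # share with acl_tdb
XATTR_CONF="${XATTR_CONF:-/etc/samba/smb-xattr.conf}" # share with acl_xattr

# Read one file's NT ACL as SDDL through the tdb-backed configuration.
read_acl_sddl() {
    "$SAMBA_TOOL" ntacl get "$1" --as-sddl --configfile="$TDB_CONF"
}

# Write an SDDL ACL onto one file through the xattr-backed configuration.
# samba-tool ntacl set takes the ACL first, then the path.
write_acl_sddl() {
    "$SAMBA_TOOL" ntacl set "$1" "$2" --configfile="$XATTR_CONF"
}

# Migrate a single path. Returns 1 if the ACL could not be read or was
# empty, so a file with no stored ACL is never overwritten with nothing.
migrate_one() {
    file="$1"
    sddl=$(read_acl_sddl "$file") || return 1
    [ -n "$sddl" ] || return 1
    write_acl_sddl "$sddl" "$file"
}

# Walk a share root and migrate every file and directory under it.
# Failed paths are collected in a temp file so the run can be resumed;
# returns 0 only when every path migrated.
migrate_tree() {
    root="$1"
    failures=$(mktemp)
    find "$root" -print | while IFS= read -r path; do
        if migrate_one "$path"; then
            echo "migrated: $path"
        else
            echo "$path" >> "$failures"
        fi
    done
    count=$(wc -l < "$failures" | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        rm -f "$failures"
        return 0
    fi
    echo "$count path(s) failed; see $failures" >&2
    return 1
}

# Usage: sh migrate-ntacl.sh /srv/share
if [ "$#" -gt 0 ]; then
    migrate_tree "$1"
fi
```

Run it once per share against a copy first, and compare a sample of ACLs with `samba-tool ntacl get --as-sddl` under the xattr configuration before cutting over; as the mail notes, the cross-version compatibility of the tdb written by 4.0.0 versus 3.5 still has to be confirmed by testing.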
