[Samba] Samba + NFS4 + ACLs

Albert Fluegel af at muc.de
Tue Jan 29 08:41:45 MST 2013 

Hello,

with windows 7 as client there's an oddity, when navigating with the
windows 7 explorer into a directory, that is protected with ACLs on
the Unix side: Though it should be possible to access the directory
by ACLs (while the traditional basic Unix permissions deny it), the
windows 7 "explorer" says: no access rights ...

The accessed directory is an NFS4 or 3 mounted export from a Netapp
(no root export of course). The interesting point is, that access
works when doing cd in a DOS cmd window or an cygwin shell. Furthermore
it works to open files in this directory by typing the path to them
explicitely in an office or whatever application. Also the windows 2003
explorer is able to navigate into the directory.

It turns out, that this is a (possibly intended ...) feature of the
windows 7 explorer. It seems to evaluate the reply from the samba (4.0.1)
server differently than older windows. Looking into the samba code i
found, that it interprets the access permissions (function se_access_check
in libcli/security/access_check.c) and does not succeed for the
NFS4 ACLs (because this is not implemented).

So i wonder, why the samba server should try to interpret the access
permissions itself. As we do not want any windows specialties be in
effect (nor do we want to modify the ACLs on the Unix filesystem from
whatever windows dialog - the ACLs are set on Unix by the people
responsible for the data), it would be ok to let the bare Unix/Linux
access mechanisms decide, whether the client may access a file. As
far as i see, the respective daemon is running as the mapped Unix
account assigned to the user on windows. So why not let Samba ignore
or skip whatever own permission checks and only return failure to
the client, when the actual access fails ? I made a patch introducing
a configuration parameter "native os permissions", that does this.
As far as we tested, it works as expected. Accounts, that should not
have access, don't have it. It's just a different SMB call, that gets
the result "access refused". Accounts, that should be able to access,
are allowed. So does anything speak against introducing such an option,
especially as long as evaluating all the ACEs internally is not yet
implemented ?
If someone is interested, i could provide the modification (though
it's relatively simple).

Any hint (or objecting argumentation) is appreciated.
Thanks and with kind regards,

Albert Fluegel

More information about the samba mailing list