[Samba] Again on NT ACLs and Samba re-share of NFS or SMB mount

Gionatan Danti g.danti at assyoma.it
Thu Jul 31 01:24:58 MDT 2014

Hi all,
I spent the past days reading the mailing list archive, but still I have 
some questions to ask. Moreover, a detailed report of what I attempted 
can be useful for others.

Goal: having a remote SMB or NFS share, mount it locally and re-share it 
using SAMBA. The remote SMB/NFS share will _not_ be directly used by 
users; it will be used only through the local samba "proxy". NT ACLs 
should be preserved as close as possible.

Software version: both machine runs CentOS 6.5 X86_64, with kernel 
2.32.x and samba version 3.6.x

I evaluated the following possibilities:

1) use mount.cifs with root user to mount the remote share locally, then 
re-export it via Samba.
PRO:  use of the same protocol (SMB); support for POSIX ACLs
CONS: when creating some files using a Windows client connecting to the 
Samba server, the file's owner is not set correctly as all new files are 
owned by root and not by the Windows user.
QUESTION 1: It is possible to use a CIFS mount and correctly assing 
owners to new files? Why it does not work? I am missing something?

2) use mount.nfs4 (NFS vers. 4) to mount the remote share (via NFS of 
course), the re-export it via Samba.
PRO: NFSv4 has excellent performances; NFV4 ACLs support
CONS: no POSIX ACLs support; no USER_XATTR support
QUESTION 2: the missing POSIX ACLs support prevents to replicate NT ACLs 
and at the same time the missing USER_XATTR prevents to use the 
security.NTACL EA to store ACLs. On the mailing list I read about a 
NFSv4 VFS module. However, I can not find it anywhere. It is still 
developped? Can samba use NFSv4 ACLs?

3) use mount.nfs ver. 3 to mount the remote share (via NFS of course), 
the re-export it via Samba.
PRO: NFSv3 supports POSIX ACLs
CONS: two different protocols to use/configure, I need to disable strict 
locking in Samba configuration, NFSv3 is an old protocol nowadays.
QUESTION3: using the NFS share via Samba _only_ (even with strict 
locking=no) is a reasonable setup or I can expect data corruption? The 
NFS share will _never_ accessed directly.

4) use iSCSI (or similar protocol) to export the remote disk using a 
low-level protocol and mount it locally on the samba server.
PRO: the server directly mounts an EXT4 filesystem, with POSIX ACLs and 
USER_XATTR (enabling perfect store of Windows ACLs)
CONS: it effectively "stole" the disk from the remote server; 
potentially lower performance (?)
QUESTION 4: anyone used samba via iSCSI? Did you have good performance?

My current testing setup is using proposal n.3 - NFSv3
I both have good performance and good ACLs mapping, but I'm open to 

Thank you all.

Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8

More information about the samba mailing list