[Samba] Trying to understand vfs_fruit's nfs_aces option

Ralph Böhme rb at sernet.de
Tue Oct 6 09:44:57 UTC 2015 

On Mon, Sep 28, 2015 at 06:34:31PM -0400, John Mulligan wrote:
> Hello List,
> 
> My team and I have started testing out vfs_fruit to see if it helps us improve 
> the directory browsing performance of Mac clients. After enabling it some of 
> our tests began failing due to an "The permissions on x are incorrectly 
> ordered" error on Windows.

Which tests?

> I chased it down to a behavior in vfs_fruit that is enabled by the
> fruit:nfs_aces config option. The manpage section for this option
> says:
> 
> > Whether support for querying and modifying the UNIX mode of 
> > directory entries via NFS ACEs is enabled, default yes.
> 
> I took a brief look at the module's source and sure enough it looks to be 
> appending 3 deny aces after the expected allow ace(s).

Those ACEs are special in that they encode POSIX uid, gid and mode
bits in a special way.

> While I write this message we're retesting with fruit:nfs_aces set to no. 
> Before we make any long-term decisions I was hoping someone with more 
> knowledge about vfs_fruit could answer a few questions:
> 
> * How are Mac clients expected to interact with these additional aces?

Used for querying and modifying POSIX uid, gid and mode. It's
perfectly safe to disable this feature.

> * What downsides are there to simply setting fruit:nfs_aces to no all the 
> time? 
> 
> * Since this seems pretty disruptive to the Windows clients, but yet is the 
> default for fruit, is the expected use case for the fruit module to be used on 
> different share from that of the Windows clients?

Iirc Windows clients should actually see those ACEs, as those are only
returned to clients that negotiate this capability via AAPL create
context on "." after tree connect.

> * The fruit module is listed before acl_xattr in my vfs objects line, this 
> seems like the correct ordering to me but I figure since I'm writing this 
> message, I'll double check.

That's correct.

-Ralph

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt@sernet.de

More information about the samba mailing list