[Samba] NTFS ACL on database and vfs_acl_tdb

Jeremy Allison jra at samba.org
Fri Mar 18 17:08:42 UTC 2016

On Wed, Mar 16, 2016 at 11:13:12AM +0100, Matteo Maretto wrote:
> Hi,
> we are migrating our fileserver from an old Novell NetWare system to
> a samba4 system. With NetWare all ACLs were stored in a database, so
> that it was possible to quickly find which files one user or group
> had access to.
> I'm investigating the possibility of writing NTFS ACLs to a database
> with samba. The module vfs_acl_tdb is able to do this, but values
> are hashed so that the db is not queryable.
> Does anyone know of a way to achieve this?

Hmmm. tdb is merely a key/value lookup store. Queries on non-keys
have to be done by traversing the whole db I'm afraid.

You could always change to a sqlite backend if you needed more

> I've had a look at the code of the vfs_acl_tdb module and, from what
> I understood, the ACLs are written both to a tdb and to the
> filesystem.
> What's the behaviour of the module then?
> When I use software like icacls to back up ACLs, it looks like
> samba is reading from the filesystem, because it takes a long time.
> But when I try to browse a directory with thousands of files, access
> is instantaneous. This makes me suppose samba is using the tdb.
> Am I correct?

Depends on what icacls actually does.
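
Added example, not part of the original thread and not Samba code: a sketch of the SQLite route mentioned above, with one row per ACE indexed by trustee SID so that "which files can this user or group read" is an index lookup instead of a traversal of every record. It assumes the ACLs are already available as SDDL strings per path; the schema, the function names and the sample SIDs and paths are hypothetical, and owner rights, generic rights codes and share-level permissions are not modelled.

```python
import re
import sqlite3
from functools import reduce
from itertools import groupby

RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}  # SDDL file rights
FILE_READ_DATA = 0x1
ALICE, BOB, STAFF = (f"S-1-5-21-1-2-3-{rid}" for rid in (1104, 1105, 2001))  # constructed SIDs
SAMPLE = {  # constructed sample: path -> SDDL of that object's security descriptor
    "/srv/share/a.txt": f"O:{ALICE}D:(A;;FA;;;{ALICE})(A;;FR;;;{STAFF})",
    "/srv/share/b.txt": f"D:(D;;FR;;;{BOB})(A;;FR;;;{STAFF})",
    "/srv/share/dir": f"D:(A;OICIIO;FA;;;{BOB})(A;;0x1200a9;;;{ALICE})",
}

def parse_aces(sddl):
    """Yield (type, mask, sid) for plain allow/deny ACEs that apply to the object itself."""
    for body in re.findall(r"\(([^)]*)\)", sddl):
        f = body.split(";")
        if len(f) < 6 or f[0] not in ("A", "D"):
            continue  # audit and object-specific ACEs are out of scope
        if "IO" in re.findall("..", f[1]):
            continue  # inherit-only ACE: applies to children, not this object
        hexmask = f[2].startswith("0x")
        mask = int(f[2], 16) if hexmask else reduce(lambda m, c: m | RIGHTS[c], re.findall("..", f[2]), 0)
        yield f[0], mask, f[5]

def build_index(acls):  # hypothetical schema: one row per ACE, indexed by trustee
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ace(path TEXT, seq INTEGER, type TEXT, mask INTEGER, sid TEXT)")
    db.execute("CREATE INDEX ace_sid ON ace(sid)")
    for path, sddl in acls.items():
        rows = [(path, i, *ace) for i, ace in enumerate(parse_aces(sddl))]
        db.executemany("INSERT INTO ace VALUES (?,?,?,?,?)", rows)
    return db

def files_granting(db, sids, wanted=FILE_READ_DATA):
    """Paths whose DACL grants `wanted` to a token holding `sids` (user plus groups)."""
    query = f"SELECT path, type, mask FROM ace WHERE sid IN ({','.join('?' * len(sids))}) ORDER BY path, seq"
    hits = []
    for path, aces in groupby(db.execute(query, list(sids)), key=lambda r: r[0]):
        need = wanted
        for _, typ, mask in aces:  # matching ACEs in DACL order
            if typ == "D" and mask & need:
                break  # denied before every requested bit was granted
            if typ == "A":
                need &= ~mask
        if not need:
            hits.append(path)
    return hits
```
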
