[Samba] NTFS ACL on database and vfs_acl_tdb

Volker Lendecke Volker.Lendecke at SerNet.DE
Sat Mar 19 09:20:15 UTC 2016

On Fri, Mar 18, 2016 at 10:08:42AM -0700, Jeremy Allison wrote:
> On Wed, Mar 16, 2016 at 11:13:12AM +0100, Matteo Maretto wrote:
> > Hi,
> > we are migrating our fileserver from an old Novell NetWare system to
> > a samba4 system. With netware all ACL were stored in a database, so
> > that it was possible to quickly find which files one user or group
> > had access to.
> > I'm investigating the possibility of writing ntfs ACL on a database
> > with samba. The module vfs_acl_tdb is able to do this, but values
> > are hashed so that the db is not queryable.
> > Does anyone know of a way to achieve this?
> Hmmm. tdb is merely a key/value lookup store. Queries on non-keys
> have to be done by traversing the whole db I'm afraid.
> You could always change to a sqlite backend if you needed more
> indexes.
> > I've had a look at the code of the vfs_acl_tdb module and, from what
> > I understood, the ACL are written both on a tdb and on the
> > filesystem.
> > What's the behaviour of the module then?
> > When I use a software like icacls, to backup ACL, it looks like
> > samba is reading from the filesystem, because it takes a long time.
> > But when I try to browse a directory with thousands of files, access
> > is instantaneous. This makes me suppose samba is using the tdb.
> > Am I correct?
> Depends on what icacls actually does.

The Novell ACL semantics iirc are vastly different from
ntfs, posix or nfsv4 acls. How do you want to map those?


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
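
The point made in the quoted reply (a key/value store answers non-key questions only by full traversal, an indexed store answers them directly) can be shown with an added example that is not part of the original thread and is not Samba code. It assumes the ACLs are available as SDDL strings; the paths, SIDs, table and function names are constructed for illustration, and this is not the on-disk format vfs_acl_tdb uses.

```python
import re
import sqlite3

# Constructed sample: path -> NT security descriptor in SDDL text form.
SAMPLE = {
    "/srv/share/finance/q1.xlsx":
        "O:BAG:DUD:(A;;FA;;;S-1-5-21-1-2-3-1105)(A;;0x1200a9;;;S-1-5-21-1-2-3-1201)",
    "/srv/share/hr/salaries.ods":
        "O:BAG:DUD:PAI(A;;FA;;;S-1-5-21-1-2-3-1201)(D;;FA;;;S-1-5-21-1-2-3-1105)",
    "/srv/share/public/readme.txt": "O:BAG:DUD:(A;ID;FR;;;WD)",
}
# SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def dacl_aces(sddl):
    """Return [(type, flags, rights, trustee)] for the DACL of an SDDL string.
    Simplified: six-field ACEs only, no conditional or resource-attribute ACEs."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    return ACE.findall(m.group(1)) if m else []

def scan(store, trustee):
    """Key/value style lookup: the trustee is not a key, so visit every record."""
    return sorted((p, t, r) for p, s in store.items()
                  for t, _f, r, who in dacl_aces(s) if who == trustee)

def build_index(store):
    """Flatten ACEs into one row each and index them by trustee."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE aces(path TEXT, type TEXT, flags TEXT, rights TEXT, trustee TEXT)")
    db.execute("CREATE INDEX aces_by_trustee ON aces(trustee)")
    db.executemany("INSERT INTO aces VALUES (?,?,?,?,?)",
                   [(p, *ace) for p, s in store.items() for ace in dacl_aces(s)])
    return db

QUERY = "SELECT path, type, rights FROM aces WHERE trustee = ? ORDER BY path, type"

def lookup(db, trustee):
    """Indexed lookup: which paths carry an ACE for this trustee, and of what kind."""
    return db.execute(QUERY, (trustee,)).fetchall()

def uses_index(db):
    """True if SQLite's query plan for QUERY goes through the trustee index."""
    plan = db.execute("EXPLAIN QUERY PLAN " + QUERY, ("x",)).fetchall()
    return any("aces_by_trustee" in row[3] for row in plan)

if __name__ == "__main__":
    db = build_index(SAMPLE)
    for row in lookup(db, "S-1-5-21-1-2-3-1105"):
        print(row)
```

The rows are raw ACEs, not effective access: deny entries, ACE ordering and group membership still have to be evaluated before concluding what a user can actually open.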
