[Samba] NTFS ACL on database and vfs_acl_tdb

Matteo Maretto matteo.maretto at terredargine.it
Mon Mar 21 12:28:44 UTC 2016

On 19/03/2016 10:20, Volker Lendecke wrote:
> On Fri, Mar 18, 2016 at 10:08:42AM -0700, Jeremy Allison wrote:
>> On Wed, Mar 16, 2016 at 11:13:12AM +0100, Matteo Maretto wrote:
>>> Hi,
>>> we are migrating our fileserver from an old novell netware system to
>>> a samba4 system. With netware all ACL were stored in a database, so
>>> that it was possible to quickly find which files one user or group
>>> had access to.
>>> I'm investigating the possibility of writing ntfs ACL on a database
>>> with samba. The module vfs_acl_tdb is able to do this, but values
>>> are hashed so that the db is not queryable.
>>> Does anyone know of a way to achieve this?
>> Hmmm. tdb is merely a key/value lookup store. Queries on non-keys
>> have to be done by traversing the whole db I'm afraid.
>> You could always change to a sqlite backend if you needed more
>> indexes.
>>> I've had a look at the code of the vfs_acl_tdb module and, for what
>>> I understood, the ACL are written both on a tdb and on the
>>> filesystem.
>>> What's the behaviour of the module then?
>>> When I use a software like icacls, to backup ACL, it looks like
>>> samba is reading from the filesystem, because it takes a long time.
>>> But when I try to browse a directory with thousands of files, access
>>> is instantaneous. This makes me suppose samba is using the tdb.
>>> Am I correct?
>> Depends on what icacls actually does.
> The Novell ACL semantics iirc are vastly different from
> ntfs, posix or nfsv4 acls. How do you want to map those?
> Volker

Thanks for your question.
We have not investigated this matter yet, but we expect to find at least 
a basic correspondence between the two. This would be enough for us.
In the Novell documentation we've read that the object rights are 
essentially four: Browse, Create, Delete, Inheritance Control, Rename, 
and Supervisor.
It shouldn't be difficult to match them to NTFS ACLs.


Please note that this message is not of a personal nature and replies to it may be read by the sender's employer organisation in the manner laid down by the applicable internal regulations. If you have received this e-mail by mistake and are not its intended recipient, please destroy it and notify the sender's address.
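As an added illustration of Jeremy's point above (this is example code, not Samba's vfs_acl_tdb code nor anything Matteo posted), the following shows why the "which files does this user or group have access to" question is a full traversal against a store keyed by file, but an indexed lookup once each ACE is a row in SQLite with a secondary index on the SID. The ACL model (path, allow/deny, SID, access mask), the paths and the SIDs are constructed sample data; the access-mask constants are the documented NTFS generic-rights values; group membership of the queried SID is not expanded, which a real report would have to do.

```python
"""Index NTFS-style ACEs in SQLite so per-SID queries do not require scanning
every file record.  Example only: the simplified (path, type, sid, mask) model
below is NOT the NDR-encoded security descriptor that vfs_acl_tdb stores."""
import sqlite3

# Documented NTFS generic access-mask bits.
GENERIC_READ   = 0x80000000
GENERIC_WRITE  = 0x40000000
GENERIC_ALL    = 0x10000000
FILE_READ_DATA = 0x00000001   # same bit as FILE_LIST_DIRECTORY

# Constructed sample ACLs: path -> [(ace_type, sid, access_mask), ...]
SAMPLE_ACLS = {
    "/srv/share/hr/salaries.xlsx": [
        ("allow", "S-1-5-21-1-1-1-1105", GENERIC_ALL),   # hypothetical hr-admins group
        ("deny",  "S-1-5-21-1-1-1-513",  GENERIC_READ),  # Domain Users (RID 513)
    ],
    "/srv/share/public/readme.txt": [
        ("allow", "S-1-5-21-1-1-1-513", GENERIC_READ),
    ],
    "/srv/share/hr/policy.pdf": [
        ("allow", "S-1-5-21-1-1-1-1105", GENERIC_ALL),
        ("allow", "S-1-5-21-1-1-1-513",  GENERIC_READ),
    ],
}


def build_index(acls):
    """Flatten per-file ACLs into one row per ACE and index the SID column.
    A key/value store keyed by file answers "ACL of path X" directly but has
    to traverse every record for "files where SID Y appears"; the secondary
    index below turns the latter into a B-tree lookup."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ace (
            path TEXT    NOT NULL,
            type TEXT    NOT NULL CHECK (type IN ('allow', 'deny')),
            sid  TEXT    NOT NULL,
            mask INTEGER NOT NULL
        );
        CREATE INDEX ace_by_sid ON ace(sid);
    """)
    db.executemany(
        "INSERT INTO ace VALUES (?, ?, ?, ?)",
        [(p, t, s, m) for p, aces in acls.items() for (t, s, m) in aces],
    )
    db.commit()
    return db


def files_readable_by(db, sid):
    """Paths where `sid` has an allow ACE granting a read bit and no deny ACE
    for the same SID that covers read.  Deny takes precedence, as in NTFS
    canonical ACE ordering.  Group expansion is deliberately left out."""
    read_bits = GENERIC_READ | GENERIC_ALL | FILE_READ_DATA
    rows = db.execute("""
        SELECT DISTINCT a.path
        FROM ace a
        WHERE a.sid = ? AND a.type = 'allow' AND (a.mask & ?) != 0
          AND NOT EXISTS (
              SELECT 1 FROM ace d
              WHERE d.path = a.path AND d.sid = a.sid AND d.type = 'deny'
                AND (d.mask & ?) != 0)
        ORDER BY a.path
    """, (sid, read_bits, read_bits)).fetchall()
    return [r[0] for r in rows]


def uses_index(db, sid):
    """True if SQLite's planner serves the per-SID lookup from ace_by_sid
    rather than a full table scan."""
    plan = db.execute(
        "EXPLAIN QUERY PLAN SELECT path FROM ace WHERE sid = ?", (sid,)
    ).fetchall()
    return any("ace_by_sid" in row[-1] for row in plan)


if __name__ == "__main__":
    acl_db = build_index(SAMPLE_ACLS)
    for who in ("S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-1105"):
        print(who, "can read:", files_readable_by(acl_db, who))
    print("index used:", uses_index(acl_db, "S-1-5-21-1-1-1-513"))
```

The same flattening would work against any backend that keeps one record per ACE; the point is only that the queryable column (the SID) must be indexed somewhere, which a hash of the whole security descriptor cannot provide.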
