[Samba] acl_xattr vs acl_tdb

Andrew Bartlett abartlet at samba.org
Sat Jul 15 06:24:33 UTC 2017

On Fri, 2017-07-14 at 15:36 +0530, Venkat V via samba wrote:
> Hi,
> we are using Samba 4.5.11 on HP-UX. xattr library is not available on
> HP-UX, so we can't use acl_xattr.
> We are planning to use vfs_acl_tdb VFS module for mapping Windows ACLs.
> Can you please let me know if there will be any issue with this

There are major issues with the fundamental design, some of which are
papered over, others of which can't be worked around.  

The core assumption is that a dev/inode combination is not re-used.

However, as we see regularly in our selftest environment, every time a
file is created or deleted outside Samba, there is a risk that the
device/inode is re-used, leaving an old and incorrect DB record.  

We work around this by checking the posix ACL and comparing it to a
hash stored with the NT acl, discarding it if need be. 

However, if you use vfs_acl_tdb you probably will also use
vfs_xattr_tdb, to get dos attributes correct.  This has the same issue,
but no workaround, and regularly causes issues in our selftest. 

Finally, all filesystem operations have to go via this database, which
is inefficient. 

If you are wedded to HP/UX, perhaps run Samba in a simpler mode of
operation, without ACLs.  Otherwise, I suggest you will have much less
pain and a much happier life if you are able to run Samba on Linux,
where developers can assist and where the corner cases have been long
found, understood and fixed. 


Andrew Bartlett

> Thanks & Regards
> Venkat
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
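
The stale-record problem and the hash workaround described in the message above, as an added Python model (not Samba code and not part of the original message). The FileState records, ACL strings and NT ACL placeholder are constructed, and SHA-256 is an assumed hash choice.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class FileState:
    """Constructed stand-in for stat() output plus the file's POSIX ACL."""
    dev: int
    ino: int
    posix_acl: str

def acl_hash(posix_acl: str) -> str:
    # SHA-256 is an assumption of this model, not taken from the message.
    return hashlib.sha256(posix_acl.encode()).hexdigest()

class AclStore:
    """Side database keyed on (dev, inode), as the message describes."""
    def __init__(self):
        self.db = {}

    def set_nt_acl(self, f: FileState, nt_acl: str) -> None:
        self.db[(f.dev, f.ino)] = (nt_acl, acl_hash(f.posix_acl))

    def get_nt_acl(self, f: FileState, check_hash: bool = True):
        rec = self.db.get((f.dev, f.ino))
        if rec is None:
            return None
        nt_acl, stored_hash = rec
        if check_hash and stored_hash != acl_hash(f.posix_acl):
            del self.db[(f.dev, f.ino)]  # stale record: discard it
            return None
        return nt_acl

def demo():
    store = AclStore()
    private = "user::rw-,group::---,other::---"
    old = FileState(64, 1001, private)
    store.set_nt_acl(old, "nt-acl-for-old-file")  # constructed placeholder
    # Old file is deleted and a new one created outside the store's view;
    # the filesystem hands the new file the same dev/inode.
    reused = FileState(64, 1001, "user::rw-,group::r--,other::r--")
    no_check = store.get_nt_acl(reused, check_hash=False)  # no workaround
    checked = store.get_nt_acl(reused)                     # hash mismatch
    # Same reuse, but the new file happens to have an identical POSIX ACL.
    store.set_nt_acl(old, "nt-acl-for-old-file")
    same_acl = store.get_nt_acl(FileState(64, 1001, private))
    return no_check, checked, same_acl

if __name__ == "__main__":
    print(demo())
```

The first value is the stale record handed to the new file when nothing is compared (the situation the message describes for vfs_xattr_tdb), and the second shows the hash comparison discarding it. The third shows that, in this model, the comparison cannot detect reuse when the new file's POSIX ACL matches the old one.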
