[Samba] Skip ACL checks
Andrew Bartlett
abartlet at samba.org
Mon Mar 20 20:13:23 UTC 2017
On Mon, 2017-03-20 at 10:57 +0100, Christoph Kleineweber via samba
wrote:
> On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl at samba.org>
> wrote:
>
> > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber
> > wrote:
> > > I am wondering if there is a way to bypass Samba's ACL checks and
> >
> > delegate
> > > access control completely to the underlying file system.
> > >
> > > My problem arises from the following scenario: Our file system
> > > implements
> > > ACLs that are to the best of my knowledge currently not readable
> > > by any
> >
> > of
> > > the existing VFS modules. When trying to access a file with an
> > > ACL going
> > > beyond the file's POSIX mode, access is denied by Samba. I guess
> > > this is
> > > caused by an mechanism to derive an NT ACL from the mode. Is
> > > there any
> > > possibility to skip Samba's permission checks?
> >
> > Not really anymore. What you could do is provide a vfs module that
> > returns a "Everyone is allowed everything" ACL in the get_nt_acl
> > call.
> > It would of course be much better to get a proper mapping. What do
> > your ACLs look like?
> >
>
> Thanks for clarifying. We use NFSv4 compliant ACLs that can be
> accessed via
> the nfs4-acl-tools.
>
> I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr),
> which
> seems to be build on a different implementation. The referenced
> website (
> http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the
> xattr
> to access ACLs is different (system.nfs4acl for nfs4acl_xattr and
> system.nfs4_acl for nfs4-acl-tools). Is this a known issue?
Is it just an issue with the name, or is the on-disk format different
as well?
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list