[Samba] Is it possible to clone an NT ACL from one file or dir to a totally different file or dir ?
Ken McDonald
ken at generation.tech
Sun Mar 25 00:20:10 UTC 2018
Can I use a command like this to clone an NT ACL?
getfattr -n security.NTACL templateFile | sed -e 's/templateFile/realFile/' | sudo setfattr --restore=-
I can see that the attribute gets copied over but when I view the ACL in
Windows security tab it's not the same ACL, it's much bigger and
includes all kinds of default-like stuff. I'm trying to find a way to
update permissions on a mass amount of files without using the existing
Windows/Samba tools which take days to complete on large datasets.
Right now, I have this process, but it's not working and I don't
understand why.
1) Set up template example file or directory with the desired permission
structure (call it templateFile here)
2) Create or use an existing destination/target file or directory (call
it realFile here)
3) Remove all existing perms on realFile:
setfacl -b realFile
setfattr -x user.DOSATTRIB realFile
sudo setfattr -x security.NTACL realFile
4) Clone the extended ACL:
getfacl templateFile | sudo setfacl -bnM - realFile
5) Clone the DOS attributes:
getfattr -d templateFile | sed -e 's/templateFile/realFile/' | setfattr --restore=-
6) Clone the NTACL:
getfattr -n security.NTACL templateFile | sed -e 's/templateFile/realFile/' | sudo setfattr --restore=-
By default, step 4 takes forever to run on large datasets because it
uses named entities. My ultimate plan was to use the numeric user/group
IDs in that step instead of named ones so the Winbind cost is not
incurred. Seems for the whole process, the calls to Winbind to resolve
the named entity to its numeric ID are the reason for the slowdown.
That's why, even when using the normal Windows security tab or
samba-tool, it takes days to update large datasets. I'm exploring
options around that issue.
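
Added example, not part of the original post and not Samba code: steps 3 to 6 done as raw extended-attribute copies, so values never pass through a text dump and the POSIX ACL is copied in its numeric form. The function name clone_xattrs is hypothetical, and it assumes a Linux file system that exposes POSIX ACLs as system.posix_acl_access and system.posix_acl_default. It only makes the attribute bytes identical; it does not show how Samba will interpret the copied security.NTACL value.

```python
import errno
import os

# Attributes that steps 4-6 of the post copy, in the same order. The POSIX ACL
# xattrs store numeric uid/gid values, so no name lookup is involved.
ATTRS = (
    "system.posix_acl_access",
    "system.posix_acl_default",   # set on directories only
    "user.DOSATTRIB",
    "security.NTACL",
)

def _read(path, name, getx):
    """Return the raw attribute value, or None if the attribute is not set."""
    try:
        return getx(path, name)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.EOPNOTSUPP):
            return None
        raise

def clone_xattrs(template, target, names=ATTRS,
                 getx=os.getxattr, setx=os.setxattr, rmx=os.removexattr):
    """Make `target` carry the same raw values as `template` for `names`.

    Returns {name: "copied" | "removed" | "absent"} and raises on a read-back
    mismatch. getx/setx/rmx are injectable so the logic can be exercised
    without root (writing security.* needs CAP_SYS_ADMIN).
    """
    result = {}
    for name in names:
        want = _read(template, name, getx)
        have = _read(target, name, getx)
        if want is None:
            if have is not None:
                rmx(target, name)      # same effect as step 3 in the post
                result[name] = "removed"
            else:
                result[name] = "absent"
            continue
        if have != want:
            setx(target, name, want)
        if _read(target, name, getx) != want:
            raise RuntimeError(f"{name} on {target} differs after write")
        result[name] = "copied"
    return result
```

File mode bits and ownership are not touched by this function.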