[Samba] Warning messages when provisioning an ADDC

Ralph Boehme slow at samba.org
Fri Feb 5 15:47:47 UTC 2021


On 2/5/21 at 4:30 PM, Thomas Geppert wrote:
> On 05/02/2021 14:07, Rowland penny via samba wrote:
>>> The provisioning and the nfs options given in the provisioning,
>>> that's the pain point.
>> They are the way the OP is trying to get something that shouldn't
>> work, to work.
> 
> GUILTY !  I have to confess.

:)

> However, I must say that I don't understand why it shouldn't work. 
> I'm relatively new to Samba but my understanding is that both vfs
> modules, acl_xattr and nfs4acl, are perfectly capable of storing
> NTACLs lossless. Nevertheless, using the nfs4acl vfs module does not
> provide the same functionality as using the acl_xattr vfs module.

It does provide the same functionality. There may be subtle differences,
but both basically provide a grossly Windows ACL compatible backing store.

> I did some research but without the background of 30 years of
> development that went into the product I'm a little bit lost at some
> points.
> 
> - Why are POSIX ACLs required at all during provisioning when NTACLs
> are available ?

They aren't.

> - Why does the nfs4acl module intentionally mask the POSIX ACL calls
> and doesn't pass them down the stack or implement them the same way
> as the acl_xattr module ?

By design. The POSIX ACL VFS functions only get called indirectly by the
Windows ACL VFS functions if any module implementing the latter calls
into the former. vfs_nfs4acl doesn't do this and acl_xattr only does it
to provide consistency wrt storing the Windows ACL in an xattr and a
mapped POSIX ACL in the filesystem (though this can be disabled by
config). There are more subtleties but that is the basic logic.

Samba AD DC is a complex beast and bending it to your will can require deep
knowledge of the full stack and possibly a lot of time. :)

Cheers!
-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
