[Samba] Warning messages when provisioning an ADDC

Andrew Bartlett abartlet at samba.org
Tue Feb 9 08:15:34 UTC 2021

On Fri, 2021-02-05 at 16:47 +0100, Ralph Boehme via samba wrote:
> Samba AD DC is a complex beast and bending it to your will can require
> deep knowledge of the full stack and possibly a lot of time. :)

Never a truer word said!

So, yes, NFSv4 ACLs in principle provide a better match than POSIX ACLs
and should be able to slot in perfectly allowing Samba deployment as an
AD DC on ZFS and other systems that provide this interface.

Yes, it would be awesome if this could be made to work, particularly if
sufficient emulation was available so it can also work in our selftest.

However, yes, there are a lot of assumptions built into the current
stack, some of which are a hang-over from the NTVFS file server and the
pre-merge days.  Keeping the whole stack of plates spinning while
swapping to a new waiter is no mean feat, but might be possible with
enough time.

Regarding unprivileged containers, jails, etc., I would warn that anyone
who stores Samba ACLs in an unprivileged namespace owns the security
result themselves.  Samba assumes that these values are protected by
the kernel; if they are not, then our security assumptions are revoked.

While I therefore do not endorse the goal, I do commend the effort to
use NFSv4 ACLs in provision.  This is the furthest anybody has gotten
to that goal in the decade or so this stack has been in existence. 

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
