[Samba] Warning messages when provisioning an ADDC
Andrew Bartlett
abartlet at samba.org
Tue Feb 9 08:15:34 UTC 2021
On Fri, 2021-02-05 at 16:47 +0100, Ralph Boehme via samba wrote:
>
> Samba AD DC is a complex beast and bending it do will can require
> deep
> knowledge of the full stack and possibly a lot of time. :)
Never a truer word said!
So, yes, NFSv4 ACLs in principle provide a better match than POSIX ACLs
and should be able to slot in perfectly allowing Samba deployment as an
AD DC on ZFS and other systems that provide this interface.
Yes, it would be awesome if this could be made to work, particularly if
sufficient emulation was available so it can also work in our selftest.
However yes, there is a lot of assumptions built into the current
stack, some of which is a hang-over from the NTVFS file server and the
pre-merge days. Keeping the whole stack of plates spinning while
swapping to a new waiter is no mean feat, but might be possible with
enough time.
Regarding unprivileged containers, jails etc, I would warn that anyone
who stores Samba ACLs in an unprivileged namespace owns the security
result themselves. Samba assumes that these values are protected by
the kernel, if they are not then our security assumptions are revoked.
While I therefore do not endorse the goal, I do commend the effort to
use NFSv4 ACLs in provision. This is the furthest anybody has gotten
to that goal in the decade or so this stack has been in existence.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
More information about the samba
mailing list