[Samba] Warning messages when provisioning an ADDC
Andrew Walker
walker.aj325 at gmail.com
Tue Feb 9 14:43:36 UTC 2021
On Tue, Feb 9, 2021 at 7:19 AM Thomas via samba <samba at lists.samba.org>
wrote:
> Am 2/9/21 um 9:58 AM schrieb Ralph Boehme:
> > hm, hm, with the acl_xattr VFS module with "acl_xattr:ignore system
> acls" set to yes we're already relying on userspace
> > for security bypassing the kernel, so I wonder whether the namespace
> issue is really the one I would worry about.
> > As long as users don't have direct access to the server storing the
> xattr in the user namespace might be an option.
>
> Running the Samba ADDC in an unprivileged container is one aspect and more
> of a short term goal of enabling NFSv41 ACLs for provisioning.
>
> As Andrew wrote the other aspect would be to enable the use of filesystems
> that natively support NFSv41 ACLs.
> As far as I know GPFS already does this. Unfortunately the port of ZFS to
> Linux, now OpenZFS on Linux, did not implement the existing NFSv41 ACL
> support from Solaris ZFS.
> However, there is some work under progress to implement ZFS native NFSv41
> ACL support in OpenZFS although I'm not sure how that is currently
> progressing.
> See OpenZFS issue https://github.com/openzfs/zfs/issues/4966 and pull
> request https://github.com/openzfs/zfs/pull/9709
> So this would more a long term goal
The implementation in that PR is actually of NFS40 ACLs, not NFS41 ACLs. I
have a branch here where I switched it to using Samba-style xdr-formatted
xattrs (vfs_nfs4acl_xattr) in the system xattr namespace.
https://github.com/truenas/zfs/tree/updated_nfs4acl_xdr
I also have a tool to do basic ACL editing from CLI here (just a rough hack
at this point to allow editing the ZFS ACLs on Linux)
https://github.com/truenas/nfs4xdr-acl-tools
This is probably enough to allow experimenting on Linux with the NFS4 ACLs
on ZFS, but there are kernel changes required to get it to work right at
the end of the day (even if you offload permissions checking to the FS).
I'm working on that as I have time, and the patch for kernel should be
relatively small.
More information about the samba
mailing list