[Samba] POSIX vs. Windows ACLs
Patrick Goetz
pgoetz at math.utexas.edu
Wed Nov 3 19:53:52 UTC 2021
Hi Marco -
On 11/3/21 11:37, Marco Gaiarin via samba wrote:
> Mandi! Patrick Goetz via samba
> In chel di` si favelave...
>
> I'm using POSIX ACLs, and as Jeremy says, permissions work; I've only coded
> some scripts to 'sanitize' permissions to prevent bad behaviour (e.g., in 'ugo'
> permissions 'g' is also the default mask for applying ACLs, so you have to
> set the mask explicitly or set 'g' to '7').
>
> Only a note:
>
>
>> Currently the linux systems access files through NFS mounts, so no hope
>
> But consider also that NFSv3 has a limited amount of POSIX ACLs that it can
> manage (the protocol has limited 'room' for ACLs, so if you set a very
> complex ACL on some object, you could have a 'truncated' ACL on an NFS-mounted
> share).
>
> You can switch to NFSv4, but ACLs are different things (rather still
> supported by Samba).
>
I only use NFSv4, but pretty extensively use POSIX ACLs in NFS-mounted
filesystems. This has worked remarkably well. I can, for example, do

    setfacl -d -m g:smith-lab-users:rX cryoimages
    setfacl -R -m g:smith-lab-users:rX cryoimages

on the NFS server, where smith-lab-users is an AD Security Group, then
NFS mount cryoimages to another AD-bound Linux workstation, and
permissions work exactly as expected.

Once I realized that I can use AD Security Groups just like any other
Linux group (even better, because they're automatically shared with
every domain member), this made my security admin much simpler.
>
> Currently I'm using CIFS also in UNIX...
>
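
The mask behaviour mentioned in the quoted text, where the 'g' bits of the 'ugo' permissions act as the ACL mask and so can cut down a named-group entry like the one set with setfacl above, as an added example that is not part of the original message. It is a small model of the Linux POSIX ACL rules, not a call to the real tools; the sample ACL and all function names are constructed for illustration.

```python
# Added example: model of how the POSIX ACL mask limits ACL entries on Linux.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample in getfacl style, as it might look after the setfacl -m above.
SAMPLE_ACL = """\
# file: cryoimages
user::rwx
group::rwx
group:smith-lab-users:r-x
mask::rwx
other::---
"""

def parse_acl(text):
    """Parse getfacl-style lines into {(tag, qualifier): permission bits}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments such as "#effective:..."
        if not line or line.startswith("default:"):
            continue                            # default entries are only a template
        tag, qualifier, perms = line.split(":")
        acl[(tag, qualifier)] = sum(PERM_BITS.get(c, 0) for c in perms)
    return acl

def chmod_group(acl, bits):
    """Model chmod of the 'g' bits: with an ACL present they rewrite the mask."""
    new = dict(acl)
    key = ("mask", "") if ("mask", "") in new else ("group", "")
    new[key] = bits
    return new

def effective(acl, tag, qualifier=""):
    """Granted bits ANDed with the mask; owner (user::) and other are exempt."""
    perms = acl[(tag, qualifier)]
    exempt = (tag, qualifier) in (("user", ""), ("other", ""))
    if not exempt and ("mask", "") in acl:
        perms &= acl[("mask", "")]
    return perms

def masked_entries(acl):
    """Entries whose effective rights are lower than what the ACL grants."""
    return sorted(f"{t}:{q}" for (t, q), p in acl.items()
                  if t != "mask" and effective(acl, t, q) != p)

if __name__ == "__main__":
    acl = chmod_group(parse_acl(SAMPLE_ACL), 0)   # e.g. chmod 700 cryoimages
    print("entries limited by the mask:", masked_entries(acl))
```

A check like masked_entries() is the kind of test a 'sanitize' script can run after any chmod, restoring the mask when it reports entries.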