[Samba] Samba and NFSv4 ACLs

Cang Household canghousehold at aol.com
Sat Jul 13 01:58:31 UTC 2024


> Samba provides the "nfs4acl_xattr" vfs module precisely for that.

I am not an expert in Windows ACLs, but where do you see that the 
nfs4acl_xattr vfs module provides the support for "manage the ACLs on 
the OS of the Samba host directly"?


From the Wiki page, https://wiki.samba.org/index.php/NFS4_ACL_overview, 
it implies the following four operation modes are possible.

(1) Windows SMB Server with ACL, Linux cifs vfs kernel module, probably 
meant mounting with -t cifs. This supports Windows ACL on mounted 
filesystem on Linux.

(2) Windows NFSv4 Server with ACL. Linux nfsv4 client. This supports ACL 
on mounted filesystem on Linux.

(3) Linux Samba Server with nfs4acl_xattr, Linux client with NFSv4 
Client. The Windows ACL is supported via nfs4-acl-tools. This 
manipulates the nfs4acl_xattr.

(4) Linux Samba Server with nfs4acl_xattr, Windows client. Windows ACL 
is of course supported on Windows.


"Linux is the only one of the major Unix flavors that does not have any 
native NFS4 ACL support upstream in the kernel yet." This is saying you 
cannot use nfs4-acl-tools to manipulate non-VFS with nfs4acl_xattr, 
because those attributes are not recognized and not enforced by the Linux 
kernel.


Then this sounds like it does not do what you want. But, like some VFS 
maintainer, I do believe POSIX ACLs are adequate enough. Native file 
permissions are very flexible with setuid and setgid bits. With 
idmapping on AD integration (I would prefer sssd), this covers about 95% 
of the use cases.
