[Samba] Samba and NFSv4 ACLs

miguel medalha medalist at sapo.pt
Sat Jul 13 03:04:12 UTC 2024


> I am not an expert in Windows ACL, but where do you see that the 
> nfs4acl_xattr vfs module provides the support for "manage the ACLs on 
> the OS of the Samba host directly?"

Maybe I was overtaken by enthusiasm when I discovered the existence of this module?

> From the Wiki page, https://wiki.samba.org/index.php/NFS4_ACL_overview, 
> it implies the following four operation modes are possible.
> (...)
> (4) Linux Samba Server with nfs4acl_xattr, Windows client. Windows ACL
> is of course supported on Windows.

Doesn't this mode provide exactly what I need? I manage a network in which all servers are Linux and all clients are Windows 10/11.

Further consideration is required. In Linux, the NFSv4 ACLs are stored in the extended attribute "system.nfs4_acl".

The man page for the Samba "vfs_nfs4acl_xattr" module contains the following:

«
nfs4acl_xattr:encoding = [nfs|ndr|xdr]
This parameter configures the marshaling format used in the ACL blob and the default extended
attribute name used to store the blob.

When set to nfs − fetch and store the NT ACL in NFS 4.0 or 4.1 compatible XDR encoding. By
default this uses the extended attribute "system.nfs4_acl".
»

This gives the impression that the Samba module will be able to read and write the extended attribute with the same name (system.nfs4_acl) used by the Linux OS to store NFSv4 ACLs.
Since the extended attribute used seems to be the same, will the Linux tool "nfs4_setfacl" create ACLs readable by the Samba module and will this module write ACLs that can be read by the Linux "nfs4_getfacl" tool?

Looks like I need to do some real world testing...

> Then this sounds like it does not do what you want. But, like some VFS 
> maintainer, I do believe POSIX ACLs are adequate enough. Native file 
> permissions are very flexible with setuid and setgid bits. With 
> idmapping on AD integration (I would prefer sssd), this covers about 95% 
> of the usage cases.

Adequate enough is not the same as good. NFSv4 ACLs are already out there, they offer full compatibility with Windows ACLs.

As much as I dislike Microsoft, I am not into religious operating systems wars. In the interest of interoperability, why not make NFSv4 ACLs generally available?

As it is, the situation is more penalizing for people NOT using Windows on machines serving Windows clients than it is for Microsoft.

Why not make things easier by making ACLs fully compatible? In my view, Linux should provide full kernel support for NFSv4 ACLs.
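
Added example, not part of the original message: a small Python decoder for the `system.nfs4_acl` blob, useful for comparing what `nfs4_setfacl` and the Samba module each write when testing the interoperability question raised above. It assumes the blob uses the NFS 4.0 XDR layout of RFC 7530 (a count followed by type, flag, access mask and who for each ACE); the function names are hypothetical and the sample ACEs are constructed.

```python
import os
import struct

ACE_TYPES = {0: "allow", 1: "deny", 2: "audit", 3: "alarm"}  # acetype4 values

def pack_acl(aces):
    """Build a blob from (type, flag, mask, who) tuples, for offline testing."""
    out = struct.pack(">I", len(aces))
    for ace_type, flag, mask, who in aces:
        raw = who.encode("utf-8")
        pad = (-len(raw)) % 4  # XDR pads opaque data to a 4-byte boundary
        out += struct.pack(">IIII", ace_type, flag, mask, len(raw)) + raw + b"\0" * pad
    return out

def parse_acl(blob):
    """Decode a blob into (type, flag, mask, who) tuples; reject malformed input."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the ACE count field")
    (count,) = struct.unpack_from(">I", blob, 0)
    off, aces = 4, []
    for _ in range(count):
        if off + 16 > len(blob):
            raise ValueError("truncated ACE header")
        ace_type, flag, mask, wholen = struct.unpack_from(">IIII", blob, off)
        off += 16
        end = off + wholen
        if end > len(blob):
            raise ValueError("who string runs past the end of the blob")
        who = blob[off:end].decode("utf-8")
        off = end + (-wholen) % 4  # skip the XDR padding after the who string
        aces.append((ACE_TYPES.get(ace_type, str(ace_type)), flag, mask, who))
    if off != len(blob):
        raise ValueError("blob length does not match the ACE count")
    return aces

def read_acl(path, name="system.nfs4_acl"):
    """Fetch and decode the extended attribute from a file (Linux only)."""
    return parse_acl(os.getxattr(path, name))

# Constructed sample ACEs: (type, flag, access mask, who)
SAMPLE = [
    (0, 0x00, 0x001F01FF, "OWNER@"),
    (0, 0x40, 0x001200A9, "GROUP@"),
    (1, 0x00, 0x00000002, "alice@example.test"),
]

if __name__ == "__main__":
    for ace in parse_acl(pack_acl(SAMPLE)):
        print(ace)
```

Running `read_acl()` on the same file after a change made from Windows and after one made with `nfs4_setfacl` shows whether both writers produce blobs that decode to the same ACEs.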
