Suggested patch - change of namespace from security to trusted for acl_xattr module

Andrew Bartlett abartlet at samba.org
Thu Oct 10 17:28:17 MDT 2013


On Thu, 2013-10-10 at 13:52 +0100, Hafeez Bana wrote:
> Hi All,
> 
> In order to make a fuse mounted glusterfs volume work with the samba module
> acl_xattr, the following patch needs to be applied.
> 
> I don't think this will make it into the main tree considering how it will
> break backwards compatibility - but I thought I would put it out there.
> 
> Ultimately having the xattr namespace configurable but defaulting to
> security would be the way to go.

It isn't as simple as that.  First, I think this is an issue with fuse
and glusterfs, not Samba.  Why is this filesystem specifically unable to
handle the security namespace?

The reason that we use security.NTACL is that this matches other ACLs,
and we hope to have, some day, a kernel module that reads and interprets
this.  Indeed, I think a prototype even existed at one point.  I don't
think it was public, but there was a heated discussion on the merits of
trusted.* vs security.* at the time we started this, and we decided to
continue with security.NTACL.  Having implementations using both would
mean an end to any hope of interoperability with other tools (imagine
Wine could read these, or the NTFS file system read/write them, for
example), because they would also need matching configuration.

The other issue raised at the time, was that the 'trusted' namespace is
meant to be read and written only by root.  If true, this would mean
that all our calls to read this would need to be wrapped in
become_root() - it wouldn't just be a matter of changing the name.

Second, you should patch the idl, the generated output.

But all that aside, really the only supportable way to use glusterfs is
via vfs_glusterfs (it was written for very good reason).  The security.*
namespace issue was, if I recall correctly, addressed in recent versions
of glusterfs as part of their work to enable this module. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
