Michael Marschall
2000-Mar-31 19:38 UTC
Samba on Linux with no ACL's is making things tough
Please forgive me if this gets a bit long. I am presently in the process of moving my company's file server from Windows NT 4.0 over to Linux with SAMBA and the lack of ACL support in the ext2 filesystem is making things very difficult to design. To clarify I am NOT writing about Samba's support for NT ACL's on NTFS. I am writing to possibly get some tips for getting around the lack of ACL's in ext2. I know that ReiserFS and SGI's XFS both have support for ACL's, but these are beta file systems and that is not acceptable. Also I know there are projects for ACL support in ext2, but these are also at the most beta code. My goal is to get some suggestions or for someone to tell me that I am SOL.

My problem is that I want/need to set up directories for individual departments on the Samba server that all members of the department can have access to. This is easy. I can create a share giving specific rights to the department's group and/or individual users. Within these directories are going to be other directories that also need to have specific access set on them (not everybody within a department should be able to see all the files within the dept folder). This is where the solution begins to fall apart. Samba can control access to a shared folder, but (at least to my knowledge) cannot control access to subdirectories of a share. The only way to control this is via ext2 filesystem security (chmod, chgrp).

What has to happen to set more narrow access on the subdirectory (i.e. grant access for a subset of the users able to access the department directory) is to create a new group in Linux /etc/group and add the subset of users that need access to this folder to the group. Then I would have to set group access on this folder to the new group. But this sucks. For every subdirectory that I have within a department directory that would require restricted access to one or more member[s] of the department (say a secretary or temp employee) I would have to create a new group. Not only would this be tedious and difficult to track, but there is a limitation on how many groups a user id can be a member of in Linux (I think it is 16).

The alternative of eliminating the department shares and just creating shares of all the subdirectories is also a poor solution. This would create hundreds of shares (my sales directory has a subdirectory representing every client we have and only specific people can access each client). I can imagine what a user is going to think when they either A) need to map 50 shares (drive letter problem) to get access to their work or B) double click on the server in network neighborhood and not only see all the shares for their dept. but also all the shares for every other dept. (yuk!!!)

Another solution would be to use a combination of the last method (create shares of the subdirectories) and use virtual servers according to department. This eliminates every user having to see every directory from every dept, but it does not solve the sub directory problem and it also does not solve my affinity for thinking that virtual servers when you have 50 employees is stupid.

Am I doing something wrong here? Is or did anybody hav[ing] the same problem? Can someone describe their setup and how it works? Sorry if this is confusing.

--
Michael Marschall
Infrastructure Manager
VoiceRite, Inc.
7725 NW 48th St.
Miami, Florida 33166
Phone / Fax / Pager : 305 436 1574
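The group-per-subdirectory workaround described in the message above can be sized before it is built. This Python sketch is an added example, not part of the original thread: it assigns one group per distinct set of users, reports anyone who would exceed a per-user group limit, and renders the chgrp/chmod calls. The paths, user names, group names, mode 2770 and the limit of 16 (the figure the poster recalls) are assumptions.

```python
from collections import defaultdict

GROUP_LIMIT = 16  # assumption: the per-user figure the poster recalls


def sample_access():
    """Constructed data: directory -> users who may enter it."""
    access = {}
    for i in range(20):  # 20 client directories: the manager plus one rep each
        access["/srv/sales/client%02d" % i] = {"alice", "rep%02d" % i}
    # Same user set as client00, so no extra group is needed for it
    access["/srv/sales/client00-archive"] = {"alice", "rep00"}
    return access


def plan_groups(access, limit=GROUP_LIMIT):
    """Assign one group per distinct user set; report users over the limit."""
    groups = {}     # frozenset of users -> hypothetical group name
    dir_group = {}  # directory -> group that will own it
    for path in sorted(access):
        members = frozenset(access[path])
        if members not in groups:
            groups[members] = "grp%03d" % (len(groups) + 1)
        dir_group[path] = groups[members]
    per_user = defaultdict(int)
    for members in groups:
        for user in members:
            per_user[user] += 1
    over_limit = {u: n for u, n in per_user.items() if n > limit}
    return groups, dir_group, over_limit


def permission_commands(dir_group):
    """Render the chgrp/chmod calls that would apply the plan."""
    cmds = []
    for path, group in sorted(dir_group.items()):
        cmds.append("chgrp %s %s" % (group, path))
        # 2770: owner and group get rwx, others nothing; setgid keeps new
        # files in the directory's group
        cmds.append("chmod 2770 %s" % path)
    return cmds


if __name__ == "__main__":
    groups, dir_group, over_limit = plan_groups(sample_access())
    print("%d directories need %d groups" % (len(dir_group), len(groups)))
    for user, count in sorted(over_limit.items()):
        print("%s would be in %d groups (limit %d)" % (user, count, GROUP_LIMIT))
    print("\n".join(permission_commands(dir_group)[:4]))
```
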
[Michael Marschall]
> I am presently in the process of moving my company's file server from
> Windows NT 4.0 over to Linux with SAMBA and the lack of ACL support
> in the ext2 filesystem is making things very difficult to design. To
> clarify I am NOT writing about Samba's support for NT ACL's on
> NTFS. I am writing to possibly get some tips for getting around the
> lack of ACL's in ext2. I know that ReiserFS and SGI's XFS both have
> support for ACL's, but these are beta file systems and that is not
> acceptable. Also I know there are projects for ACL support in ext2,
> but these are also at the most beta code.

Samba does not directly support ACLs on any OS. That is to say, you can't manipulate them from the client. Sounds like this wouldn't be a problem for you, as you would set it all up directly on the server.

I don't know much about ReiserFS -- at least not firsthand, since I haven't tried it -- but SuSE ships and supports it. Now, it is true that Al Viro (kernel VFS guru) doesn't like the shape ReiserFS is in, but (a) Al is very demanding, and (b) mostly what he doesn't like about it is that it may well have boundary conditions ripe for security holes. Shouldn't be a problem if you don't give out shell accounts to untrusted people -- we're not talking about *remote* exploits here.

I would give it a try. Perhaps using SuSE, since they're the ones who are actually shipping ReiserFS standard.

Peter
David Collier-Brown - Sun Canada
2000-Apr-02 21:54 UTC
Samba on Linux with no ACL's is making things tough
Well, you just described the problems that ACLs on Multics were designed to solve, and one which Unix perms didn't attempt to address. Darn!

Can you put an smb server on a machine with ACLs? Solaris, HP-UX and SGI at least have POSIX ACLs, which will suffice.

The team is aware of the problem, but can't do much if the underlying OS doesn't have the functionality...

--dave
--
David Collier-Brown in Boston
Phone: (781) 442-0734, Room BUR03-3632
David Collier-Brown - Sun Canada
2000-Apr-02 22:40 UTC
Samba on Linux with no ACL's is making things tough
Michael Marschall wrote:
| Actually putting SAMBA on a Solaris, HP-UX or SGI box defeats the purpose
| of me using SAMBA in the first place (lower cost).

Fair enough: I had hoped you had one around somewhere. [Semi-serious suggestion from my employer: run Solaris x86, for the cost of media, see http://www.sun.com/developers/tools/solaris/solarispromo.html]

| I just cannot believe that nobody has
| found a way to function in a complex sharing environment with Linux and
| Samba. It leads me to think that Samba is only good for two situations, 1)
| When you have a UNIX OS with ACLs in the underlying file system or 2) if
| you have very unsophisticated file storage setup.

In fact, you have an unusual case, one which Thompson and Ritchie consciously left out. Their replacement (groups) was insufficient. They really didn't want to get into "security aware" OSs, ones in which the users were expected to want to blow away each other. Unix can be adapted to this case, but it's hard. For years, the only "B2 Secure" OS was Multics, which ran on $1 Million hardware...

I've been actively following the ACL discussion on samba-technical, and the Samba folks are coding for ACLS as we speak, but you have to have "something there" to code to. They really have to add them on top of an acl-aware filesystem. Please note: this includes Linux NTFS, as well as other more experimental FSs.

This, however, will not appear in time to be a decent approach for your current problem. So you're probably stuck with NT for this particular filesystem tree. If you want to introduce Samba to the mix, consider using it to export your binaries tree(s).

--dave
--
David Collier-Brown in Boston
Phone: (781) 442-0734, Room BUR03-3632
Michael Marschall
2000-Apr-04 16:12 UTC
Samba on Linux with no ACL's is making things tough
I am not sure who suggested it, but I have checked out the Linux Trustee Project and the ACL support seems to work very well. It gives you quite a bit of granularity and there is no noticeable performance hit. If you are replacing an NT box with Linux/Samba and need to have shares with advanced permission sets then something like this is a must.

All you have to do is patch/compile the kernel, compile the settrustee executable and set up your ACL's in a config file. Run the executable to set the ACL's and you are in business. I will be testing it thoroughly over the next few weeks to make sure it will not break on me. If anybody has any questions on setup you can email me personally and I will help where I can.

Here is a link to the site: http://www.braysystems.com/linux/trustees.html

The developer's first language is not English so please disregard the spelling and grammar mistakes. I have offered to help him with documentation and editing.

--
Michael Marschall
Infrastructure Manager
VoiceRite, Inc.
7725 NW 48th St.
Miami, Florida 33166
Phone / Fax / Pager : 305 436 1574
Sander Striker wrote:
> Ahh. Oops, sorry. Is it possible to interface the api to
> the trustee patch? Or am I talking stupid now? :-)

Depends on the exported kernel API. The code donated to Samba by HP wraps the API somewhat making it possible to support different underlying API's, so maybe. Does anyone know what the "trustee" Linux kernel API looks like?

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
So 2.0.8 WILL have ACLs? Or only IF you have some sort of POSIX ACL support in your OS (Linux 2.2.x)? Can you clarify this please? I'm actually thinking of *gasp* dumping Samba since it can't give me the granularity I need. (stupid unix group issues)

Jeremy Allison wrote:
>
> Sander Striker wrote:
> >
> > I forwarded this to samba-technical and samba-ntdom because this
> > issue is something someone is working on. I only can't remember
> > who... Luke?
> > This looks very promising.
>
> This is something I'm working on at the moment in 2.0.x
> and HEAD. The Linux trustee patch seems ok for the particular
> problem, but doesn't allow Windows clients access to modify
> ACLS for files that they own. To do that you need POSIX
> ACL support - that's the API we'll be adding into Samba
> 2.0.8 and HEAD (and TNG with the merge going on).
>
> Jeremy.
>
> --
> --------------------------------------------------------
> Buying an operating system without source is like buying
> a self-assembly Space Shuttle with no instructions.
> --------------------------------------------------------
Paul Rogers wrote:
>
> > -----Original Message-----
> > From: Jeremy Allison [mailto:jeremy@valinux.com]
> >
> > A mapping *may* be done for one of
> > the experimental Linux ACL implementations (the one
> > at http://acl.bestbits.at/ is probably the one we'll
> > use) but this code is not currently in any stable or
> > development kernel so it will definitely be a configure
> > option on Linux.
>
> So, are you saying that with Linux, you might and might not implement ACLs
> for Linux? If you don't, I think there will be a number of people dropping
> Samba servers on Linux boxes in favour of NT - a great shame. I for one have
> been hoping this would be implemented for a long time.

Well we can only implement ACLs for Samba on systems that have them in the underlying filesystem. If Linux *doesn't*, then it isn't the fault of Samba!

You could of course still use Samba on UNIXs that *do* have ACLs, such as IRIX, Solaris, HPUX, AIX etc. Or you could integrate the ACL patch that has not yet been integrated into the mainline kernel - found as mentioned above at: http://acl.bestbits.at/.

We cannot single-handedly fix the ACL problem in the Linux kernel, it takes enough time maintaining an SMB server as it is :-).

I'm CC:ing Ted Tso on this reply, in the hope he can give us an "official" response as to the status of ACL support in the Linux kernel.

Cheers,
Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------