Wes Deviers
2009-Sep-16 15:18 UTC
[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
List,

I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3. They worked fine, or at least as fine as NT -> POSIX mapping ever did. After testing 3.3 with acl_xattr on using a different machine, I decided to give it a whirl on the production server. And yes, I know it's experimental.

I defined a share thusly:

vfs objects = acl_xatt
acl map full control = true
inherit acls = yes
map acl inherit = yes
map read only = Permissions
nt acl support = yes
acl group control = true
dos filemode = yes
enable privileges = yes
store dos attributes = yes

This is identical to the setup on the test machine, which worked correctly.

On the production machine, trying to set ACLs via XP's Explorer interface fails with a permission denied. The log:

set_canon_ace_list: sys_acl_set_file type file failed for file TestDirectory/Test (Operation not supported).

Having both POSIX ACL and the VFS object turned on produced some interesting results, so last night I unmounted /samba, turned off -o acl, and remounted it. It now has user_xattr turned on, but -o acl is *off*. Restarted Samba, everything seemed to work.

In the harsh light of users' morning, it appears that Samba is still trying to use the POSIX ACL layer to store ACLs, although that's a best guess based on the error message.

How can I insist that Samba use the vfs object ACL module, instead of the POSIX acls?

Thanks!

Wes
Jeremy Allison
2009-Sep-16 16:56 UTC
[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
On Wed, Sep 16, 2009 at 11:18:58AM -0400, Wes Deviers wrote:
> List,
>
> I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3.
> They worked fine, or at least as fine as NT -> POSIX mapping ever did. After
> testing 3.3 with acl_xattr on using a different machine, I decided to give it a
> whirl on the production server. And yes, I know it's experimental.
>
> I defined a share thusly:
>
> vfs objects = acl_xatt
> acl map full control = true
> inherit acls = yes
> map acl inherit = yes
> map read only = Permissions
> nt acl support = yes
> acl group control = true
> dos filemode = yes
> enable privileges = yes
> store dos attributes = yes
>
>
> This is identical to the setup on the test machine, which worked correctly.
>
> On the production machine, trying to set ACLs via XP's Explorer interface
> fails with a permission denied. The log:
>
> set_canon_ace_list: sys_acl_set_file type file failed for file TestDirectory/Test
> (Operation not supported).
>
> Having both POSIX ACL and the VFS object turned on produced some interesting
> results, so last night I unmounted /samba, turned off -o acl, and remounted it.
> It now has user_xattr turned on, but -o acl is *off*. Restarted Samba,
> everything seemed to work.
>
> In the harsh light of users' morning, it appears that Samba is still trying to
> use the POSIX ACL layer to store ACLs, although that's a best guess based on
> the error message.
>
> How can I insist that Samba use the vfs object ACL module, instead of the
> POSIX acls?

You can't at the moment. Samba still requires the incoming ACL to be converted into an underlying file system ACL, as the underlying filesystem still must have the final decision on access decisions. The NT acl is stored as an "extra" layer of ACL metadata on top of this, which is also consulted.

You could slot in a "null" ACL module underneath the acl_xattr layer that always allowed acl set and returned an "allow everyone" acl on read, but that isn't coded yet (shouldn't be too hard though).

Currently if you want "native" NT ACLs only I suggest you use the NFSv4 module, which is pretty close to native Windows ACLs.

Jeremy
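
The condition described in this thread (both the POSIX ACL layer and extended attributes must be usable on the share's filesystem) can be probed directly. The following is an added example, not part of the original thread and not Samba code; it assumes Linux and Python 3, and the attribute name `user.acl_probe` and all function names are hypothetical. It relies on the kernel returning ENOTSUP ("Operation not supported", the text in the log above) when a filesystem has ACLs or user xattrs disabled.

```python
import errno
import os
import sys
import tempfile

POSIX_ACL_XATTR = "system.posix_acl_access"  # kernel name of a file's access ACL
USER_PROBE_XATTR = "user.acl_probe"          # hypothetical name, used only by this probe

def classify(err):
    """Map the errno of an xattr call to a support verdict."""
    if err in (0, errno.ENODATA):            # ENODATA: layer works, nothing stored yet
        return "supported"
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "unsupported"                 # strerror: "Operation not supported"
    return "unknown (%s)" % errno.errorcode.get(err, err)

def _errno_of(call, *args):
    """Run an os.*xattr call and return 0 or the errno it failed with."""
    try:
        call(*args)
        return 0
    except OSError as exc:
        return exc.errno

def probe(directory):
    """Create a scratch file in `directory` and test both storage layers."""
    fd, path = tempfile.mkstemp(dir=directory, prefix=".aclprobe-")
    os.close(fd)
    try:
        return {
            "posix_acl": classify(_errno_of(os.getxattr, path, POSIX_ACL_XATTR)),
            "user_xattr": classify(
                _errno_of(os.setxattr, path, USER_PROBE_XATTR, b"1")),
        }
    finally:
        os.unlink(path)

def diagnose(result):
    """List the layers that would make an ACL set from a client fail."""
    problems = []
    if result["posix_acl"] != "supported":
        problems.append("POSIX ACLs %s: the mapped filesystem ACL cannot be set"
                        % result["posix_acl"])
    if result["user_xattr"] != "supported":
        problems.append("user xattrs %s: attribute storage on this mount will fail"
                        % result["user_xattr"])
    return problems

if __name__ == "__main__":
    share = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in diagnose(probe(share)) or ["both layers usable"]:
        print(line)
```

Run it as a user who can create files in the share directory, passing the share path as the only argument.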