thr3ads.net - samba - [Samba] [mount.cifs] Mapping Windows ACLs SIDs to POSIX ACL ? [Oct 2011]

If this information is useful, please help other people find it:
Share via:

Xavier Roche

2011-Oct-06 09:40 UTC

[Samba] [mount.cifs] Mapping Windows ACLs SIDs to POSIX ACL ?

Hi folks,

This may sound like a really stupid question, but I could not find any 
way to somehow map remote Windows ACLs into POSIX ACLs (mapping users 
and group SIDs to Unix mapped ids) when mounting a remote share 
(mount.cifs) on a Linux box.

Is is something not currently implemented ? The smbcacls tool can show 
the actual ACLs remotely, but this information is not exposed to the 
mounted filesystem apparently. The acl feature of the client seem to be 
an extension to CIFS allowing to handle POSIX ACLs, not something 
allowing a mapping.

Any insightful remark or documentation would be welcome!

[ Note: the only potential issue when mapping would be related to deny 
ACLs (AceType == ACCESS_DENIED_ACE_TYPE) ; something which is not 
mappable to POSIX ACL. ]

Shirish Pargaonkar

2011-Oct-06 12:54 UTC

head link

[Samba] [mount.cifs] Mapping Windows ACLs SIDs to POSIX ACL ?

On Thu, Oct 6, 2011 at 4:40 AM, Xavier Roche <roche+kml2 at exalead.com>
wrote:> Hi folks,
>
> This may sound like a really stupid question, but I could not find any way
> to somehow map remote Windows ACLs into POSIX ACLs (mapping users and group
> SIDs to Unix mapped ids) when mounting a remote share (mount.cifs) on a
> Linux box.
>
> Is is something not currently implemented ? The smbcacls tool can show the
> actual ACLs remotely, but this information is not exposed to the mounted
> filesystem apparently. The acl feature of the client seem to be an
extension
> to CIFS allowing to handle POSIX ACLs, not something allowing a mapping.
>
> Any insightful remark or documentation would be welcome!
>
> [ Note: the only potential issue when mapping would be related to deny ACLs
> (AceType == ACCESS_DENIED_ACE_TYPE) ; something which is not mappable to
> POSIX ACL. ]
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: ?https://lists.samba.org/mailman/options/samba
>,
Currently cifs client maps DACL to Linux permission model
but not to POSIX ACL model.

You will need a kernel built with cifs_cifsacl config option
(because it is still maexperimental) and current cifs-utils package.
The manpages in that cifs-utils package will have info on how
to use mount option cifsacl and how to setup id mapping
(using winbind).

The current cifs-utils package has two binaries, getcifsacl
and setcifsacl, modeled after smbcacls.

Hope that helps. You may direct any further questions/concerns
to linux-cifs at vger.kernel.org mailing list.

Regards,

Shirish

samba - Oct 2011 - [mount.cifs] Mapping Windows ACLs SIDs to POSIX ACL ?

[Samba] [mount.cifs] Mapping Windows ACLs SIDs to POSIX ACL ?

[Samba] [mount.cifs] Mapping Windows ACLs SIDs to POSIX ACL ?