>
> > > > I am wondering if there is a way to bypass Samba's ACL
checks and
> > > delegate
> > > > access control completely to the underlying file system.
> > > >
> > > > My problem arises from the following scenario: Our file
system
> implements
> > > > ACLs that are to the best of my knowledge currently not
readable by
> any
> > > of
> > > > the existing VFS modules. When trying to access a file with
an ACL
> going
> > > > beyond the file's POSIX mode, access is denied by Samba.
I guess
> this is
> > > > caused by an mechanism to derive an NT ACL from the mode. Is
there
> any
> > > > possibility to skip Samba's permission checks?
> > >
> > > Not really anymore. What you could do is provide a vfs module
that
> > > returns a "Everyone is allowed everything" ACL in the
get_nt_acl call.
> > > It would of course be much better to get a proper mapping. What
do
> > > your ACLs look like?
> > >
> >
> > Thanks for clarifying. We use NFSv4 compliant ACLs that can be
accessed
> via
> > the nfs4-acl-tools.
>
> So the only supported way to retrieve ACLs is by running a separate
> executable?
The nfs4-acl-tools make also use of xattrs to access ACLs. The ACL itself
is XDR encoded, so access could be done directly by a VFS module and does
not require the executable.
Christoph
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck