Hi all,

I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.

My problem arises from the following scenario: Our file system implements ACLs that are to the best of my knowledge currently not readable by any of the existing VFS modules. When trying to access a file with an ACL going beyond the file's POSIX mode, access is denied by Samba. I guess this is caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?

Thank you in advance,
Christoph

--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix Hupfeld, Bjoern Kolbeck

On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> I am wondering if there is a way to bypass Samba's ACL checks and delegate
> access control completely to the underlying file system.
>
> My problem arises from the following scenario: Our file system implements
> ACLs that are to the best of my knowledge currently not readable by any of
> the existing VFS modules. When trying to access a file with an ACL going
> beyond the file's POSIX mode, access is denied by Samba. I guess this is
> caused by a mechanism to derive an NT ACL from the mode. Is there any
> possibility to skip Samba's permission checks?

Not really anymore. What you could do is provide a vfs module that returns an "Everyone is allowed everything" ACL in the get_nt_acl call. It would of course be much better to get a proper mapping. What do your ACLs look like?

With best regards,
Volker Lendecke

On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl at samba.org> wrote:
> On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > I am wondering if there is a way to bypass Samba's ACL checks and delegate
> > access control completely to the underlying file system.
> >
> > My problem arises from the following scenario: Our file system implements
> > ACLs that are to the best of my knowledge currently not readable by any of
> > the existing VFS modules. When trying to access a file with an ACL going
> > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > caused by a mechanism to derive an NT ACL from the mode. Is there any
> > possibility to skip Samba's permission checks?
>
> Not really anymore. What you could do is provide a vfs module that
> returns an "Everyone is allowed everything" ACL in the get_nt_acl call.
> It would of course be much better to get a proper mapping. What do
> your ACLs look like?

Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via the nfs4-acl-tools. I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which seems to be built on a different implementation. The referenced website (http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr to access ACLs is different (system.nfs4acl for nfs4acl_xattr and system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

Kind regards,
Christoph

--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix Hupfeld, Bjoern Kolbeck
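
The xattr name difference described in the last message can be checked on a given file with a short probe. This is an added example, not part of the original thread or of Samba; the function names and status labels are illustrative, and it compares attribute names only, not the ACL encoding behind them.

```python
import errno
import os

# xattr names as given in the thread above
SAMBA_NFS4ACL_XATTR = "system.nfs4acl"    # name used by Samba's nfs4acl_xattr
NFS4_ACL_TOOLS_XATTR = "system.nfs4_acl"  # name used by nfs4-acl-tools


def probe(path, getxattr=None):
    """Return {xattr_name: status} for both NFSv4 ACL xattr names."""
    getxattr = getxattr or os.getxattr  # os.getxattr is Linux-only
    results = {}
    for name in (SAMBA_NFS4ACL_XATTR, NFS4_ACL_TOOLS_XATTR):
        try:
            getxattr(path, name)
            results[name] = "present"
        except OSError as exc:
            if exc.errno == errno.ENODATA:
                results[name] = "absent"       # name known, no value on this file
            elif exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
                results[name] = "unsupported"  # file system does not serve this name
            elif exc.errno in (errno.EACCES, errno.EPERM):
                results[name] = "denied"       # caller may not read the attribute
            else:
                raise
    return results


def diagnose(results):
    """Summarise whether the ACL is stored under the name nfs4acl_xattr uses."""
    if results[SAMBA_NFS4ACL_XATTR] == "present":
        return "module-readable"
    if results[NFS4_ACL_TOOLS_XATTR] == "present":
        # ACL exists, but only under the nfs4-acl-tools name
        return "name-mismatch"
    if "denied" in results.values():
        return "inconclusive"
    return "no-nfs4-acl"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        res = probe(target)
        print(target, res, diagnose(res))
```

A "name-mismatch" result means Samba would fall back to deriving the NT ACL from the POSIX mode, which matches the access denials reported at the start of the thread.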