From samba 3.3.0 release notes, it seems like samba 3.3.x is at least experimenting using xattr to store NT ACL, which can eventually provide better NT ACL support. I tried similar features with samba 4.0.0 alpha6, which works very nice. Is there any plan to provide same level of NT ACL support with samba 3.3.x? If there is such plan, any targeted date for that?

Thanks,
Ying

On Wed, 2009-03-04 at 08:03 -0500, Ying Hu wrote:
> From samba 3.3.0 release notes, it seems like samba 3.3.x is at least
> experimenting using xattr to store NT ACL, which can eventually provide
> better NT ACL support. I tried similar features with samba 4.0.0 alpha6,
> which works very nice. Is there any plan to provide same level of NT ACL
> support with samba 3.3.x? If there is such plan, any targeted date for that?

I *believe* this feature is part of Samba4's VFS implementation which is unique to Samba4.

On Wed, Mar 04, 2009 at 08:03:46AM -0500, Ying Hu wrote:
> From samba 3.3.0 release notes, it seems like samba 3.3.x is at least
> experimenting using xattr to store NT ACL, which can eventually provide
> better NT ACL support. I tried similar features with samba 4.0.0 alpha6,
> which works very nice. Is there any plan to provide same level of NT ACL
> support with samba 3.3.x? If there is such plan, any targeted date for that?

The experimental feature in 3.3 is designed to do exactly what Samba 4 does in this area right now. If you find any deficiencies, please file bugs against it. The fact that this is a little tested and security-sensitive feature is the reason that we marked this as experimental. You can help by testing it :-)

Thanks,

Volker

Thanks for the reply. I just tried to use this feature, but after I created a file, getfattr returns empty. Here are my compilation flags:

    ./configure --prefix=/usr \
        --localstatedir=/var/lib/samba \
        --sysconfdir=/etc/samba \
        --with-configdir=/etc/samba \
        --with-libdir=/usr/lib/samba \
        --with-lockdir=/var/lib/samba \
        --with-logfilebase=/var/log/samba \
        --with-mandir=/usr/man \
        --with-rootsbindir=/sbin \
        --with-piddir=/var/run/samba \
        --with-privatedir=/etc/samba \
        --with-swatdir=/var/data/samba/swat \
        --enable-debug \
        --with-automount \
        --with-acl-support \
        --disable-cups \
        --with-msdfs \
        --with-pam \
        --with-pam_smbpass \
        --with-quotas \
        --with-smbmount \
        --with-syslog \
        --with-tdbsam \
        --with-utmp \
        --with-vfs \
        --with-winbind \
        --with-shared-modules=idmap_rid,idmap_ad \
        --with-ldap \
        --with-ads

Did I miss anything? We are very interested in this feature for sure. Currently is this feature used only for storing NTACL, or is it also used for authentication?

Thanks a lot!
Ying

On Wed, Mar 4, 2009 at 8:25 AM, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
> On Wed, Mar 04, 2009 at 08:03:46AM -0500, Ying Hu wrote:
> > From samba 3.3.0 release notes, it seems like samba 3.3.x is at least
> > experimenting using xattr to store NT ACL, which can eventually provide
> > better NT ACL support. I tried similar features with samba 4.0.0 alpha6,
> > which works very nice. Is there any plan to provide same level of NT ACL
> > support with samba 3.3.x? If there is such plan, any targeted date for
> > that?
>
> The experimental feature in 3.3 is designed to do exactly
> what Samba 4 does in this area right now. If you find any
> deficiencies, please file bugs against it. The fact that
> this is a little tested and security-sensitive feature is
> the reason that we marked this as experimental. You can help
> by testing it :-)
>
> Thanks,
>
> Volker

Compilation options are not enough to enable vfs_acl_xattr support. Does your smb.conf call the appropriate vfs module?

No, could you tell me what flags I need to set in smb.conf? In the future, how do I figure out what flags should be used by reading the source code? Is there any document about vfs module?

Thanks,
Ying

On Sat, Mar 7, 2009 at 5:34 PM, Miguel Medalha <miguelmedalha@sapo.pt> wrote:
> Compilation options are not enough to enable vfs_acl_xattr support.
>
> Does your smb.conf call the appropriate vfs module?

> No, could you tell me what flags I need to set in smb.conf? In the
> future, how do I figure out what flags should be used by reading the
> source code? Is there any document about vfs module?

vfs objects = acl_xattr

Document? man smb.conf

Did you read the samba docs at all?

> Starting with version 3.3.1, the source code package now contains a man page
> for vfs_acl_xattr:

This is what I have on 3.3.1. To me this documentation seriously needs expanded.

NAME
    vfs_acl_xattr - Save NTFS-ACLs in Extended Attributes (EAs)

SYNOPSIS
    vfs objects = acl_xattr

DESCRIPTION
    This VFS module is part of the samba(7) suite.

    The vfs_acl_xattr VFS module stores NTFS Access Control Lists
    (ACLs) in Extended Attributes (EAs). This enables the full
    mapping of Windows ACLs on Samba servers.

    The ACLs are stored in the Extended Attribute security.NTACL
    of a file or directory. This Attribute is not listed by getfattr -d
    filename. To show the current value, the name of the EA must be
    specified (e.g. getfattr -n security.NTACL filename ).

    Please note that this module is experimental!

    This module is stackable.

OPTIONS
    There are no options for vfs_acl_xattr.

AUTHOR
    The original Samba software and related utilities were created
    by Andrew Tridgell. Samba is now developed by the Samba Team as an
    Open Source project similar to the way the Linux kernel is developed.

On Monday, 9 March 2009 03:12, John Drescher wrote:
> > Starting with version 3.3.1, the source code package now contains a
> > man page for vfs_acl_xattr:
>
> This is what I have on 3.3.1. To me this documentation seriously
> needs expanded.

It should be enough to add a "SEE ALSO" section.

> NAME
>     vfs_acl_xattr - Save NTFS-ACLs in Extended Attributes (EAs)
>
> SYNOPSIS
>     vfs objects = acl_xattr
>
> DESCRIPTION
>     This VFS module is part of the samba(7) suite.
>
>     The vfs_acl_xattr VFS module stores NTFS Access Control Lists
>     (ACLs) in Extended Attributes (EAs). This enables the full
>     mapping of Windows ACLs on Samba servers.
>
>     The ACLs are stored in the Extended Attribute security.NTACL
>     of a file or directory. This Attribute is not listed by getfattr -d
>     filename. To show the current value, the name of the EA must be
>     specified (e.g. getfattr -n security.NTACL filename ).
>
>     Please note that this module is experimental!
>
>     This module is stackable.
>
> OPTIONS
>     There are no options for vfs_acl_xattr.

SEE ALSO
    getfattr(1), setfattr(1), attr_get(3), attr_set(3), attr_multi(3),
    attr_remove(3), attr(5), and xfsdump(8).

> AUTHOR
>     The original Samba software and related utilities were created
>     by Andrew Tridgell. Samba is now developed by the Samba Team as an
>     Open Source project similar to the way the Linux kernel is developed.

--
Regards
Harry Jede

Hi John,

On Sun, Mar 08, 2009 at 10:12:14PM -0400, John Drescher wrote:
> > Starting with version 3.3.1, the source code package now contains a man page
> > for vfs_acl_xattr:
>
> This is what I have on 3.3.1. To me this documentation seriously needs expanded.

Please feel free to submit a patch. What is missing in your opinion?

Karolin

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE

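Added example, not part of the thread and not Samba code: a shell check for the two causes of an "empty" getfattr result discussed above, namely a share that never loads acl_xattr in smb.conf and a getfattr call that does not name security.NTACL. The function names and the sample smb.conf (including the recycle module and share names) are assumptions made for the illustration.

```shell
# Added diagnostic example (not Samba code); the smb.conf below is constructed.
# Print the effective "vfs objects" list for share $2 in smb.conf $1.
# A share-level value replaces the [global] one; it is not merged with it.
share_vfs_objects() {
    awk -v want="$2" '
        function key(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[;#]/ { next }                  # skip comment lines
        /^[ \t]*\[.*\]/ {                       # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            sect = tolower(s); next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = key(substr($0, 1, eq - 1))      # names ignore case and spaces
            if (k != "vfsobjects" && k != "vfsobject") next
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (sect == tolower(want)) { share = v; have = 1 }
            else if (sect == "global") glob = v
        }
        END { print (have ? share : glob) }
    ' "$1"
}

# Succeed if acl_xattr is among the (stackable) modules loaded for the share.
has_acl_xattr() {
    for m in $(share_vfs_objects "$1" "$2" | tr ',' ' '); do
        if [ "$m" = "acl_xattr" ]; then return 0; fi
    done
    return 1
}
# Read the ACL blob by name: plain "getfattr -d" only dumps user.* attributes,
# so security.NTACL is not listed there even when it exists.
show_ntacl() { getfattr -n security.NTACL -e hex "$1"; }
conf=$(mktemp)
cat >"$conf" <<'EOF'
[global]
    vfs objects = acl_xattr
[data]
    VFS Objects = recycle, acl_xattr
[legacy]
    vfs objects = recycle
[scratch]
    path = /srv/scratch
EOF
for s in data legacy scratch; do
    if has_acl_xattr "$conf" "$s"; then echo "[$s] acl_xattr loaded"
    else echo "[$s] acl_xattr not loaded: no security.NTACL is written"; fi
done
if [ $# -ge 1 ]; then show_ntacl "$1"; fi   # optional: a file inside a share
```

Pass the path of a file inside a share as the first argument to also print its security.NTACL value.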