Nico Kadel-Garcia
2010-Apr-07 11:50 UTC
[Samba] Does control of NFS4 ACL's from NetApps work for RHEL Samba servers with Windows XP clients at all?
Good morning!

I'm reviewing some corporate storage setups involving NetApps, where the NetApp stores what they call "UNIX Qtrees". So far, so good: those allow the setting of access to the data with NFS4 ACL's, which are fairly sophisticated and allow multiple groups or even multiple users to be granted write access or read access, besides the normal UNIX group owner. That works fine.

But we'd like Windows clients to be able to *read* this information. Not necessarily to be able to reset it, although that would be nice. But to *read* the directory and file permissions and see who owns it. The groups and users are synced between the Active Directory domain and the NetApp's with fairly sophisticated NIS middleware, but the Windows CIFS clients can't see the details of file ownership. I've noted some discussion in the mailing list logs for NFS4 ACL patches but I'm not aware of anyone reporting on this feature.

My first tests with Samba 3.0.33 or the "samba3x-3.3.8" package on RHEL 5 don't seem to show any improvements. But I'm not sure if there are more recent releases, or flags I should be using, to make that security data visible to Windows users. Does anyone here have suggestions on upgrades or settings to support this? Or even know if it's feasible?

Volker Lendecke
2010-Apr-07 13:08 UTC
[Samba] Does control of NFS4 ACL's from NetApps work for RHEL Samba servers with Windows XP clients at all?
On Wed, Apr 07, 2010 at 07:50:37AM -0400, Nico Kadel-Garcia wrote:
> I'm reviewing some corporate storage setups involving NetApps, where
> the NetApp stores what they call "UNIX Qtrees". So far, so good: those
> allow the setting of access to the data with NFS4 ACL's, which are
> fairly sophisticated and allow multiple groups or even multiple users
> to be granted write access or read access, besides the normal UNIX
> group owner. That works fine.
>
> But we'd like Windows clients to be able to *read* this information.
> Not necessarily to be able to reset it, although that would be nice.
> But to *read* the directory and file permissions and see who owns it.
> The groups and users are synced between the Active Directory domain
> and the NetApp's with fairly sophisticated NIS middleware, but the
> Windows CIFS clients can't see the details of file ownership. I've
> noted some discussion in the mailing list logs for NFS4 ACL patches
> but I'm not aware of anyone reporting on this feature.
>
> My first tests with Samba 3.0.33 or the "samba3x-3.3.8" package on
> RHEL 5 don't seem to show any improvements. But I'm not sure if there
> are more recent releases, or flags I should be using, to make that
> security data visible to Windows users. Does anyone here have
> suggestions on upgrades or settings to support this? Or even know if
> it's feasible?

As long as the Kernel does not pass the requests through to user-space via some API, I would guess it is highly unlikely that this can be passed to the Windows clients.

Maybe at some point it would be necessary to write a full NFSv 3 and 4 client as a Samba user-space VFS module, so that we are independent of the kernel and have access to the only specified NFSv4 ACL interface, the on-the-wire protocol :-)

Volker