I have two users on my network, Mary and Bob, who work together in a shared share. They both belong to the group Accounting. Bob is a savvy Linux user who accesses the share via NFS4. Mary toils away using Windows, accessing the share via the Samba server. Mary will create a directory on the share and dump a number of files in which Bob and Mary will split the load. Bob, being a Linux user, will then take ownership of his files and run a sudo chown Bob <filelist> and keep track of his files this way.

That's the setup to the issue and here's the rub. First some details:

Samba server is running Fedora 14, Samba 3.5.6 as PDC, OpenLDAP backend, NFS4. The filesystem is mounted on the service with options: acl and user_xattr.

The Samba share is:

    [Work]
    comment = Share for Work
    path = /home/work
    valid users = +domadmins, +Accounting
    write list = +domadmins, +Accounting
    inherit permissions = yes
    inherit acls = yes
    map acl inherit = yes
    acl group control = yes
    ea support = yes
    vfs object = acl_xattr recycle
    store dos attributes = yes
    map archive = no
    map hidden = no
    map system = no
    map readonly = no

Bob does a standard NFS4 mount of the directory.
The directories inherit the ACLs and group ownership from the parent directory:

ls -l /home/work:

    drwxrws--- 2 Bob Accounting 4096 2011-02-19 09:57 /home/work

getfacl /home/work:

    # file: work
    # owner: Bob
    # group: Accounting
    # flags: -s-
    user::rwx
    user:Bob:rwx
    user:Mary:rwx
    group::rwx
    group:Accounting:rwx
    group:domadmins:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:Bob:rwx
    default:user:Mary:rwx
    default:group::rwx
    default:group:domadmins:rwx
    default:group:Accounting:rwx
    default:mask::rwx
    default:other::---

If Bob creates any files through NFS4, his files get the ACLs as is shown on the Samba server:

getfacl bob-file1:

    # file: bob-file1
    # owner: Bob
    # group: Accounting
    user::rw-
    user:Bob:rwx                #effective:rw-
    user:Mary:rwx               #effective:rw-
    group::rwx                  #effective:rw-
    group:domadmins:rwx         #effective:rw-
    group:Accounting:rwx        #effective:rw-
    mask::rw-
    other::---

We all know that POSIX ACLs aren't perfect, but this is close to what I expect and want.

When Mary creates a file from Windows, the ACLs on the server are:

getfacl mary-file2:

    # file: mary-file2
    # owner: Mary
    # group: Accounting
    user::rwx
    user:Bob:rwx
    group::rwx
    group:domadmins:rwx
    mask::rwx
    other::---

While technically this may be correct as well, here's the rub and why I am writing to the list. As I said, Mary dumps the files on the share to be divided up between them, so all of the files get the ACLs shown for the file mary-file2. When Bob runs sudo chown Bob <filelist> to keep track of his files, Mary loses her user ACL and would lose all access if the group ownership would change.

What is the correct behavior for inheriting ACLs from a parent directory? Should the ACLs be pruned based on the file ownership (as does Samba), or should the full ACLs be inherited, as happens when using NFS4? IMHO, I would prefer the latter, as it preserves all of the inherited permissions regardless of the actual file ownership. Was there a rationale for the approach that Samba is taking?

Thanks,
Bob Smith
--bs
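Added example, not part of the original post: a small audit that compares a parent directory's default ACL with a file's access ACL and reports the named entries that were pruned, including what is left after a chown. The function names are hypothetical, and the three listings are retyped from the post, one line each.

```python
import re

# One ACL entry, e.g. "default:user:Mary:rwx" or "group::rwx".
ENTRY = re.compile(r"(default:)?\b(user|group|mask|other):([^:\s]*):([rwx-]{3})")

def parse_getfacl(text):
    """Return owner, owning group, access ACL and default ACL from getfacl text."""
    acl = {"owner": re.search(r"# owner: (\S+)", text).group(1),
           "group": re.search(r"# group: (\S+)", text).group(1),
           "access": {}, "default": {}}
    for is_default, tag, name, perms in ENTRY.findall(text):
        acl["default" if is_default else "access"][(tag, name)] = perms
    return acl

def pruned_entries(parent, child):
    """Named default entries of the parent that the child's access ACL lacks."""
    report = {}
    for tag, name in parent["default"]:
        if not name or (tag, name) in child["access"]:
            continue  # skip user::, group::, mask::, other:: and surviving entries
        # The entry may exist only implicitly, as the file's owner or owning group.
        folded = name == child["owner" if tag == "user" else "group"]
        report[f"{tag}:{name}"] = f"folded into {tag}::" if folded else "absent"
    return report

def after_chown(acl, new_owner):
    """chown changes the owner only; the stored ACL entries stay as they are."""
    return dict(acl, owner=new_owner)

# Listings from the post (default entries of /home/work, then the two files).
PARENT = ("# file: work # owner: Bob # group: Accounting default:user::rwx "
          "default:user:Bob:rwx default:user:Mary:rwx default:group::rwx "
          "default:group:domadmins:rwx default:group:Accounting:rwx "
          "default:mask::rwx default:other::---")
MARY_FILE = ("# file: mary-file2 # owner: Mary # group: Accounting user::rwx "
             "user:Bob:rwx group::rwx group:domadmins:rwx mask::rwx other::---")
BOB_FILE = ("# file: bob-file1 # owner: Bob # group: Accounting user::rw- "
            "user:Bob:rwx #effective:rw- user:Mary:rwx #effective:rw- "
            "group::rwx #effective:rw- group:domadmins:rwx #effective:rw- "
            "group:Accounting:rwx #effective:rw- mask::rw- other::---")

if __name__ == "__main__":
    parent, mary = parse_getfacl(PARENT), parse_getfacl(MARY_FILE)
    print("bob-file1 :", pruned_entries(parent, parse_getfacl(BOB_FILE)))
    print("mary-file2:", pruned_entries(parent, mary))
    print("after chown Bob:", pruned_entries(parent, after_chown(mary, "Bob")))
```

Because the parser matches entries by pattern rather than by line, it also accepts ordinary multi-line getfacl output.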