Hi,
we are migrating our fileserver from an old Novell NetWare system to a Samba 4 system. With NetWare all ACLs were stored in a database, so that it was possible to quickly find which files one user or group had access to.
I'm investigating the possibility of writing NTFS ACLs to a database with Samba. The module vfs_acl_tdb is able to do this, but values are hashed so that the db is not queryable.
Does anyone know of a way to achieve this?

I've had a look at the code of the vfs_acl_tdb module and, from what I understood, the ACLs are written both to a tdb and to the filesystem.
What's the behaviour of the module then?
When I use software like icacls to back up ACLs, it looks like Samba is reading from the filesystem, because it takes a long time. But when I try to browse a directory with thousands of files, access is instantaneous. This makes me suppose Samba is using the tdb.
Am I correct?

Thanks in advance for any help.

Please note that this message is not of a personal nature and that replies to it may become known to the sender's employing organisation in accordance with the procedures set out in the regulations adopted on the matter. If you have received this e-mail by mistake without being an intended recipient, please destroy it and inform the sender's address.

On Wed, Mar 16, 2016 at 11:13:12AM +0100, Matteo Maretto wrote:
> Hi,
> we are migrating our fileserver from an old Novell NetWare system to
> a Samba 4 system. With NetWare all ACLs were stored in a database, so
> that it was possible to quickly find which files one user or group
> had access to.
> I'm investigating the possibility of writing NTFS ACLs to a database
> with Samba. The module vfs_acl_tdb is able to do this, but values
> are hashed so that the db is not queryable.
> Does anyone know of a way to achieve this?

Hmmm. tdb is merely a key/value lookup store. Queries on non-keys
have to be done by traversing the whole db, I'm afraid.

You could always change to a sqlite backend if you needed more
indexes.

> I've had a look at the code of the vfs_acl_tdb module and, from what
> I understood, the ACLs are written both to a tdb and to the
> filesystem.
> What's the behaviour of the module then?
> When I use software like icacls to back up ACLs, it looks like
> Samba is reading from the filesystem, because it takes a long time.
> But when I try to browse a directory with thousands of files, access
> is instantaneous. This makes me suppose Samba is using the tdb.
> Am I correct?

Depends on what icacls actually does.

On Fri, Mar 18, 2016 at 10:08:42AM -0700, Jeremy Allison wrote:
> On Wed, Mar 16, 2016 at 11:13:12AM +0100, Matteo Maretto wrote:
> > Hi,
> > we are migrating our fileserver from an old Novell NetWare system to
> > a Samba 4 system. With NetWare all ACLs were stored in a database, so
> > that it was possible to quickly find which files one user or group
> > had access to.
> > I'm investigating the possibility of writing NTFS ACLs to a database
> > with Samba. The module vfs_acl_tdb is able to do this, but values
> > are hashed so that the db is not queryable.
> > Does anyone know of a way to achieve this?
>
> Hmmm. tdb is merely a key/value lookup store. Queries on non-keys
> have to be done by traversing the whole db, I'm afraid.
>
> You could always change to a sqlite backend if you needed more
> indexes.
>
> > I've had a look at the code of the vfs_acl_tdb module and, from what
> > I understood, the ACLs are written both to a tdb and to the
> > filesystem.
> > What's the behaviour of the module then?
> > When I use software like icacls to back up ACLs, it looks like
> > Samba is reading from the filesystem, because it takes a long time.
> > But when I try to browse a directory with thousands of files, access
> > is instantaneous. This makes me suppose Samba is using the tdb.
> > Am I correct?
>
> Depends on what icacls actually does.

The Novell ACL semantics, iirc, are vastly different from NTFS, POSIX
or NFSv4 ACLs. How do you want to map those?

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
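
The "more indexes" idea from Jeremy Allison's reply, sketched as a side index built outside Samba: this is an added example, not code from the thread or from the Samba project. It assumes each file's security descriptor is already available as an SDDL string; the paths, SIDs and the function names `dacl_aces`, `build_index` and `paths_for` are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample input: (path, SDDL) pairs; paths and SIDs are made up.
DOM = "S-1-5-21-1-2-3"
SAMPLE = [
    ("/srv/share/finance/budget.xlsx",
     f"O:{DOM}-1105G:{DOM}-513D:(A;;FA;;;{DOM}-1105)(A;;0x1200a9;;;{DOM}-1201)"),
    ("/srv/share/hr/salaries.ods",
     f"O:{DOM}-1106G:{DOM}-513D:PAI(A;;FA;;;{DOM}-1106)(D;;FA;;;{DOM}-1201)"),
    ("/srv/share/public/readme.txt",
     f"O:{DOM}-500G:{DOM}-513D:(A;ID;0x1200a9;;;{DOM}-1201)S:(AU;SA;FA;;;WD)"),
]

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def dacl_aces(sddl):
    """Return (type, flags, rights, trustee) for every ACE in the DACL.
    The SACL (audit ACEs after 'S:') is deliberately left out."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    return [a.groups() for a in ACE_RE.finditer(m.group(1))] if m else []

def build_index(entries):
    """Load one row per ACE into SQLite, indexed on the trustee SID."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ace (path TEXT, type TEXT, flags TEXT,"
               " rights TEXT, trustee TEXT)")
    db.execute("CREATE INDEX ace_by_trustee ON ace (trustee)")
    for path, sddl in entries:
        db.executemany("INSERT INTO ace VALUES (?, ?, ?, ?, ?)",
                       [(path, *ace) for ace in dacl_aces(sddl)])
    db.commit()
    return db

def paths_for(db, sid):
    """Every ACE that names `sid` directly: (path, type, rights).
    Deny ('D') rows are returned too; group membership is not expanded."""
    cur = db.execute("SELECT path, type, rights FROM ace"
                     " WHERE trustee = ? ORDER BY path", (sid,))
    return cur.fetchall()

if __name__ == "__main__":
    db = build_index(SAMPLE)
    for row in paths_for(db, DOM + "-1201"):
        print(row)
```

The query answers "which files name this SID in their DACL", which is the NetWare-style lookup asked about; working out effective access would additionally need the SID's group memberships and the order of allow and deny ACEs.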