On Fri, Mar 18, 2016 at 10:08:42AM -0700, Jeremy Allison wrote:
> On Wed, Mar 16, 2016 at 11:13:12AM +0100, Matteo Maretto wrote:
> > Hi,
> > we are migrating our fileserver from an old novell netware system to
> > a samba4 system. With netware all ACL were stored in a database, so
> > that it was possible to quickly find which files one user or group
> > had access to.
> > I'm investigating the possibility of writing ntfs ACL on a database
> > with samba. The module vfs_acl_tdb is able to do this, but values
> > are hashed so that the db is not queryable.
> > Does anyone know of a way to achieve this?
>
> Hmmm. tdb is merely a key/value lookup store. Queries on non-keys
> have to be done by traversing the whole db I'm afraid.
>
> You could always change to a sqlite backend if you needed more
> indexes.
>
> > I've had a look at the code of the vfs_acl_tdb module and, for what
> > I understood, the ACL are written both on a tdb and on the
> > filesystem.
> > What's the behaviour of the module then?
> > When I use a software like icacls, to backup ACL, it looks like
> > samba is reading from the filesystem, because it takes a long time.
> > But when I try to browse a directory with thousands of files, access
> > is instantaneous. This makes me suppose samba is using the tdb.
> > Am I correct?
>
> Depends on what icacls actually does.

The Novell ACL semantics iirc are vastly different from
ntfs, posix or nfsv4 acls. How do you want to map those?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

On 19/03/2016 10:20, Volker Lendecke wrote:
> On Fri, Mar 18, 2016 at 10:08:42AM -0700, Jeremy Allison wrote:
>> On Wed, Mar 16, 2016 at 11:13:12AM +0100, Matteo Maretto wrote:
>>> Hi,
>>> we are migrating our fileserver from an old novell netware system to
>>> a samba4 system. With netware all ACL were stored in a database, so
>>> that it was possible to quickly find which files one user or group
>>> had access to.
>>> I'm investigating the possibility of writing ntfs ACL on a database
>>> with samba. The module vfs_acl_tdb is able to do this, but values
>>> are hashed so that the db is not queryable.
>>> Does anyone know of a way to achieve this?
>> Hmmm. tdb is merely a key/value lookup store. Queries on non-keys
>> have to be done by traversing the whole db I'm afraid.
>>
>> You could always change to a sqlite backend if you needed more
>> indexes.
>>
>>> I've had a look at the code of the vfs_acl_tdb module and, for what
>>> I understood, the ACL are written both on a tdb and on the
>>> filesystem.
>>> What's the behaviour of the module then?
>>> When I use a software like icacls, to backup ACL, it looks like
>>> samba is reading from the filesystem, because it takes a long time.
>>> But when I try to browse a directory with thousands of files, access
>>> is instantaneous. This makes me suppose samba is using the tdb.
>>> Am I correct?
>> Depends on what icacls actually does.
> The Novell ACL semantics iirc are vastly different from
> ntfs, posix or nfsv4 acls. How do you want to map those?
>
> Volker
>

Hi,
thanks for your question.
We have not investigated this matter yet, but we expect to find at least a basic correspondence between the two. This would be enough for us.
On the Novell documentation we've read that the object rights are essentially four: Browse, Create, Delete, Inheritance Control, Rename, and Supervisor.
It shouldn't be difficult to match them to ntfs acls.

Matteo

On Mon, Mar 21, 2016 at 01:28:44PM +0100, Matteo Maretto wrote:
> Hi,
> thanks for your question.
> We have not investigated this matter yet, but we expect to find at least a
> basic correspondence between the two. This would be enough for us.
> On the Novell documentation we've read that the object rights are
> essentially four: Browse, Create, Delete, Inheritance Control, Rename, and
> Supervisor.
> It shouldn't be difficult to match them to ntfs acls.

Good luck with that. Keep in mind that unless you're using zfs or gpfs
Linux does not provide anything close to ntfs ACLs. With zfs or gpfs
you get nfsv4 acls, which are closer to ntfs than posix acls, but as
Christoph Hellwig has just pretty much killed richacls, this will take
a decade or more to come to the more popular Linux file systems.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
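
Added example, not part of the thread and not Samba code: a sketch of the point made above that a key/value store answers "which files name this user or group" only by full traversal, while a SQL table with a secondary index on the trustee answers it directly. The paths, trustee names and table layout are constructed, the dict only stands in for a store keyed by file (it is not the vfs_acl_tdb on-disk format), and the match is on ACEs that name the trustee directly, not on effective access.

```python
import sqlite3

# Constructed sample: path -> list of (trustee, ace_type, rights) entries.
# Stand-in for a key/value store keyed by file; not the vfs_acl_tdb format.
KV_STORE = {
    "/srv/share/finance/budget.xlsx": [("DOMAIN\\finance", "ALLOW", "RW"),
                                       ("DOMAIN\\auditors", "ALLOW", "R")],
    "/srv/share/hr/salaries.xlsx": [("DOMAIN\\hr", "ALLOW", "RW"),
                                    ("DOMAIN\\finance", "DENY", "RW")],
    "/srv/share/public/readme.txt": [("Everyone", "ALLOW", "R")],
}

def scan_for_trustee(store, trustee):
    """Key/value answer: every record is visited, cost grows with file count."""
    return sorted(path for path, aces in store.items()
                  if any(t == trustee and kind == "ALLOW" for t, kind, _ in aces))

def build_index(store):
    """Copy each ACE into a table with a secondary index on the trustee."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ace (path TEXT, trustee TEXT, kind TEXT, rights TEXT)")
    db.execute("CREATE INDEX ace_by_trustee ON ace (trustee, kind)")
    db.executemany("INSERT INTO ace VALUES (?, ?, ?, ?)",
                   [(p, t, k, r) for p, aces in store.items() for t, k, r in aces])
    return db

QUERY = "SELECT path FROM ace WHERE trustee = ? AND kind = 'ALLOW' ORDER BY path"

def indexed_lookup(db, trustee):
    """Paths carrying an ALLOW entry that names the trustee directly."""
    return [row[0] for row in db.execute(QUERY, (trustee,))]

def uses_index(db, trustee):
    """True when SQLite's plan searches ace_by_trustee instead of scanning."""
    plan = db.execute("EXPLAIN QUERY PLAN " + QUERY, (trustee,)).fetchall()
    return any("ace_by_trustee" in row[3] for row in plan)

if __name__ == "__main__":
    db = build_index(KV_STORE)
    print(indexed_lookup(db, "DOMAIN\\finance"), uses_index(db, "DOMAIN\\finance"))
```

An audit built this way still has to expand group membership and evaluate deny entries before it can report what a user can actually open.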