On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl at samba.org> wrote:

> On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > I am wondering if there is a way to bypass Samba's ACL checks and delegate
> > access control completely to the underlying file system.
> >
> > My problem arises from the following scenario: Our file system implements
> > ACLs that are to the best of my knowledge currently not readable by any of
> > the existing VFS modules. When trying to access a file with an ACL going
> > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > caused by a mechanism to derive an NT ACL from the mode. Is there any
> > possibility to skip Samba's permission checks?
>
> Not really anymore. What you could do is provide a vfs module that
> returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> It would of course be much better to get a proper mapping. What do
> your ACLs look like?

Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
the nfs4-acl-tools.

I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which
seems to be built on a different implementation. The referenced website
(http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr
to access ACLs is different (system.nfs4acl for nfs4acl_xattr and
system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

Kind regards,
Christoph

--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix Hupfeld, Bjoern Kolbeck

On Mon, Mar 20, 2017 at 10:57:02AM +0100, Christoph Kleineweber wrote:

> On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl at samba.org> wrote:
>
> > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > > I am wondering if there is a way to bypass Samba's ACL checks and delegate
> > > access control completely to the underlying file system.
> > >
> > > My problem arises from the following scenario: Our file system implements
> > > ACLs that are to the best of my knowledge currently not readable by any of
> > > the existing VFS modules. When trying to access a file with an ACL going
> > > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > > caused by a mechanism to derive an NT ACL from the mode. Is there any
> > > possibility to skip Samba's permission checks?
> >
> > Not really anymore. What you could do is provide a vfs module that
> > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> > It would of course be much better to get a proper mapping. What do
> > your ACLs look like?
>
> Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
> the nfs4-acl-tools.

So the only supported way to retrieve ACLs is by running a separate
executable?

With best regards,
Volker Lendecke

On Mon, Mar 20, 2017 at 3:29 PM, Volker Lendecke <vl at samba.org> wrote:

> On Mon, Mar 20, 2017 at 03:23:47PM +0100, Christoph Kleineweber wrote:
> > The nfs4-acl-tools also make use of xattrs to access ACLs. The ACL itself
> > is XDR encoded, so access could be done directly by a VFS module and does
> > not require the executable.
>
> This sounds as if it would be possible to write a VFS module to access
> the ACLs.

Indeed. I may check if there are significant changes between the
nfs4-acl-tools compliant xattr format and the existing nfs4acl_xattr module.
Is there any reason to keep this module?

Christoph

--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix Hupfeld, Bjoern Kolbeck

On Mon, 2017-03-20 at 10:57 +0100, Christoph Kleineweber via samba wrote:

> On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl at samba.org> wrote:
>
> > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > > I am wondering if there is a way to bypass Samba's ACL checks and delegate
> > > access control completely to the underlying file system.
> > >
> > > My problem arises from the following scenario: Our file system implements
> > > ACLs that are to the best of my knowledge currently not readable by any of
> > > the existing VFS modules. When trying to access a file with an ACL going
> > > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > > caused by a mechanism to derive an NT ACL from the mode. Is there any
> > > possibility to skip Samba's permission checks?
> >
> > Not really anymore. What you could do is provide a vfs module that
> > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> > It would of course be much better to get a proper mapping. What do
> > your ACLs look like?
>
> Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
> the nfs4-acl-tools.
>
> I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which
> seems to be built on a different implementation. The referenced website
> (http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr
> to access ACLs is different (system.nfs4acl for nfs4acl_xattr and
> system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

Is it just an issue with the name, or is the on-disk format different as
well?

Thanks,
Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Mon, Mar 20, 2017 at 9:13 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> Is it just an issue with the name, or is the on-disk format different
> as well?

The format is different as well. ACL specific fields are missing in the
nfs4-acl-tools format (version, flags, owner_mask, group_mask and
other_mask) and ACEs do not have an id field.

Christoph

--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix Hupfeld, Bjoern Kolbeck
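
The xattr format discussed in this thread, as an added example that is not part of any post and is not Samba or nfs4-acl-tools code: a bounds-checked C parser for an XDR-encoded system.nfs4_acl value, the kind of decoding a VFS module would need for a proper NT ACL mapping. It assumes the value is the NFSv4 nfsace4 array (ACE count, then type, flag, access mask and length-prefixed principal per ACE), with no ACL-level header and no per-ACE id as described above; MAX_WHO, the struct and function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_WHO 128 /* assumed cap on principal length, not from the thread */

struct nfs4_ace { uint32_t type, flag, access_mask; char who[MAX_WHO + 1]; };

/* Constructed sample: 2 ACEs, ALLOW OWNER@ mask 0x3, DENY EVERYONE@ mask 0x2. */
static const uint8_t SAMPLE_ACL[] = {
    0,0,0,2,
    0,0,0,0, 0,0,0,0, 0,0,0,3, 0,0,0,6, 'O','W','N','E','R','@',0,0,
    0,0,0,1, 0,0,0,0, 0,0,0,2, 0,0,0,9, 'E','V','E','R','Y','O','N','E','@',0,0,0,
};

/* Read one big-endian XDR uint32 at *off; -1 if fewer than 4 bytes remain. */
static int xdr_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4) return -1;
    const uint8_t *p = b + *off;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    *off += 4;
    return 0;
}

/* Returns the ACE count, or -1 if the blob is truncated, too large or has trailing bytes. */
int parse_nfs4_acl(const uint8_t *b, size_t len, struct nfs4_ace *aces, size_t max_aces)
{
    size_t off = 0;
    uint32_t count, wholen;
    if (xdr_u32(b, len, &off, &count) || count > max_aces) return -1;
    for (uint32_t i = 0; i < count; i++) {
        struct nfs4_ace *a = &aces[i];
        if (xdr_u32(b, len, &off, &a->type) || xdr_u32(b, len, &off, &a->flag) ||
            xdr_u32(b, len, &off, &a->access_mask) || xdr_u32(b, len, &off, &wholen))
            return -1;
        if (wholen > MAX_WHO) return -1;                  /* reject before any arithmetic */
        size_t padded = ((size_t)wholen + 3) & ~(size_t)3; /* XDR pads opaque data to 4 bytes */
        if (padded > len - off) return -1;
        memcpy(a->who, b + off, wholen);
        a->who[wholen] = '\0';
        off += padded;
    }
    return off == len ? (int)count : -1;
}

int main(void)
{
    struct nfs4_ace aces[8];
    int n = parse_nfs4_acl(SAMPLE_ACL, sizeof SAMPLE_ACL, aces, 8);
    for (int i = 0; i < n; i++)
        printf("%s type=%u mask=0x%x\n", aces[i].who, (unsigned)aces[i].type, (unsigned)aces[i].access_mask);
    return n < 0;
}
```

A malformed or truncated value makes the parser return -1, so a caller can deny access rather than fall back to a permissive ACL.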