samba - Feb 2019 - Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

On Tue, Feb 26, 2019 at 09:03:41AM -0800, Jeremy Allison via samba
wrote:
> 
> Check out the latest cifsfs code. I think Steve
> and Aurelian and Ronnie added an ioctl for this.
> 
> I'm here at Vault in Boston with Steve, I'll ask
> him :-).
Steve says there are two utilities in Linux,
getcifsacl and setcifsacl that use a custom
ioctl inside the Linux cifsfs kernel client
to get/set SMB acls.

Dear Jeremy,
thanks for your instant reply. :-)
Along with Linux native getfacl/fetfacl, I also tested getcifsacl/setcifsacl
(for sure thoroughly ;-)).
Unfortunately, these CIFS client tools seem to have been designed as part of the
"old" CIFS
Unix Extensions, working only for SMB/CIFS mounts, and are not supposed to work
with
SMB2/SMB3 mounts, as I guess.
During my tests, the getcifsacl utility fails on SMB2/SMB3 mounts always with an
xattr error:

xxx:~# getcifsacl /media/testmount/yyy 
getxattr error: 95
REVISION:0x0
CONTROL:0x0

I am working on Debian stable boxes. I also tested with Debian testing and an
actual Fedora Kernel,
but whithout any noticable change regarding the behaviour of
getcifsacl/setcifsacl on SMB2/SMB3
mounts. The most striking difference between SMB/CIFS and SMB2/SMB3 mounts
consists in the
fact that the client and the server seem to agree on the mount flag
"nounix" or the Kernel cifs client
sets this flag automatically. On the other hand, SMB/CIFS mounts do not set this
flag and CIFS ACL
are usable with SMB/CIFS mounts in the same sense.


Thanks for all your hints and best
Sebastian


Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7

Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin


Tel.: +49 30 314 22263
Fax: +49 30 314 29309
Email: sebastian.kraus at tu-berlin.de


________________________________________
From: Jeremy Allison <jra at samba.org>
Sent: Wednesday, February 27, 2019 01:18
To: Kraus, Sebastian; samba at lists.samba.org
Subject: Re: [Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux
Clients

On Tue, Feb 26, 2019 at 09:03:41AM -0800, Jeremy Allison via samba
wrote:
>
> Check out the latest cifsfs code. I think Steve
> and Aurelian and Ronnie added an ioctl for this.
>
> I'm here at Vault in Boston with Steve, I'll ask
> him :-).
Steve says there are two utilities in Linux,
getcifsacl and setcifsacl that use a custom
ioctl inside the Linux cifsfs kernel client
to get/set SMB acls.

On Wed, Feb 27, 2019 at 01:26:10AM +0000, Kraus, Sebastian
wrote:
> Dear Jeremy,
> thanks for your instant reply. :-)
> Along with Linux native getfacl/fetfacl, I also tested
getcifsacl/setcifsacl (for sure thoroughly ;-)).
> Unfortunately, these CIFS client tools seem to have been designed as part
of the "old" CIFS
> Unix Extensions, working only for SMB/CIFS mounts, and are not supposed to
work with
> SMB2/SMB3 mounts, as I guess.
> During my tests, the getcifsacl utility fails on SMB2/SMB3 mounts always
with an xattr error:
> 
> xxx:~# getcifsacl /media/testmount/yyy 
> getxattr error: 95
> REVISION:0x0
Ah, that's a cifsfs client bug. Need to raise that with
Steve and Team.

Thanks !

Jeremy.