On 2/5/21 at 4:30 PM, Thomas Geppert wrote:
> On 05/02/2021 14:07, Rowland penny via samba wrote:
>>> The provisioning and the nfs options given in the provisioning,
>>> that's the pain point.
>> They are the way the OP is trying to get something that shouldn't
>> work, to work.
>
> GUILTY! I have to confess. :)
> However, I must say that I don't understand why it shouldn't work.
> I'm relatively new to Samba but my understanding is that both vfs
> modules, acl_xattr and nfs4acl, are perfectly capable of storing
> NTACLs losslessly. Nevertheless, using the nfs4acl vfs module does not
> provide the same functionality as using the acl_xattr vfs module.

It does provide the same functionality. There may be subtle differences, but both basically provide a grossly Windows ACL compatible backing store.

> I did some research but without the background of 30 years of
> development that went into the product I'm a little bit lost at some
> points.
>
> - Why are POSIX ACLs required at all during provisioning when NTACLs
> are available?

They aren't.

> - Why does the nfs4acl module intentionally mask the POSIX ACL calls
> and doesn't pass them down the stack or implement them the same way
> as the acl_xattr module?

By design. The POSIX ACL VFS functions only get called indirectly by the Windows ACL VFS functions if any module implementing the latter calls into the former. vfs_nfs4acl doesn't do this, and acl_xattr only does it to provide consistency wrt storing the Windows ACL in an xattr and a mapped POSIX ACL in the filesystem (though this can be disabled by config). There are more subtleties but that is the basic logic.

Samba AD DC is a complex beast and bending it to your will can require deep knowledge of the full stack and possibly a lot of time. :)

Cheers!
-slow

--
Ralph Boehme, Samba Team          https://samba.org/
Samba Developer, SerNet GmbH      https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
On Fri, 2021-02-05 at 16:47 +0100, Ralph Boehme via samba wrote:
>
> Samba AD DC is a complex beast and bending it to your will can require
> deep knowledge of the full stack and possibly a lot of time. :)

Never a truer word said!

So, yes, NFSv4 ACLs in principle provide a better match than POSIX ACLs and should be able to slot in perfectly, allowing Samba deployment as an AD DC on ZFS and other systems that provide this interface.

Yes, it would be awesome if this could be made to work, particularly if sufficient emulation was available so it can also work in our selftest.

However, yes, there are a lot of assumptions built into the current stack, some of which are a hang-over from the NTVFS file server and the pre-merge days. Keeping the whole stack of plates spinning while swapping to a new waiter is no mean feat, but might be possible with enough time.

Regarding unprivileged containers, jails etc., I would warn that anyone who stores Samba ACLs in an unprivileged namespace owns the security result themselves. Samba assumes that these values are protected by the kernel; if they are not, then our security assumptions are revoked.

While I therefore do not endorse the goal, I do commend the effort to use NFSv4 ACLs in provision. This is the furthest anybody has gotten to that goal in the decade or so this stack has been in existence.

Andrew Bartlett

--
Andrew Bartlett (he/him)              https://samba.org/~abartlet/
Samba Team Member (since 2001)        https://samba.org
Samba Team Lead, Catalyst IT          https://catalyst.net.nz/services/samba