On 3/28/22 11:43, Jeremy Allison via samba wrote:
>>
>>> It's used as a "pristine" store of the ACL the client sent.
>>> If the underlying native (usually POSIX) ACL is changed outside
>>> of smbd then it is removed as it no longer represents reality.
>>
>> That's new information I didn't know.
>> So, simply doing a chmod/chown in Linux would be enough to fully
>> reset/remove all Samba (Windows set) ACLs on a file or directory, right?
>
> Yes. We store a hash of the existing mapping from
> Windows ACL -> POSIX ACL i.e. perms also. If you
> change the POSIX ACL or perms outside of smbd the
> hash no longer matches so we can't trust it.
>

I take it that recomputing the hash on filesystem objects when accessed would create too great of a performance hit?

What might be useful is a command to explicitly reset Windows ACLs based on the configured POSIX ACLs. The other direction is already handled by smbd.

I'm in the process of transferring a research lab from an old Samba 3 based VM to a bare metal server running Samba 4. Previously, with Samba 3, Linux and Windows permissions were tightly coupled, and they have been using local users and groups for everything. I'm trying to switch them over to Active Directory users and AD security groups. This means mapping

local users --> AD users
local groups --> security groups

for every file and directory on the server. They have lots of users and groups and quite a bit of data, 60TB. Trying to reset permissions from the Windows GUI would be basically impossible.

So my plan is to transfer the data to the new server and then run a script that recurses through the filesystem, changing user and group ownership. I think the basic Unix permissions are respected (sort of), but this means I can't attempt to use POSIX ACLs to simplify their permissions setup, because these won't be recognized on Windows, where they do a lot of their work. Having a command to set Windows ACLs from POSIX ACLs would be handy in this case.
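The recursive ownership remap described in the message above, written out as an added example (my code, not Samba's tooling and not the poster's script). It assumes the old-to-new mappings are given as uid/gid tables (a name-based front end via pwd/grp is included, which on the new server relies on NSS, e.g. winbind, resolving the AD accounts) and it builds a dry-run plan before applying anything. Per the thread, every chown made this way is a change outside smbd, so any NT ACL previously stored by Samba on those objects will no longer match its hash and will be discarded; the remap therefore belongs before, not after, any Windows-side ACL work.

```python
import os
import pwd
import grp
from typing import Dict, List, Tuple

# Hypothetical helpers for a migration like the one in the message above.
# Not Samba's own tooling: added here to show the remap as a two-phase
# (plan, then apply) operation that never follows symlinks.

def resolve_user_map(name_map: Dict[str, str]) -> Dict[int, int]:
    """{"olduser": "DOMAIN\\newuser"} -> {old_uid: new_uid} via NSS.
    Unresolvable names raise KeyError, which is the desired failure mode:
    better to abort than to chown 60TB to the wrong account."""
    return {pwd.getpwnam(o).pw_uid: pwd.getpwnam(n).pw_uid
            for o, n in name_map.items()}


def resolve_group_map(name_map: Dict[str, str]) -> Dict[int, int]:
    """Same as resolve_user_map, for groups."""
    return {grp.getgrnam(o).gr_gid: grp.getgrnam(n).gr_gid
            for o, n in name_map.items()}


def plan_ownership_remap(root: str,
                         uid_map: Dict[int, int],
                         gid_map: Dict[int, int]) -> List[Tuple[str, int, int]]:
    """Walk `root` and return (path, new_uid, new_gid) for every object whose
    owner or group is in the maps. Objects needing no change are omitted."""
    plan: List[Tuple[str, int, int]] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        entries = [dirpath]
        entries += [os.path.join(dirpath, f) for f in filenames]
        # Symlinks to directories are listed in dirnames but never descended
        # into (followlinks=False), so the link object itself is handled here.
        entries += [os.path.join(dirpath, d) for d in dirnames
                    if os.path.islink(os.path.join(dirpath, d))]
        for path in entries:
            st = os.lstat(path)  # lstat: inspect the link, not its target
            new_uid = uid_map.get(st.st_uid, st.st_uid)
            new_gid = gid_map.get(st.st_gid, st.st_gid)
            if (new_uid, new_gid) != (st.st_uid, st.st_gid):
                plan.append((path, new_uid, new_gid))
    return plan


def apply_plan(plan: List[Tuple[str, int, int]]) -> int:
    """Apply a plan produced by plan_ownership_remap. Returns objects changed.
    Note: each lchown is a permission change made outside smbd, so Samba will
    drop any NT ACL it had stored for the object (its hash no longer matches)."""
    for path, uid, gid in plan:
        os.lchown(path, uid, gid)  # lchown: change the link itself, never the target
    return len(plan)


if __name__ == "__main__":
    import sys
    # Usage: python remap.py /srv/data   (dry run; prints the plan only)
    # Placeholder mapping: replace with resolve_user_map({...}) on the real host.
    example_uid_map = {1001: 100001}
    for path, uid, gid in plan_ownership_remap(sys.argv[1], example_uid_map, {}):
        print(f"chown {uid}:{gid} {path}")
```

Run it first without apply_plan and diff the printed plan against expectations; only then apply it as root. If AD accounts are intended to own the data, keep uid/gid allocation stable (idmap backend) before the remap, since a later change of idmap ranges would leave the tree owned by numbers that no longer resolve.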
On Mon, Mar 28, 2022 at 03:36:52PM -0500, Patrick Goetz via samba wrote:
>
> On 3/28/22 11:43, Jeremy Allison via samba wrote:
>>>
>>>> It's used as a "pristine" store of the ACL the client sent.
>>>> If the underlying native (usually POSIX) ACL is changed outside
>>>> of smbd then it is removed as it no longer represents reality.
>>>
>>> That's new information I didn't know.
>>> So, simply doing a chmod/chown in Linux would be enough to fully
>>> reset/remove all Samba (Windows set) ACLs on a file or directory,
>>> right?
>>
>> Yes. We store a hash of the existing mapping from
>> Windows ACL -> POSIX ACL i.e. perms also. If you
>> change the POSIX ACL or perms outside of smbd the
>> hash no longer matches so we can't trust it.
>>
>
> I take it that recomputing the hash on filesystem objects when
> accessed would create too great of a performance hit?

No, it's just that if something changes the permissions outside of Samba we just don't know about it.
On 3/28/22 22:36, Patrick Goetz via samba wrote:
> So my plan is to transfer the data to the new server and then run a
> script that recurses through the filesystem, changing user and group
> ownership. I think the basic unix permissions are respected (sort of),
> but this means I can't attempt to use POSIX ACLs to simplify their
> permissions setup, because these won't be recognized on Windows, where
> they do a lot of their work. Having a command to set Windows ACLs from
> POSIX ACLs would be handy in this case.

iirc Björn is working on such a feature for samba-tool.

But it also looks like Jeremy and you talk past each other. We *do* store a hash of the underlying permissions, including POSIX ACL, in our xattr. We *do* check whether the underlying permissions have changed by hashing the current permissions and comparing against the stored hash. We *do* discard the stored NT ACL in case both don't match and go back to building a new NT ACL based on the underlying permissions.

Does that clarify things? Or eventually I missed something in the discussion that I didn't follow closely from the start, just chiming in. :)

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
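The three "We *do*" steps above, modelled as an added Python example (not Samba's code and not a description of its on-disk format): a pristine NT ACL is stored together with a hash of the POSIX permissions it was mapped onto, the live permissions are re-hashed on access, and on a mismatch the stored NT ACL is discarded and a fresh one is built from the POSIX side. The hash algorithm, the serialisation of the permissions, the string stand-in for a security descriptor and the `PosixPerms`/`StoredNtAcl` types are all assumptions made for the illustration; real smbd keeps its blob in an extended attribute and builds a real security descriptor.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy model of the consistency check described in the thread. The shapes and
# the hash construction are assumptions for illustration, not Samba's format.

@dataclass(frozen=True)
class PosixPerms:
    mode: int                                   # permission bits, e.g. 0o750
    uid: int
    gid: int
    acl: Tuple[Tuple[str, int, str], ...] = ()  # constructed POSIX ACL entries: (tag, id, "rwx")


def perms_hash(p: PosixPerms) -> str:
    """Hash of everything smbd would map the NT ACL onto: mode, owner, group
    and the POSIX ACL. Canonical serialisation so equal perms hash equally."""
    blob = json.dumps([p.mode, p.uid, p.gid, sorted(p.acl)]).encode()
    return hashlib.sha256(blob).hexdigest()


@dataclass(frozen=True)
class StoredNtAcl:
    nt_acl: str       # opaque stand-in for the security descriptor the client sent
    perms_hash: str   # hash of the POSIX perms at the moment it was stored


def store_nt_acl(nt_acl: str, current: PosixPerms) -> StoredNtAcl:
    """A Windows-side ACL write: keep the pristine NT ACL plus the hash of the
    POSIX permissions it was just mapped onto."""
    return StoredNtAcl(nt_acl, perms_hash(current))


def nt_acl_from_posix(p: PosixPerms) -> str:
    """Fallback path: synthesise an NT ACL purely from the POSIX side.
    The string only makes the provenance visible; it is not a real SD."""
    return (f"synthesised-from-posix:mode={p.mode:o},uid={p.uid},"
            f"gid={p.gid},acl_entries={len(p.acl)}")


def effective_nt_acl(stored: Optional[StoredNtAcl],
                     current: PosixPerms) -> Tuple[str, bool]:
    """What a client gets on access: (nt_acl, trusted).
    trusted is True only if the stored ACL's hash still matches the live
    permissions; any chmod/chown/setfacl outside smbd breaks the match and
    the stored NT ACL is thrown away in favour of one built from POSIX."""
    if stored is not None and stored.perms_hash == perms_hash(current):
        return stored.nt_acl, True
    return nt_acl_from_posix(current), False


if __name__ == "__main__":
    base = PosixPerms(0o750, 1001, 1001, (("user", 1002, "r-x"),))
    stored = store_nt_acl("client-sd-v1", base)
    print(effective_nt_acl(stored, base))                          # stored ACL, trusted
    print(effective_nt_acl(stored, PosixPerms(0o700, 1001, 1001,   # after chmod outside smbd
                                              (("user", 1002, "r-x"),))))
```

The model also shows why the performance question earlier in the thread was answered the way it was: the cost is one hash of the current permissions per access, and the thing smbd cannot do is learn about the outside change any earlier than that.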