samba - Aug 2023 - ...or howto change vfs_acl_xattr options inplace without changing access rights

On 8/18/23 09:55, Sebastian Neustein via samba wrote:
> With the default settings of vfs_acl_xattr samba takes posix acls into 
> account when delivering data - how can I activate
> "acl_xattr:ignore system acls = yes"
> without loosing the information saved in posix acls? Background: our 
> future file system won't be able to support acls.
Sorry, but this is confusing? Why don't you want to loose POSIX ACLs 
when the new filesystem doesn't support them anyway?

I would basically rsync, preserving xattrs, and set POSIX filesystem 
permissions to 0777/0666. vfs_acl_xattr will be serving NT ACLs from the 
migrated xattrs, ignoring filesystem permissions given that 
"acl_xattr:ignore system acls = yes" is set.

-slow

-- 
Meet us at Storage Developer Conference (SDC)
On 18th to 21st September 2023 in Fremont, CA
More information at https://samba.plus/events

Meet us at the conference storage2day 2023!
26th & 27th September, in Frankfurt am Main
Event on Storage Networks & Data Management
Find more info at https://samba.plus/events

Ralph Boehme, Samba Team                      https://samba.org/
SerNet Samba Team Lead                     https://sernet.de/en/
SAMBA+ Samba packages                        https://samba.plus/
SAMBA+ Webinar                 https://samba.plus/samba-webinars

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20230821/28bd3d06/OpenPGP_signature.sig>

Hi Ralph
> On 8/18/23 09:55, Sebastian Neustein via samba wrote:
>> With the default settings of vfs_acl_xattr samba takes posix acls 
>> into account when delivering data - how can I activate
>> "acl_xattr:ignore system acls = yes"
>> without loosing the information saved in posix acls? Background: our 
>> future file system won't be able to support acls.
>
> Sorry, but this is confusing? Why don't you want to loose POSIX ACLs 
> when the new filesystem doesn't support them anyway?
>
> I would basically rsync, preserving xattrs, and set POSIX filesystem 
> permissions to 0777/0666. vfs_acl_xattr will be serving NT ACLs from 
> the migrated xattrs, ignoring filesystem permissions given that 
> "acl_xattr:ignore system acls = yes" is set.
The storage has come a long way with various changes of the smb.conf. It 
is possible that at the time of creation of a file/directory 
vfs_acl_xattr was not active. This could mean that the directory does 
not have any extended attributes written to it and ACLs are only defined 
with POSIX ACLs. In this case I would need a trigger to write the 
information stored in POSIX ACLs into the extended attributes. Is there 
anything like this?

By the way, does vfs_acl_xattr always write the extended attribute in 
the same way, no matter if "ignore system acls" is activated or not? I
assumed that samba/vfs_acl_xattr would set the POSIX ACLs first and 
write all the _other_ information in the extended attributes. Maybe a 
silly assumption...

Thank you for your help!
Sebastian

-- 

Sebastian Neustein

Airport Research Center GmbH
Bismarckstra?e 61
52066 Aachen
Germany

Phone: +49 241 16843-23
Fax: +49 241 16843-19
e-mail: sebastian.neustein at arc-aachen.de
Website: http://www.airport-consultants.com

Register Court: Amtsgericht Aachen HRB 7313
Ust-Id-No.: DE196450052

Managing Director:
Dipl.-Ing. Tom Alexander Heuer