Sebastian Neustein
2023-Aug-21 16:20 UTC
[Samba] ...or howto change vfs_acl_xattr options inplace without changing access rights
Hi Ralph

> On 8/18/23 09:55, Sebastian Neustein via samba wrote:
>> With the default settings of vfs_acl_xattr samba takes posix acls
>> into account when delivering data - how can I activate
>> "acl_xattr:ignore system acls = yes"
>> without losing the information saved in posix acls? Background: our
>> future file system won't be able to support acls.
>
> Sorry, but this is confusing? Why don't you want to lose POSIX ACLs
> when the new filesystem doesn't support them anyway?
>
> I would basically rsync, preserving xattrs, and set POSIX filesystem
> permissions to 0777/0666. vfs_acl_xattr will be serving NT ACLs from
> the migrated xattrs, ignoring filesystem permissions given that
> "acl_xattr:ignore system acls = yes" is set.

The storage has come a long way with various changes of the smb.conf. It is possible that at the time of creation of a file/directory vfs_acl_xattr was not active. This could mean that the directory does not have any extended attributes written to it and ACLs are only defined with POSIX ACLs. In this case I would need a trigger to write the information stored in POSIX ACLs into the extended attributes. Is there anything like this?

By the way, does vfs_acl_xattr always write the extended attribute in the same way, no matter if "ignore system acls" is activated or not? I assumed that samba/vfs_acl_xattr would set the POSIX ACLs first and write all the _other_ information in the extended attributes. Maybe a silly assumption...

Thank you for your help!
Sebastian

--
Sebastian Neustein
Airport Research Center GmbH
Bismarckstraße 61
52066 Aachen
Germany
Phone: +49 241 16843-23
Fax: +49 241 16843-19
e-mail: sebastian.neustein at arc-aachen.de
Website: http://www.airport-consultants.com
Register Court: Amtsgericht Aachen HRB 7313
Ust-Id-No.: DE196450052
Managing Director: Dipl.-Ing. Tom Alexander Heuer
Ralph Boehme
2023-Aug-21 17:37 UTC
[Samba] ...or howto change vfs_acl_xattr options inplace without changing access rights
On 8/21/23 18:20, Sebastian Neustein wrote:
> The storage has come a long way with various changes of the smb.conf. It
> is possible that at the time of creation of a file/directory
> vfs_acl_xattr was not active. This could mean that the directory does
> not have any extended attributes written to it and ACLs are only defined
> with POSIX ACLs. In this case I would need a trigger to write the
> information stored in POSIX ACLs into the extended attributes. Is there
> anything like this?

ah, I see. Well, iirc there's no existing *efficient* tool to read the ACL and then write it again, to make sure the storage is consistent. I would look into expanding samba-tool ntacl ... a bit to do the work I guess, but I'd have to take a closer look and do some more tinkering.

> By the way, does vfs_acl_xattr always write the extended attribute in
> the same way, no matter if "ignore system acls" is activated or not?

Iirc not quite. Iirc we convert the NT ACL to POSIX ACL, store it in the fs, convert the POSIX ACL back to an NT ACL and then store this in the xattr. This makes sure both ACLs are the same and use the same common denominator.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/
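
An added example, not part of the thread and not Samba code: a read-only audit that walks a share and groups paths by where their ACL currently lives, so the files that have POSIX ACLs but no NT ACL xattr can be listed before "acl_xattr:ignore system acls = yes" is switched on. It assumes Linux, the `security.NTACL` xattr name used by vfs_acl_xattr, and the kernel's `system.posix_acl_*` xattr names; `classify` and `audit` are hypothetical helper names.

```python
#!/usr/bin/env python3
"""Audit which paths under a share carry an NT ACL xattr (added example)."""
import os
import sys

NTACL_XATTR = "security.NTACL"  # xattr in which vfs_acl_xattr stores the NT ACL
POSIX_ACL_XATTRS = {"system.posix_acl_access", "system.posix_acl_default"}


def classify(path, list_xattrs=None):
    """Return 'ntacl', 'posix-only', 'mode-only' or 'error' for one path."""
    list_xattrs = list_xattrs or os.listxattr  # default lister is Linux-only
    try:
        names = set(list_xattrs(path, follow_symlinks=False))
    except OSError:
        return "error"  # unreadable path or filesystem without xattr support
    if NTACL_XATTR in names:
        return "ntacl"
    if names & POSIX_ACL_XATTRS:
        return "posix-only"  # the ACL exists only as a POSIX ACL
    return "mode-only"  # plain mode bits, no ACL of either kind


def audit(root, list_xattrs=None):
    """Walk root (including root itself) and group paths by ACL state."""
    report = {"ntacl": [], "posix-only": [], "mode-only": [], "error": []}
    report[classify(root, list_xattrs)].append(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            report[classify(path, list_xattrs)].append(path)
    return report


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ntacl_audit.py /path/to/share")
    result = audit(sys.argv[1])
    for state, paths in result.items():
        print(f"{state}: {len(paths)}")
    # Paths whose access rules are not yet mirrored into the xattr.
    for path in result["posix-only"]:
        print("POSIX ACL without NT ACL xattr:", path)
```

Run it as root on the Samba server so every path is readable; it only lists xattr names and changes nothing on disk.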