Hello

In the Samba Wiki page "https://wiki.samba.org/index.php/NFS4_ACL_overview" we can read the following:

"If you use the Samba vfs module acl_xattr, you can use the full Windows ACL features but you will not be able to manage the ACLs on the OS of the Samba host directly and you will not have the permissions enforced by the filesystem. Samba is doing permission management in userspace if you use acl_xattr. As a result of that you will not be able to share the files differently than via Samba because you have no (or partly) permissions on the files in the filesystem itself. (...) With the introduction of NFS4 (and later on NFSv4.1) a new ACL system was introduced and standardized, which is essentially a clone of the Windows ACL system."

Samba provides the "nfs4acl_xattr" vfs module precisely for that.

I am now in the process of completely upgrading the file and AD servers on my network, hardware and OS included. I thought that it would be a good opportunity to switch from "acl_xattr" to "nfs4acl_xattr" in order to "manage the ACLs on the OS of the Samba host directly", as described above.

This would greatly improve server management, mainly because it would be much easier to create or modify ACLs through Bash scripting.

- Does anyone here have experience in such a scenario?
- What would the drawbacks, if any, be?
- Since on DCs "acl_xattr" is enabled by default, would "nfs4acl_xattr" provide all the needed functionality instead?
- Does anyone here have some experience with the use of NFSv4 on ZFS filesystems?

Thank you.

> Samba provides the "nfs4acl_xattr" vfs module precisely for that.

I am not an expert in Windows ACL, but where do you see that the nfs4acl_xattr vfs module provides the support for "manage the ACLs on the OS of the Samba host directly"?

From the Wiki page, https://wiki.samba.org/index.php/NFS4_ACL_overview, it implies the following four operation modes are possible.

(1) Windows SMB Server with ACL, Linux cifs vfs kernel module, probably meant mounting with -t cifs. This supports Windows ACL on mounted filesystem on Linux.
(2) Windows NFSv4 Server with ACL. Linux nfsv4 client. This supports ACL on mounted filesystem on Linux.
(3) Linux Samba Server with nfs4acl_xattr, Linux client with NFSv4 Client. The Windows ACL is supported via nfs4-acl-tools. This manipulates the nfs4acl_xattr.
(4) Linux Samba Server with nfs4acl_xattr, Windows client. Windows ACL is of course supported on Windows.

"Linux is the only one of the major Unix flavors that does not have any native NFS4 ACL support upstream in the kernel yet."

This is saying you cannot use nfs4-acl-tools to manipulate non-VFS with nfs4acl_xattr, because those attributes are not recognized and not enforced by the Linux kernel.

Then this sounds like it does not do what you want.

But, like some VFS maintainer, I do believe POSIX ACLs are adequate enough. Native file permissions are very flexible with setuid and setgid bits. With idmapping on AD integration (I would prefer sssd), this covers about 95% of the usage cases.

On 7/12/24 23:01, miguel medalha via samba wrote:
> Hello

Hello.

> With the introduction of NFS4 (and later on NFSv4.1) a new ACL system
> was introduced and standardized

Unfortunately "standardized" doesn't mean "accepted and implemented by all". Linux didn't.

> I thought that it would be a good
> opportunity to switch from "acl_xattr" to "nfs4acl_xattr" in order to "
> manage the ACLs on the OS of the Samba host directly"

Notice you don't necessarily need nfs4acl_xattr in order for OS ACLs to apply.

> This would greatly improve server management, mainly because it would be
> much easier to create or modify ACLs through Bash scripting.
>
> - Does anyone here have experience in such a scenario?

Yes and no. I'm using OS ACLs on a QNAP NAS: it doesn't use any specific VFS module. And I manage them through Salt (so it will work with bash scripting also).

> - What would the drawbacks, if any, be?

I don't think it maps 100% to Windows ACL. Make sure users are not able to change their permissions through Windows folder properties.

> - Does anyone here have some experience with the use of NFSv4 on ZFS
> filesystems?

Yes, but on FreeBSD, which, in contrast to Linux, implements NFSv4 ACLs.

bye
av.