From: Volker Lendecke on 20 Apr 2010 08:00

On Tue, Apr 20, 2010 at 07:45:00AM -0400, Nico Kadel-Garcia wrote:
> I'm involved in a project to enforce NFSv4 ACL's across a variety of
> storage platforms, in particular NetApps sharing NFS. That works fine
> with the NetApp NFS qtrees, but we'd like to share those with CIFS
> clients as well. This works, and restricts access the way we expect
> NFSv4 ACL's to work, but the Windows clients cannot view any of the
> security settings on the directories or files.

The NetApp CIFS server should allow that, doesn't it?

> Cue the music, and enter Samba 3.5.2. I've reviewed various public
> notes on how to use NFSv4 ACL's on recent Samba (particularly those at
> http://www.sambaxp.org/files/SambaXP2009-DATA/Nils_Goroll.pdf), and
> installed Samba 3.5.2 on test servers. And I've set up shares with the
> following settings.
>
> [share]
> acl check permissions = False
> ea support = yes
> store dos attributes = yes
> map readonly = no
> map archive = no
> map system = no
> vfs objects = zfsacl

What platform is your Samba server running on? Is this Solaris?

Volker

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Jeremy Allison on 20 Apr 2010 17:20

On Tue, Apr 20, 2010 at 07:45:00AM -0400, Nico Kadel-Garcia wrote:
> Good morning, folks.
>
> I'm involved in a project to enforce NFSv4 ACL's across a variety of
> storage platforms, in particular NetApps sharing NFS. That works fine
> with the NetApp NFS qtrees, but we'd like to share those with CIFS
> clients as well. This works, and restricts access the way we expect
> NFSv4 ACL's to work, but the Windows clients cannot view any of the
> security settings on the directories or files.
>
> Cue the music, and enter Samba 3.5.2. I've reviewed various public
> notes on how to use NFSv4 ACL's on recent Samba (particularly those at
> http://www.sambaxp.org/files/SambaXP2009-DATA/Nils_Goroll.pdf), and
> installed Samba 3.5.2 on test servers. And I've set up shares with the
> following settings.
>
> [share]
> acl check permissions = False
> ea support = yes
> store dos attributes = yes
> map readonly = no
> map archive = no
> map system = no
> vfs objects = zfsacl
> nfs4: mode = special
> nfs4: acedup = merge
>
> The "map readonly" is rejected, and I'm not sure why.

What do you mean by "rejected" here?

> The vfs objects seems to have no effect for NFSv4 access. NFSv4
> permissions do seem to be followed.
>
> But Windows clients still can't see any of the security settings under
> the "Security" tab of properties.

What do you see here?

> And really, really unfortunately, the NetApp ".snapshot" directories
> are showing up by default. That's deadly: directory copy operations
> may attempt to include the .snapshot backup targets, and that would
> *really* get nutty.

Use the "veto files" parameter to hide them.

Jeremy.

From: Nico Kadel-Garcia on 20 Apr 2010 17:30

On Tue, Apr 20, 2010 at 7:50 AM, Volker Lendecke <Volker.Lendecke(a)sernet.de> wrote:
> On Tue, Apr 20, 2010 at 07:45:00AM -0400, Nico Kadel-Garcia wrote:
>> I'm involved in a project to enforce NFSv4 ACL's across a variety of
>> storage platforms, in particular NetApps sharing NFS. That works fine
>> with the NetApp NFS qtrees, but we'd like to share those with CIFS
>> clients as well. This works, and restricts access the way we expect
>> NFSv4 ACL's to work, but the Windows clients cannot view any of the
>> security settings on the directories or files.
>
> The NetApp CIFS server should allow that, doesn't it?

Nope. I really, really wish it did. The relevant clients are Windows
XP, if that has any role. And I've confirmed that the files and
directories generated do follow the NFSv4 ACL policies.

As a relatively ignorant user, I wonder if mapping for display might
be considered too awkward. NFSv4 ACL's are stored as
'username@domain', rather than as 'username', and Windows doesn't seem
to have the same concept of ordering of ACL's as NFSv4 has, so it
could be pretty tricky.

>> Cue the music, and enter Samba 3.5.2. I've reviewed various public
>> notes on how to use NFSv4 ACL's on recent Samba (particularly those at
>> http://www.sambaxp.org/files/SambaXP2009-DATA/Nils_Goroll.pdf), and
>> installed Samba 3.5.2 on test servers. And I've set up shares with the
>> following settings.
>>
>> [share]
>> acl check permissions = False
>> ea support = yes
>> store dos attributes = yes
>> map readonly = no
>> map archive = no
>> map system = no
>> vfs objects = zfsacl
>
> What platform is your Samba server running on? Is this
> Solaris?

RHEL 5. It's why I've been writing lately about the tI've been
avoiding Solaris as file servers since I wrote one of the first Samba
ports for SunOS 4.1.2, way back in the 1990's.

From: Nico Kadel-Garcia on 20 Apr 2010 17:40

On Tue, Apr 20, 2010 at 5:17 PM, Jeremy Allison <jra(a)samba.org> wrote:
> On Tue, Apr 20, 2010 at 07:45:00AM -0400, Nico Kadel-Garcia wrote:
>> Good morning, folks.
>>
>> I'm involved in a project to enforce NFSv4 ACL's across a variety of
>> storage platforms, in particular NetApps sharing NFS. That works fine
>> with the NetApp NFS qtrees, but we'd like to share those with CIFS
>> clients as well. This works, and restricts access the way we expect
>> NFSv4 ACL's to work, but the Windows clients cannot view any of the
>> security settings on the directories or files.
>>
>> Cue the music, and enter Samba 3.5.2. I've reviewed various public
>> notes on how to use NFSv4 ACL's on recent Samba (particularly those at
>> http://www.sambaxp.org/files/SambaXP2009-DATA/Nils_Goroll.pdf), and
>> installed Samba 3.5.2 on test servers. And I've set up shares with the
>> following settings.
>>
>> [share]
>> acl check permissions = False
>> ea support = yes
>> store dos attributes = yes
>> map readonly = no
>> map archive = no
>> map system = no
>> vfs objects = zfsacl
>> nfs4: mode = special
>> nfs4: acedup = merge
>>
>> The "map readonly" is rejected, and I'm not sure why.
>
> What do you mean by "rejected" here ?

Oh, my. I fatfingered 'readonly' on the server. This is what I get for
working over a thin pipe to a VPN. That part is happy now.

>> The vfs objects seems to have no effect for NFSv4 access. NFSv4
>> permissions do seem to be followed.
>>
>> But Windows clients still can't see any of the security settings under
>> the "Security" tab of properties.
>
> What do you see here ?

For any file or directory where NFSv4 ACL's have been specifically
set, if I use a Windows XP client to look up "Properties" on the
object, I see no "Security" tab at all.

>> And really, really unfortunately, the NetApp ".snapshot" directories
>> are showing up by default. That's deadly: directory copy operations
>> may attempt to include the .snapshot backup targets, and that would
>> *really* get nutty.
>
> Use the "veto files" parameter to hide them.

Good point, thanks, got that.

By the way, it's really nice to see one of the core maintainers active
on such a mailing list. It makes me feel like it's the "good old days"
on a lot of interesting projects I've wrestled with over the years. If
you or the other helpful posters in this thread are ever in Boston,
I'll buy *good* beer. There's a decent pub near the annual spam
conference at MIT that I can recommend.

From: Volker Lendecke on 20 Apr 2010 17:40

On Tue, Apr 20, 2010 at 05:20:47PM -0400, Nico Kadel-Garcia wrote:
> Nope. I really, really wish it did. The relevant clients are Windows
> XP, if that has any role. And I've confirmed that the files and
> directories generated do follow the NFSv4 ACL policies.

And they don't allow to modify them? That's strange.

> As a relatively ignorant user, I wonder if mapping for display might
> be considered too awkward. NFSv4 ACL's are stored as
> 'username@domain', rather than as 'username', and Windows doesn't seem
> to have the same concept of ordering of ACL's as NFSv4 has, so it
> could be pretty tricky.

ACL ordering is one of the nastiest pieces of NFSv4/Windows ACL
interop. But you can't do much about that.

> > What platform is your Samba server running on? Is this
> > Solaris?
>
> RHEL 5. It's why I've been writing lately about the tI've been
> avoiding Solaris as file servers since I wrote one of the first Samba
> ports for SunOS 4.1.2, way back in the 1990's.

I thought it was Solaris because you've got the zfsacl module
activated.

I was told today that the Linux NFSv4 client file system passes the
ACLs as xattrs to user space. So it should "just" be a matter of
writing a VFS module to get what you want. Probably very few days of
coding. If I just had time...

Volker
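
The two points in the message above (ACLs reaching user space as xattrs, and ACL ordering across NFSv4 and Windows), as an added example that is not part of the thread and is not Samba code. It assumes the xattr (named `system.nfs4_acl` on Linux) holds the ACL as an XDR array of type/flag/mask/who entries; the blob, `alice@example.com` and `staff@example.com` are constructed sample data.

```python
import struct

ALLOW, DENY = 0, 1                # ACE4_ACCESS_ALLOWED / ACE4_ACCESS_DENIED types
READ_DATA, WRITE_DATA = 0x1, 0x2  # ACE4_READ_DATA / ACE4_WRITE_DATA mask bits
GROUP = 0x40                      # ACE4_IDENTIFIER_GROUP flag

def pack_acl(aces):
    """Build a constructed sample blob: ACE count, then type/flag/mask/who."""
    out = struct.pack(">I", len(aces))
    for typ, flag, mask, who in aces:
        w = who.encode()
        out += struct.pack(">IIII", typ, flag, mask, len(w)) + w + b"\0" * (-len(w) % 4)
    return out

def parse_acl(blob):
    """Decode the assumed XDR layout; truncated or over-long input raises."""
    (count,) = struct.unpack_from(">I", blob, 0)
    off, aces = 4, []
    for _ in range(count):
        typ, flag, mask, wlen = struct.unpack_from(">IIII", blob, off)
        off += 16
        if off + wlen > len(blob):
            raise ValueError("truncated who field")
        aces.append((typ, flag, mask, blob[off:off + wlen].decode()))
        off += wlen + (-wlen % 4)  # who is padded to a 4-byte boundary
    if off != len(blob):
        raise ValueError("trailing bytes after last ACE")
    return aces

def check(aces, principals, wanted):
    """NFSv4 evaluation: walk ACEs in stored order, first decision per bit wins."""
    remaining = wanted
    for typ, _flag, mask, who in aces:
        if who not in principals:
            continue
        if typ == DENY and mask & remaining:
            return False
        if typ == ALLOW:
            remaining &= ~mask
        if not remaining:
            return True
    return False  # bits never granted are denied

def canonical(aces):
    """Windows canonical order for explicit ACEs: deny entries before allow."""
    return sorted(aces, key=lambda ace: ace[0] != DENY)

# Constructed sample: alice is allowed first, then her group is denied write.
SAMPLE = [(ALLOW, 0, READ_DATA | WRITE_DATA, "alice@example.com"),
          (DENY, GROUP, WRITE_DATA, "staff@example.com")]
ALICE = {"alice@example.com", "staff@example.com"}
```

With the stored order alice may write; after sorting into canonical order the same entries deny her write, which is why a translation layer cannot reorder ACEs without changing the effective permissions.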