Re: [Samba] Skip ACL checks

On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl@xxxxxxxxx> wrote:

> On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > I am wondering if there is a way to bypass Samba's ACL checks and delegate
> > access control completely to the underlying file system.
> >
> > My problem arises from the following scenario: Our file system implements
> > ACLs that are to the best of my knowledge currently not readable by any of
> > the existing VFS modules. When trying to access a file with an ACL going
> > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > caused by a mechanism to derive an NT ACL from the mode. Is there any
> > possibility to skip Samba's permission checks?
>
> Not really anymore. What you could do is provide a vfs module that
> returns an "Everyone is allowed everything" ACL in the get_nt_acl call.
> It would of course be much better to get a proper mapping. What do
> your ACLs look like?

Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
the nfs4-acl-tools.

I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which
seems to be built on a different implementation. The referenced website
(http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr
to access ACLs is different (system.nfs4acl for nfs4acl_xattr and
system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

Kind regards,

Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck