Web lists-archives.com

Re: [Samba] Skip ACL checks




On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl@xxxxxxxxx> wrote:

> On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > I am wondering if there is a way to bypass Samba's ACL checks and
> delegate
> > access control completely to the underlying file system.
> >
> > My problem arises from the following scenario: Our file system implements
> > ACLs that are to the best of my knowledge currently not readable by any
> of
> > the existing VFS modules. When trying to access a file with an ACL going
> > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > caused by an mechanism to derive an NT ACL from the mode. Is there any
> > possibility to skip Samba's permission checks?
>
> Not really anymore. What you could do is provide a vfs module that
> returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> It would of course be much better to get a proper mapping. What do
> your ACLs look like?
>

Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
the nfs4-acl-tools.

I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which
seems to be build on a different implementation. The referenced website (
http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr
to access ACLs is different (system.nfs4acl for nfs4acl_xattr and
system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

Kind regards,
Christoph



-- 
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba