On Tue, Apr 20, 2010 at 5:17 PM, Jeremy Allison <[email protected]> wrote:
> On Tue, Apr 20, 2010 at 07:45:00AM -0400, Nico Kadel-Garcia wrote:
>> Good morning, folks.
>>
>> I'm involved in a project to enforce NFSv4 ACL's across a variety of
>> storage platforms, in particular NetApps sharing NFS. That works fine
>> with the NetApp NFS qtrees, but we'd like to share those with CIFS
>> clients as well. This works, and restricts access the way we expect
>> NFSv4 ACL's to work, but the Windows clients cannot view any of the
>> security settings on the directories or files.
>>
>> Cue the music, and enter Samba 3.5.2. I've reviewed various public
>> notes on how to use NFSv4 ACL's on recent Samba (particularly those at
>> http://www.sambaxp.org/files/SambaXP2009-DATA/Nils_Goroll.pdf), and
>> installed Samba 3.5.2 on test servers. And I've set up shares with the
>> following settings.
>>
>> [share]
>>     acl check permissions = False
>>     ea support = yes
>>     store dos attributes = yes
>>     map readonly = no
>>     map archive = no
>>     map system = no
>>     vfs objects = zfsacl
>>     nfs4: mode = special
>>     nfs4: acedup = merge
>>
>> The "map readonly" is rejected, and I'm not sure why.
>
> What do you mean by "rejected" here ?

Oh, my. I fat-fingered 'readonly' on the server. This is what I get for
working over a thin pipe to a VPN. That part is happy now.

>> The vfs objects seems to have no effect for NFSv4 access. NFSv4
>> permissions do seem to be followed.
>>
>> But Windows clients still can't see any of the security settings under
>> the "Security" tab of properties.
>
> What do you see here ?

For any file or directory where NFSv4 ACL's have been specifically
set, if I use a Windows XP client to look up "Properties" on the
object, I see no "Security" tab at all.

>> And really, really unfortunately, the NetApp ".snapshot" directories
>> are showing up by default. That's deadly: directory copy operations
>> may attempt to include the .snapshot backup targets, and that would
>> *really* get nutty.
>
> Use the "veto files" parameter to hide them.

Good point, thanks, got that.

By the way, it's really nice to see one of the core maintainers active
on such a mailing list. It makes me feel like it's the "good old days"
on a lot of interesting projects I've wrestled with over the years. If
you or the other helpful posters in this thread are ever in Boston,
I'll buy *good* beer. There's a decent pub near the annual spam
conference at MIT that I can recommend.
