2011/2/3 Robert W. Smith <[email protected]>:
> This might be more inclusive if I said, Linux Permissions vs POSIX ACLs
> vs vfs_xattr.
(snip)
> 1) Does Samba maintain the consistency between all of the stored NTFS
> attributes and POSIX ACLs when using vfs_xattr?

Only one way, from NTFS attributes to POSIX ACLs.

> 2) When might the POSIX ACL not be in sync with the vfs_xattr EA stored
> in security.NTACL when using Samba?

As far as I examined with Samba 3.5.6, the consistency is almost kept.
But in prior versions, it is not. And the ACL inherit flag cannot work well.

https://bugzilla.samba.org/show_bug.cgi?id=6841

> 4) With 'inherit acls = yes' what does 'default acl' imply? All ACLs on
> the file/directory or just those preceded with the tag 'default'?

'inherit acls = yes' only affects the *permissions* (not any ACLs) for
child files or directories. Read smb.conf(5).

But if "inherit permissions = yes", "inherit acls" is always ignored.

> 7) Currently, if a user comes to me and says, 'I need the lawyer to
> have access to file XYZ', I would grant the POSIX ACL using the Linux
> CLI with, # setfacl -m g:mud-suckers:rw, without regard to the user's OS
> platform. With vfs_xattr, do I now need to somehow 'sync' the POSIX ACL
> with the security.NTACL EA? If yes, how?

Under acl_xattr enabled, you should not set POSIX ACLs manually.
You have no way to sync.

> 5) For the astute reader, since this is a Samba share, I force the group
> to be 'domusers' (DOMAIN\Domain Users in Win) for new files/directories.
> Will this always be the Linux permission group? Will this overwrite the
> Linux group 'users' of existing files or new files where permissions and
> ACLs are inherited?

"force group" only affects the permission group for new files/directories.

> 6) I want to always ensure both the Linux only group 'users' and the
> 'domusers' (which include both Linux and Windows users and Win only
> users) are enabled on all files/directories on this share. Hey, I'll
> give my silver dollar to the person who can come up with a configuration
> that will solve this with both NFS and Samba!

I recommend:

1) to set owner and group to root,
2) add g:users:rwx and g:domusers:rwx to the default ACL

> 3) If both POSIX ACL and security.NTACL exist on a file/directory, which
> does smbcacls show? What does Win* Properties-->Security show? What does
> smbclient show?

Maybe NTACL is shown.

Remember, POSIX ACL is used to determine if access is allowed or not.
NTACL is not referred to.

---
TAKAHASHI Motonobu <[email protected]>
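
An added example, not part of the original message: a read-only audit of `getfacl` output against the layout recommended in the reply to question 6 (owner and group root, rwx for `users` and `domusers` in the default ACL), which also accounts for the default mask. The sample `getfacl` text, the path `srv/share` and the owner `alice` are constructed for illustration; the function names are hypothetical.

```python
# Added example: audit `getfacl` text; it only reads and never modifies an ACL.
REQUIRED_GROUPS = ("users", "domusers")  # group names taken from the thread

# Constructed sample: wrong owner/group, mask strips 'w', no domusers entry.
SAMPLE = """\
# file: srv/share
# owner: alice
# group: users
user::rwx
group::r-x
default:user::rwx
default:group::r-x
default:group:users:rwx\t#effective:r-x
default:mask::r-x
default:other::---
"""

def parse_getfacl(text):
    """Return (header dict, list of (is_default, tag, qualifier, perms))."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and ":" in line:       # "# owner: root" etc.
            key, _, val = line[2:].partition(":")
            header[key.strip()] = val.strip()
            continue
        line = line.split("#", 1)[0].strip()            # drop "#effective:..." notes
        is_default = line.startswith("default:")
        parts = (line[len("default:"):] if is_default else line).split(":")
        if len(parts) == 3:
            entries.append((is_default, parts[0], parts[1], parts[2]))
    return header, entries

def audit(text):
    """List deviations from: owner/group root, default ACL rwx for both groups."""
    header, entries = parse_getfacl(text)
    problems = [f"{k} is {header.get(k)!r}, expected 'root'"
                for k in ("owner", "group") if header.get(k) != "root"]
    default = {(tag, q): p for is_def, tag, q, p in entries if is_def}
    mask = default.get(("mask", ""), "rwx")
    for g in REQUIRED_GROUPS:
        perms = default.get(("group", g))
        if perms is None:
            problems.append(f"default ACL has no entry for group {g}")
            continue
        # A named group's effective rights are its entry ANDed with the mask.
        effective = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        if effective != "rwx":
            problems.append(f"default group:{g} is effectively {effective}")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "layout matches the recommendation")
```
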
