On Tue, Mar 06, 2012 at 04:02:54PM +0100, Filip Sneppe wrote:
> Hi,
>
> We are running into a problem with a Samba setup and would like to
> know if a current fix or workaround is at all possible.
>
> Our setup is a NetApp filer serving NFS v4 that is mounted by
> Solaris and Linux servers. On those servers we are using Samba to
> create shares of those NFSv4 mounted filesystems. We are migrating
> to this NFSv4 setup from an existing Solaris NFSv3+Posix ACL setup
> that also had Samba shares on top of the NFSv3+ACL mounts.
>
> In our setup, we are relying on NFSv4 ACL inheritance. Here's
> an example of an ACL on a file (as created by a touch command):
>
> root@system # ls -lVd test_sneppef.txt
> -rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
>      group:TRerp:r-x---a-R-c--s:------:allow
>      group:TRerp:-w-p---A-W-Co-:------:deny
>      group:TWerp:rwxp--aARWcC-s:------:allow
>      group:TWerp:------------o-:------:deny
>      user:Terp:rwxp--aARWcC-s:------:allow
>      user:Terp:------------o-:------:deny
>      owner@:rw-p--a-R-c--s:------:allow
>      group@:r-----a-R-c--s:------:allow
>      everyone@:r-----a-R-c--s:------:allow
>      owner@:--x-----------:------:deny
>      group@:-wxp----------:------:deny
>      everyone@:-wxp----------:------:deny
>
> In our Samba setup, we are making extensive use of the "force user"
> and "force group" directives to force all files created under the Samba
> share to get the appropriate username/usergroup. Here's an example
> share definition from smb.conf:
>
> [testsiven]
>     comment = NFSv4 test
>     path = /NAS/trg_shr_sft_00/erp/siven
>     valid users = "prod\siven" "__empty__"
>     write list = "prod\siven"
>     force user = Terp
>     force group = Terp
>
> So, in summary, we are relying on NFSv4 ACL inheritance to
> set the correct ACLs on all files and directories under a
> given NFS mount.
>
> The problem we are running into is that, when CIFS users are
> creating files via the Samba shares, the NFSv4 ACLs get removed.
> Here's an example of a file that was created from a Samba share:
>
> root@system # ls -lVd test2-sneppef2.txt.txt
> -rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
>      owner@:rwxp--aA--cC-s:------:allow
>      owner@:--------------:------:deny
>      group@:-wxp---A---C--:------:deny
>      group@:r-----a---c--s:------:allow
>      group@:-wxp---A---C--:------:deny
>      everyone@:r-----a---c--s:------:allow
>      everyone@:-wxp---A---C--:------:deny
>
> As you can see, there are no NFSv4 ACLs associated with the
> file.

Try using the Samba NFSv4 ACL mapping module for Solaris. vfs_solarisacl.
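
An added example, not part of the original thread: a small Python check that parses Solaris `ls -lV` output and reports files whose ACL contains only `owner@`/`group@`/`everyone@` entries, which is how the Samba-created file in the question differs from the one created with `touch`. The function names `parse_ls_v` and `files_without_named_aces` are hypothetical, and the sample input is abbreviated from the two listings quoted above.

```python
# Added example: flag files in Solaris `ls -lV` output whose ACL holds only
# owner@/group@/everyone@ entries, i.e. the named ACEs were not inherited.
SPECIAL = {"owner@", "group@", "everyone@"}

# Sample input abbreviated from the two listings quoted in the thread.
SAMPLE = """\
-rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
     group:TRerp:r-x---a-R-c--s:------:allow
     user:Terp:rwxp--aARWcC-s:------:allow
     owner@:rw-p--a-R-c--s:------:allow
     everyone@:r-----a-R-c--s:------:allow
-rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
     owner@:rwxp--aA--cC-s:------:allow
     group@:r-----a---c--s:------:allow
     everyone@:-wxp---A---C--:------:deny
"""


def parse_ls_v(text):
    """Return {filename: [(principal, perms, flags, ace_type), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[-1] in ("allow", "deny"):
            if current is None:
                continue  # ACE with no preceding file line; skip it
            principal = ":".join(fields[:-3])  # "owner@" or "user:Terp"
            acls[current].append((principal, *fields[-3:]))
        elif line.strip():
            # ls -l file line: mode links owner group size month day time name
            parts = line.split(None, 8)
            current = parts[8] if len(parts) == 9 else None
            if current is not None:
                acls[current] = []
    return acls


def files_without_named_aces(acls):
    """Files whose every ACE principal is owner@, group@ or everyone@."""
    return [name for name, aces in acls.items()
            if all(p in SPECIAL for p, *_ in aces)]


if __name__ == "__main__":
    for name in files_without_named_aces(parse_ls_v(SAMPLE)):
        print("no named user/group ACEs:", name)
```

Feeding it the output of `ls -lV` for a share directory lists the files that need their ACL reapplied.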