README-gpfs-acl.txt
This patch has been taken against SAMBA_3_0 Release 20028.

The patch basically moves the GPFS-ACL functionality into the new GPFS VFS module (vfs_gpfs).

Please read SAMBA_3_0/source/modules/README.nfs4acls.txt, the generalised README file on Samba support for NFS4 ACLs.
This README file is specific to GPFS only.

Configuring GPFS ACL support
===============================

Binary: (default install path is [samba]/lib/vfs/)
- gpfs.so

It is compiled by default; no additional configure option is needed.

To enable and load this module, include "vfs objects = gpfs" in the smb.conf file under the share concerned.

Example of smb.conf:

[smbtest]
path = /gpfs-test
vfs objects = gpfs
nfs4: mode = special
nfs4: chown = yes
nfs4: acedup = merge

Adding "vfs objects = gpfs" to a share should be done only when NFS4 is really supported by the filesystem.
(Otherwise you may get performance loss.)

==================================================
Below are some limitations listed for this module:
==================================================
1. When a child file or child directory is created, the results are a bit different from Windows, as specified below:

E.g.: the parent directory is set to have 2 ACEs - full access for owner and everyone

Default ACL for Windows: 2 ACEs: allow ACE for owner and everyone
Default ACL for GPFS: 6 ACEs: allow and deny ACEs for owner, group and everyone

The inheritance flags below and their combinations are applied only to the owner ACE and not to the everyone ACE

"fi"------>File Inherit
"di"------>Directory Inherit
"oi"------>Inherit Only


Parent dir: no inheritance flag set
Windows: index=0:                 GPFS(special mode): index=0:      GPFS(simple mode): index=0:
child file: default acl: 2 aces   child file: default acl: 6 aces   child file: default acl: 6 aces
child dir: default acl: 2 aces    child dir: default acl: 6 aces    child dir: default acl: 6 aces


Parent dir: "fi" flag set
Windows: index=1:                 GPFS(special mode): index=1:      GPFS(simple mode): index=1:
child file: no flag set           child file: "fi" flag set         child file: default acl: 6 aces
child dir: "fioi" flag set        child dir: "fi" flag set          child dir: "fi" flag set


Parent dir: "di" flag set
Windows: index=2:                 GPFS(special mode): index=2:      GPFS(simple mode): index=2:
child file: default acl: 2 aces   child file: default acl: 6 aces   child file: default acl: 6 aces


Parent dir: "fidi" flag set
Windows: index=3:                 GPFS(special mode): index=3:      GPFS(simple mode): index=3:
child file: no flag set           child file: "fidi" flag set       child file: default acl: 6 aces


Parent dir: "fioi" flag set
Windows: index=4:                 GPFS(special mode): index=4:      GPFS(simple mode): index=4:
child file: no flag set           child file: "fi" flag set         child file: default acl: 6 aces
child dir: "fioi" flag set        child dir: "fi" flag set          child dir: "fi" flag set


Parent dir: "dioi" flag set
Windows: index=5:                 GPFS(special mode): index=5:      GPFS(simple mode): index=5:
child file: default acl: 2 aces   child file: default acl: 6 aces   child file: default acl: 6 aces


Parent dir: "fidioi" flag set
Windows: index=6:                 GPFS(special mode): index=6:      GPFS(simple mode): index=6:
child file: no flag set           child file: "fidi" flag set       child file: default acl: 6 aces

README.nfs4acls.txt
Configuring NFS4 ACLs in Samba3
===============================
Created: Peter Somogyi, 2006-JUN-06
Last modified: Peter Somogyi, 2006-JUL-20
Revision no.: 4
-------------------------------


Parameters in smb.conf:
=======================

Each parameter must have the prefix "nfs4:".
Each one affects the behaviour only when _setting_ an ACL on a file/dir:

mode = [simple|special]
- simple: don't use OWNER@ and GROUP@ special IDs in ACEs. - default
- special: use OWNER@ and GROUP@ special IDs in ACEs instead of simple user & group IDs.
Note: EVERYONE@ is always processed (if such an ACE is found).
Note2: special mode will have a side effect when _only_ chown is performed. Later this may be worked out.

Use "simple" mode when the share is used mainly by Windows users and the Unix side is not significant. You will lose the Unix bits in this case.
Setting "store dos attributes = yes" in smb.conf is strongly advised.

chown = [true|false]
- true => enable changing owner and group - default.
- false => disable support for changing owner or group

acedup = [dontcare|reject|ignore|merge]
- dontcare: copy ACEs as they come, don't care about "duplicate" records. Default.
- reject: stop operation, exit the ACL setter operation with an error
- ignore: don't include the second matching ACE
- merge: OR the 2 ace.flag fields and the 2 ace.mask fields of the 2 duplicate ACEs into 1 ACE

Two ACEs are considered "duplicate" here when their type and id fields match.
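
The four acedup policies described above, as an added example (not code from Samba or from this README). The enum, struct and function names are hypothetical, and the sample ACE values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical types for this example; not Samba's internal structures. */
enum acedup { DUP_DONTCARE, DUP_REJECT, DUP_IGNORE, DUP_MERGE };
struct ace { int type; uint32_t id, flags, mask; };  /* type: 0 allow, 1 deny */

/* Constructed input: two allow ACEs for id 1000 (duplicates), one deny ACE. */
static const struct ace sample[3] = {
    { 0, 1000, 0x1, 0x01 },
    { 1, 1000, 0x0, 0x02 },
    { 0, 1000, 0x2, 0x04 },
};

/* Index of an ACE in out[0..n) with the same type and id, or -1. */
static int find_dup(const struct ace *out, int n, const struct ace *a)
{
    for (int i = 0; i < n; i++)
        if (out[i].type == a->type && out[i].id == a->id)
            return i;
    return -1;
}

/* Apply one acedup policy; returns ACEs written, or -1 (reject hit a duplicate). */
int apply_acedup(enum acedup mode, const struct ace *in, int n, struct ace *out)
{
    int w = 0;
    for (int i = 0; i < n; i++) {
        int d = (mode == DUP_DONTCARE) ? -1 : find_dup(out, w, &in[i]);
        if (d < 0) {
            out[w++] = in[i];          /* first ACE for this (type, id) */
        } else if (mode == DUP_REJECT) {
            return -1;                 /* abort the whole ACL set */
        } else if (mode == DUP_MERGE) {
            out[d].flags |= in[i].flags;
            out[d].mask  |= in[i].mask;
        }                              /* DUP_IGNORE: drop the second match */
    }
    return w;
}

int main(void)
{
    struct ace out[3];
    for (int m = DUP_DONTCARE; m <= DUP_MERGE; m++) {
        int n = apply_acedup((enum acedup)m, sample, 3, out);
        printf("mode %d -> %d ACEs, first mask 0x%02x\n", m, n, n > 0 ? (unsigned)out[0].mask : 0u);
    }
    return 0;
}
```

With the constructed input, ignore loses the mask bit 0x04 carried by the second allow ACE, while merge keeps it (0x01 | 0x04 = 0x05); the deny ACE is never folded into an allow ACE because its type differs.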

Example:

[smbtest]
path = /tests/psomogyi/smbtest
writable = yes
vfs objects = aixacl2
nfs4: mode = special
nfs4: chown = yes
nfs4: acedup = merge

Configuring AIX ACL support
==============================

Binaries: (default install path is [samba]/lib/vfs/)
- aixacl.so: provides AIXC ACL support only, can be compiled and works on all AIX platforms
- aixacl2.so: provides AIXC and JFS2-NFS4 ACL support, can be compiled and works only under AIX 5.3 and newer.
NFS4 ACLs are currently supported only under JFS2 (ext. attr. format must be set to v2).
aixacl2.so always detects support for NFS4 ACLs and redirects to POSIX ACL handling automatically when NFS4 is not supported for a path.

Adding "vfs objects = aixacl2" to a share should be done only when NFS4 is really supported by the filesystem.
(Otherwise you may get performance loss.)

For configuration see also the example above.

General notes
=============

NFS4 handling logic is separated from AIX/jfs2 ACL parsing.

Samba and its VFS modules don't reorder ACEs. Windows clients do that (and the smbcacls tool). MSDN also says deny ACEs must come first.
The validity of an NFS4 ACL is checked by the system API, not by Samba.
NFS4 ACL rights are enforced by the OS or filesystem, not by Samba.

The flag INHERITED_ACE is never set (not required: WinNT/98/Me don't use it, it exists only since Win2k).
The Win2k GUI behaves strangely when detecting inheritance (sometimes it doesn't detect it,
but after adding an ACE it shows it - it's some GUI error).

Unknown (unmappable) SIDs are not accepted.

TODOs
=====
- Creator Owner & Group SID handling (same way as posix)
- the 4 generic rights bits support (GENERIC_RIGHT_READ_ACCESS, WRITE, EXEC, ALL)
- chown & no ACL, but we have OWNER@ and GROUP@
- DIALUP, ANONYMOUS, ... builtin SIDs
- audit & alarm support - in theory it's forwarded so it should work, but currently there's no platform which supports them to test
- support for a real NFS4 client (we don't have an accepted API yet)