Mapping POSIX ACLs to NFSv4 ACLs for Samba storage
Prokofiev S.P.
proks at skylinetele.com
Fri Oct 11 13:58:10 UTC 2013
Hi all,
I propose to talk about an issue. I have a task of moving data from
UFS+ACLs storage to a ZFS pool. Dump/restore is the best way. But only
owner/owner_group is saved. I've written a Perl script to translate
POSIX ACLs to NFSv4 ACLs. I referred to the last draft of it
(http://tools.ietf.org/html/draft-ietf-nfsv4-acl-mapping-05) to emulate
POSIX behaviour of permissions. I got something like this, for instance:
Source directory on UFS:
Code:
> getfacl /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---
> getfacl -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---
Target directory on ZFS:
Code:
# getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
owner@:--------------:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:-w-p---A---C--:fd----:deny
user:10015:r-x---a---c--s:fd----:allow
user:10049:-w-p---A---C--:fd----:deny
user:10049:r-x---a---c--s:fd----:allow
user:10072:-------A---C--:fd----:deny
user:10072:rwxpD-a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
group@:rwxp---A---C--:fd----:deny
group:10008:-------A---C--:fd----:deny
group:544:-------A---C--:fd----:deny
group:10131:-w-p---A---C--:fd----:deny
everyone@:rwxp---A---C--:fd----:deny
everyone@:------a---c--s:fd----:allow
I was happy, but Windows made me sad. When I tried to look at the
permissions of a file or a directory with a Windows file browser, I got a
warning about the ordering of permissions. Then I tried to edit the
permissions, allowed the reordering, and got this result:
Code:
getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user:10015:-w-pD--A---C--:fd----:deny
user:10049:-w-pD--A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
group@:rwxpD--A---C--:fd----:deny
group:10008:-------A---C--:fd----:deny
group:544:-------A---C--:fd----:deny
group:10131:-w-pD--A---C--:fd----:deny
everyone@:rwxpD--A---C--:fd----:deny <<<<<<<<<
owner@:rwxpD-aA--cC--:fd----:allow
user:10015:r-x---a---c---:fd----:allow
user:10049:r-x---a---c---:fd----:allow
user:10072:rwxpD-a---c---:fd----:allow
group@:------a---c---:fd----:allow
group:10008:rwxpD-a---c---:fd----:allow
group:544:rwxpD-a---c---:fd----:allow
group:10131:r-x---a---c---:fd----:allow
everyone@:------a---c---:fd----:allow
But it won't work, because of (everyone@:rwxpD--A---C--:fd----:deny).
It's a mess. As it turned out, according to
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379298%28v=vs.85%29.aspx
it's a rule of ordering of Windows permissions.
More information about the freebsd-fs
mailing list
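
The ordering problem described in the message above, as an added example that is not part of the original post or the author's Perl script: a small evaluator that walks NFSv4 ACEs top-down and compares the mapped order with a deny-before-allow sort. The function names, the empty group sets and uid 20000 are assumptions made for illustration; only a subset of the posted ACEs is used, inheritance flags are ignored, and `windows_canonical` models the reordering only, not the `D`/`s` bit changes visible in the listing.

```python
# Added example (not from the post): NFSv4 ACEs are evaluated top-down, so order matters.
# ACEs are a subset of the mapped listing in the post; inheritance flags are ignored.
MAPPED = """\
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:-w-p---A---C--:fd----:deny
user:10015:r-x---a---c--s:fd----:allow
group@:------a---c--s:fd----:allow
group@:rwxp---A---C--:fd----:deny
everyone@:rwxp---A---C--:fd----:deny
everyone@:------a---c--s:fd----:allow
"""
OWNER_UID, OWNER_GID = 10051, 513  # "# owner" / "# group" lines of the getfacl output

def parse(text):
    """Return [(tag, qualifier, perm_set, type)] from getfacl-style NFSv4 lines."""
    aces = []
    for line in text.split():
        f = line.split(":")
        tag, qual = (f[0], int(f[1])) if len(f) == 5 else (f[0], None)
        aces.append((tag, qual, set(f[-3]) - {"-"}, f[-1]))
    return aces

def matches(tag, qual, uid, gids):
    if tag == "owner@":
        return uid == OWNER_UID
    if tag == "group@":
        return OWNER_GID in gids
    if tag == "everyone@":
        return True  # unlike POSIX "other", this also matches the owner
    if tag == "user":
        return uid == qual
    return qual in gids  # tag == "group"

def access(aces, uid, gids, wanted):
    """Ordered evaluation: the first ACE that decides a pending bit wins."""
    pending = set(wanted)
    for tag, qual, perms, kind in aces:
        if not matches(tag, qual, uid, gids):
            continue
        if kind == "deny" and pending & perms:
            return False
        if kind == "allow":
            pending -= perms
        if not pending:
            return True
    return False  # bits never granted are denied

def windows_canonical(aces):
    """Stable sort putting every deny ACE ahead of every allow ACE."""
    return sorted(aces, key=lambda ace: ace[3] != "deny")
```

In the mapped order the owner and user 10015 get their POSIX-equivalent access because their allow ACEs are reached before `everyone@ ... deny`; after the sort that deny entry is evaluated first and matches every principal.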