Re: [Samba] VFS ACL modules - question to developers
On Sat, Dec 10, 2011 at 12:36:09AM +0100, Björn JACKE wrote:
> On 2011-12-05 at 10:27 -0800 Jeremy Allison sent off:
> > We could extend the acl_tdb and acl_xattr modules so
> > that they never consider the underlying file system permissions,
> > but that would completely divorce the Windows permissions
> > from the local filesystem permissions. We don't do that
> > yet (it would need some additional coding) as no one has
> > ever demanded that as a feature.
>
> isn't this what acl_xattr:ignore system acls = yes is supposed to do?

Not quite. It never checks the underlying system ACLs
but it doesn't override them.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] VFS ACL modules - question to developers
On 2011-12-05 at 10:27 -0800 Jeremy Allison sent off:
> We could extend the acl_tdb and acl_xattr modules so
> that they never consider the underlying file system permissions,
> but that would completely divorce the Windows permissions
> from the local filesystem permissions. We don't do that
> yet (it would need some additional coding) as no one has
> ever demanded that as a feature.

isn't this what acl_xattr:ignore system acls = yes is supposed to do?

Björn
Re: [Samba] VFS ACL modules - question to developers
On Tue, Dec 06, 2011 at 09:57:26AM +0100, NdK wrote:
> On 05/12/2011 19:27, Jeremy Allison wrote:
>
> > If we didn't do this NFS access or local process access
> > would completely ignore the Windows permissions (which is
> > not what most people want).
> Then why not drop completely TDB storage of permissions and rely on
> filesystem alone?
> Denormalization is (usually) bad...

Because, as has been pointed out before, mapping to the
underlying filesystem permission is a *lossy* mapping
(this is what we used to do).

Most people using Windows don't want a lossy mapping,
they want to see the exact Windows ACLs they set. The
acl_xattr or acl_tdb method allows us to do this, with
complete accuracy on evaluating the Windows ACLs, yet
still have the underlying filesystem mapping as well.

Sort of like eating, and having, your cake at the same
time :-).

Jeremy.
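
The lossy mapping described in the message above, and why the exact ACL is kept alongside it, as an added example that is not part of the original message and is not Samba's code. The projection rules (TRIGGER, EXPAND) and the PristineStore class are assumptions made for illustration; only the access-mask bit values are the standard Windows ones.

```python
# Added illustration, not Samba code. The projection rules below are an
# assumption, simplified to show why mapping onto rwx loses information.

# Windows file access-mask bits (standard Windows SDK values).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x001, 0x002, 0x004
FILE_READ_EA, FILE_WRITE_EA = 0x008, 0x010
FILE_EXECUTE = 0x020           # Traverse folder / Execute file
FILE_DELETE_CHILD = 0x040      # Delete subfolders and files
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x080, 0x100

# Assumed expansion of each POSIX bit back into Windows rights.
EXPAND = {
    "r": FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES,
    "w": (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
          | FILE_WRITE_ATTRIBUTES | FILE_DELETE_CHILD),
    "x": FILE_EXECUTE,
}
# Assumed trigger: the one Windows right that turns each POSIX bit on.
TRIGGER = {"r": FILE_READ_DATA, "w": FILE_WRITE_DATA, "x": FILE_EXECUTE}

def to_posix(mask):
    """Project a Windows access mask onto an rwx string."""
    return "".join(c if mask & TRIGGER[c] else "-" for c in "rwx")

def from_posix(rwx):
    """Rebuild a Windows mask from rwx alone (all that a lossy store keeps)."""
    mask = 0
    for c in rwx:
        mask |= EXPAND.get(c, 0)
    return mask

def round_trip(mask):
    """Return (bits lost, bits gained) after Windows -> rwx -> Windows."""
    back = from_posix(to_posix(mask))
    return mask & ~back, back & ~mask

class PristineStore:
    """Stand-in for the tdb/xattr side: keeps the exact mask next to rwx."""
    def __init__(self):
        self.exact, self.fs = {}, {}
    def set_acl(self, path, mask):
        self.exact[path] = mask          # what Windows clients read back
        self.fs[path] = to_posix(mask)   # what NFS/local processes enforce
    def get_acl(self, path):
        return self.exact[path]

def distinct_projections():
    """Count rwx results over all 2**9 combinations of the nine rights."""
    return len({to_posix(m) for m in range(0x200)})
```

Under these assumed rules, 512 distinct Windows masks collapse onto 8 rwx values, which is the information a filesystem-only store cannot return to the Windows client.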
Re: [Samba] VFS ACL modules - question to developers
On 05/12/2011 19:27, Jeremy Allison wrote:
> If we didn't do this NFS access or local process access
> would completely ignore the Windows permissions (which is
> not what most people want).

Then why not drop completely TDB storage of permissions and rely on
filesystem alone?
Denormalization is (usually) bad...

BYtE,
 Diego.
Re: [Samba] VFS ACL modules - question to developers
Got it, thanks for the clarification.

2011/12/6 Jeremy Allison

> On Tue, Dec 06, 2011 at 02:16:34AM +0800, David Roid wrote:
> > Hi Jeremy,
> >
> > I can understand the limit of acl_xattr because every specific file system may
> > impose a limit on number of extended attributes. But now that with acl_tdb ACLs
> > are stored in tdb file, should not there be nothing to do with file system?
>
> The acl_tdb module layers a storage of the pristine Windows ACL
> into a tdb, but in order for the underlying file system permissions
> to accurately reflect those Windows permissions we still have
> to map the Windows ACL onto the underlying file system ACL.
>
> If we didn't do this NFS access or local process access
> would completely ignore the Windows permissions (which is
> not what most people want).
>
> We could extend the acl_tdb and acl_xattr modules so
> that they never consider the underlying file system permissions,
> but that would completely divorce the Windows permissions
> from the local filesystem permissions. We don't do that
> yet (it would need some additional coding) as no one has
> ever demanded that as a feature.
>
> It would only work for a Windows-only (CIFS/SMB/SMB2-only)
> fileserver with no NFS or local access allowed.
>
> Jeremy.
Re: [Samba] VFS ACL modules - question to developers
On Tue, Dec 06, 2011 at 02:16:34AM +0800, David Roid wrote:
> Hi Jeremy,
>
> I can understand the limit of acl_xattr because every specific file system may
> impose a limit on number of extended attributes. But now that with acl_tdb ACLs
> are stored in tdb file, should not there be nothing to do with file system?

The acl_tdb module layers a storage of the pristine Windows ACL
into a tdb, but in order for the underlying file system permissions
to accurately reflect those Windows permissions we still have
to map the Windows ACL onto the underlying file system ACL.

If we didn't do this NFS access or local process access
would completely ignore the Windows permissions (which is
not what most people want).

We could extend the acl_tdb and acl_xattr modules so
that they never consider the underlying file system permissions,
but that would completely divorce the Windows permissions
from the local filesystem permissions. We don't do that
yet (it would need some additional coding) as no one has
ever demanded that as a feature.

It would only work for a Windows-only (CIFS/SMB/SMB2-only)
fileserver with no NFS or local access allowed.

Jeremy.
Re: [Samba] VFS ACL modules - question to developers
Hi Jeremy,

I can understand the limit of acl_xattr because every specific file system may
impose a limit on number of extended attributes. But now that with acl_tdb ACLs
are stored in tdb file, should not there be nothing to do with file system?

Regards
-David

2011/12/6 Jeremy Allison

> On Mon, Dec 05, 2011 at 03:00:01PM +0100, adrian.berlin wrote:
> > Hi Jeremy,
> >
> > I'm going to check your patches on Wednesday.
>
> Thanks. I'm going to be in the UK from Tues -> Tues (1 week)
> with limited access to email, so please be patient with
> responses to queries.
>
> > So I understand that ACL TDB are also limited by filesystem?
>
> Well the ACLs do need to be mapped onto the underlying
> file system as well as being stored in the tdb, so yes
> this module is still bound by the underlying file system
> limits.
>
> Jeremy.
Re: [Samba] VFS ACL modules - question to developers
On Mon, Dec 05, 2011 at 03:00:01PM +0100, adrian.berlin wrote:
> Hi Jeremy,
>
> I'm going to check your patches on Wednesday.

Thanks. I'm going to be in the UK from Tues -> Tues (1 week)
with limited access to email, so please be patient with
responses to queries.

> So I understand that ACL TDB are also limited by filesystem?

Well the ACLs do need to be mapped onto the underlying
file system as well as being stored in the tdb, so yes
this module is still bound by the underlying file system
limits.

Jeremy.
Re: [Samba] VFS ACL modules - question to developers
Hi Jeremy,

I'm going to check your patches on Wednesday.
So I understand that ACL TDB are also limited by filesystem?

Cheers
/Adrian Berlin

On 3 December 2011 2:12 Jeremy Allison wrote:

> On Thu, Dec 01, 2011 at 09:55:48AM +0100, adrian.berlin wrote:
> >
> > > That's a really interesting document. I'd like to work
> > > on that with you to make Samba behave exactly how you
> > > expect.
> >
> > This is a very good idea :) How can I help you?
>
> Keep reporting bugs and testing my patches for them :-).
>
> > > I have a jumbo patch for 3.6.x which should fix the
> > > issues you're having with READ_ATTRIBUTES/WRITE_ATTRIBUTES.
> >
> > Where can I get this patch to test it?
>
> It's attached to this bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=8556
>
> as a 40-patchset attachment.
>
> > > There are no limits in the acl_tdb code that would
> > > cause it to behave as you describe. What you may
> > > be seeing are limits in mapping the incoming ACL
> > > down onto the underlying file system.
> > >
> > > Do you have debug level 10 logs of this ?
> >
> > Unfortunately not, but I will check it again today with level 10 log and
> > EXT4 and XFS filesystem.
> >
> > > What is your underlying file system ?
> >
> > XFS
>
> The limit you're running into is on the ACLs within
> XFS, not within Samba.
>
> Jeremy.
Re: [Samba] VFS ACL modules - question to developers
On Thu, Dec 01, 2011 at 09:55:48AM +0100, adrian.berlin wrote:
>
> > That's a really interesting document. I'd like to work
> > on that with you to make Samba behave exactly how you
> > expect.
>
> This is a very good idea :) How can I help you?

Keep reporting bugs and testing my patches for them :-).

> > I have a jumbo patch for 3.6.x which should fix the
> > issues you're having with READ_ATTRIBUTES/WRITE_ATTRIBUTES.
>
> Where can I get this patch to test it?

It's attached to this bug:

https://bugzilla.samba.org/show_bug.cgi?id=8556

as a 40-patchset attachment.

> > There are no limits in the acl_tdb code that would
> > cause it to behave as you describe. What you may
> > be seeing are limits in mapping the incoming ACL
> > down onto the underlying file system.
> >
> > Do you have debug level 10 logs of this ?
>
> Unfortunately not, but I will check it again today with level 10 log and
> EXT4 and XFS filesystem.
>
> > What is your underlying file system ?
>
> XFS

The limit you're running into is on the ACLs within
XFS, not within Samba.

Jeremy.
Re: [Samba] VFS ACL modules - question to developers
> That's a really interesting document. I'd like to work
> on that with you to make Samba behave exactly how you
> expect.

This is a very good idea :) How can I help you?

> I have a jumbo patch for 3.6.x which should fix the
> issues you're having with READ_ATTRIBUTES/WRITE_ATTRIBUTES.

Where can I get this patch to test it?

> There are no limits in the acl_tdb code that would
> cause it to behave as you describe. What you may
> be seeing are limits in mapping the incoming ACL
> down onto the underlying file system.
>
> Do you have debug level 10 logs of this ?

Unfortunately not, but I will check it again today with level 10 log and
EXT4 and XFS filesystem.

> What is your underlying file system ?

XFS

Cheers
/Adrian Berlin
Re: [Samba] VFS ACL modules - question to developers
On Tue, Nov 29, 2011 at 09:19:16AM +0100, adrian.berlin wrote:
>
> Hi!
>
> Do you have any update?
>
> Best regards
> /Adrian Berlin
>
> On 24 November 2011 12:43 adrian.berlin wrote:
>
> > Hi!
> >
> > 1. To check acl_tdb limits I used this script (on Windows):
> >
> > @echo off
> > for /l %%i in (1,1,10) do (
> > icacls.exe \\IP_address\smb_share\folder /grant user%%i:F
> > )
> >
> > I could write only 22 entries.
> >
> > 2. Please see document on scribd http://www.scribd.com/doc/73654474/vfs-acls

That's a really interesting document. I'd like to work
on that with you to make Samba behave exactly how you
expect.

I have a jumbo patch for 3.6.x which should fix the
issues you're having with READ_ATTRIBUTES/WRITE_ATTRIBUTES.

There are no limits in the acl_tdb code that would
cause it to behave as you describe. What you may
be seeing are limits in mapping the incoming ACL
down onto the underlying file system.

Do you have debug level 10 logs of this ?

What is your underlying file system ?

Jeremy.
Re: [Samba] VFS ACL modules - question to developers
Hi!

Do you have any update?

Best regards
/Adrian Berlin

On 24 November 2011 12:43 adrian.berlin wrote:

> Hi!
>
> 1. To check acl_tdb limits I used this script (on Windows):
>
> @echo off
> for /l %%i in (1,1,10) do (
> icacls.exe \\IP_address\smb_share\folder /grant user%%i:F
> )
>
> I could write only 22 entries.
>
> 2. Please see document on scribd http://www.scribd.com/doc/73654474/vfs-acls
>
> Cheers
> /Adrian Berlin
>
> > On 23 November 2011 21:39 Jeremy Allison wrote:
> >
> > > On Wed, Nov 23, 2011 at 01:15:46PM +0100, adrian.berlin wrote:
> > > > Hi!
> > > >
> > > > I have a few questions to developers of VFS ACL modules (acl_tdb and
> > > > acl_xattr):
> > > > 1. Do you plan to extend quantity of entries in acl_tdb
> > > > (now I can write 22 user ACLs plus CREATOR OWNER, CREATOR GROUP, domain
> > > > users and everyone)
> > >
> > > I don't see any limits in acl_tdb. Where are you getting this
> > > limit from ?
> > >
> > > > 2. Do you plan to fix a few ACLs, e.g. Traverse folder / Execute file (to
> > > > traverse I need to enable additional permission List folder / read data
> > > > to traverse through folder), Read attributes seems to be always enabled,
> > > > Read Extended Attributes seems to be always disabled, the same behaviour
> > > > is with Write Attributes and Write Extended Attributes, Delete subfolder
> > > > and files permission works only on files - I cannot remove subfolder.
> > >
> > > Can you expand on this more ? I need to know what specific
> > > bugs you're seeing here.
> > >
> > > Thanks,
> > >
> > > Jeremy.
Re: [Samba] VFS ACL modules - question to developers
Hi!

1. To check acl_tdb limits I used this script (on Windows):

@echo off
for /l %%i in (1,1,10) do (
icacls.exe \\IP_address\smb_share\folder /grant user%%i:F
)

I could write only 22 entries.

2. Please see document on scribd http://www.scribd.com/doc/73654474/vfs-acls

Cheers
/Adrian Berlin

> On 23 November 2011 21:39 Jeremy Allison wrote:
>
> > On Wed, Nov 23, 2011 at 01:15:46PM +0100, adrian.berlin wrote:
> > > Hi!
> > >
> > > I have a few questions to developers of VFS ACL modules (acl_tdb and
> > > acl_xattr):
> > > 1. Do you plan to extend quantity of entries in acl_tdb
> > > (now I can write 22 user ACLs plus CREATOR OWNER, CREATOR GROUP, domain
> > > users and everyone)
> >
> > I don't see any limits in acl_tdb. Where are you getting this
> > limit from ?
> >
> > > 2. Do you plan to fix a few ACLs, e.g. Traverse folder / Execute file (to
> > > traverse I need to enable additional permission List folder / read data
> > > to traverse through folder), Read attributes seems to be always enabled,
> > > Read Extended Attributes seems to be always disabled, the same behaviour
> > > is with Write Attributes and Write Extended Attributes, Delete subfolder
> > > and files permission works only on files - I cannot remove subfolder.
> >
> > Can you expand on this more ? I need to know what specific
> > bugs you're seeing here.
> >
> > Thanks,
> >
> > Jeremy.
Re: [Samba] VFS ACL modules - question to developers
On Wed, Nov 23, 2011 at 01:15:46PM +0100, adrian.berlin wrote:
> Hi!
>
> I have a few questions to developers of VFS ACL modules (acl_tdb and acl_xattr):
> 1. Do you plan to extend quantity of entries in acl_tdb
> (now I can write 22 user ACLs plus CREATOR OWNER, CREATOR GROUP, domain users
> and everyone)

I don't see any limits in acl_tdb. Where are you getting this
limit from ?

> 2. Do you plan to fix a few ACLs, e.g. Traverse folder / Execute file (to
> traverse I need to enable additional permission List folder / read data
> to traverse through folder), Read attributes seems to be always enabled,
> Read Extended Attributes seems to be always disabled, the same behaviour
> is with Write Attributes and Write Extended Attributes, Delete subfolder
> and files permission works only on files - I cannot remove subfolder.

Can you expand on this more ? I need to know what specific
bugs you're seeing here.

Thanks,

Jeremy.